Vulnerability: Server accepts fixed Session ID in a cookie

book

Article ID: 197508

calendar_today

Updated On:

Products

CA Identity Manager CA Identity Governance CA Identity Portal CA Identity Suite

Issue/Introduction

We have received a security vulnerability related to CA Identity Manager user console application.
Can you please help us with the resolution/fix to this issue ?

Finding Details
Type: Session Fixation
Description:
Session Fixation is an attack that permits an attacker to hijack a valid user session. It fits within the more general framework of attacks that exploit a violation of best practice where the server authenticates by changing (promoting) the authentication state of the session ID cookie value so it can continue to use the same cookie value. Servers that accept session data in the URL or in POST data in particular are vulnerable. The attack follows this pattern:Attacker ascertains session ID name, value. Either the server accepts anything or the attacker visits the site and snoops the response.Attacker entices victim to visit the site with extra payload in the URL to the effect of "https://www.thesite.com/?SID=ascertained_value."Victim logs in and that SID gets promoted.Attacker now has authenticated access.
----------------------------------------
Attack Information
URL: https://<VIP_URL>/iam/im/identityEnv/ui7/index.jsp

Method: POST

Attack Type: Server accepts fixed Session ID in a cookie

Attack Value: JSESSIONID=;SMSESSION=x75j2c8w;ys-isPanelFocusSet=;ys-west-panel=;ys-west1=
------------------------------------------
Remediate
Recommendation:
This attack can be largely avoided by changing the session ID when users log in. Also, do NOT accept session ID's in GET or POST parameters; use HTTP cookies at the very least to encode session information. These two rules of thumb establish a sufficient level of security for most applications. However, for those willing to incur further development and maintenance effort for higher security, the SID can be regenerated on a per-request basis and also, on systems that support it, SSL/TLS session identifiers may be used.
-----------------------------------------

 

Resolution

The reported vulnerability is a false-positive that cannot be reproduced in Identity Manager.