Application security audit for UIM Monitoring tool identified multiple vulnerabilities

Article ID: 248793

Products

DX Unified Infrastructure Management (Nimsoft / UIM) CA Unified Infrastructure Management On-Premise (Nimsoft / UIM)

Issue/Introduction

1: Session Misconfiguration

Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack exploits a limitation in the way the vulnerable web application manages the session ID: when authenticating a user, it does not assign a new session ID, making it possible to reuse an existing session ID.

2: Application is vulnerable to Brute force attack

A brute-force attack consists of an attacker submitting many passwords or passphrases in the hope of eventually guessing one correctly.

3: Credentials submitted in clear text

It was observed that the password field is not encrypted in the HTTP request.

4: Insecure Transport (HTTPS not implemented)

It was identified that no transport layer security was implemented for the web application.

5: Cookie without secure flag set

The various attributes of cookies are explained below.

Secure: Whenever a cookie contains sensitive information or is a session token, it should always be transmitted to the server over an encrypted channel. For example, after logging in to an application that sets a session token and stores it in a cookie, verify that the cookie is tagged with the 'secure' flag. If it is not, the browser considers it safe to transmit over an unencrypted channel such as HTTP. Ensure that this cookie is initially set on a page that is accessible only over HTTPS.

Domain: Verify that the domain has not been set too loosely. It should only be set for the server that needs to receive the cookie. For example, if the application resides on the server <xxx.xxx.>, then it should be set to '; domain=<xxx.xxx.>' and not to '; domain=<.xxx.>', as this would allow other potentially vulnerable servers to receive the cookie.

Path: Verify that the Path attribute has not been set too loosely. Even if the Domain attribute has been configured securely, if the path is set to the root directory '/' then the cookie is exposed to less secure applications on the same server. For example, if the application resides at '/myapp/', verify that the cookie's path is set to '; path=/myapp/' and not to '; path=/'.

HTTPOnly: Cookies support a security feature known as HTTPOnly. This feature protects a cookie from being read by JavaScript. It is an additional layer of defense against Cross-Site Scripting (XSS) attacks and a good security practice to follow. The present application has not enabled HTTPOnly for the session cookie. If the application becomes vulnerable to XSS, the absence of HTTPOnly will further allow an attacker to hijack a victim's sessions.
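An added example (not part of the original article) that checks Set-Cookie headers against the four attributes described above; the application host, base path and sample headers are constructed inputs, not values from a real UIM installation:

```python
"""Audit Set-Cookie headers for missing Secure/HttpOnly flags and loose Domain/Path."""

# Constructed sample headers (not captured from a real server).
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Domain=.example.com",
    "APPSESSION=def456; Path=/myapp/; Domain=app.example.com; Secure; HttpOnly",
]


def parse_set_cookie(header):
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flags map to ""
    return name.strip(), value.strip(), attrs


def audit_cookie(header, app_host, app_path):
    """Return findings for one Set-Cookie header. app_host is the only server
    that should receive the cookie, app_path the application's base path."""
    _name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure flag: cookie may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly flag: cookie readable by script (XSS)")
    domain = attrs.get("domain")
    if domain and domain.lstrip(".").lower() != app_host.lower():
        findings.append(f"Domain too loose: {domain} (expected {app_host})")
    # Path '/' (or any proper prefix of the app path) exposes the cookie to
    # other applications hosted on the same server.
    cookie_path = attrs.get("path", "/").rstrip("/")
    expected = app_path.rstrip("/")
    if expected and cookie_path != expected and expected.startswith(cookie_path + "/"):
        findings.append(f"Path too loose: {attrs.get('path', '/')} (expected {app_path})")
    return findings


def audit_headers(headers, app_host, app_path):
    """Return [(cookie name, findings)] for every header, findings possibly empty."""
    return [(parse_set_cookie(h)[0], audit_cookie(h, app_host, app_path)) for h in headers]


if __name__ == "__main__":
    for name, issues in audit_headers(SAMPLE_HEADERS, "app.example.com", "/myapp/"):
        print(name, "->", "; ".join(issues) or "OK")
```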

6: Improper input Validation

When software does not validate input properly, an attacker is able to craft input in a form that the rest of the application does not expect. This leads to parts of the system receiving unintended input, which may result in altered control flow, arbitrary control of a resource, or arbitrary code execution.

7: Concurrent Login Enabled

It's a common request or recommendation that a web application not allow a user to have more than one session active at a time. In other words, after a user logs into an application, he should not be permitted to open a different type of browser (or use another computer) to log in again until his first session has ended. If the web application does not want to allow simultaneous session logons, it must take effective action after each new authentication event, either implicitly terminating the previously available session or asking the user (through the old session, the new session or both) which session must remain active. It is recommended that web applications add user capabilities that allow checking the details of active sessions at any time, monitor and alert the user about concurrent logons, provide user features to remotely terminate sessions manually, and track account activity history (logbook) by recording client details such as IP address, User-Agent, login date and time, idle time, etc.


Environment

Release : 20.4

Component : UNIFIED INFRASTRUCTURE MGMT

Resolution

1: Session Misconfiguration

The UIM Operator Console does not depend on the session ID. Instead it creates JWT tokens for authentication purposes.
The JWT token is generated by the Operator Console for user authentication and is exchanged between browser and server as the sid header attribute in the request/response. The settings in wasp.cfg ensure that a new token is generated after every interval, and the token is used only for user authentication purposes. For more information refer to the KB article below:
Information on Operator Console timeout and auto logout


2: Application is vulnerable to Brute force attack


This functionality is already available in UIM. Please refer to the documentation below to enable it.
https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/unified-infrastructure-management/20-4/administering/Restrict-Password-Retries-in-OC.html


3: Credentials submitted in clear text


Please configure a Secure Sockets Layer (SSL) connection to access the Operator Console or Admin Console using HTTPS. The documentation below will help you configure this:
https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/unified-infrastructure-management/20-4/installing/optional-post-installation-tasks/configure-https-in-admin-console-or-ump.html


4: Insecure Transport (HTTPS not implemented)


Please configure a Secure Sockets Layer (SSL) connection to access the Operator Console or Admin Console using HTTPS. The documentation below will help you configure this:
https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/unified-infrastructure-management/20-4/installing/optional-post-installation-tasks/configure-https-in-admin-console-or-ump.html


5: Cookie without secure flag set


The cookies listed in the screenshot belong to the deprecated version of UMP, which includes the Liferay server. The new version of UIM (>= 20.4.0) does not set any cookies other than the session ID, and the session ID is not used for authentication purposes. Those stale web apps need to be removed from the UIM installation manually.


6: Improper input Validation


This screenshot belongs to the deprecated version of UMP, which includes the Liferay server. From UIM 20.4.0 onwards the Liferay server is no longer used. Those stale applications need to be deleted manually from the UIM installation location.


7: Concurrent Login Enabled


This functionality is already available in UIM. Please refer to the documentation below to enable it.
https://techdocs.broadcom.com/us/en/ca-enterprise-software/it-operations-management/unified-infrastructure-management/20-4/administering/Restrict-Multiple-Simultaneous-Logins-in-OC.html