We have been using OPNsense for a while now and everything has been fine. Recently we switched credit card processors and now fail a PCI compliance scan because of a "Predictable Session ID Vulnerability" on port 443 with OPNsense. I have searched for a while trying to come up with an answer to fix this and can't figure it out.
Any suggestions?
Thanks!
The PCI assessor should provide all the needed guidance in the context of your organization.
There isn't enough information here to work on, yet at first glance it appears to be unrelated to OPNsense.
Thanks for the info. The reason I say it is related to OPNsense is it only fails when the GUI is accessible. If I log into the shell and kill the lighttpd process that runs the GUI the scan passes.
I guess I could leave the GUI dead and do everything from the shell... Just thought it would be fixable.
Thanks!
Do you have some more information about the tool and parameters used for the security scan in your network?
I do not know if you are talking about TLS session IDs, Cookies or something else but in any case, the session ID must be unique and not guessable so your check may provide some more information what is likely vulnerable and where we can work on.
Also maybe it is a defect in the RNG of PHP.
So while I am waiting to hear back from a support agent with our processor, I was able to print out a little more info. I have attached a picture of the info provided. As soon as I have any more info, I will post that as well.
Thanks!
(https://pc-place.com/x77/pciscan.png)
It's not a session (validation) cookie, it's only used to check if your browser supports cookies:
https://github.com/opnsense/core/blob/57e8b9ddd0a26d27fbd68859d6c29b2ee2e1c2c8/src/etc/inc/authgui.inc#L301-L302
https://github.com/opnsense/core/blob/57e8b9ddd0a26d27fbd68859d6c29b2ee2e1c2c8/src/etc/inc/authgui.inc#L370
It wouldn't be a huge change to change this to some random value, just open a ticket here https://github.com/opnsense/core/issues
From the description you got it is likely about the PHP session id cookie. In that case it is likely that this has to be brought upstream to the PHP project if it is not a false positive. At least I can try to reproduce. Are you using LibreSSL or OpenSSL?
Edit: sorry I did not read the report carefully enough. Ad is right - this is a non-functional cookie. It is just there to check if the browser supports cookies.
Randomize eventually sounds good, although with a name "cookie_test" and open source code at hand to look it up the issue is not a vulnerability at all, it would simply be labeled "bad practice".
Cheers,
Franco
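To reproduce the scanner's reasoning offline before asking for an exception, here is an added triage script (not code from OPNsense or from the scanner vendor). It parses the Set-Cookie headers a login page returns across several requests and separates a predictable session cookie (a real finding) from a predictable non-session probe like cookie_test (bad practice, not a vulnerability); the captured headers and PHPSESSID values are constructed for illustration.

```python
"""Added example, not OPNsense's or the scanner's code: triage a "predictable
session ID" finding from the cookies one login page sets across responses."""
import re
from collections import defaultdict

# Constructed captures from three GETs of the same login page (hypothetical
# random PHPSESSID values; cookie_test carries a plain counter).
RESPONSES = [
    ["PHPSESSID=9f3a6c1e2b7d4a5e8c0f1b2a3d4e5f60; path=/; Secure; HttpOnly",
     "cookie_test=1700000000; path=/"],
    ["PHPSESSID=0b7e2d9c4f1a8e3b6d5c2a1f9e8d7c61; path=/; Secure; HttpOnly",
     "cookie_test=1700000001; path=/"],
    ["PHPSESSID=c4d5e6f708192a3b4c5d6e7f8091a2b3; path=/; Secure; HttpOnly",
     "cookie_test=1700000002; path=/"],
]
SESSION_COOKIE_NAMES = {"phpsessid", "sessionid", "jsessionid"}  # server-side session carriers

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val if val else True
    return name, value, attrs

def is_predictable(values):
    """Repeated values, or digit-only values (timestamp/counter), are guessable."""
    return len(set(values)) < len(values) or all(re.fullmatch(r"\d+", v) for v in values)

def triage(responses):
    """Map cookie name -> verdict. Only a predictable cookie that identifies a
    session is 'vulnerable'; a predictable cookie-support probe is 'bad practice'."""
    seen = defaultdict(list)
    for headers in responses:
        for header in headers:
            name, value, attrs = parse_set_cookie(header)
            seen[name].append((value, attrs))
    report = {}
    for name, entries in seen.items():
        values = [v for v, _ in entries]
        predictable = is_predictable(values)
        session = name.lower() in SESSION_COOKIE_NAMES
        verdict = ("vulnerable" if predictable and session
                   else "bad practice" if predictable else "ok")
        report[name] = {"verdict": verdict, "distinct": len(set(values)),
                        "session_cookie": session, "secure": "secure" in entries[0][1],
                        "httponly": "httponly" in entries[0][1]}
    return report
```

Run `triage(RESPONSES)` against headers captured from your own GUI to see whether the flagged cookie is PHPSESSID or only the cookie-support probe.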
Thanks for the reply!
This is not my area of expertise so I wasn't sure if "cookie_test" was a label from the scanner or the name of the actual cookie.
Thanks again for the replies. A very helpful community. Based on the answers given here I will ask for an "exception" on this false positive.
On that note should I still open a ticket at https://github.com/opnsense/core/issues as suggested by AdSchellevis in case this affects anyone else in the future?
Have a great day!
Hi pcplace,
No worries. A ticket would certainly be nice.
Cheers,
Franco