Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
19.7 Legacy Series
»
Predictable Session ID Vulnerability
« previous
next »
Print
Pages: [
1
]
Author
Topic: Predictable Session ID Vulnerability (Read 4559 times)
pcplace
Newbie
Posts: 4
Karma: 0
Predictable Session ID Vulnerability
«
on:
January 20, 2020, 04:46:00 pm »
We have been using OPNsense for a while now and everything has been fine. Recently we switched credit card processors and now fail a PCI compliance scan becasuse of a "Predictable Sesion ID Vulnerability" on port 443 with OPNsense. I have searched for a while trying to come up with an answer to fix this and can't figure it out.
Any suggestions?
Thanks!
Logged
newsense
Hero Member
Posts: 1037
Karma: 77
Re: Predictable Session ID Vulnerability
«
Reply #1 on:
January 20, 2020, 04:58:20 pm »
The PCI assessor should provide all the needed guidance in the context of your organization.
THere isn't enough information here to work on, yet at first glance it appears to be unrelated to OPNsense.
Logged
pcplace
Newbie
Posts: 4
Karma: 0
Re: Predictable Session ID Vulnerability
«
Reply #2 on:
January 20, 2020, 05:29:49 pm »
Thanks for the info. The reason I say it is related to OPNsense is it only fails when the GUI is accessable. If I log into the shell and kill the lighttpd process that runs the GUI the scan passes.
I guess I could leave the GUI dead and do everything from the shell... Just thought it would be fixable.
Thanks!
Logged
banym
Sr. Member
Posts: 468
Karma: 31
Free Human Being, FreeBSD, Linux and Mac nerd
Re: Predictable Session ID Vulnerability
«
Reply #3 on:
January 20, 2020, 05:32:24 pm »
Do you have some more information about the tool and parameters used for the security scan in your network?
Logged
Twitter: banym
Mastodon: banym@bsd.network
Blog:
https://www.banym.de
fabian
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: Predictable Session ID Vulnerability
«
Reply #4 on:
January 20, 2020, 11:04:52 pm »
I do not know if you are talking about TLS session IDs, Cookies or something else but in any case, the session ID must be unique and not guessable so your check may provide some more information what is likely vulnerable and where we can work on.
Also maybe it is a defect in the RNG of PHP.
Logged
pcplace
Newbie
Posts: 4
Karma: 0
Re: Predictable Session ID Vulnerability
«
Reply #5 on:
January 20, 2020, 11:24:00 pm »
So while I am waiting to hear back from a support agent with our processor, I was able to print out a little more info. I have attached a picture of the info provided. As soon as I have any more info, I will post that as well.
Thanks!
Logged
AdSchellevis
Administrator
Hero Member
Posts: 907
Karma: 184
Re: Predictable Session ID Vulnerability
«
Reply #6 on:
January 21, 2020, 08:13:20 am »
It's not a session (validation) cookie, it's only used to check if your browser supports cookies:
https://github.com/opnsense/core/blob/57e8b9ddd0a26d27fbd68859d6c29b2ee2e1c2c8/src/etc/inc/authgui.inc#L301-L302
https://github.com/opnsense/core/blob/57e8b9ddd0a26d27fbd68859d6c29b2ee2e1c2c8/src/etc/inc/authgui.inc#L370
It wouldn't be a huge change to change this to some random value, just open a ticket here
https://github.com/opnsense/core/issues
Logged
fabian
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: Predictable Session ID Vulnerability
«
Reply #7 on:
January 21, 2020, 08:13:45 am »
From the description you got it is likely about the PHP session id cookie. In that case it is likely that this has to be brought upstream to the PHP project if it is not a false positive. At least I can try to reproduce. Are you using LibreSSL or OpenSSL?
Edit: sorry I did not read the report carefully enough. Ad is right - this is a non-functional cookie. It is just there to check if the browser supports cookies.
«
Last Edit: January 21, 2020, 08:17:28 am by fabian
»
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: Predictable Session ID Vulnerability
«
Reply #8 on:
January 21, 2020, 03:54:56 pm »
Randomize eventually sounds good, although with a name "cookie_test" and open source code at hand to look it up the issue is not a vulnerability at all, it would simply be labeled "bad practice".
Cheers,
Franco
Logged
pcplace
Newbie
Posts: 4
Karma: 0
Re: Predictable Session ID Vulnerability
«
Reply #9 on:
January 21, 2020, 04:17:35 pm »
Thanks for the reply!
This is not my area of expertise so I wasn't sure if "cookie_test" was a label from the scanner or the name of the actual cookie.
Thanks again for the replies. A very helpful community. Based on the answers given here I will ask for an "exception" on this false positive.
On that note should I still open a ticket at
https://github.com/opnsense/core/issues
as suggested by AdSchellevis in case this affects anyone else in the future?
Have a great day!
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: Predictable Session ID Vulnerability
«
Reply #10 on:
January 21, 2020, 04:20:21 pm »
Hi pcplace,
No worries. A ticket would certainly be nice.
Cheers,
Franco
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
19.7 Legacy Series
»
Predictable Session ID Vulnerability