NetTalk Central

Author Topic: Security analysis vulnerability reported  (Read 7855 times)

GordonF

  • Jr. Member
  • **
  • Posts: 94
    • View Profile
Security analysis vulnerability reported
« on: September 30, 2021, 03:12:58 AM »
Hi,

One of our customers has run a security analysis on their system and has reported that there is a significant vulnerability with regard to our Nettalk WebServer application. The analysis was performed by Barclays Bank for their ongoing PCIDSS Compliance of card payment machines on the LAN. It appears to me in my limited knowledge that the Session ID is what they are highlighting, but beyond that I'm lost.

Does anyone have any suggestions, comments or advice about what we can do about this or what we can reply with? I would be most grateful if anyone has anything to share.

I have pasted part of their email below:


"

THREAT:
The scanner found a Web application on the target that uses cookies. The application seems to use cookies (likely, session IDs) in an insecure way. Specifically, the
scanner created a web session with the target using a session ID specified by the scanner itself. The target application simply started a new session with this specified
session ID. This issue is generally called "session-fixation" and is vulnerable to session-hijacking attacks.
One scenario where this could be used to hijack an unsuspecting user's Web session is as follows. Assuming an online store, www.examplestore.com, has this security
issue. If an attacker uses social engineering techniques to make a target user click on a link (in an email or on a malicious Web site) like http://www.examplestore.com/?
PHPSESSID=12345, where PHPSESSID is the cookie used for identifying the session, the store will start a new session for the unsuspecting user with the session ID
12345. Then, since the attacker knows the session ID already, the attacker can simply hijack the session moments after the user has visited the store.

IMPACT:
By exploiting this vulnerability, an attacker could use the hijacked session for information gathering, invasion of privacy, property theft, or credit-card theft.
For more information about the way session-fixation attacks can be performed and the possible consequences of such attacks, read this paper.

SOLUTION:
This is a common issue web-developers come across, and many application-specific solutions exist.
The PHP package itself provides a "php.ini" based global configuration option called "session.use_only_cookies" (introduced in PHP Version 4.3.0). This is disabled by
default for backward compatibility. When enabled, this allows PHP session IDs to be set only via HTTP cookies. This makes GET/POST based hijack attacks possible
only when there is significant activity by an unsuspecting user.
For more information, read the Sessions and Security description provided on PHP's Web site.

For solutions in other web packages, check the relevant documentation.

RESULT:
GET /?SESSIONID=0123456789abcdef0123456789abcdef HTTP/1.0
Host: 77-44-120-131.xdsl.murphx.net
HTTP/1.1 200 OK
Date: Thu, 16 Sep 2021 15:53:57 GMT
Expires: Wed, 16 Sep 2020 15:53:57 GMT
Content-Length: 2577
Content-Type: text/html
Cache-Control: no-store, no-cache, must-revalidate, private,post-check=0, pre-check=0, max-age=0
Pragma: no-cache
Set-Cookie: SESSIONID=0123456789abcdef0123456789abcdef; path=/; secure; HttpOnly; SameSite=Strict
Connection: close
Access-Control-Allow-Origin: *
X-Frame-Options: sameorigin
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Xss-Protection: 1; mode=block
<!DOCTYPE html><html class=" nt-html no-js">
<head>
<title>EDGE Anywhere</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="viewport" content="initial-scale=1">
<link href="/themes/base/theme.css?c=12.17" rel="stylesheet" />
<link href="/redactor/redactor.min.css?c=12.17" rel="stylesheet" />
<script src="/scripts/all.js?c=12.17" type="text/javascript"></script>
<script src="/redactor/redactor.min.js?c=12.17" type="text/javascript"></script>
</head>
<body class=" PageBody">
<div id="body_div" class=" PageBodyDiv">
...... rest of page

"

Vinnie

  • Full Member
  • ***
  • Posts: 183
    • View Profile
    • Email
Re: Security analysis vulnerability reported
« Reply #1 on: September 30, 2021, 05:07:08 AM »
If session was able to start in that way the session would not be logged in.
If server is set Change Session ID on Log in / Out the session ID changes


Just my Limited knowledge of this but I am interested in other answers.

GordonF

  • Jr. Member
  • **
  • Posts: 94
    • View Profile
Re: Security analysis vulnerability reported
« Reply #2 on: September 30, 2021, 05:55:28 AM »
Hi Vinnie,

Thank you for the reply, I do have Change Session ID on log In/Out ticked and also delete session on logout. However, I'm unsure whether this helps with session fixation attacks, please forgive my ignorance.

Gordon

Vinnie

  • Full Member
  • ***
  • Posts: 183
    • View Profile
    • Email
Re: Security analysis vulnerability reported
« Reply #3 on: September 30, 2021, 06:00:01 AM »
Hi Gordon.

I am unsure also but if Session needs to be logged in to do anything I guess you are OK.
I suspect Bruce will have the correct answer. Maybe ask at Webineir this afternoon. 

GordonF

  • Jr. Member
  • **
  • Posts: 94
    • View Profile
Re: Security analysis vulnerability reported
« Reply #4 on: September 30, 2021, 06:27:45 AM »
Thanks, I wish I could but I take care of my grandchildren for several hours on a Thursday afternoon so it is almost impossible.

Matthew51

  • Full Member
  • ***
  • Posts: 152
    • View Profile
    • Email
Re: Security analysis vulnerability reported
« Reply #5 on: September 30, 2021, 01:13:11 PM »
Another option is to turn on "Bind Session to IP Address" in your server settings. This could adversely affect legitimate users who frequently change ip address (ie redundant IPS, and maybe vpn users.)

The security report will likely still show the threat, even if it is much harder to exploit.
Contractor with 10+ years of NetTalk experience looking for work.
www.linkedin.com/in/matthew-leavitt
BisWare.ca
Check out my free EasyTime Template

Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11250
    • View Profile
Re: Security analysis vulnerability reported
« Reply #6 on: October 01, 2021, 04:15:39 AM »
Hi Gordon,

so, let's start at the beginning.
They are noting that a session can be initiated via a URL parameter, and that the server will indeed use this session ID if it does not exist on the server.

They note that this can lead to a session-fixation attack. (which would be bad). While explaining the attack is complicated, it relies on giving the user a sessionID, then getting the user to log in, then since the attacker knows the SessionID they are effectively logged in as well.

NetTalk mitigates this with the "Change Session ID on log In/Out" switch (which is on by default).
By changing the session ID when the logged in status changes, the session-fixation becomes meaningless. the user logs in, the sessionID for the valid user changes, but the attacker now only knows the old ID which is meaningless.

So, from a security perspective you are ok. In the sense that your current users are not at risk, and no data has been leaked. (In other words this attack has not, and cannot succeed.)

However from the perspective of the Penetration Test there is work to do. It is easier to simply tweak the server to make the testing program happy, than it is to explain to the client that the report is normally true, but not true for your server.

It seems they are specifically objecting to the sessionID in the URL - which is fair. It's possible to perform the same attack, even if the session is in a cookie, but it is a lot harder to pull off. (and still meaningless because of the mitigation mentioned above.)

In your app you can tweak netweb.clw to prevent the URL being tested for the sessionID.
search for the _FindSessionID method, then look for the line
  if not done and not (self.WholeURL &= Null)
tweak this line to read
  if not done and not (self.WholeURL &= Null) and false

For the next build I'll add a property you can set to determine where the SessionID can be. I'll default it to the cookie only, but there may be cases where you want / need the session ID to be passed either on the URL or in POST data.

Cheers
Bruce


GordonF

  • Jr. Member
  • **
  • Posts: 94
    • View Profile
Re: Security analysis vulnerability reported
« Reply #7 on: October 05, 2021, 06:19:02 AM »
Hi Bruce,

Thank you for the clear explanation and help in resolving the issue, I'll make the change you suggest.

Gordon