Session Fixation Vulnerability in ZCC

  • 7012808
  • 09-Jul-2013
  • 10-Jan-2014

Environment

Novell ZENworks Configuration Management 11.2.3

Situation

It was possible to steal or manipulate a customer's session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records and to perform transactions as that user.

Resolution

This is fixed in version 11.2.4 - see KB 7012027 "ZENworks Configuration Management 11.2.4 - update information and list of fixes", which can be found at http://support.microfocus.com/kb/doc.php?id=7012027

Fixed by adding code to regenerate the session id on every login to ZCC.

Cause

Root cause: The session id was generated only at the ZCC login page and was not regenerated after the initial login, leaving a window in which someone could reuse the already logged-in session.
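The cause and the resolution above, as an added example that is not ZCC's own code: a constructed in-memory session store with the login handler in the vulnerable form, which keeps the pre-login session id, beside the fixed form, which issues a fresh id and invalidates the old one. The `fixation_check` helper (an assumed name) reports whether an id known before login still resolves to the user afterwards.

```python
import secrets
from dataclasses import dataclass, field


# Constructed in-memory session store standing in for a web application's
# session manager (assumption: not ZCC's implementation).
@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)  # session id -> attributes

    def new_session(self) -> str:
        """Issue an unauthenticated session id, as a login page does on first visit."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, sid: str, user: str) -> str:
        """Authenticate but keep the pre-login id: the window described under Cause."""
        attrs = self.sessions.setdefault(sid, {"user": None})
        attrs["user"] = user
        return sid

    def login_fixed(self, sid: str, user: str) -> str:
        """Authenticate and rotate the id: the old id is invalidated, a fresh one issued."""
        attrs = self.sessions.pop(sid, {"user": None})  # invalidate the pre-login id
        new_sid = secrets.token_urlsafe(32)              # unpredictable replacement
        attrs["user"] = user
        self.sessions[new_sid] = attrs
        return new_sid

    def user_for(self, sid: str):
        """User a cookie value resolves to; None if unknown or not authenticated."""
        return self.sessions.get(sid, {}).get("user")


def fixation_check(login) -> bool:
    """True if an id known before login still resolves to the user after login."""
    store = SessionStore()
    pre_login_sid = store.new_session()  # value that was exposed before authentication
    login(store, pre_login_sid, "alice")
    return store.user_for(pre_login_sid) == "alice"


if __name__ == "__main__":
    print("vulnerable login fixable:", fixation_check(SessionStore.login_vulnerable))
    print("fixed login fixable:     ", fixation_check(SessionStore.login_fixed))
```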

Status

Security Alert

Additional Information

Assigned CVE-2013-6347.