From Apache Server 2.4 UNIX Server Security Technical Implementation Guide
Part of SRG-APP-000224-WSR-000139
Associated with: CCI-001188
Generating a session identifier (ID) that cannot easily be guessed or brute-forced is essential to deter several types of session attack. An attacker who knows the session ID can hijack a user session that the hosted application has already authenticated; the attacker then has no need to guess a user identifier and password or to possess an authentication token, since the session is already authenticated.
Review the web server documentation and deployed configuration to verify that the web server is generating random session IDs with entropy equal to at least half the session ID length.

First ensure that SSL is enabled:

httpd2 -M | grep ssl

If the above command returns "ssl_module", then the SSL module is enabled in the running Apache service.

Check for the random seed used to generate session IDs:

grep SSLRandomSeed /etc/apache2/ssl-global.conf

The above command should return two lines:

SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512

The above lines ensure that the SSL module is using a proper entropy source. This should be the only entropy source enabled: any other uncommented SSLRandomSeed line (for example the stock "SSLRandomSeed startup builtin", which seeds from the time, process ID and stack contents) is a finding.

Note that the "httpd2" binary name and the /etc/apache2/ssl-global.conf path are the SUSE layout; on other distributions the control binary is apachectl or httpd and the SSLRandomSeed directives live in the SSL module configuration file, so grep the whole configuration tree if the file above does not exist. SSLRandomSeed seeds the OpenSSL pseudo-random number generator used by mod_ssl, so it governs the TLS session IDs mod_ssl issues; session cookies generated by a hosted application are produced by that application and must be reviewed separately.

If the web server is not configured to generate random session IDs with the proper entropy, or the size of the entropy seed is too small, this is a finding.
Configure the web server to generate random session IDs with minimum entropy equal to half the session ID length.

First ensure that SSL is enabled:

httpd2 -M | grep ssl

If the above command returns "ssl_module", then the SSL module is enabled in the running Apache service.

Edit the file "/etc/apache2/ssl-global.conf" (or, on other distributions, the SSL module configuration file that carries the SSLRandomSeed directives). Configure the entropy section of the file with the following values:

SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512

Turn off any other values for SSLRandomSeed by putting a # sign in front of them. Example:

#SSLRandomSeed builtin

Restart Apache:

apachectl restart
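The check and fix above are manual. The script below is an added example, not part of the STIG or of the Apache project: it audits a configuration file's SSLRandomSeed directives the way the Check text describes, flagging any active line whose source is not file:/dev/urandom, whose byte count is missing or below the required size, or a missing startup or connect context. It goes slightly beyond the text by treating directive names case-insensitively and by counting a missing byte count as a finding (without a count, mod_ssl reads the whole source). The function names, the optional minimum-size argument, the fallback list of Apache control binaries, and the two sample configuration files are this example's own assumptions; the samples are constructed, not taken from any real host.

```shell
#!/bin/sh
# Added example, not part of the STIG: audit SSLRandomSeed directives in an
# Apache configuration file. Assumes POSIX sh with awk and grep; the function
# names and the sample configuration files below are this example's own.

# ssl_module_loaded
# Equivalent of the STIG's "httpd2 -M | grep ssl", trying the control binary
# names used by common distributions (httpd2 is the SUSE name). Returns 0 if
# ssl_module is loaded, 1 if not, 2 if no Apache binary is found.
ssl_module_loaded() {
    for bin in httpd2 apachectl apache2ctl httpd; do
        if command -v "$bin" >/dev/null 2>&1; then
            if "$bin" -M 2>/dev/null | grep -q '^ *ssl_module'; then
                return 0
            fi
            return 1
        fi
    done
    echo "no Apache control binary found in PATH" >&2
    return 2
}

# audit_sslrandomseed FILE [MIN_BYTES]
# Returns 0 when every active (uncommented) SSLRandomSeed line reads from
# file:/dev/urandom with at least MIN_BYTES (default 512) and both the
# "startup" and "connect" contexts are present; otherwise prints one
# FINDING line per problem and returns 1.
audit_sslrandomseed() {
    file=$1
    min=${2:-512}
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 1
    fi
    awk -v min="$min" '
        { sub(/#.*/, "") }                      # drop commented-out directives
        tolower($1) != "sslrandomseed" { next } # directive names are case-insensitive
        {
            ctx = tolower($2); src = $3
            bytes = ($4 == "") ? 0 : $4 + 0     # no byte count: mod_ssl reads the whole source
            if (ctx == "startup") seen_startup = 1
            if (ctx == "connect") seen_connect = 1
            if (src != "file:/dev/urandom") {
                printf "FINDING: seed source is not file:/dev/urandom: %s\n", $0; bad = 1
            } else if (bytes < min) {
                printf "FINDING: seed size %d below %d bytes: %s\n", bytes, min, $0; bad = 1
            }
        }
        END {
            if (!seen_startup) { print "FINDING: no active SSLRandomSeed startup line"; bad = 1 }
            if (!seen_connect) { print "FINDING: no active SSLRandomSeed connect line"; bad = 1 }
            if (bad) exit 1
            exit 0
        }
    ' "$file"
}

# Constructed sample configurations (not taken from any real host).
# write_sample_weak FILE: stock "builtin" seeding plus an undersized urandom read.
write_sample_weak() {
    cat > "$1" <<'EOF'
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLRandomSeed startup file:/dev/urandom 256
EOF
}

# write_sample_fixed FILE: the configuration the Fix text prescribes.
write_sample_fixed() {
    cat > "$1" <<'EOF'
#SSLRandomSeed startup builtin
#SSLRandomSeed connect builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect file:/dev/urandom 512
EOF
}

# With no argument, audit the two constructed samples; with one, audit that file.
if [ $# -gt 0 ]; then
    audit_sslrandomseed "$@"
else
    d=$(mktemp -d)
    write_sample_weak "$d/weak.conf"
    write_sample_fixed "$d/fixed.conf"
    for f in "$d/weak.conf" "$d/fixed.conf"; do
        if audit_sslrandomseed "$f"; then
            echo "$f: compliant"
        else
            echo "$f: FINDING"
        fi
    done
    rm -rf "$d"
fi
```

Run it as "sh audit_sslrandomseed.sh /etc/apache2/ssl-global.conf" (or whatever file holds the directives on the host) after confirming with ssl_module_loaded that mod_ssl is actually in use; a non-zero exit with FINDING lines is exactly the condition the Check text calls a finding.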