CVE-2008-6722 in Access Manager
Summary
by MITRE
Novell Access Manager 3 SP4 does not properly expire X.509 certificate sessions, which allows physically proximate attackers to obtain a logged-in session by using a victim's web-browser process that continues to send the original and valid SSL sessionID, related to inability of Apache Tomcat to clear entries from its SSL cache.
Analysis
by VulDB Data Team • 12/14/2017
This vulnerability affects Novell Access Manager 3 Service Pack 4 and stems from improper session management within the SSL/TLS implementation. The flaw occurs when X.509 certificate sessions fail to expire correctly, allowing attackers who are physically proximate to a victim to maintain access to authenticated sessions. The vulnerability specifically relates to Apache Tomcat's inability to properly clear entries from its SSL session cache, creating a persistent authentication state that can be exploited. This represents a significant security weakness in session lifecycle management where the system fails to properly terminate SSL sessions even after the intended expiration time has passed. The vulnerability is classified under CWE-200, which deals with information exposure, and falls within the broader category of improper session handling as defined by CWE-613. From an operational perspective, this vulnerability enables what is known as session hijacking or session fixation attacks, where an attacker can leverage a legitimate SSL session to gain unauthorized access to resources.
The technical mechanism behind this vulnerability involves the SSL session cache maintained by Apache Tomcat, which stores session identifiers and associated cryptographic information for performance optimization. When a user authenticates through Novell Access Manager, a session is established and cached within Tomcat's memory structures. The system fails to properly invalidate these cached entries when sessions should expire, allowing the cached session to remain active even after the intended authentication period. This occurs because the SSL session cache cleanup mechanisms are not functioning correctly, leaving stale session identifiers available for reuse. The vulnerability is particularly concerning because it requires minimal physical proximity to exploit, making it a significant risk in environments where attackers might gain access to a victim's device or network traffic. The attack vector is classified as local network access, which aligns with ATT&CK technique T1566.001 for credential access through phishing and social engineering, though the specific exploitation requires physical proximity rather than remote network access.
The operational impact of this vulnerability extends beyond simple unauthorized access to potentially enabling more sophisticated attacks within the compromised session. An attacker with access to a cached SSL session can perform actions as the authenticated user, potentially accessing sensitive data, modifying system configurations, or conducting transactions within the application. This vulnerability directly impacts the principle of least privilege and can lead to privilege escalation if the authenticated user has elevated permissions. Organizations using Novell Access Manager 3 SP4 are particularly vulnerable because the application relies heavily on SSL session management for authentication continuity, and the underlying Tomcat implementation fails to properly manage session lifecycle events. The vulnerability can persist for extended periods, potentially allowing attackers to maintain access for hours or days, depending on how long the cached sessions remain valid. Security controls that depend on session expiration for access management become ineffective, creating a false sense of security for administrators who assume that session timeouts are properly enforced. This issue can be particularly problematic in shared or public computing environments where multiple users access the same systems, as it can enable attackers to leverage sessions from previous users who have not properly logged out.
Mitigation strategies for this vulnerability should focus on both immediate remediation and long-term architectural improvements. The most direct approach involves applying the vendor-provided security patches or updates that address the SSL session cache clearing mechanisms within Apache Tomcat. Organizations should also implement additional monitoring to detect anomalous session behavior, including unexpected session reuse or sessions that persist beyond expected timeframes. Network-level controls such as implementing session timeout policies, enforcing strict SSL/TLS protocol versions, and disabling insecure cipher suites can help reduce the attack surface. System administrators should consider implementing more robust session management policies, including mandatory session expiration intervals and automatic session invalidation upon user logout. The implementation of additional authentication factors such as multi-factor authentication can provide defense-in-depth against session hijacking attacks. Organizations should also consider deploying network segmentation and access controls to limit the scope of potential exploitation. From a compliance perspective, this vulnerability would likely fail to meet security standards such as those defined in ISO/IEC 27001, which requires proper session management and access control mechanisms. Regular security assessments and penetration testing should include specific checks for SSL session cache vulnerabilities to ensure that session management is properly enforced throughout the application stack.
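The monitoring recommended above (unexpected session reuse, and sessions that persist beyond expected timeframes) can be expressed as a check over authentication logs. This is an added example, not code from Novell, Apache Tomcat or VulDB; the log format, the event names and the 8-hour lifetime are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical format (not Access Manager or
# Tomcat output): ISO timestamp, TLS session ID, authenticated user, event.
SAMPLE_LOG = """\
2009-04-01T09:00:00 a1f3 alice login
2009-04-01T09:10:00 a1f3 alice request
2009-04-01T09:20:00 a1f3 alice logout
2009-04-01T09:45:00 a1f3 alice request
2009-04-01T09:05:00 b7c2 bob login
2009-04-01T09:30:00 b7c2 bob request
2009-04-01T18:30:00 b7c2 bob request
2009-04-01T10:00:00 c9d4 carol login
2009-04-01T10:15:00 c9d4 carol logout
"""

MAX_LIFETIME = timedelta(hours=8)  # assumed policy value, set to your own


def find_stale_session_use(log_text, max_lifetime=MAX_LIFETIME):
    """Flag records where a TLS session ID is still honoured after logout
    or beyond the maximum lifetime measured from its first appearance."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of guessing at fields
        ts, sid, user, event = parts
        records.append((datetime.fromisoformat(ts), sid, user, event))

    first_seen, logged_out, findings = {}, set(), []
    # Records from several front ends may interleave, so order by time.
    for ts, sid, user, event in sorted(records):
        first_seen.setdefault(sid, ts)
        if event == "logout":
            logged_out.add(sid)
            continue
        if sid in logged_out:
            reason = "used after logout"
        elif ts - first_seen[sid] > max_lifetime:
            reason = "exceeded max lifetime"
        else:
            continue
        findings.append((ts.isoformat(), sid, user, reason))
    return findings


if __name__ == "__main__":
    for finding in find_stale_session_use(SAMPLE_LOG):
        print(*finding)
```

A session ID that appears in the findings is one the server kept accepting when it should have forced a fresh handshake and certificate check, which is the condition this CVE describes.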