=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2008/VULN488
_____________________________________________________________________

DATE                      : 06/11/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Novell Access Manager version 3.

======================================================================
http://www.novell.com/support/viewContent.do?externalId=7001788
______________________________________________________________________

Security Vulnerability: Logged out users authenticated with X509
certificates can log back in without resending personal certificates
using the same browser window

This document (7001788) is provided subject to the disclaimer at the
end of this document.


Environment

Novell Access Manager 3 Linux Novell Identity Server
Novell Access Manager 3 Support Pack 4 applied
X509 authentication enabled on Identity Server
Problem common to Internet Explorer (IE) and Firefox browsers
Client certificates sent from browser to Identity Server


Situation
When a user authenticates using the standard Novell X509 authentication
class using a certificate that is stored on a smartcard or within the
browser certificate store, and the certificate validation process is
successful, the user will see the target page on the browser. When
the user is done and needs to logout of Access Manager, they will
hit the logout link (/AGLogout on the Access Gateway or /nidp/app/plogout
on the Identity Server) and get a message indicating that the user has
been successfully logged out.

As long as the browser is not closed (user can even remove smartcard
containing X509 certificate!), and the session timeouts have not
expired, another user can come and take over the previous users
session without being prompted to login again.

Resolution
Make sure that the browser is closed after logging out of the Identity
Server or Access Manager environment. This process can be automated
using javascript within the logoutSuccess.jsp page. When a user logs
out of Access Manager, the logout.jsp page is initially executed,
followed by the logoutSuccess.jsp page assuming the logout request
is successful. By injecting the following javascript into the
logoutSuccess.jsp page, the user will be prompted to close the the
browser:

<script type="text/javascript">
        window.close();
</script>

You can add a warning here so that users recognise the importance of
closing the browser. There are other options to force the Window to close.

Another possible solution is to clear out the SSL cache on the browser
after logout. This can be done by going to Internet Options -> Content
-> Clear SSL State on IE for example.


Additional Information

The real issue here is twofold:

1. the browser, in the above case, does not do a full but partial
SSL handshake. The client hello that is sent on the subsequent request
after the user logs out includes an SSL sessionID, which the server
still has reference to in it's cache. By closing the browser and
reopening it, the SSL client hello will include an SSL sessionID
on 0 and a full handshake will be performed with the SSL server.

2. the tomcat SSL server does not clear the cached entry upon
logout of the Identity Server. There is a feature request to
include this in future tomcat builds but so far it has not been
made available (Apache has this option to clear the SSL state).
The defect number for tracking purposes is available at
https://issues.apache.org/bugzilla/show_bug.cgi?id=44285. When this
is available, the Identity Server can interface into Tomcat's SSL
cache and reset the session upon logout. The SSL key regeneration
requirement is sent out by the server who initiates the Mutual SSL
session (the Identity Server in our case) but as we interface into
Tomcat and Tomcat does not provide the option to set this Mutual
SSL key regeneration timer, we have to use the workarounds above.


Document
Document ID:	7001788
Creation Date:	11-04-2008
Modified Date:	11-05-2008
Novell Product:	Access Manager
Disclaimer

The Origin of this information may be internal or external to
Novell. Novell makes all reasonable efforts to verify this
information. However, the information provided in this document
is for your information only. Novell makes no explicit or implied
claims to the validity of this information.
Any trademarks referenced in this document are the property of their
respective owners. Consult your product manuals for complete
trademark information.

======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================