t oo created RANGER-2366:
----------------------------
Summary: [security] Admin webui - simultaneous logins
Key: RANGER-2366
URL: https://issues.apache.org/jira/browse/RANGER-2366
Project: Ranger
Issue Type: Bug
Components: admin, Ranger
Affects Versions: 1.0.0
Reporter: t oo
The application supports concurrent sessions, enabling an attacker who has
compromised another user's credentials to make use of them without risk of
detection. Allowing simultaneous logins without any notifications/updates can
allow an attacker to access a user's account undetected by the latter. Having
no notifications that a user is logged in to another location and that the
system accepts multiple logins prevents a user from taking necessary steps to
address the issue.
The application was found to allow multiple simultaneous logins using a single
user account. When a user account is used to log in from multiple locations,
neither the currently logged-in user nor the new user is informed of this
event. This has been verified by accessing the application via two machines
using the same credentials.
Business Impact/Attack Scenario
In the scenario that a genuine user's credentials are stolen, an attacker can
use the user's account and access information within the application.
Probability of detection of this unauthorised access is reduced as the user is
not informed during login when the account was last accessed or if there were
any invalid login attempts made in the recent past.
Recommendation
Enforce validation in the application to allow only one login per user ID at a
time, or display 'Last Logged In' and 'Failed Login Attempt' information during
the login process so that users can be alerted in case of any unauthorized
access of their accounts. Consider invalidating current user sessions
server-side upon subsequent user login. Notification can also be made to the
terminated session along with pertinent information such as the IP address of
the new session holder as well as contact information for the site's security
administration.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
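The recommendation above combines three server-side controls: invalidate a user's existing sessions when that user logs in again, tell the displaced session who displaced it, and show the user their previous login time/source and the number of failed attempts since. The following is an added, self-contained model of that policy; it is not Ranger code and not part of the original report. The in-memory session registry, the pbkdf2 password storage, the SECURITY_CONTACT string and the IP addresses are all constructed for the example. In a Spring Security application such as Ranger Admin the first control maps to session concurrency control (one maximum session per principal with HttpSessionEventPublisher registered so that logouts are noticed), but the notices still have to be built from your own audit data, which is what this example shows.

```python
"""Single-session-per-user policy with login notices (constructed example)."""
from __future__ import annotations

import hashlib
import os
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

SECURITY_CONTACT = "security@example.org"  # assumed contact for the notice


@dataclass
class Session:
    token: str
    user: str
    ip: str
    created: float
    # IP of the later login that displaced this session; None while it is live
    expired_by: Optional[str] = None


@dataclass
class UserRecord:
    salt: bytes
    pw_hash: bytes
    last_login: Optional[tuple[float, str]] = None  # (timestamp, ip) of previous login
    failed_since_last_login: int = 0


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    """Server-side registry enforcing one live session per user."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: dict[str, Session] = {}
        self._users: dict[str, UserRecord] = {}

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[name] = UserRecord(salt=salt, pw_hash=_hash(password, salt))

    def login(self, user: str, password: str, ip: str) -> dict:
        rec = self._users.get(user)
        if rec is None or not secrets.compare_digest(rec.pw_hash, _hash(password, rec.salt)):
            if rec is not None:
                rec.failed_since_last_login += 1  # surfaced at the next successful login
            return {"ok": False}
        # Displace every live session for this user and remember who displaced it,
        # so the terminated session can be told on its next request.
        for s in self._sessions.values():
            if s.user == user and s.expired_by is None:
                s.expired_by = ip
        now = self._clock()
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(token, user, ip, now)
        notice = {
            "ok": True,
            "token": token,
            "last_login": rec.last_login,  # shown to the user on the login page
            "failed_attempts_since_last_login": rec.failed_since_last_login,
        }
        rec.last_login = (now, ip)
        rec.failed_since_last_login = 0
        return notice

    def authorize(self, token: str) -> dict:
        """Check a request's session token; report displacement exactly once."""
        s = self._sessions.get(token)
        if s is None:
            return {"ok": False, "reason": "unknown session"}
        if s.expired_by is not None:
            del self._sessions[token]  # drop the dead session server-side
            return {
                "ok": False,
                "reason": "session terminated by a newer login",
                "new_session_ip": s.expired_by,
                "contact": SECURITY_CONTACT,
            }
        return {"ok": True, "user": s.user}


if __name__ == "__main__":
    store = SessionStore()
    store.add_user("alice", "correct horse battery staple")
    store.login("alice", "guess", "10.0.0.5")  # one failed attempt
    victim = store.login("alice", "correct horse battery staple", "10.0.0.5")
    print("victim sees:", victim["failed_attempts_since_last_login"], "failed attempt(s)")
    intruder = store.login("alice", "correct horse battery staple", "198.51.100.7")
    print("intruder login page shows last login from", intruder["last_login"][1])
    print("victim's next request:", store.authorize(victim["token"]))
```

The displacement notice is delivered on the terminated session's next request rather than by push, which is enough for a web UI: the legitimate user's next click lands on a message naming the new session's IP and the security contact, and the login page itself reveals to whoever logs in where and when the account was last used and how many bad passwords were tried since.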