Cisco Umbrella Dashboard Session Expiration Issue

Available Languages

Updated:March 16, 2018
Document ID:1521217289804438

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Cisco Security Advisory

Cisco Umbrella Dashboard Session Expiration Issue

Informational
Advisory ID:
cisco-sa-20180316-umb
First Published:
2018 March 16 16:00 GMT
Version 1.0:
Final
Workarounds:
No workarounds available
Cisco Bug IDs:
CSCvi10813
CWE-284
CWE-284

Summary

  • Cisco Umbrella uses the internet infrastructure to block connections to malicious destinations before any connections to those destinations can be established. Cisco Umbrella also provides visibility into internet activity across all devices and all ports, even when users are no longer connected to the corporate network. Cisco Umbrella is configured and managed by using a browser-based interface, the Cisco Umbrella Dashboard.

    On March 14, 2018, the Cisco Umbrella Dashboard was updated to enforce new default session timeout values that impact idle and absolute timeouts for all Cisco Umbrella Dashboard sessions. The session timeout values were changed in response to a report by an external researcher who was concerned about session-timer exploitation. Additionally, these changes better align with OWASP recommendations. The new values impact idle and absolute timeouts for all Cisco Umbrella Dashboard sessions.

    Additional Information

    The new timeout values for all Cisco Umbrella Dashboard sessions have been set to the following:

    • Idle timeout: 20 minutes
    • Absolute timeout: 16 hours

    Additional information is available on the Cisco Umbrella Announcements page at https://support.umbrella.com/hc/en-us/articles/360000384363.

    Cisco Security Procedures

    Complete information about reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available from the Cisco Security Vulnerability Policy. This includes instructions for press inquiries regarding Cisco security incidents. All Cisco Security Advisories are available from https://www.cisco.com/go/psirt.

Source

  • Cisco would like to thank George Delaportas for reporting this vulnerability.

Cisco Security Vulnerability Policy

  • To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

URL

Revision History

  • Version Description Section Status Date
    1.0 Initial public release. Final 2018-March-16
    Show Less

Cisco Security Vulnerability Policy

  • To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Subscribe to Cisco Security Notifications