Environment
NetIQ Access Manager 4.0
NetIQ Access Manager 4.0 Support Pack 1 HF 2 applied
NetIQ Access Manager 4.0 Admin Console server
NetIQ Access Manager 4.0 Identity Server
NetIQ Access Manager 4.0 SSLVPN server
CVE-2014-5216
Situation
The following URLs demonstrate reflected Cross-Site Scripting (XSS) flaws in the administration interface (Admin Console) and in the user-facing interfaces (Identity Server and SSL VPN) of Access Manager 4.0. In each case the value of one query parameter is reflected into the response page; <host> stands for the host name of the respective server.
// Admin Console Server
https://<host>:8443/nps/servlet/webacc?taskId=dev.Empty&merge=dm.GenericTask&location=/roma/jsp/admin/view/main.jss'%2balert+('xss')%2b'
https://<host>:8443/roma/jsp/debug/debug.jsp?xss=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E
https://<host>:8443//nps/servlet/webacc?taskId=debug.DumpAll&xss=%3Cimg%20src=%22/404%22%20onerror=%22alert+%28%27xss%27%29%22%3E
// Identity Server
https://<host>/nidp/jsp/x509err.jsp?error=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E
// SSLVPN Server
https://<host>/sslvpn/applet_agent.jsp?lang=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E
Resolution
Apply Access Manager 4.0.1 HF3. It addresses all of the above issues except the following two URLs:
# https://<host>:8443/roma/jsp/debug/debug.jsp?xss=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E
# https://<host>:8443//nps/servlet/webacc?taskId=debug.DumpAll&xss=%3Cimg%20src=%22/404%22%20onerror=%22alert+%28%27xss%27%29%22%3E
These two iManager URLs are only exploitable if an administrator is already logged in to the Admin Console when the URL is requested. As a best practice, the administrator of an Access Management solution should not browse other sites in the same browser that is used to manage the NAM setup. Although viewed as a lower-priority vulnerability, the NAM team nevertheless plans to fix it in the next release of the product (NAM 4.1).
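The following Python helpers are an added example and are not NetIQ code or part of the advisory. They cover two things a practitioner wants around the URLs listed in the Situation section and the partial fix described above: after applying 4.0.1 HF3, fetch each listed URL (with curl or a browser) and pass the response body to classify_reflection() to confirm the probe now comes back HTML-encoded rather than verbatim; and, for the two iManager URLs that remain open until NAM 4.1, scan access-log lines for requests to the listed endpoints whose reflected parameter carries markup or quote characters. The host name nam.example.com, the response bodies and the log lines are constructed for the example; only the paths, parameter names and payloads come from the advisory.

```python
"""Offline helpers for the CVE-2014-5216 reflected-XSS URLs (added example,
not NetIQ code). Host name, response bodies and log lines are constructed."""
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Endpoint -> parameter(s) the advisory shows being reflected into the page.
ADVISORY_ENDPOINTS = {
    "/nps/servlet/webacc": ("location", "xss"),
    "/roma/jsp/debug/debug.jsp": ("xss",),
    "/nidp/jsp/x509err.jsp": ("error",),
    "/sslvpn/applet_agent.jsp": ("lang",),
}

# The advisory URLs with <host> replaced by an assumed host name.
ADVISORY_URLS = [
    "https://nam.example.com:8443/nps/servlet/webacc?taskId=dev.Empty&merge=dm.GenericTask"
    "&location=/roma/jsp/admin/view/main.jss'%2balert+('xss')%2b'",
    "https://nam.example.com:8443/roma/jsp/debug/debug.jsp?xss=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E",
    "https://nam.example.com:8443//nps/servlet/webacc?taskId=debug.DumpAll"
    "&xss=%3Cimg%20src=%22/404%22%20onerror=%22alert+%28%27xss%27%29%22%3E",
    "https://nam.example.com/nidp/jsp/x509err.jsp?error=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E",
    "https://nam.example.com/sslvpn/applet_agent.jsp?lang=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E",
]

MARKUP = re.compile(r"""[<>"']""")
REQUEST_LINE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')


def reflected_params(target):
    """Map reflected parameter -> decoded value for a path[?query] target.

    Only the parameters listed in ADVISORY_ENDPOINTS for that path are kept;
    other endpoints yield {}. Doubled slashes (as in the third advisory URL)
    are collapsed so the path lookup still matches.
    """
    path, _, query = target.partition("?")
    path = re.sub(r"/{2,}", "/", path)
    wanted = ADVISORY_ENDPOINTS.get(path, ())
    return {k: v for k, v in parse_qsl(query, keep_blank_values=True) if k in wanted}


def payloads_from_url(url):
    """Same as reflected_params() for a full https:// URL."""
    parts = urlsplit(url)
    return reflected_params(parts.path + "?" + parts.query)


def classify_reflection(payload, body):
    """'live' if the payload is echoed verbatim, 'encoded' if echoed in a
    neutralised form, 'absent' if not echoed at all.

    Neutralised forms checked: HTML entity encoding (both common spellings
    of the apostrophe entity) and backslash-escaped quotes, which is the
    relevant fix for the JavaScript-string context of webacc's 'location'.
    """
    if payload in body:
        return "live"
    neutralised = (
        html.escape(payload),
        html.escape(payload).replace("&#x27;", "&#39;"),
        payload.replace("'", "\\'").replace('"', '\\"'),
    )
    return "encoded" if any(n in body for n in neutralised) else "absent"


def suspicious_requests(log_lines):
    """Return (line_no, path, param) for requests to an advisory endpoint whose
    reflected parameter contains markup or quote characters after decoding."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        target = m.group("target")
        for param, value in reflected_params(target).items():
            if MARKUP.search(value):
                hits.append((n, target.partition("?")[0], param))
    return hits


# Constructed x509err.jsp response bodies: one still vulnerable, one fixed.
VULNERABLE_BODY = "<html><body>Certificate error: <script>alert('xss')</script></body></html>"
FIXED_BODY = ("<html><body>Certificate error: "
              "&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;</body></html>")

# Constructed common-log-format lines; lines 1 and 3 are XSS probes.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2014:13:55:36 +0200] "GET /nidp/jsp/x509err.jsp?error=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E HTTP/1.1" 200 1423',
    '10.0.0.5 - - [10/Oct/2014:13:55:40 +0200] "GET /nidp/jsp/x509err.jsp?error=cert_expired HTTP/1.1" 200 1301',
    '10.0.0.9 - - [10/Oct/2014:13:56:02 +0200] "GET //nps/servlet/webacc?taskId=debug.DumpAll&xss=%3Cimg%20src=%22/404%22%20onerror=%22alert%281%29%22%3E HTTP/1.1" 200 5120',
    '10.0.0.9 - - [10/Oct/2014:13:56:10 +0200] "GET /nps/servlet/webacc?taskId=dev.Empty&merge=dm.GenericTask&location=/roma/jsp/admin/view/main.jss HTTP/1.1" 200 880',
]

if __name__ == "__main__":
    for url in ADVISORY_URLS:
        print(urlsplit(url).path, payloads_from_url(url))
    probe = payloads_from_url(ADVISORY_URLS[3])["error"]
    print("before fix:", classify_reflection(probe, VULNERABLE_BODY))
    print("after fix: ", classify_reflection(probe, FIXED_BODY))
    print("log hits:  ", suspicious_requests(SAMPLE_LOG))
```

Fetch the advisory URLs with an authenticated session when testing the two iManager URLs, since they only reflect for a logged-in administrator; an unauthenticated request returning 'absent' proves nothing about those two sinks.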
Additional Information
NetIQ thanks Wolfgang Ettlinger (discovery, analysis, coordination) from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/) for responsibly reporting the identified issues and working with us as we addressed them.