Cross-Site Request Forgery script can be used to change the Admin Console logged-in user's password via URL - CVE-2014-5217

  • 7015997
  • 15-Dec-2014
  • 17-Dec-2014

Environment

NetIQ Access Manager 4.0
NetIQ Access Manager 4.0 Support Pack 1 HF2 applied
NetIQ Access Manager 4.0 Admin Console
CVE-2014-5217

Situation

An attacker is able to change the administration password to '12345' by issuing a GET request in the context of an authenticated administrator:

https://<host>:8443/nps/servlet/webacc?taskId=fw.SetPassword&nextState=doSetPassword&merge=dev.GenConf&selectedObject=P%3Aadmin.novellP&single=admin.novell&SetPswdNewPassword=12345&SetPswdVerifyPassword=12345
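The following detection script is an added example and is not part of the NetIQ TID. It parses combined-format access log lines (constructed here, not taken from any real system) from the Admin Console's web tier and flags requests to the webacc servlet's fw.SetPassword task that carry the new password in the URL query string, arrive as GET, or come with a Referer that is missing or not the Admin Console itself. The console hostname nam-admin.example.com and all log lines are assumptions made for the example.

```python
"""Added detection example: flags Admin Console password-change requests that
match the CVE-2014-5217 CSRF pattern in a combined-format access log.
Not code from the NetIQ TID; the log lines and the console hostname below
are constructed for the example."""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed hostname of the NAM Admin Console (not from the advisory).
ADMIN_CONSOLE_HOST = "nam-admin.example.com"

# Combined log format:
# client ident user [time] "method target protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: a normal console page load, a form submission that
# keeps the credentials out of the URL, and two requests shaped like the
# advisory's URL (one with a third-party Referer, one with none).
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Dec/2014:10:00:00 +0100] "GET /nps/servlet/webacc?taskId=fw.Startup HTTP/1.1" '
    '200 1234 "https://nam-admin.example.com/nps/servlet/webacc" "Mozilla/5.0"',
    '10.0.0.5 - - [15/Dec/2014:10:01:00 +0100] "POST /nps/servlet/webacc?taskId=fw.SetPassword&nextState=doSetPassword HTTP/1.1" '
    '302 0 "https://nam-admin.example.com/nps/servlet/webacc" "Mozilla/5.0"',
    '10.0.0.5 - - [15/Dec/2014:10:02:00 +0100] "GET /nps/servlet/webacc?taskId=fw.SetPassword&nextState=doSetPassword'
    '&merge=dev.GenConf&selectedObject=P%3Aadmin.novellP&single=admin.novell'
    '&SetPswdNewPassword=12345&SetPswdVerifyPassword=12345 HTTP/1.1" '
    '302 0 "https://third-party.example/page.html" "Mozilla/5.0"',
    '10.0.0.5 - - [15/Dec/2014:10:03:00 +0100] "GET /nps/servlet/webacc?taskId=fw.SetPassword&nextState=doSetPassword'
    '&SetPswdNewPassword=12345&SetPswdVerifyPassword=12345 HTTP/1.1" '
    '302 0 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_set_password_task(target):
    """True when the request target is the webacc servlet's fw.SetPassword task."""
    parts = urlsplit(target)
    if not parts.path.endswith("/nps/servlet/webacc"):
        return False
    return parse_qs(parts.query).get("taskId") == ["fw.SetPassword"]


def referer_is_foreign(referer):
    """True when the Referer is missing or names a host other than the Admin Console."""
    if referer in ("", "-"):
        return True  # no Referer: the origin of the request cannot be confirmed
    host = (urlsplit(referer).hostname or "").lower()
    return host != ADMIN_CONSOLE_HOST


def classify(line):
    """Return a finding dict for a fw.SetPassword request, or None for other lines."""
    rec = parse_line(line)
    if rec is None or not is_set_password_task(rec["target"]):
        return None
    query = parse_qs(urlsplit(rec["target"]).query)
    reasons = []
    if "SetPswdNewPassword" in query:
        # The new password travels in the URL, as in the advisory's GET request.
        reasons.append("password change parameters in URL query string")
    if rec["method"] == "GET":
        reasons.append("state-changing task requested with GET")
    if referer_is_foreign(rec["referer"]):
        reasons.append("Referer not from Admin Console: %s" % rec["referer"])
    return {"client": rec["client"], "time": rec["time"],
            "status": rec["status"], "reasons": reasons}


def find_suspicious(lines):
    """Return findings that carry at least one reason, in log order."""
    return [f for f in (classify(l) for l in lines) if f and f["reasons"]]


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f["time"], f["client"], f["status"], "; ".join(f["reasons"]))
```

The Referer check is only a weak signal, since browsers may omit the header and it says nothing about requests the administrator was tricked into issuing from a console tab; it is useful for triage after the fact, not as a substitute for the vendor fix in NAM 4.1. Even a successful (302) password change should be reviewed when the new password appears in the query string, because that is exactly the request shape the advisory describes.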

Resolution

Reported to engineering; it will be fixed in the next release of NAM (NAM 4.1).

The issue only occurs when the above request is executed in a browser session in which the admin user has already authenticated; the link cannot be replayed from an unauthenticated iManager session. To avoid the problem, the Access Manager administrator must understand where links in unsolicited messages lead before clicking them.

As a best practice, the administrator of an Access Management solution should avoid browsing other sites in the same browser that is used to manage the NAM setup. Although viewed as a lower-priority vulnerability, the NAM team nevertheless plans to fix this in the next release of the product (NAM 4.1).

Additional Information

NetIQ thanks Wolfgang Ettlinger (discovery, analysis, coordination) from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/) for responsibly reporting the identified issues and working with us as we addressed them.