Access Manager and CVE-2015-0204 OpenSSL Vulnerability aka “FREAK”

  • 7016273
  • 09-Mar-2015
  • 09-Mar-2015

Environment

NetIQ Access Manager 3.1
NetIQ Access Manager 3.2
NetIQ Access Manager 4.0

Situation

A bug in the OpenSSL libraries allows a client to accept a weaker export-grade RSA key. This applies only in scenarios where the server supports the EXPORT cipher suites. It allows a man in the middle to negotiate a weaker protocol with the server than the client asked for and then “trick” the client into accepting the weaker key. With the weaker encryption in place, the traffic between the client and server can be more easily decrypted using known attacks on the RSA export encryption. Although the Access Manager components (Admin Console (AC), Identity Server (IDP) and Access Gateway (AG)) support EXPORT level ciphers on the server side, these ciphers are not enabled by default on the Admin Console and Identity Server.

From Mitre:
The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role.

Severity: Low

Resolution

Make sure that the OS that the NAM components run on is patched with the updated OpenSSL libraries. For the Access Gateway and Access Manager appliance, the SLES security update channel includes the latest OpenSSL libraries with the fix for this issue. Make sure you apply the OS security updates.

If for any reason OS updates are not available, EXPORT level ciphers can easily be disabled per component. As mentioned above, the IDP and AC connectors in server.xml do NOT have these ciphers enabled. The Access Gateway, however, may be able to negotiate an export level cipher. To mitigate this risk, make sure that the EXPORT level ciphers are disabled with the SSLCipherSuite Advanced Option, e.g. include the !EXPORT entry as shown below.

SSLCipherSuite ALL:!EXPORT


The same applies for customers running NAM 3.1 and the LAG. Make sure that the LAG is on the 3.1.5 platform, and modify the SSLCipherSuite to remove the EXPORT level ciphers as per https://www.netiq.com/documentation/novellaccessmanager31/accessgatewayhelp/data/b13kkkzo.html#b13kkkzo.
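
To confirm that the SSLCipherSuite mitigation above is actually in place, the following added example (not NetIQ code) audits SSLCipherSuite lines and reports whether export suites are permanently excluded with `!EXPORT` or `!EXP`. The function names, verdict labels and sample lines are constructed for illustration, and `ALL` and `DEFAULT` are both treated as containing export suites, which is a conservative assumption.

```python
import re

HARD_KILLS = {"!EXPORT", "!EXP"}   # "!" removes the suites permanently
SOFT_KILLS = {"-EXPORT", "-EXP"}   # "-" removes them, but later tokens can re-add
BROAD = {"ALL", "DEFAULT"}         # assumption: treated as containing export suites

def audit_cipher_string(spec):
    """Return 'blocked', 'exposed' or 'review' for one OpenSSL cipher string."""
    tokens = [t for t in re.split(r"[:, ]+", spec.strip().strip('"')) if t]
    if any(t in HARD_KILLS for t in tokens):
        return "blocked"           # position does not matter for "!"
    export_listed = False
    for tok in tokens:
        if tok in SOFT_KILLS:
            export_listed = False
        elif tok[0] not in "!-+" and (tok in BROAD or tok.startswith("EXP")):
            export_listed = True
    # Without a hard kill, other selectors (e.g. RSA) may still match export
    # suites, so anything not clearly exposed is flagged for manual review.
    return "exposed" if export_listed else "review"

def audit_config(text):
    """Return (line_number, cipher_string, verdict) per SSLCipherSuite line."""
    results = []
    for number, line in enumerate(text.splitlines(), start=1):
        # Commented-out directives start with "#" and do not match.
        match = re.match(r"\s*SSLCipherSuite\s+(.+?)\s*$", line, re.IGNORECASE)
        if match:
            spec = match.group(1)
            results.append((number, spec, audit_cipher_string(spec)))
    return results

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
SSLCipherSuite ALL:!EXPORT
SSLCipherSuite ALL:!aNULL:!eNULL
# SSLCipherSuite ALL
SSLCipherSuite ALL:-EXPORT:RSA
SSLCipherSuite HIGH:MEDIUM:!EXPORT40
SSLCipherSuite !EXP:ALL
"""

if __name__ == "__main__":
    for number, spec, verdict in audit_config(SAMPLE):
        print(f"line {number}: {verdict:8} {spec}")
```

Only a `blocked` verdict corresponds to the mitigation described above; `review` means the string has no permanent exclusion and should be checked against the installed OpenSSL, for example with `openssl ciphers -v`.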