Environment
NetIQ Access Manager 3.1
NetIQ Access Manager 3.2
NetIQ Access Manager 4.0
NetIQ Access Manager 3.2
NetIQ Access Manager 4.0
Situation
A bug in the openssl libraries allows a client to
accept a weaker export grade RSA key. This is only applicable in
scenarios where the server supports the EXPORT cipher suites. This
allows a man in the middle to negotiate a weaker protocol with the
server than the client asked for and then “trick” the client into
accepting the weaker key. With the weaker encryption in place, the
traffic between the client and server can be more easily decrypted using
known attacks on the RSA export encryption. Although Access Manager components (Admin Console (AC), Identity Server (IDP) and Access Gateway(AG)) support EXPORT level ciphers on the server side, they are not enabled by default on the Admin Console and Identity Server.
From Mitre:
From Mitre:
The
ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd,
1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers
to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate
brute-force decryption by offering a weak ephemeral RSA key in a
noncompliant role.
Severity: Low
Resolution
Make sure that the OS that the NAM components run on are patches with the updated openssl libraries. For the Access Gateway and Access Manager appliance, the SLES security update channel has included the latest openssl libraries with the fix for this issue. Make sure you apply the OS security updates.
If for any reason OS updates are not available, one can easily disable EXPORT level ciphers per component. As mentioned above, the IDP and AC connectors in the server.xml do NOT have these ciphers enabled. The Access Gateway however may be able to negotiate an export level cipher. To mitigate this risk, make sure that the EXPORT level ciphers are disabled with the SSLCipherSuite Advanced Option e.g include the !EXPORT entry as shown below.
The same applies for customers running NAM 3.1 and the LAG. Make sure that the LAG is on 3.1.5 platform, and modify the SSLCipherSuite to remove the EXPORT level ciphers as per https://www.netiq.com/documentation/novellaccessmanager31/accessgatewayhelp/data/b13kkkzo.html#b13kkkzo.
If for any reason OS updates are not available, one can easily disable EXPORT level ciphers per component. As mentioned above, the IDP and AC connectors in the server.xml do NOT have these ciphers enabled. The Access Gateway however may be able to negotiate an export level cipher. To mitigate this risk, make sure that the EXPORT level ciphers are disabled with the SSLCipherSuite Advanced Option e.g include the !EXPORT entry as shown below.
SSLCipherSuite ALL:!EXPORTThe same applies for customers running NAM 3.1 and the LAG. Make sure that the LAG is on 3.1.5 platform, and modify the SSLCipherSuite to remove the EXPORT level ciphers as per https://www.netiq.com/documentation/novellaccessmanager31/accessgatewayhelp/data/b13kkkzo.html#b13kkkzo.