Admin Console Cross-Site-Request-Forgery Prevention not Working properly under heavy load (CVE-2016-5758)

  • 7017817
  • 05-Jul-2016
  • 29-Aug-2016

Environment

NetIQ Access Manager 4.2
NetIQ Access Manager 4.1
Access Manager Admin Console
iManager
CVE-2016-5758

Situation

Access Manager was set up and working fine. To validate the security of the system, a penetration test was performed on all NAM components, and a cross-site request forgery (CSRF) vulnerability was uncovered against iManager under heavy load.

The test application (Burp Suite) simulates multiple replayed upload requests to iManager, changing the 'imanuasess' token. In this case, the upload was triggered during the client certificate creation process (i.e. go to NetIQ Certificate Access -> User Certificate and import a new user certificate). This event triggers a POST request to "/nps/servlet/frameservice?Autoparse=true" with the following parameters:

Parameter                     Value
DNList                        (empty)
Filename                      File Name="logoutSuccess_legacy.jsp"
fileType                      CERT
Frame_Hidden_PB_Navigation    (empty)
imanuasess                    1211289096589909853
InitialPageID                 (empty)
PanelID                       PKI.WizardPage_CreateCert_Import
TaskAction                    NewFile
taskId                        PKI.ViewUserCertificates
TaskParam                     (empty)

During the penetration test we replayed this upload function as a cross-site request forgery attack by changing the imanuasess token to an invalid number.

The CSRF weakness was observed when the request was POSTed more than 100 times a second with the imanuasess token set to an invalid number, e.g. 1111111111111111111.
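The property the fix has to provide is that an upload POST carrying a wrong imanuasess value is rejected no matter how fast it arrives. The following is an added illustration (not iManager's or NetIQ's code) of a load-independent server-side check: the session store, the request parameters and the concurrent replay are all constructed here, and only the endpoint path and parameter names come from this TID.

```python
import hmac
import secrets
import threading
from concurrent.futures import ThreadPoolExecutor

FRAMESERVICE = "/nps/servlet/frameservice"  # upload endpoint named in this TID


class SessionStore:
    """Hypothetical store: one CSRF token per authenticated session."""

    def __init__(self):
        self._lock = threading.Lock()
        self._tokens = {}

    def new_session(self, session_id):
        # Numeric token, shaped like the imanuasess value in the captured request
        token = str(secrets.randbits(63))
        with self._lock:
            self._tokens[session_id] = token
        return token

    def token_for(self, session_id):
        with self._lock:
            return self._tokens.get(session_id)


def validate_upload(store, session_id, params):
    """Accept the POST only if imanuasess equals the session's token.

    No counters, caches or rate-dependent state: the outcome is the same
    at 1 request/s or 1000 requests/s. Compare in constant time."""
    expected = store.token_for(session_id)
    supplied = params.get("imanuasess", "")
    if expected is None or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


def replay_under_load(store, session_id, forged_token, count=1000):
    """Run `count` concurrent validations of a constructed upload POST that
    carries a forged token (in-process simulation, no network traffic).
    Returns how many were accepted; a correct check returns 0."""
    params = {"PanelID": "PKI.WizardPage_CreateCert_Import", "TaskAction": "NewFile",
              "taskId": "PKI.ViewUserCertificates", "fileType": "CERT",
              "imanuasess": forged_token}
    with ThreadPoolExecutor(max_workers=32) as pool:
        results = pool.map(lambda _: validate_upload(store, session_id, params), range(count))
        return sum(results)
```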

Resolution

Fixed in NAM 4.2.2 (for NAM 4.2) or NAM 4.1.2 Hot Fix 1 (for NAM 4.1), together with the accompanying iManager updates.