Admin Console Cross-Site-Request-Forgery Prevention not Working properly under heavy load (CVE-2016-5758)

  • 7017817
  • 05-Jul-2016
  • 29-Aug-2016


NetIQ Access Manager 4.2
NetIQ Access Manager 4.1
Access Manager Admin Console


Access Manager is set up and working fine. To validate the security of the system, a PEN test was performed on all NAM components, and a cross-site request forgery (CSRF) vulnerability was uncovered against iManager under heavy load.

The test application (Burp Suite) simulates multiple replayed upload requests to iManager, changing the 'imanuasess' token. In this case, the upload was triggered during the client certificate creation process (i.e. go to NetIQ Certificate Access -> User Certificate and import a new user certificate). This event triggers a POST request to "/nps/servlet/frameservice?Autoparse=true" with the following parameters:

Filename    File Name="logoutSuccess_legacy.jsp"   
fileType    CERT   
imanuasess    1211289096589909853   
PanelID    PKI.WizardPage_CreateCert_Import   
TaskAction    NewFile   
taskId    PKI.ViewUserCertificates   

During the PEN test we replayed this upload function as a cross-site request forgery attack by changing the imanuasess token to an invalid number.

The CSRF weakness was observed when the request was POSTed more than 100 times a second with the imanuasess token set to an invalid number, e.g. 1111111111111111111.
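From the detection side, the pattern described above (a burst of more than 100 POSTs per second to the upload endpoint carrying an imanuasess value that was never issued) can be flagged from request logs. The following is an added example, not code from the TID or from NetIQ; the log line format, the client addresses and the `issued_tokens` set are constructed assumptions.

```python
"""Flag bursts of replayed iManager upload POSTs that carry a never-issued imanuasess token."""
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Constructed (hypothetical) log format: "<iso-timestamp> <client-ip> <method> <url> <imanuasess>"
UPLOAD_PATH = "/nps/servlet/frameservice"


def parse_line(line):
    ts, client, method, url, token = line.split()
    u = urlparse(url)
    return {
        "second": ts[:19],  # truncate to whole seconds for per-second bucketing
        "client": client,
        "method": method,
        "path": u.path,
        "autoparse": parse_qs(u.query).get("Autoparse", [""])[0],
        "token": token,
    }


def detect_replay_bursts(lines, issued_tokens, threshold=100):
    """Return (client, second, count) for every client that POSTed the upload endpoint
    more than `threshold` times within one second using a token not in `issued_tokens`."""
    counts = Counter()
    for line in lines:
        r = parse_line(line)
        if r["method"] != "POST" or r["path"] != UPLOAD_PATH or r["autoparse"] != "true":
            continue
        if r["token"] in issued_tokens:
            continue  # token belongs to a real session; not the replay pattern
        counts[(r["client"], r["second"])] += 1
    return sorted((c, s, n) for (c, s), n in counts.items() if n > threshold)


def build_sample():
    """Constructed sample: one legitimate upload, one 150-request burst in a single
    second with the bogus token from the TID, and one slow client (1 request/s)."""
    url = "/nps/servlet/frameservice?Autoparse=true"
    legit = [f"2016-07-05T10:00:00.500 10.0.0.5 POST {url} 1211289096589909853"]
    burst = [f"2016-07-05T10:00:01.{i:03d} 198.51.100.7 POST {url} 1111111111111111111"
             for i in range(150)]
    slow = [f"2016-07-05T10:00:{2 + i:02d}.000 198.51.100.8 POST {url} 1111111111111111111"
            for i in range(20)]
    return legit + burst + slow


if __name__ == "__main__":
    print(detect_replay_bursts(build_sample(), {"1211289096589909853"}))
```

Only the burst client is reported; the slow client sends the same invalid token but never exceeds the per-second threshold, and the legitimate session is ignored because its token was issued.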


Fixed in NAM 4.2.2 (for NAM 4.2) or NAM 4.1.2 Hot Fix 1 (for NAM 4.1), which ship with the iManager updates.