Environment
NetIQ Access Manager 4.2
NetIQ Access Manager 4.1
Access Manager Admin Console
iManager
CVE-2016-5758
Situation
Access Manager is set up and working. To validate the security of the system, a penetration test was performed against all NAM components, and a cross-site request forgery (CSRF) vulnerability was uncovered in iManager under heavy load.
The test tool (Burp Suite) replays an upload request to iManager many times, changing the 'imanuasess' token on each replay. In this case the upload was triggered during the client certificate creation process (NetIQ Certificate Access -> User Certificates, then import a new user certificate). This action triggers a POST request to "/nps/servlet/frameservice?Autoparse=true" with the following parameters:
DNList
Filename File Name="logoutSuccess_legacy.jsp"
fileType CERT
Frame_Hidden_PB_Navigation
imanuasess 1211289096589909853
InitialPageID
PanelID PKI.WizardPage_CreateCert_Import
TaskAction NewFile
taskId PKI.ViewUserCertificates
TaskParam
During the pen test, this upload function was replayed as a cross-site request forgery attack by changing the imanuasess token to an invalid number.
The CSRF vulnerability was observed when the request was POSTed more than 100 times a second with the imanuasess token set to an invalid number, e.g. 1111111111111111111. A correct anti-CSRF check must reject a mismatched token on every request, regardless of request rate.
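The following Python sketch is an added illustration, not iManager's own code, of the check the server must enforce on the request above: the imanuasess token sent with the POST is compared against the token bound to the caller's session, and a mismatch is rejected before any file handling, no matter how many times the request is replayed. The function names (new_session, frameservice_post, build_upload_form, replay) and the in-memory session store are assumptions made for the example; the form parameters are the ones captured on this page.

```python
import hmac
import secrets

# Hypothetical server-side session store: session id -> expected anti-CSRF token.
# Illustrative only; iManager's real session handling is not shown on this page.
SESSIONS: dict[str, str] = {}


def new_session() -> tuple[str, str]:
    """Create a session and the per-session anti-CSRF token ('imanuasess' on the page)."""
    sid = secrets.token_hex(16)
    token = str(secrets.randbits(63))  # numeric, like the captured token value
    SESSIONS[sid] = token
    return sid, token


def frameservice_post(session_id: str, form: dict[str, str]) -> tuple[int, str]:
    """Handle POST /nps/servlet/frameservice?Autoparse=true (hypothetical handler).

    Returns (status, message). The token check runs unconditionally on every
    request, so replaying the request at a high rate cannot bypass it.
    """
    expected = SESSIONS.get(session_id)
    if expected is None:
        return 401, "no session"
    supplied = form.get("imanuasess", "")
    # Constant-time comparison; a missing, altered or guessed token is rejected
    # before the upload parameters are even looked at.
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "invalid anti-CSRF token"
    if form.get("TaskAction") != "NewFile" or form.get("fileType") != "CERT":
        return 400, "unexpected task"
    return 200, f"accepted upload {form.get('Filename')!r} for {form.get('taskId')}"


def build_upload_form(token: str) -> dict[str, str]:
    """The parameter set from the captured request, with the token substituted."""
    return {
        "DNList": "",
        "Filename": 'File Name="logoutSuccess_legacy.jsp"',
        "fileType": "CERT",
        "Frame_Hidden_PB_Navigation": "",
        "imanuasess": token,
        "InitialPageID": "",
        "PanelID": "PKI.WizardPage_CreateCert_Import",
        "TaskAction": "NewFile",
        "taskId": "PKI.ViewUserCertificates",
        "TaskParam": "",
    }


def replay(session_id: str, token: str, count: int) -> dict[int, int]:
    """Replay the upload `count` times with the given token (the Burp replay
    from the pen test) and return a histogram of HTTP status codes."""
    results: dict[int, int] = {}
    for _ in range(count):
        status, _msg = frameservice_post(session_id, build_upload_form(token))
        results[status] = results.get(status, 0) + 1
    return results


if __name__ == "__main__":
    sid, good = new_session()
    print("legitimate request:", frameservice_post(sid, build_upload_form(good)))
    # The pen-test replay: same session, token replaced with 1111111111111111111.
    print("replayed with bogus token x500:", replay(sid, "1111111111111111111", 500))
```

Run stand-alone, the legitimate request returns 200 and all 500 replays with the bogus token return 403; a server on which some of those replays succeed under load has the defect described above.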
Resolution
Fixed in NAM 4.2.2 (for NAM 4.2) and in NAM 4.1.2 Hot Fix 1 (for NAM 4.1), both of which include the iManager updates.