NetIQ Access Manager Gateway version 4.2.1 vulnerability CVE-2016-2107 still exists after installing "novell-nacm-apache-extra-4.0.8-1.0.1t"

  • 7017881
  • 26-Jul-2016
  • 21-Jun-2017

Environment

  • NetIQ Access Manager 4.2
  • NetIQ Access Gateway Appliance 4.2.1

Situation

  • "novell-nacm-apache-extra-4.0.8-1.0.1t" has been installed as documented in KB 7017580 in order to address "CVE-2016-2107".

  • During the lifetime of the system, OpenSSL had been installed with NAM 4.0 due to the need for TLS 1.2, as documented at "https://www.netiq.com/documentation/netiqaccessmanager4/enable_tls_nam40/data/enable_tls_nam40.html".

Resolution

  • Change the shared library search order in the "/etc/ld.so.conf" file so that the "include /etc/ld.so.conf.d/*.conf" line is processed before "/usr/lib64", for example:
    -------------------------------------------------------------------------------------
    /usr/X11R6/lib64/Xaw3d
    /usr/X11R6/lib64
    /usr/lib64/Xaw3d
    /usr/X11R6/lib/Xaw3d
    /usr/X11R6/lib
    /usr/lib/Xaw3d
    /usr/x86_64-suse-linux/lib
    /usr/local/lib
    /opt/kde3/lib
    /usr/local/lib64
    /opt/kde3/lib64
    include /etc/ld.so.conf.d/*.conf
    /lib64
    /lib
    /usr/lib64
    /usr/lib
    -------------------------------------------------------------------------------------
  • Run "ldconfig -v" once more and check that the order has been changed so that "/opt/novell/ssllib" gets processed first.
  • After you are sure the order is correct, restart Apache.

Cause

Due to the shared library search order, an unknown (wrong) OpenSSL library got loaded by Apache:
-----------------------------------------------------------------------------------------------------------
httpd   5210 root  mem    REG    8,5   488095 1388801 /usr/lib64/libssl.so.1.0.0
-----------------------------------------------------------------------------------------------------------

The OpenSSL libraries shipped with the Access Gateway are located at "/opt/novell/ssllib/".

Additional Information

Troubleshooting

  • Run "ps aux | grep httpd":
    --------------------------------------------------------------------------------------------
    root      5210  0.0  0.5 257996 25516 ?     Ssl  Jul20   0:11 /opt/novell/apache2/sbin/httpd
    wwrun    13106  0.0  0.5 326780 24876 ?     Sl   Jul20   0:20 /opt/novell/apache2/sbin/httpd
    wwwrun   13127  0.0  0.7 2813936 37112 ?    Sl   Jul20   0:24 /opt/novell/apache2/sbin/httpd
    wwwrun   13444  0.0  0.7 2748536 37156 ?    Sl   Jul20   0:23 /opt/novell/apache2/sbin/httpd
    wwwrun   13748  0.0  0.7 2748676 36760 ?    Sl   Jul20   0:22 /opt/novell/apache2/sbin/httpd
    wwwrun   14050  0.0  0.7 2747312 36128 ?    Sl   Jul20   0:23 /opt/novell/apache2/sbin/httpd
    wwwrun   14353  0.0  0.7 2748720 37920 ?    Sl   Jul20   0:24 /opt/novell/apache2/sbin/httpd
    wwwrun   14657  0.0  0.7 2746736 36036 ?    Sl   Jul20   0:24 /opt/novell/apache2/sbin/httpd
    wwwrun   14963  0.0  0.7 2747264 36572 ?    Sl   Jul20   0:23 /opt/novell/apache2/sbin/httpd
    wwwrun   15266  0.0  0.7 2746968 36156 ?    Sl   Jul20   0:23 /opt/novell/apache2/sbin/httpd
    wwwrun   15570  0.0  0.7 2746340 35756 ?    Sl   Jul20   0:24 /opt/novell/apache2/sbin/httpd
    wwwrun   15874  0.0  0.7 2748832 37184 ?    Sl   Jul20   0:24 /opt/novell/apache2/sbin/httpd
    --------------------------------------------------------------------------------------------

  • Use the first httpd process id to run "lsof -P -T -p [PID of httpd] | grep ssl".
    Example: "lsof -P -T -p 5210 | grep ssl"
    --------------------------------------------------------------------------------------------
    httpd   5210 root  mem    REG    8,5   488095 1388801 /usr/lib64/libssl.so.1.0.0
    httpd   5210 root  mem    REG    8,5   182184 2044376 /opt/novell/apache2/libexec/mod_ssl.so
    --------------------------------------------------------------------------------------------
    In this case the wrong library has been loaded.

  • If the correct libraries had been loaded, the list would look like this:
    --------------------------------------------------------------------------------------------
    httpd   18983 root  mem    REG                8,5  2644624   911888 /opt/novell/ssllib/libcrypto.so.1.0.0
    httpd   18983 root  mem    REG                8,5   456427   911889 /opt/novell/ssllib/libssl.so.1.0.0
    httpd   18983 root  mem    REG                8,5   182152   912007 /opt/novell/apache2/libexec/mod_ssl.so
    --------------------------------------------------------------------------------------------

  • Run "rpm -qf /usr/lib64/libssl.so.1.0.0" and "ls -la /usr/lib64/libssl.so.1.0.0":
    --------------------------------------------------------------------------------------------
    file /usr/lib64/libssl.so.1.0.0 is not owned by any package
    ls -la /usr/lib64/libssl.so.1.0.0
    -r-xr-xr-x 1 root root 488095 Aug 19  2015 /usr/lib64/libssl.so.1.0.0
    --------------------------------------------------------------------------------------------

  • The Access Gateway Appliance does not ship the library at "/usr/lib64/libssl.so.1.0.0".
  • The "/etc/ld.so.conf" file lists all the directories that are used for the shared library search, in order.
  • There is an include command at the very end of this file ("include /etc/ld.so.conf.d/*.conf"), therefore the library search path for the NAM OpenSSL version is processed as the very last one. If any directory listed earlier contains another OpenSSL library, the NAM OpenSSL libraries will not get loaded.
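The two checks from the Resolution and Troubleshooting sections above (which libssl/libcrypto httpd has actually mapped, and whether the include line in "/etc/ld.so.conf" comes before "/usr/lib64") can be scripted as follows. This is an added example, not part of the KB article or the NAM product; the "check_running_httpd" helper, the use of "pgrep", and the sample lsof/ld.so.conf inputs are assumptions constructed to mirror the output shown above.

```shell
#!/bin/sh
# Added example (not from the KB article): verify which OpenSSL libraries an
# httpd process has loaded and whether /etc/ld.so.conf orders the include line
# ahead of /usr/lib64. Sample inputs below are constructed from the article.

NAM_SSLLIB=/opt/novell/ssllib

# Print libssl/libcrypto paths found in "lsof -P -T -p PID" output read on stdin.
ssl_libs_loaded() {
    awk '$NF ~ /\/lib(ssl|crypto)\.so/ { print $NF }'
}

# Exit 0 only if at least one libssl/libcrypto is mapped and all of them
# live under $NAM_SSLLIB (the libraries shipped with the Access Gateway).
nam_ssl_in_use() {
    ssl_libs_loaded | awk -v dir="$NAM_SSLLIB/" '
        { n++; if (index($0, dir) != 1) bad++ }
        END { exit (n > 0 && bad == 0) ? 0 : 1 }'
}

# Exit 0 if, in ld.so.conf text read on stdin, the include line for
# /etc/ld.so.conf.d/*.conf precedes /usr/lib64 (or /usr/lib64 is absent).
ld_conf_order_ok() {
    awk '
        $1 == "include" && $2 == "/etc/ld.so.conf.d/*.conf" && !inc { inc = NR }
        $1 == "/usr/lib64" && !lib { lib = NR }
        END { exit (inc && (!lib || inc < lib)) ? 0 : 1 }'
}

# Live check on a gateway (assumption: lsof and pgrep available, run as root).
check_running_httpd() {
    pid=$(pgrep -o -x httpd) || return 2
    lsof -P -T -p "$pid" | nam_ssl_in_use
}

# Constructed samples mirroring the article's "wrong" and "correct" lsof output.
WRONG_LSOF='httpd   5210 root  mem    REG    8,5   488095 1388801 /usr/lib64/libssl.so.1.0.0
httpd   5210 root  mem    REG    8,5   182184 2044376 /opt/novell/apache2/libexec/mod_ssl.so'
GOOD_LSOF='httpd  18983 root  mem    REG    8,5  2644624   911888 /opt/novell/ssllib/libcrypto.so.1.0.0
httpd  18983 root  mem    REG    8,5   456427   911889 /opt/novell/ssllib/libssl.so.1.0.0
httpd  18983 root  mem    REG    8,5   182152   912007 /opt/novell/apache2/libexec/mod_ssl.so'
# Constructed ld.so.conf fragments: include last (bad) versus include before /usr/lib64 (good).
BAD_CONF='/usr/lib64
/usr/lib
include /etc/ld.so.conf.d/*.conf'
GOOD_CONF='/usr/local/lib64
include /etc/ld.so.conf.d/*.conf
/lib64
/usr/lib64'
```

On a real gateway, run "check_running_httpd" after the ldconfig step and the Apache restart; a non-zero exit means httpd is still mapping libssl/libcrypto from outside "/opt/novell/ssllib".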