Possible Security vulnerability on NAM Identity Server using the DOCTYPE XML element to point to external references

  • 7018160
  • 17-Oct-2016
  • 18-Oct-2016

Environment

NetIQ Access Manager 4.2
NetIQ Access Manager 4.1
NetIQ Access Manager 4.0

Situation

It is possible to reference external resources within incoming HTTP(S) requests to the Access Manager Identity Server using the DOCTYPE XML element.

Example: if an incoming HTTP request carried the following XML header

==============================================
<?xml version="1.0" standalone="no" ?>
<!DOCTYPE test SYSTEM "http://<any URL>/path">
<test></test>
==============================================
the IDP server would generate a GET request to "http://<any URL>/path".

This can lead to arbitrary actions being triggered simply by calling a URL; the article at https://support.microfocus.com/kb/doc.php?id=7017797 shows a practical example of how this can happen. The most common way of triggering the issue with Access Manager's IDP server is to generate a SAML AuthnRequest with a DOCTYPE reference such as:

==============================================
<?xml version="1.0" standalone="no" ?>
<!DOCTYPE test SYSTEM "https://www.google.ie">
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                    AssertionConsumerServiceURL="https://nam42sba.lab.novell.com/nidp/saml2/spassertion_consumer"
                    Consent="urn:oasis:names:tc:SAML:2.0:consent:unavailable"
                    ForceAuthn="false"
                    ID="idNqtfikaCU7XhCJPK0eQ-6ZZB740"
                    IsPassive="false"
                    IssueInstant="2016-08-01T11:12:53Z"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    Version="2.0">
  <saml:Issuer>https://nam42sba.lab.novell.com/nidp/saml2/metadata</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" />
</samlp:AuthnRequest>
==============================================

Resolution

Fixed in 4.3. In earlier versions it is possible to define a whitelist of trusted URL domains that the IDP can communicate with, to avoid being redirected to an invalid domain.
 
With 4.3, whenever an XML request comes in with a DOCTYPE pointing to a remote location, the following error is shown in the browser:
 
"Unable to complete request at this time"
 
and the catalina log file on the IDP logs the following (the URL varies with the DOCTYPE value):
 
<amLogEntry> 2016-08-01T11:20:37Z INFO NIDS Application: AM#500105039: AMDEVICEID#A63A9C005D90E708: AMAUTHID#B099E3FF8616059BCC9916B167CA7D95:  Error on session id B099E3FF8616059BCC9916B167CA7D95, error org/xml/features/disallow-doctype-decl" set to true.-A63A9C005D90E708, Unable to complete request at this time.:DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.: </amLogEntry>
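As an added example (not Access Manager's or NetIQ's own code), the guard below shows the behaviour 4.3 applies to an AuthnRequest like the one in the Situation section: the request is decoded from its SAML binding and parsing stops at the DOCTYPE declaration itself, before any SYSTEM reference could be resolved, so the rejected URL can be recorded the way the catalina entry does. The hosts sp.example and external.example and the sample requests are constructed placeholders.

```python
# Added example, not Access Manager's own code: reject any DOCTYPE in an inbound
# SAML AuthnRequest before external references can be resolved, the behaviour
# NAM 4.3 enforces through the Xerces "disallow-doctype-decl" feature.
import base64
import xml.parsers.expat
import zlib


class DoctypeDisallowed(Exception):
    """Raised as soon as the parser sees a DOCTYPE; carries its SYSTEM identifier."""
    def __init__(self, name, system_id):
        super().__init__(f"DOCTYPE {name!r} is disallowed (SYSTEM {system_id!r})")
        self.system_id = system_id


def decode_saml_request(param: str, binding: str) -> bytes:
    """Undo the transport encoding: HTTP-Redirect is raw DEFLATE + base64, HTTP-POST
    is base64 only. The binding is known from the endpoint that received the request."""
    raw = base64.b64decode(param)
    return zlib.decompress(raw, -15) if binding == "HTTP-Redirect" else raw


def inspect_request(param: str, binding: str) -> dict:
    """Parse with expat; abort at the DOCTYPE itself so no external resource is fetched."""
    result = {"allowed": True, "root": None, "doctype_system_id": None}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeDisallowed(name, system_id)  # propagates out of Parse()

    def on_start(name, attrs):
        result["root"] = result["root"] or name

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(decode_saml_request(param, binding), True)
    except DoctypeDisallowed as e:
        result.update(allowed=False, doctype_system_id=e.system_id)
    return result


# Constructed samples; the hosts are placeholders, not real deployments.
_CLEAN_XML = (b'<?xml version="1.0"?><samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:'
              b'SAML:2.0:protocol" ID="id1" Version="2.0" IssueInstant="2016-08-01T11:12:53Z">'
              b'<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
              b'https://sp.example/nidp/saml2/metadata</saml:Issuer></samlp:AuthnRequest>')
_DOCTYPE_XML = (b'<?xml version="1.0" standalone="no"?><!DOCTYPE test SYSTEM '
                b'"http://external.example/path">' + _CLEAN_XML.split(b"?>", 1)[1])
_deflate = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, per the Redirect binding
CLEAN_REDIRECT = base64.b64encode(_deflate.compress(_CLEAN_XML) + _deflate.flush()).decode()
DOCTYPE_POST = base64.b64encode(_DOCTYPE_XML).decode()
```

`inspect_request(DOCTYPE_POST, "HTTP-POST")` reports the request as disallowed with the SYSTEM URL captured for logging, while the clean Redirect-bound request parses normally.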