Environment
Access Manager 4.3
Access Manager 4.4
Access Manager Identity Server
Connector Toolkit
ZDI-CAN-5087
Situation
A vulnerability exists in Identity Server in the code path used when a user accesses a basic SSO connector and downloads the BasicSSO connector plugins with IE11. An attacker can use it to execute arbitrary code on the system.
Resolution
Fixed in NAM 4.3.3 and NAM 4.4.0 HF1 patches.
For those on earlier 4.3 builds who want to work around the issue, one can modify the IDP web.xml file and remove the following servlet declaration and its mapping:
<servlet>
    <servlet-name>downloadBasicSSOServlet</servlet-name>
    <servlet-class>com.netiq.ospui.server.OspUIBasicSSODownload</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>downloadBasicSSOServlet</servlet-name>
    <url-pattern>/download</url-pattern>
</servlet-mapping>
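As an added example (not from the original article and not NetIQ/Micro Focus code), the following Python script applies and checks the workaround: it removes every <servlet> and <servlet-mapping> element that names downloadBasicSSOServlet from a web.xml deployment descriptor, leaving the other entries intact, and reports whether anything still refers to the servlet or maps a URL to it. The descriptor embedded in the script is a constructed sample for illustration, not a real IDP web.xml, and the location of the real file is not assumed; pass its path on the command line.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample of a deployment descriptor (not copied from a real
# Access Manager installation). The vulnerable servlet and its mapping sit
# among unrelated entries that must survive the edit.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>someOtherServlet</servlet-name>
    <servlet-class>com.example.Other</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>downloadBasicSSOServlet</servlet-name>
    <servlet-class>com.netiq.ospui.server.OspUIBasicSSODownload</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>someOtherServlet</servlet-name>
    <url-pattern>/other</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>downloadBasicSSOServlet</servlet-name>
    <url-pattern>/download</url-pattern>
  </servlet-mapping>
</web-app>
"""

TARGET_SERVLET = "downloadBasicSSOServlet"


def _local(tag):
    """Strip an XML namespace ({uri}name -> name) so matching works whether
    or not the descriptor declares the Java EE namespace."""
    return tag.rsplit("}", 1)[-1]


def _refers_to(elem, servlet_name):
    """True if a <servlet> or <servlet-mapping> element names servlet_name."""
    for child in elem:
        if _local(child.tag) == "servlet-name":
            return (child.text or "").strip() == servlet_name
    return False


def remove_servlet(xml_text, servlet_name=TARGET_SERVLET):
    """Return (new_xml_text, removed_count): the descriptor with every
    <servlet> and <servlet-mapping> for servlet_name removed from the root."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):
        # Keep the default namespace unprefixed in the output instead of ns0:.
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    removed = 0
    for elem in list(root):  # copy: we mutate root while iterating
        if _local(elem.tag) in ("servlet", "servlet-mapping") and _refers_to(elem, servlet_name):
            root.remove(elem)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def servlet_present(xml_text, servlet_name=TARGET_SERVLET):
    """Post-workaround check: does the descriptor still declare servlet_name
    or map a URL to it?"""
    root = ET.fromstring(xml_text)
    return any(
        _local(elem.tag) in ("servlet", "servlet-mapping") and _refers_to(elem, servlet_name)
        for elem in root
    )


def url_patterns_for(xml_text, servlet_name=TARGET_SERVLET):
    """List the url-patterns mapped to servlet_name, e.g. ['/download']."""
    root = ET.fromstring(xml_text)
    patterns = []
    for elem in root:
        if _local(elem.tag) == "servlet-mapping" and _refers_to(elem, servlet_name):
            for child in elem:
                if _local(child.tag) == "url-pattern":
                    patterns.append((child.text or "").strip())
    return patterns


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_WEB_XML
    print("URL patterns mapped to %s: %s" % (TARGET_SERVLET, url_patterns_for(text)))
    patched, n = remove_servlet(text)
    print("removed %d element(s); still referenced: %s" % (n, servlet_present(patched)))
    if path:
        # Never overwrite the live descriptor blindly; write beside it and diff first.
        with open(path + ".patched", "w", encoding="utf-8") as out:
            out.write(patched)
        print("wrote", path + ".patched")
```

Two caveats before deploying the result: ElementTree drops XML comments and may reflow whitespace, so diff the .patched file against the original and back the original up before swapping it in; and, as with any web.xml change, the servlet container must be restarted for the removal to take effect. servlet_present() is also a useful standing check, since an upgrade or restore could reintroduce the entries.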
Special thanks to rgod and kimiya working with Trend Micro's Zero Day Initiative for responsibly disclosing this information.