What is NetIQ?s position on the reported vulnerability to a canonicalization attack on the iSeries p (NETIQKB47048)

  • 7747048
  • 02-Feb-2007
  • 08-Oct-2007

Resolution

goal
What is NetIQ?s position on the reported vulnerability to a canonicalization attack on the iSeries platform within NetIQ Security Manager and NetIQ Security Solutions for iSeries?

goal
Is NetIQ Security Manager vulnerable to a canonicalization attack on the iSeries platform?

goal
Are NetIQ Security Solutions for iSeries vulnerable to a canonicalization attack on the iSeries platform?

fact
Security Manager 5.x

fact
VigilEnt Security Agent for iSeries 7.5

fact
VigilEnt Security Agent for iSeries 5.4/7.0

fix

Reports of a vulnerability within NetIQ products have recently appeared in security forums (including BugTraq and Secunia.com) concerning a canonicalization attack on iSeries platforms.  Where NetIQ products are concerned, further research and investigations has proven that neither NetIQ Security Manager nor NetIQ Security Solutions for iSeries are vulnerable to this attack.  The report is incorrect and without foundation, and retractions have been posted where the vulnerability is known to be reported. 

The vulnerability was reported by Mr. Shalom Carmel of Veneral.com after he performed research using the attack on the default FTP service on iSeries platforms.  While the report does not detail any specific NetIQ product it does imply the NetIQ Security Solutions for iSeries are susceptible, and Secunia.com does report the vulnerability being within the NetIQ Security Manager product.  It should be noted that while the discovered vulnerability was associated with these NetIQ products, empirical testing was never performed. 

NetIQ Security Manager and the NetIQ Security Solutions for iSeries are not vulnerable to this exploit for the following reasons:

  • NetIQ Security Manager is a security event and log consolidation product that aggregates and normalizes logs from Windows, Unix, Linux and iSeries platforms, as well as from other point-security solutions and network devices. Since NetIQ Security Manager is hosted on a Windows-based platform, it is not susceptible to the attack detailed in Mr. Carmel?s research.
  • NetIQ Security Solutions for iSeries have multiple components for auditing, security, and detecting misconfigurations and vulnerabilities on iSeries.  The PSSecure module actually prevents this type of attack by parsing the path to the object level and validating user access.  Other vendor solutions that validate object access at the application level (e.g., FTP) are susceptible to the canonicalization attack since they do not correctly parse the path to the object.

Mr. Carmel indicated that he attempted to contact vendors, including NetIQ, and after failing to elicit a response from NetIQ he issued the report.  Unfortunately, the wording of the report provides a strong indication that products from vendors who did not respond to him are subject to the vulnerability.   

NetIQ has requested that Mr. Carmel update his findings and issue a retraction of the vulnerability report wherever posted.  At the time of posting of this KB article, Secunia.com has already revoked its advisory (see http://secunia.com/advisories/15102/).



Additional Information

Formerly known as NETIQKB47048