[NEWS] Websphere MQ Security Exit Authentication Bypass Vulnerability

2008-04-15T00:00:00
ID SECURITYVULNS:DOC:19657
Type securityvulns
Reporter Securityvulns
Modified 2008-04-15T00:00:00

Description

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com - - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source. http://www.securiteam.com/mailinglist.html


Websphere MQ Security Exit Authentication Bypass Vulnerability

SUMMARY

<http://www-306.ibm.com/software/integration/wmq/> Websphere MQ is an Enterprise level application that can be used to provide a unified platform for messaging within an organisation. IBM describes their technology as follows: "WebSphere MQ provides an award-winning messaging backbone for deploying your enterprise service bus (ESB) today as the connectivity layer of a service-orientated architecture (SOA)".

The Websphere MQ service can be used to transfer messages between systems and applications. It is possible to protect the channels within the Queue Manager with a security exit which requires that an authentication check be passed before a connection can be established. A method of bypassing Websphere MQ Security authentication mechanism has been discovered which would enable unauthorised access to be gained.

DETAILS

Vulnerable Systems: * Websphere MQ version 5.1 up to version 5.3 (Solaris)

Immune Systems: * Websphere MQ version 6.0.0 (Windows)

Impact: The vulnerability could enable an attacker to bypass a security exit that has been applied to a channel. This would enable an attacker to gain full access to all queues defined within the queue manager with full read and write access. Additionally, an attacker could perform remote fingerprinting of the software, alter the Queue Manager configuration and potentially execute Operating System commands through the creation of an appropriate trigger process.

The latter is dependent on the presence of a running trigger monitor process on the system.

Cause: The vulnerability arises from an error in the process for checking whether a connection has successfully passed the authentication check enforced by a security exit. A connection can be established to the Queue Manager if an authentication packet is not sent before the connection is established.

Interim Workaround: The only workaround at the present time is to use network filtering to restrict access to Websphere MQ services to trusted IP addresses only. It is also possible that correctly deploying and mandating the use of SSL client certificates will prevent an attacker from accessing the channels that are protected by the Security Exit. IBM have released a fix pack that addresses this vulnerability.

Solution: IBM has released the following fix Pack: <http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037#1> http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037#1

CVE Information: <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1130> CVE-2008-1130

ADDITIONAL INFORMATION

The information has been provided by
<mailto:Elspeth.Levi@mwrinfosecurity.com> Elspeth Levi. The original article can be found at:
<http://www.mwrinfosecurity.com/publications/mwri_websphere-mq-authentication-bypass-advisory_2008-03-26.pdf> http://www.mwrinfosecurity.com/publications/mwri_websphere-mq-authentication-bypass-advisory_2008-03-26.pdf

========================================

This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.