[NEWS] Entrust GetAccess(tm) Access Service Vulnerability
From: support@securiteam.com  Date: 11/07/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Entrust GetAccess(tm) Access Service Vulnerability
Message-Id: <20011107213755.2444B138C0@mail.der-keiler.de>
Date: Wed, 7 Nov 2001 22:37:55 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Entrust GetAccess(tm) Access Service Vulnerability
------------------------------------------------------------------------
SUMMARY
A vulnerability has been identified in <http://www.entrust.com> Entrust
GetAccess that could allow unauthorized retrieval of files on certain
GetAccess web servers. Entrust recommends installation of the patch
described below, which addresses this vulnerability.
DETAILS
Affected configurations:
- Versions: Entrust GetAccess, all versions
- Platforms: All
- Services: Entrust GetAccess Access Service
Impact of vulnerability:
This vulnerability could potentially result in the unauthorized retrieval
of some files hosted on affected web servers. Servers running the
GetAccess Access Service are affected; others running GetAccess runtimes
and other services are not. Typical customer deployments store sensitive
content on GetAccess runtime servers, therefore reducing the impact of
this vulnerability.
Solution:
Entrust has made a patch available on the GetAccess support extranet at
the location listed below. A workaround also exists, described below.
Technical details:
GetAccess provides a localization mechanism that allows its HTML pages
(used for logout sequences, error messages, timeout messages, and the
like) to be localized using different language-specific templates. This
mechanism takes in as an argument a query string name-value pair of the
format "LOCALE=XX_XX", where XX_XX corresponds to the name of the
sub-directory within the GetAccess directory structure that contains the
appropriate HTML templates. GetAccess uses this information to build the
directory path and select the appropriate files.
The vulnerability arises because the XX_XX value is not validated before
it is used: a user can substitute an arbitrary directory path (for example,
one containing "../" sequences) for it, and the path GetAccess builds will
then point outside the template directory. The localization mechanism is
vulnerable in the following GetAccess Access Service capabilities:
- The process that drives localized user help during login (if the user
clicks the "Help" link on a login screen)
- The process that drives the "About" screen, which displays GetAccess
version information.
Not all other GetAccess processes that support the localization mechanism
contain this vulnerability.
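The following illustration is added to this bulletin and is not GetAccess code. It models the path construction the advisory describes (LOCALE spliced into a directory path with a template file name appended) next to a hardened version that allow-lists the locale and checks that the resolved path stays inside the template directory. The directory layout (<root>/templates/help/<XX_XX>/ and <root>/config/), the root path, the allow-list and the template file name are assumptions chosen so that two traversals from a template directory reach the configuration directory, as the example later in this bulletin states; the null-byte handling models a C-style consumer that stops at the first NUL.

```python
import posixpath

# Assumed layout for this illustration (not taken from the advisory): help
# templates live under <root>/templates/help/<XX_XX>/ and configuration files
# under <root>/config/, so "../../" from a template directory lands in <root>.
GAS_ROOT = "/opt/getaccess"
TEMPLATE_BASE = posixpath.join(GAS_ROOT, "templates", "help")
ALLOWED_LOCALES = frozenset({"en_US", "fr_CA", "de_DE"})  # assumed allow-list


def _as_c_string(s):
    """Model a C-style consumer of the path: the string ends at the first NUL."""
    nul = s.find("\x00")
    return s if nul == -1 else s[:nul]


def vulnerable_template_path(locale, template="help.html"):
    """Path construction as the advisory describes it: the raw LOCALE value is
    spliced into the directory path, then the template file name is appended.
    Backslashes are normalised to "/" because the affected scripts run on
    Windows, where both characters separate path components."""
    raw = posixpath.join(TEMPLATE_BASE, locale, template)
    raw = _as_c_string(raw).replace("\\", "/")
    return posixpath.normpath(raw)


def hardened_template_path(locale, template="help.html"):
    """Allow-list the LOCALE value, then confirm the resolved path is still
    inside TEMPLATE_BASE.  Returns None when the request must be rejected."""
    if locale not in ALLOWED_LOCALES:
        return None
    resolved = posixpath.normpath(posixpath.join(TEMPLATE_BASE, locale, template))
    if not resolved.startswith(TEMPLATE_BASE + "/"):
        return None
    return resolved


if __name__ == "__main__":
    for value in ("en_US",
                  "../../config/license.conf",         # traversal alone
                  "../../config/license.conf\x00\\"):  # traversal + NUL, as in the advisory
        print(repr(value))
        print("  vulnerable ->", vulnerable_template_path(value))
        print("  hardened   ->", hardened_template_path(value))
```

Running it shows why the example later in this bulletin needs the null byte: with "../../config/license.conf" alone the appended template name turns the target into ".../config/license.conf/help.html", which does not exist, whereas the NUL truncates the path at the configuration file itself. The hardened variant rejects both forms because the value is not in the allow-list, and the containment check stays as a second line of defence should the allow-list ever be widened.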
Mitigating factors:
- The only files that are potentially exposed are the ones that the web
server has permission to access.
- This vulnerability is limited to file retrieval only. It is not possible
to exploit this vulnerability to upload files/data or to execute arbitrary
code on the web server.
- Only files on the Access Service machine(s) are potentially at risk of
exposure. The most common deployment architecture segregates the Access
Service from web servers hosting any sensitive application data.
Patch availability:
A patch is available now on the GetAccess support extranet at the
following address:
<https://login.encommerce.com/private/docs/techSupport/Patches-BugFix>
Workarounds:
If the patch above is applied, the following workarounds are not required.
- The following files can be removed from GetAccess Access Service hosts,
eliminating the vulnerability. Note that the patch above corrects the
vulnerability in these scripts and eliminates the need to delete the
scripts.
  helpwin.gas.bat: this script is referenced by the "Help" link on GetAccess
  login screens. These links could be replaced with alternative HTML help
  pages not driven by the GetAccess help script.
  AboutBox.gas.bat: this script drives the "About" box that displays
  GetAccess version information.
- As part of normal security policy, customers should not store sensitive
data on GetAccess Access Service hosts. Web servers hosting such data
should be secured using the GetAccess Runtime, which is not affected by
this vulnerability. Almost all Entrust GetAccess customers choose to
deploy in this sort of configuration even in the absence of this
vulnerability.
- If the Access Service component is co-located on a web server hosting
sensitive files, the Access Service can be segregated to a dedicated
server in order to minimize the potential exposure.
- File permissions should be set such that all files not explicitly needed
by the web server are inaccessible to the user account under which the web
server runs (in keeping with industry best practice).
- Impacted Components: Only GetAccess servers running the Access Service
component are affected. Web servers hosting secure content protected by
the GetAccess Runtime are not affected.
Example:
An HTTP request to:
http://getAccessHostname/sek-bin/helpwin.gas.bat?
with the following parameters:
mode=
&draw=x
&file=x
&module=
&locale=[relative FILE/PATH][Nullbyte/0x00][Backslash/0x5c]
&chapter=
will lead to disclosure of [FILE/PATH]. The embedded null byte truncates
the constructed path, so the template file name that GetAccess appends
after the locale directory is discarded and the traversal target itself is
opened.
Configuration files (the exact location depends heavily on configuration;
they are typically found two traversals back, ../../, from the template
directory):
/config/acl-runtime.conf
/config/administration.conf
/config/applist.conf
/config/authmethod.conf
/config/clientCert.conf
/config/connection.conf
/config/directories.conf
/config/domainAuth.conf
/config/hook.conf
/config/license.conf
/config/log.conf
/config/login.conf
/config/misc.conf
/config/pmda.conf
/config/redirection.conf
/config/registry.conf
/config/serverCert.conf
/config/serverConnection.conf
/config/source_systems.conf
/config/version.conf
/config/serverReq.pem
/config/serverCert.pem
/config/certs
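The detection logic below is added to this bulletin and is not part of the original advisory or of GetAccess. It scans web server access log lines for requests to the two scripts the advisory names (compared case-insensitively, since the hosts are Windows) whose LOCALE value is anything other than a plain XX_XX code, percent-decoding the query first so that %00 and %2f/%5c are seen as the script would see them. The log lines are constructed for this example; the Common Log Format layout and the IP addresses are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Scripts the advisory names as reachable through the vulnerable localization
# code path.  Compared case-insensitively because the hosts are Windows.
VULNERABLE_SCRIPTS = {"/sek-bin/helpwin.gas.bat", "/sek-bin/aboutbox.gas.bat"}

# A legitimate LOCALE value is a language/territory code such as en_US.
LOCALE_OK = re.compile(r"^[a-z]{2}_[A-Z]{2}$")

# Minimal Common Log Format parser; only the fields needed here are captured.
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def suspicious_locales(target):
    """Return every LOCALE value in the request target that is not a plain
    XX_XX code.  parse_qs percent-decodes, so %00 becomes a real NUL and
    %2f / %5c become separators, which is what the CGI script would see."""
    url = urlsplit(target)
    if url.path.lower() not in VULNERABLE_SCRIPTS:
        return []
    values = parse_qs(url.query, keep_blank_values=True).get("locale", [])
    return [v for v in values if not LOCALE_OK.fullmatch(v)]


def scan_log(lines):
    """Yield one finding per suspicious LOCALE value seen in the log."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        for bad in suspicious_locales(m["target"]):
            findings.append({
                "client": m["client"],
                "when": m["when"],
                "status": m["status"],
                "script": urlsplit(m["target"]).path.lower(),
                "locale": bad,
                "nul": "\x00" in bad,
                "traversal": ".." in bad,
            })
    return findings


# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Nov/2001:22:37:55 +0100] "GET /sek-bin/helpwin.gas.bat'
    '?mode=&draw=x&file=x&module=&locale=en_US&chapter= HTTP/1.0" 200 1432',
    '10.0.0.7 - - [07/Nov/2001:22:38:10 +0100] "GET /sek-bin/helpwin.gas.bat'
    '?mode=&draw=x&file=x&module=&locale=../../config/license.conf%00%5c&chapter= HTTP/1.0" 200 811',
    '10.0.0.7 - - [07/Nov/2001:22:38:12 +0100] "GET /sek-bin/AboutBox.gas.bat'
    '?mode=&draw=x&file=x&module=&locale=..%2F..%2Fconfig%2FserverCert.pem%00&chapter= HTTP/1.0" 200 1290',
    '10.0.0.9 - - [07/Nov/2001:22:40:01 +0100] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.9 - - [07/Nov/2001:22:40:05 +0100] "GET /sek-bin/other.gas.bat'
    '?locale=../../x HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 response with a non-trivial size on a flagged request is the strongest indicator that a file was actually served; the last sample line shows that the rule is deliberately scoped to the two named scripts, since the advisory does not say that other localized processes are affected.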
ADDITIONAL INFORMATION
The information has been provided by <mailto:Eric.Skinner@entrust.com>
Eric Skinner and <mailto:rudicarell@hotmail.com> rudi carell.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.