[NEWS] iChain Multiple Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 08/30/04

    To: list@securiteam.com
    Date: 30 Aug 2004 18:06:25 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      iChain Multiple Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    Novell's <http://www.novell.com/products/ichain/> iChain "provides
    identity-based web security services that control access to application
    and network resources across technical and organizational boundaries".

    Multiple vulnerabilities have been discovered in Novell's iChain. They
    include cross-site scripting, authentication bypass and denial of
    service.

    DETAILS

    Vulnerable Systems:
     * iChain 2.3 Support Pack 1 Beta 1 version 2.3.251 and prior

    Immune Systems:
     * iChain 2.3 Support Pack 1 Beta 1 version 2.3.252 or newer

    Security Issues/Alert(s):
    1) ACLCHECK Security hole with overlong UTF-8 encoding where access
    control rules could be bypassed using escape sequences.

    2) Cross-site scripting (XSS) vulnerability where login credentials could
    have been sent to another host.

    3) DoS attack on iChain server when URL contains specific string.

    4) Security concern with the VIA header disclosing the iChain build
    version. Added a "viaheaderbuildversion=" option to /etc/proxy/proxy.cfg
    to modify the build version sent in the VIA header. Example: add the
    following to the proxy.cfg file:

        [HTTP Headers]
        viaheaderbuildversion=2.3

    This will show up as (iChain 2.3) in the via header. Otherwise it will
    show up with the standard build version such as (iChain 2.2.252).

    5) iChain Administration GUI no longer binds and listens on all assigned
    IP addresses.

    6) iChain passes the iChain username/password credentials in the
    Authorization: Basic header instead of the OLAC-configured
    ICHAIN_UID/ICHAIN_PWD when the LDAP server pointed to by the ACLCHECK
    profile is DOWN.

    7) Set default for Telnet to disabled.
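    Issue 1 above is an instance of matching access-control rules against a URL before it has been canonicalised. As an added example (not iChain's own code), the Python below percent-decodes a request path, decodes the bytes as UTF-8 by hand so that overlong and otherwise malformed sequences are rejected outright, and only then matches the canonical path against the ACL; the `/admin/` rule and the sample paths are constructed for the example.

```python
"""Canonicalise-then-authorise for a percent-encoded URL path. Added example,
not iChain code: strict UTF-8 decoding keeps overlong input away from the ACL."""
from urllib.parse import unquote_to_bytes

PROTECTED_PREFIXES = ("/admin/",)  # constructed sample ACL, not a real rule

class MalformedUtf8(ValueError):
    pass

def decode_utf8_strict(data: bytes) -> str:
    """Hand-rolled decoder: rejects overlong forms, surrogates and > U+10FFFF."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            cp, n, minimum = b, 1, 0
        elif 0xC2 <= b <= 0xDF:
            cp, n, minimum = b & 0x1F, 2, 0x80
        elif 0xE0 <= b <= 0xEF:
            cp, n, minimum = b & 0x0F, 3, 0x800
        elif 0xF0 <= b <= 0xF4:
            cp, n, minimum = b & 0x07, 4, 0x10000
        else:  # C0/C1 only start overlong forms; 80-BF and F5+ are never leads
            raise MalformedUtf8(f"bad lead byte 0x{b:02X} at {i}")
        if i + n > len(data):
            raise MalformedUtf8(f"truncated sequence at {i}")
        for k in range(1, n):
            c = data[i + k]
            if c & 0xC0 != 0x80:
                raise MalformedUtf8(f"bad continuation 0x{c:02X} at {i + k}")
            cp = (cp << 6) | (c & 0x3F)
        if cp < minimum:  # shortest-form rule: the check that stops overlongs
            raise MalformedUtf8(f"overlong encoding of U+{cp:04X} at {i}")
        if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            raise MalformedUtf8(f"invalid code point U+{cp:04X} at {i}")
        out.append(chr(cp))
        i += n
    return "".join(out)

def authorize(raw_path: str, authenticated: bool) -> str:
    """Percent-decode, validate UTF-8, then apply the ACL to the canonical path."""
    try:
        path = decode_utf8_strict(unquote_to_bytes(raw_path))
    except MalformedUtf8 as exc:
        return f"reject: {exc}"  # malformed input never reaches the rule match
    if any(path.startswith(p) for p in PROTECTED_PREFIXES) and not authenticated:
        return "deny: authentication required"
    return "allow"
```

The rejected inputs in the checks are the classic UTF-8 conformance-test sequences; a proxy that accepts any of them can be matched against a path it never compares.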

    Defects Fixed:
    1) "Forward iChain cookie to web server" not working for child
    accelerators.

    2) Customization of iChain error pages not displaying custom images
    correctly.

    3) Cannot access PUBLIC resource when two accelerators pointed to same
    origin server over http and https.

    4) Abend in SSO while unloading and an SSO request is being processed.

    5) Removed the set "alturl" in the CLI to redirect error pages to another
    URL.

    6) Authenticating with original URL containing "(" or ")" causing the URL
    to be rewritten incorrectly with invalid escape sequences.

    7) Invalid request-line URI error during authentication when URL includes
    ampersand (&) characters.

    8) RADCHALN.HTM would only load from sys:/etc/proxy/data directory and
    cannot be customized.

    9) Novinet header was not always passed to back-end, breaking Single
    Sign-On.

    10) Proxy mishandling the "100 continue" HTTP response header from origin
    server and causing Formfill to fail.

    11) SAML SSL mutual connection failing against Oblix server.

    12) iChain sending multiple CONNECTION HTTP headers in GET request.

    13) iChain rewrites iChain session cookies (beginning with ZNPCQ002) used
    by back end application when "Load Balance at session level only" is
    enabled.

    14) Abend on iChain Authentication server if tree name started with "T".

    15) Authentication looping during login to iChain going from secure to
    non-secure connections when going through session broker.

    16) Abend in PROXY.NLM when Rewriter enabled.

    17) Abend in PROXY.NLM when client chunking active.

    18) Failed login with basic authentication would redirect user to the
    iChain login page form.

    19) "Return error if host name sent by browser does not match above DNS
    name" not returning error when mismatch in DNS names existed between
    browser and iChain.

    20) Could not authenticate to iChain when user credentials were split
    between multiple TCP segments.

    21) Removed "Domain=" portion of the session (ZNPCQ002) cookie.

    22) Secondary IP addresses disappearing after an apply.

    23) Updated messages.cfg file to include better instructions.

    24) Cannot login to iChain with Mozilla due to encoding of user
    credentials containing "@" to "%40".

    25) Abend in SSO.NLM when <maskedPost/> used in Formfill policy.

    26) Abend in LIBC.NLM|strcpy caused by Formfill.

    27) Abend in Proxy when "DNS IPQuery Waiting For UDP Send Complete"
    message appears on system console.

    28) iChain server hangs when downed due to SMTP alerting being enabled.

    29) iChainFormFillCrib values not filling into form if the form credentials
    sent back were split across multiple TCP segments.

    30) Abend in Proxy.nlm due to invalid bufseg when user submits login
    credentials to iChain.

    31) X-Forwarder header randomly getting dropped and client IP address
    getting mixed into cookie instead.

    32) Abend in PROXY.NLM|TCPGetSendData().

    33) User DN sent instead of CN in OLAC Header after purge cache performed.

    34) Fixed memory leak in ACLCHECK.NLM.

    35) OLAC parameters from the LDAP data source are not sent to the web
    server after SAML Authentication is performed.

    36) SAML server getting a 500 error back from iChain on a "/cmd/mutExt"
    artifact request.

    37) Abend importing NAS if SAML authentication server information is
    included in the ISO object.

    38) Abend in NWUTIL.NLM|Alloc() when iChain handles HTTP POST request
    containing more than 4kB of data.

    39) "REGJNI: getStringValue not NULL terminated" error on iChain Java
    Interpreter screen.

    40) Expired certificates reported as 'auto' in iChain GUI instead of
    expired.

    41) Cannot access iChain services after importing NAS file.

    42) Cannot access iChain CLI when TCPIP.CFG is corrupt.

    43) Upper/lowercase issues with SPEED= setting in current.nas.

    44) "Set eth primary address" was not working correctly.

    45) Abend in AUTOVOL.NLM during installation on GL380G3.

    46) OCSP problems validating responses signed by multiple Certificate
    Authorities.

    47) Cannot connect to remote Web server when Secure Exchange is enabled on
    public resource.

    48) OLAC gets a java exception when enabled through a NAS file.

    49) COS file system not getting created during install on system with
    large amount of disk space.

    50) Changes to Xtier Realm name case did not get saved.

    Enhancements:
    1) Added the ability to enable the secure bit on cookies.
        - Edit APPSTART.NCF to load PROXY.NLM with the -cs switch.
          Syntax: load proxy -cs
        - All accelerators must have secure exchange enabled to utilize this
          feature.

    2) Added additional field (Load Line Parameters) for board settings in
    Admin GUI for Gigabit card support.

    3) Removed SOCKS client setting from the Gateway panel.

    4) Remove Filtering/WCCP modules that iChain does not use.

    5) Raised number of Trusted Roots limit supported from 32 to 64.

    6) Fixed browser error "Chained certs causing basic constraint violation
    messages" with chained client certificate whose path length constraint set
    to 0.

    7) Added an Evaluation License Reset function. Call Novell Technical
    Support and reference internal TID 10090910 for instructions and unlock
    code.

    8) Add option to insert/remove sub path in Cookies when using Path Based
    Multi-homing.
        Syntax: removesubpathincookie = [yes/no]

    9) Support to store Form Fill Policies on local file system.
        Syntax: Add the following to the Form Fill Policy on the ISO object:

        <LocalPolicy>{Filename}</LocalPolicy>

        *If {FileName} does not contain \, / or :, it is treated as a file in
    SYS:ETC\Proxy\Appliance\Config\User\Formfill; otherwise it is taken as an
    absolute path. Multiple <LocalPolicy> tags may be used, but the maximum
    size is limited to 1MB.

    10) Now validate administrator Formfill XML against existing XML Tags to
    make sure syntax and cases are correct.

    11) Added iChain set command to turn off CRL checking.
        Syntax:
        set authentication <profile_name> mutual disablerevocationchecks = [yes/no]

    12) Option to disable telnet posting listener on TCP port 23.
        Syntax: set listener telnet enable = [on/off]

    13) Made an Admin GUI setting for non-exportability of Certificates.

    14) Improved OTWUG install to differentiate between iChain product
    versions.

    15) Caching improvements when .js, .jpg, .jpeg, .png files are referenced
    in customized login pages.

    16) DNS error messages added to the messages.cfg file.

    17) Added "Please Login" string from login pages to the messages.cfg for
    translation.

    Known Issues:
    Users coming in through Mutual SSL Authentication may get a certificate
    error if they try to hit the site while their userid is in the 0 TTL
    state. During the 0 TTL state a user's session has timed out but there is
    a maximum 60 second window where the userid is still registered with the
    IAGENT database.

    Installation:
    Recommendations: Prior to placing b1ic23sp1.exe in a production
    environment, test in an environment that mirrors the production
    environment.

    b1ic23sp1.exe is a self-extracting file that will extract into three
    files:
    b1ichain23sp1.zip, b1ichain23sp1.txt and b1ic23sp1.txt.
    b1ichain23sp1.zip is the OTWUG (Over The Wire Upgrade).
    b1ichain23sp1.txt is the installation file for the OTWUG.
    b1ic23sp1.txt is the readme for the patch.

    Installing b1ic23sp1.exe

    1) Special notes for this OTWUG:
    This OTWUG will upgrade an iChain 2.2 server to iChain 2.3.
    If you are upgrading to 2.3, you will be prompted to accept the 2.3
    license during the install. Therefore, console access is necessary to
    accept the license agreement and upgrade.

    Additionally, during the upgrade all drivers (and many other files that
    you may have customized) currently running on the iChain 2.2 server will
    be replaced. Review the drivers and files in the b1ichain23sp1.zip file to
    verify that they are correct for your hardware and environment. Examples
    of such files include:

    NCPIP.NLM
    For security reasons, C:/NWSERVER/NCPIP.NLM was renamed to NCPIP.OLD. If
    login to the iChain server is desired, NCPIP.NLM will have to be renamed
    back to the original file name after the OTWUG completes.

    OAC.PROPERTIES
    When you install this support pack, any OLAC custom plug-ins will be
    overwritten. To avoid this issue, back up your oac.properties file before
    installing this support pack, then copy the file back over once the
    support pack is successfully installed. If you have not modified the file
    previously, skip this step.

    APPSTART.NCF
    Make note of any customized load lines in appstart.ncf prior to applying
    the patch. Do NOT include "load logevent" and "load lcache" if they appear
    in your current file.

    MESSAGES.CFG will be updated.

    TELNET will be disabled by default for security reasons. If TELNET is used
    for administrative purposes you will need to re-enable it after applying
    this patch. Import the TELNETON configuration file from the ADMIN GUI
    under the System | Import/Export tab.

    2) Back-up all configuration files and third-party certificates.
    a. If the iChain server has a cloned drive (multiple drives), a clone
    update should be performed prior to the upgrade, or
    b. Export the CURRENT.NAS, TUNE.NCF, APPSTART.NCF, MESSAGES.CFG (if
    customized), any third-party certificates, and any other customized login
    pages or files to floppy for backup purposes. Remove the floppy.

    3) Copy b1ichain23sp1.zip & b1ichain23sp1.txt to a directory on a Web
    Server that can be accessed by the iChain appliance and a workstation that
    will run the iChain Appliance Configuration GUI.

    4) Temporarily disable all accelerators or block public traffic.

    5) If "Allow administration from specified clients" has been configured,
    add the IP address of the iChain server to the list.

    6) Modify the URL line in the b1ichain23sp1.txt file so that it contains
    the appropriate path/URL to the b1ichain23sp1.zip file. Example: If the
    zip file was placed at the default/root directory of a Web Server with the
    IP address 10.10.10.1 then change url=http://**location**/b1ichain23sp1.zip
    to url=http://10.10.10.1/b1ichain23sp1.zip.

    7) In the Appliance Configuration GUI under System | Upgrade | Install
    from URL, put in the matching URL to the .txt file. Using the example
    above: http://10.10.10.1/b1ichain23sp1.txt. NOTE: Point to the .txt
    installation file, not the .zip file.

    8) Check the "Enable download" and "Enable install" boxes.

    9) Specify times to begin the download and install.

    10) Click on "Apply".

    ADDITIONAL INFORMATION

    The information has been provided by Novell Product Security.
    The original article can be found at:
    <http://support.novell.com/cgi-bin/search/searchtid.cgi?/2969621.htm>
