From: Eric Skinner (Eric.Skinnerentrust.com)
Date: Mon Nov 05 2001 - 08:23:56 CST


    Entrust Security Bulletin E01-005
    =================================

    Entrust GetAccess(tm) Access Service Vulnerability

    SUMMARY:
    ========

    A vulnerability has been identified in Entrust GetAccess that could allow
    unauthorized retrieval of files on certain GetAccess web servers. Entrust
    recommends installation of the patch described below, which addresses this
    vulnerability.

    Impact of vulnerability:

    This vulnerability could potentially result in the unauthorized retrieval of
    some files hosted on impacted web servers. Servers running the GetAccess
    Access Service are impacted; others running GetAccess runtimes and other
    services are not. Typical customer deployments store sensitive content on
    GetAccess runtime servers, therefore reducing the impact of this
    vulnerability.

    Solution:

    Entrust has made a patch available on the GetAccess support extranet at
    the location listed below. A workaround also exists, described below.

    Affected Configurations:

    - Versions: Entrust GetAccess, all versions
    - Platforms: All
    - Services: Entrust GetAccess Access Service

    TECHNICAL DETAILS:
    ==================

    GetAccess provides a localization mechanism that allows its HTML pages (used
    for logout sequences, error messages, timeout messages, and the like) to be
    localized using different language-specific templates. This mechanism takes
    in as an argument a query string name-value pair of the format
    "LOCALE=XX_XX", where XX_XX corresponds to the name of the sub-directory
    within the GetAccess directory structure that contains the appropriate HTML
    templates. GetAccess uses this information to build the directory path and
    select the appropriate files.

    The vulnerability arises if a user manually substitutes an arbitrary
    directory path for the XX_XX value. The localization mechanism is
    vulnerable in the following GetAccess Access Service capabilities:

    - The process which drives localized user help during login (if the user
      clicks the "Help" link on a login screen)
    - The process which drives the "About" screen that displays GetAccess
      version information.

    All other GetAccess processes that support the localization mechanism do not
    contain this vulnerability.

    MITIGATING FACTORS:
    ===================

    - The only files that are potentially exposed are the ones that the web
      server has permission to access.
    - This vulnerability is limited to file retrieval only. It is not
      possible to exploit this vulnerability to upload files/data or to execute
      arbitrary code on the web server.
    - Only files on the Access Service machine(s) are potentially at risk of
      exposure. The most common deployment architecture segregates the Access
      Service from web servers hosting any sensitive application data.

    PATCH AVAILABILITY:
    ===================

    A patch is available now on the GetAccess support extranet at the following
    address:
    https://login.encommerce.com/private/docs/techSupport/Patches-BugFix

    WORK-AROUNDS:
    =============

    If the patch above is applied, the following work-arounds are not required.

    - The following files can be removed from GetAccess Access Service hosts,
      eliminating the vulnerability. Note that the patch above corrects the
      vulnerability in these scripts and eliminates the need to delete the
      scripts.
         
         helpwin.gas.bat: this script is referenced by the "Help" link on
         GetAccess login screens. These links could be replaced with
         alternative HTML help pages not driven by the GetAccess help script.

         AboutBox.gas.bat: This script drives the "About" box that displays
         GetAccess version information.

    - As part of normal security policy, customers should not store sensitive
      data on GetAccess Access Service hosts. Web servers hosting such data
      should be secured using the GetAccess Runtime, which is not affected
      by this vulnerability. Almost all Entrust GetAccess customers choose
      to deploy in this sort of configuration even in the absence of this
      vulnerability.

    - If the Access Service component is co-located on a web server hosting
      sensitive files, the Access Service can be segregated to a dedicated
      server in order to minimize the potential exposure.

    - File permissions should be set such that all files not explicitly needed
      by the web server are inaccessible to the user account under which the web
      server runs (in keeping with industry best practice).

    - Impacted Components: Only GetAccess servers running the Access Service
      component are affected. Web servers hosting secure content protected
      by the GetAccess Runtime are not affected.

    SUPPORT:
    ========

    Entrust customer support, including after-hours service, is available by
    phone as follows:

    North America: 1-877-754-7878
    Elsewhere: +1-613-270-3700

    ACKNOWLEDGMENT:
    ===============

    Entrust acknowledges the assistance of Rudi Carell, who worked with us to
    eliminate this vulnerability.

    Copyright (c) 2001 Entrust Inc.

    securityentrust.com
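
The LOCALE handling described under TECHNICAL DETAILS can be illustrated from the defender's side with the sketch below, which is an added example and not Entrust's patch or any GetAccess code. It validates the value before a path is built, confirms the resolved path stays under the template root, and flags logged requests whose LOCALE value is not of the XX_XX form. Assumptions: "XX_XX" is read as two letters, an underscore, two letters; the function names, the `/example/` URL prefix and the sample request targets are hypothetical and constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit, parse_qs

# Assumption: "XX_XX" means two letters, underscore, two letters (e.g. en_US).
LOCALE_RE = re.compile(r"[A-Za-z]{2}_[A-Za-z]{2}")


def safe_template_path(template_root, locale, filename):
    """Return the template path for `locale`, or raise ValueError."""
    if not LOCALE_RE.fullmatch(locale or ""):
        raise ValueError(f"rejected LOCALE value: {locale!r}")
    root = Path(template_root).resolve()
    candidate = (root / locale / filename).resolve()
    # Containment check: also catches a symlinked locale directory and a
    # filename that climbs out of the locale directory.
    if root not in candidate.parents:
        raise ValueError("resolved path escapes the template root")
    return candidate


def suspicious_locale_requests(request_targets):
    """Return the request targets whose LOCALE value is not XX_XX."""
    flagged = []
    for target in request_targets:
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        # Parameter name compared case-insensitively; any bad value flags.
        values = [v for k, vs in query.items()
                  if k.upper() == "LOCALE" for v in vs]
        if any(not LOCALE_RE.fullmatch(v) for v in values):
            flagged.append(target)
    return flagged


# Constructed sample request targets (hypothetical URL prefix).
SAMPLE_TARGETS = [
    "/example/helpwin.gas.bat?LOCALE=en_US",
    "/example/AboutBox.gas.bat?LOCALE=fr_CA",
    "/example/helpwin.gas.bat?LOCALE=../../somewhere",
    "/example/AboutBox.gas.bat?LOCALE=%2Ftmp",
]

if __name__ == "__main__":
    for target in suspicious_locale_requests(SAMPLE_TARGETS):
        print("flag:", target)
```

The same pattern check can be run over existing web server access logs for the two scripts named in the bulletin to look for past requests that did not carry a plain locale value.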