NetIQ Access Manager cross-site request forgery vulnerability reported against IDP login page (CVE-2018-7677)

  • 7022725
  • 12-Mar-2018
  • 30-Aug-2019

Environment


  • Access Manager Identity Server 4.4
  • Access Manager Identity Server 4.5


Situation

  • CVE-2018-7677
  • An AppScan test run against the Access Manager Identity Server returned the following findings:
  • "The request appears to be vulnerable to cross-site request forgery (CSRF) attacks against authenticated users."
  • "The original request contains parameters that look like they may be anti-CSRF tokens. However, the request is successful if these parameters are removed."


Resolution

  • This issue has been addressed in Access Manager 4.4.1.
  • A CSRF protection mechanism has been implemented for the TOTP and Form Based Login classes. It is enabled by adding the "LOGIN CSRF CHECK = true" IDP Cluster option (for further details, review the Access Manager documentation).


Cause

A new, dynamically generated token called "AntiCSRFToken" is required while the IDP server login pages are processed. If the token is missing or the login page has been modified, the IDP server logs report the following error:

<amLogEntry> 2019-08-30T12:30:25Z INFO NIDS Application: AM#500105039: AMDEVICEID#00118BC088481CE9: AMAUTHID#9e076f324ff12cf1100d83fa9bb17c04c412789f2200fa01003da492e0613e33:  Error on session id 9e076f324ff12cf1100d83fa9bb17c04c412789f2200fa01003da492e0613e33,
error 500105051-00118BC088481CE9, Login denied. Contact your administrator.:A potential security threat was detected. Login denied.:A potential security threat ( CSRF ) was detected. Login denied.</amLogEntry>
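A defender-side parser for the log format above, added here as an example that is not part of this article or of Access Manager: it splits each <amLogEntry> block into its identifiers and flags the entries carrying error code 500105051 or the "( CSRF )" reason text, so denials can be counted per device or forwarded to a SIEM. The field layout is assumed from the single sample entry; the second log entry in the sample is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Field layout taken from the single sample entry above (assumed to hold for other NIDS entries):
#   <amLogEntry> <ts> <level> <component>: AM#<msg>: AMDEVICEID#<dev>: AMAUTHID#<auth>: <body></amLogEntry>
ENTRY_RE = re.compile(
    r"<amLogEntry>\s*(?P<ts>\S+)\s+(?P<level>\S+)\s+(?P<component>[^:]+):\s+"
    r"AM#(?P<msg_id>[^:\s]+):\s+AMDEVICEID#(?P<device>[^:\s]+):\s+"
    r"AMAUTHID#(?P<auth>[^:\s]+):\s*(?P<body>.*?)</amLogEntry>", re.DOTALL)
# "error <code>-<device id>" inside the body; 500105051 is the code in the sample entry
ERROR_RE = re.compile(r"\berror\s+(?P<code>\d+)-[0-9A-Fa-f]+")
CSRF_ERROR_CODE = "500105051"

@dataclass
class Entry:
    timestamp: str
    msg_id: str
    device_id: str
    auth_id: str
    error_code: Optional[str]
    body: str

    def is_csrf_denial(self) -> bool:
        # Error code first; the "( CSRF )" reason text is the fallback
        return self.error_code == CSRF_ERROR_CODE or "( CSRF )" in self.body

def parse_entries(log_text: str) -> "list[Entry]":
    """Parse every <amLogEntry>...</amLogEntry> block, multi-line ones included."""
    entries = []
    for m in ENTRY_RE.finditer(log_text):
        body = " ".join(m.group("body").split())  # re-join wrapped lines
        err = ERROR_RE.search(body)
        entries.append(Entry(m.group("ts"), m.group("msg_id"), m.group("device"),
                             m.group("auth"), err.group("code") if err else None, body))
    return entries

def csrf_denials(log_text: str) -> "list[Entry]":
    return [e for e in parse_entries(log_text) if e.is_csrf_denial()]

SAMPLE_LOG = (  # the page's entry re-joined, followed by one constructed benign entry
    "<amLogEntry> 2019-08-30T12:30:25Z INFO NIDS Application: AM#500105039: AMDEVICEID#00118BC088481CE9: "
    "AMAUTHID#9e076f324ff12cf1100d83fa9bb17c04c412789f2200fa01003da492e0613e33:  Error on session id "
    "9e076f324ff12cf1100d83fa9bb17c04c412789f2200fa01003da492e0613e33,\nerror 500105051-00118BC088481CE9, "
    "Login denied. Contact your administrator.:A potential security threat was detected. Login denied.:"
    "A potential security threat ( CSRF ) was detected. Login denied.</amLogEntry>\n"
    "<amLogEntry> 2019-08-30T12:31:02Z INFO NIDS Application: AM#000000000: AMDEVICEID#00118BC088481CE9: "
    "AMAUTHID#constructed-auth-id-0001: constructed benign entry, not a real NAM message</amLogEntry>\n"
)
```

Running `csrf_denials(SAMPLE_LOG)` returns only the first entry; a spike of such entries from one AMDEVICEID after enabling the cluster option is the signal worth alerting on.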

Status

Security Alert