NAM and OpenSSL SSL/TLS MITM vulnerability (CVE-2014-0224)

  • 7015158
  • 09-Jun-2014
  • 08-Jul-2014

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 4.0
NetIQ Access Gateway
NetIQ Identity Server
NetIQ SSLVPN server
NetIQ Administration Console Server

Situation

With the exception of the Access Gateway, the NAM components are not impacted by the version of OpenSSL shipping with the operating system (SLES, RHEL or Windows). These non-AG components (AC and IDP) are Tomcat based and do not use OpenSSL at all. All of the above operating systems have been patched, and it is recommended as a best practice that the NAM hosts be updated with the patched OpenSSL versions anyway.

With the Access Gateway, the dependency on OpenSSL varies with the platform you are running on, as well as whether the appliance or the service is running. The following list states whether the issue exists in each case, and how it can be mitigated:

1) Access Gateway Service (AGS)

AGS on SLES: Uses the OpenSSL that comes with the base OS; SUSE updates will patch the vulnerability.
AGS on RHEL: NAM includes OpenSSL 0.9.8 libraries. These need to be patched through a NAM hotfix, which is available in NAM 4.0.1 HF1 and in the upcoming 3.2 SP3.
AGS on Windows: NAM includes OpenSSL 0.9.8 libraries. These need to be patched through a NAM hotfix, which will be available in NAM 4.0.2 and 3.2 SP3.

2) Access Gateway and Access Manager Appliance

3.2: NAM ships with openssl 0.98r. This needs to be updated via the NAM security update channel.
4.0: NAM uses the OpenSSL that ships with the OS. This needs to be updated via the NAM security update channel.

3) OpenSSL 1.0.1g based AG (only available with NAM 4.0 HF1 and newer): For those customers that have manually copied over the OpenSSL files shipping with NAM 4.0 HF1 and greater, both the AG appliance and service are vulnerable and need to be updated to OpenSSL 1.0.1h. This is fixed in the 4.0.1 HF1 hotfix builds and greater.

Additional Information

For Access Manager 3.1.5 to be exploited by the CVE-2014-0224 OpenSSL vulnerability:
  • the network must be compromised - an attacker needs access to snoop SSL traffic
  • the client and server must BOTH be running a susceptible version of OpenSSL for the vulnerability to be exploited
  • the NAM 3.1.5 LAG in server mode is NOT susceptible - when processing SSL requests from browsers
  • the NAM 3.1.5 LAG in client mode IS susceptible - when proxying requests to SSL Web servers

To mitigate the vulnerability when NAM 3.1.5 is in client mode, make sure that all back end SSL enabled Web servers have OpenSSL patches installed at the OS level. With this configuration neither client nor server is running a susceptible version, and the SSL connection cannot be exploited by this vulnerability. The other 3.1.5 components (IDP and Admin Console) should upgrade OpenSSL on the underlying OS to an unaffected version.
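The following is an added audit helper, not code from this article or from NetIQ, that applies the "both ends must be susceptible" rule above to an inventory of TLS hops. It parses `openssl version` strings and compares them against the upstream fix releases for CVE-2014-0224 (1.0.1h as named here; 0.9.8za and 1.0.0m for the older branches in the same OpenSSL advisory). Hop names, version strings and the `exploitable_links` function are constructed for the example; OS-supplied OpenSSL on SLES/RHEL is backported without a letter bump, so for those hosts the package changelog, not the version string, is authoritative.

```python
import re

# Upstream releases that fix CVE-2014-0224, per branch (OpenSSL advisory, June 2014).
FIXED = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}

_VER_RE = re.compile(r"OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def _letters_key(letters):
    # OpenSSL patch letters order a < b < ... < z < za < zb: shorter suffix first, then lexicographic.
    return (len(letters), letters)


def parse_openssl_version(text):
    """Return (branch, patch_letters) from 'openssl version' output, e.g. ('1.0.1', 'g')."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError("not an OpenSSL version string: %r" % text)
    return m.group(1), m.group(2)


def is_fixed_upstream(text):
    """True if the upstream release is at or beyond the CVE-2014-0224 fix for its branch.

    Branches newer than 1.0.1 postdate the fix; older unknown branches are treated as vulnerable.
    Distro packages (SLES/RHEL) backport fixes without changing the letter, so this check is only
    meaningful for OpenSSL builds that NAM ships itself, not for OS-supplied libraries.
    """
    branch, letters = parse_openssl_version(text)
    if branch in FIXED:
        return _letters_key(letters) >= _letters_key(FIXED[branch])
    major, minor, patch = (int(x) for x in branch.split("."))
    return (major, minor, patch) > (1, 0, 1)


def exploitable_links(links):
    """Given (name, client_version, server_version) tuples, one per TLS hop, return the names of
    hops where BOTH ends still run a vulnerable upstream OpenSSL (the condition in the article)."""
    return [name for name, client, server in links
            if not is_fixed_upstream(client) and not is_fixed_upstream(server)]


if __name__ == "__main__":
    # Constructed inventory: a LAG in client mode proxying to two back end web servers.
    links = [
        ("LAG->backend-A", "OpenSSL 0.9.8r 8 Feb 2011", "OpenSSL 1.0.1g 7 Apr 2014"),
        ("LAG->backend-B", "OpenSSL 0.9.8r 8 Feb 2011", "OpenSSL 1.0.1h 5 Jun 2014"),
    ]
    for hop in exploitable_links(links):
        print("still exploitable:", hop)
```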