[23068] in bugtraq
Entrust Bulletin E01-005: GetAccess Access Service vulnerability
daemon@ATHENA.MIT.EDU (Eric Skinner)
Mon Nov 5 13:05:15 2001
Message-ID: <9A4F653B0A375841AC75A8D17712B9C901BA792C@sottmxs04.entrust.com>
From: Eric Skinner <Eric.Skinner@entrust.com>
To: "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>
Date: Mon, 5 Nov 2001 09:23:56 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Entrust Security Bulletin E01-005
=================================
Entrust GetAccess(tm) Access Service Vulnerability
SUMMARY:
========
A vulnerability has been identified in Entrust GetAccess that could allow
unauthorized retrieval of files on certain GetAccess web servers. Entrust
recommends installation of the patch described below, which addresses this
vulnerability.
Impact of vulnerability:
This vulnerability could potentially result in the unauthorized retrieval of
some files hosted on impacted web servers. Servers running the GetAccess
Access Service are impacted; others running GetAccess runtimes and other
services are not. Typical customer deployments store sensitive content on
GetAccess runtime servers, therefore reducing the impact of this
vulnerability.
Solution:
Entrust has made a patch available on the GetAccess support extranet at
the location listed below. A workaround also exists, described below.
Affected Configurations:
- Versions: Entrust GetAccess, all versions
- Platforms: All
- Services: Entrust GetAccess Access Service
TECHNICAL DETAILS:
==================
GetAccess provides a localization mechanism that allows its HTML pages (used
for logout sequences, error messages, timeout messages, and the like) to be
localized using different language-specific templates. This mechanism takes
in as an argument a query string name-value pair of the format
"LOCALE=XX_XX", where XX_XX corresponds to the name of the sub-directory
within the GetAccess directory structure that contains the appropriate HTML
templates. GetAccess uses this information to build the directory path and
select the appropriate files.
The vulnerability arises if a user manually substitutes an arbitrary
directory path for the XX_XX value. The localization mechanism is
vulnerable in the following GetAccess Access Service capabilities:
- The process which drives localized user help during login (if the user
clicks the "Help" link on a login screen)
- The process which drives the "About" screen that displays GetAccess
version information.
All other GetAccess processes that support the localization mechanism do not
contain this vulnerability.
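The defect the bulletin describes is a LOCALE value that is used as a directory name without being checked. The following is an added example, not Entrust's code or the GetAccess implementation, showing how a template resolver can accept only a plain "XX_XX" name and, as an independent second check, verify that the resolved file still sits inside the locales directory. It assumes a layout of <base>/locales/<XX_XX>/<template> and a fixed template file name; both are assumptions, not details from the bulletin.

```python
"""Added example, not Entrust's code: a LOCALE-to-template resolver that
refuses arbitrary directory paths in the XX_XX value the bulletin describes.

Assumptions (not stated in the bulletin): templates live under
<base>/locales/<XX_XX>/<template>, the template file name is fixed by
the calling page, and the raw query string is available to the resolver.
"""
import re
import tempfile
from pathlib import Path
from urllib.parse import parse_qs

# A locale name is exactly "XX_XX": two letters, underscore, two letters.
LOCALE_RE = re.compile(r"[A-Za-z]{2}_[A-Za-z]{2}")


class LocaleError(ValueError):
    """Raised for any LOCALE value that must not reach the filesystem."""


def within(root: Path, candidate: Path) -> bool:
    """True if candidate is strictly inside root (both already resolved).

    Compares path components, not string prefixes: a prefix test would
    accept /srv/locales_old/x as being under /srv/locales.
    """
    return root in candidate.parents


def resolve_template(base_dir: Path, query: str, template: str = "logout.html") -> Path:
    """Return the template file for the LOCALE in `query`, or raise LocaleError.

    Two independent checks: an allowlist pattern on the raw value, then a
    canonical-path containment check on the resolved file, so a regression
    in one check still leaves the other standing.
    """
    values = parse_qs(query, keep_blank_values=True).get("LOCALE", [])
    if len(values) != 1:
        raise LocaleError("LOCALE must be supplied exactly once")
    locale = values[0]
    if not LOCALE_RE.fullmatch(locale):
        raise LocaleError(f"rejected LOCALE value {locale!r}")
    locales_root = (base_dir / "locales").resolve()
    candidate = (locales_root / locale / template).resolve()
    if not within(locales_root, candidate):
        raise LocaleError("resolved path escapes the locales directory")
    if not candidate.is_file():
        raise LocaleError(f"no template for locale {locale!r}")
    return candidate


def build_demo_tree() -> Path:
    """Constructed directory layout for the demonstration (temporary dir)."""
    base = Path(tempfile.mkdtemp(prefix="getaccess_demo_"))
    en_us = base / "locales" / "en_US"
    en_us.mkdir(parents=True)
    (en_us / "logout.html").write_text("<html>constructed template</html>")
    (base / "config.txt").write_text("constructed file outside the locales tree")
    return base


def classify(base: Path, query: str) -> str:
    """'served' for an acceptable locale, otherwise 'rejected (<reason>)'."""
    try:
        resolve_template(base, query)
        return "served"
    except LocaleError as exc:
        return f"rejected ({exc})"


if __name__ == "__main__":
    demo = build_demo_tree()
    for q in ("LOCALE=en_US", "LOCALE=fr_FR", "LOCALE=../..",
              "LOCALE=en_US&LOCALE=fr_FR", ""):
        print(f"{q!r:32} -> {classify(demo, q)}")
```

The allowlist check alone would close this bulletin's issue; the containment check is kept because it also catches a future change that relaxes the pattern, and it compares path components rather than string prefixes, which is the usual mistake in such checks.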
MITIGATING FACTORS:
===================
- The only files that are potentially exposed are the ones that the web
server has permission to access.
- This vulnerability is limited to file retrieval only. It is not
possible to exploit this vulnerability to upload files/data or to execute
arbitrary code on the web server.
- Only files on the Access Service machine(s) are potentially at risk of
exposure. The most common deployment architecture segregates the Access
Service from web servers hosting any sensitive application data.
PATCH AVAILABILITY:
===================
A patch is available now on the GetAccess support extranet at the following
address:
https://login.encommerce.com/private/docs/techSupport/Patches-BugFix
WORK-AROUNDS:
=============
If the patch above is applied, the following work-arounds are not required.
- The following files can be removed from GetAccess Access Service hosts,
eliminating the vulnerability. Note that the patch above corrects the
vulnerability in these scripts and eliminates the need to delete the
scripts.
  helpwin.gas.bat: This script is referenced by the "Help" link on
  GetAccess login screens. These links could be replaced with
  alternative HTML help pages not driven by the GetAccess help script.
  AboutBox.gas.bat: This script drives the "About" box that displays
  GetAccess version information.
- As part of normal security policy, customers should not store sensitive
data on GetAccess Access Service hosts. Web servers hosting such data
should be secured using the GetAccess Runtime, which is not affected
by this vulnerability. Almost all Entrust GetAccess customers choose
to deploy in this sort of configuration even in the absence of this
vulnerability.
- If the Access Service component is co-located on a web server hosting
sensitive files, the Access Service can be segregated to a dedicated
server in order to minimize the potential exposure.
- File permissions should be set such that all files not explicitly needed
by the web server are inaccessible to the user account under which the web
server runs (in keeping with industry best practice).
- Impacted Components: Only GetAccess servers running the Access Service
component are affected. Web servers hosting secure content protected
by the GetAccess Runtime are not affected.
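Besides patching or removing the two scripts, an administrator will want to know whether the localization parameter was ever fed anything other than a locale name before the fix went in. The following is an added example, not Entrust's code, that scans access-log lines for requests to helpwin.gas.bat or AboutBox.gas.bat whose LOCALE value is not of the form XX_XX. It assumes Common Log Format, a /getaccess/ script path and a single round of URL decoding; the log lines are constructed for the demonstration.

```python
"""Added example, not Entrust's code: retrospective detection over web-server
access logs for requests to the two scripts the bulletin names
(helpwin.gas.bat and AboutBox.gas.bat) whose LOCALE value is not a plain
XX_XX locale name.

Assumptions (not from the bulletin): the server writes Common Log Format,
the scripts sit under a /getaccess/ path, and parameter decoding matches
what the server does (one round of URL decoding). The log lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Script names from the bulletin; compared case-insensitively.
AFFECTED_SCRIPTS = ("helpwin.gas.bat", "aboutbox.gas.bat")
LOCALE_RE = re.compile(r"[A-Za-z]{2}_[A-Za-z]{2}")
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def offending_locale(url: str):
    """Return the first LOCALE value that is not XX_XX, or None.

    Requests to other paths are ignored on purpose: the bulletin limits
    the defect to the help and About scripts, and unrelated pages using
    LOCALE would only generate noise.
    """
    parts = urlsplit(url)
    if not parts.path.lower().endswith(AFFECTED_SCRIPTS):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("LOCALE", []):
        if not LOCALE_RE.fullmatch(value):
            return value
    return None


def scan(lines):
    """Return a list of (client, timestamp, status, locale_value) per suspicious request."""
    findings = []
    for line in lines:
        m = CLF_RE.match(line)
        if m is None:
            continue  # not CLF, or a malformed line; skip rather than crash
        bad = offending_locale(m["url"])
        if bad is not None:
            findings.append((m["ip"], m["ts"], m["status"], bad))
    return findings


# Constructed sample log; only the second and fifth lines should be reported.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Nov/2001:09:23:56 -0500] "GET /getaccess/helpwin.gas.bat?LOCALE=en_US HTTP/1.0" 200 1234',
    '10.0.0.9 - - [05/Nov/2001:09:24:10 -0500] "GET /getaccess/helpwin.gas.bat?LOCALE=..%2F..%2Fsomedir HTTP/1.0" 200 512',
    '10.0.0.7 - - [05/Nov/2001:09:25:02 -0500] "GET /getaccess/AboutBox.gas.bat?LOCALE=fr_FR HTTP/1.0" 200 800',
    '10.0.0.8 - - [05/Nov/2001:09:25:40 -0500] "GET /app/index.html?LOCALE=../x HTTP/1.0" 200 300',
    '10.0.0.9 - - [05/Nov/2001:09:26:15 -0500] "GET /getaccess/AboutBox.gas.bat?LOCALE=C:%5Cgetaccess HTTP/1.0" 404 0',
    'garbage line that is not CLF',
]

if __name__ == "__main__":
    for client, ts, status, value in scan(SAMPLE_LOG):
        print(f"{ts} {client} status={status} LOCALE={value!r}")
```

A 200 status on a flagged request is the line worth following up, since it means the script returned something for a non-locale value; a 404 shows the attempt but not a successful read.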
SUPPORT:
========
Entrust customer support, including after-hours service, is available by
phone as follows:
North America: 1-877-754-7878
Elsewhere: +1-613-270-3700
ACKNOWLEDGMENT:
===============
Entrust acknowledges the assistance of Rudi Carell, who worked with us to
eliminate this vulnerability.
Copyright (c) 2001 Entrust Inc.
security@entrust.com