Learn about the security vulnerability fixes for VIP Enterprise Gateway (VIP EG).

Also see the VIP documentation page.

Security fixes

• VIP Enterprise Gateway 9.8
• VIP Enterprise Gateway 9.7
• VIP Enterprise Gateway 9.6.1
• VIP Enterprise Gateway 9.5
• VIP Enterprise Gateway Versions - 9.0, 9.1, 9.2, 9.3, 9.4
• Security Fixes for VIP SSP IDP Proxy (9.7 and earlier)

VIP Enterprise Gateway 9.10.2

Vulnerabilities

• Cross SITE SCRIPTING (URL sanitation check)
• Using component with known (Jetty server upgrade)
• Cross Site Request Forgery (also named as 'Replay attack') The password can be captured from this vulnerability.

Solution:

Planned in VIP EG 9.11 release.

VIP Enterprise Gateway 9.8

Vulnerabilities

• XSS Reflected: VIP Enterprise Gateway - XSS Reflected vulnerability fix
• Apache Struts (resolved in VIP EG 9.8.4 and later): VIP Enterprise Gateway fix for the Struts 2 vulnerabilities  
• Sweet32 (resolved in VIP EG 9.8.4 and later):

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2183

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.

Solution

Upgrade to VIP EG 9.8.4 or later. If not possible, complete the following on the VIP Enterprise Gateway machine to update the Self Service Portal (SSP) IdP, VIP Manager IdP, and the VIP Enterprise Gateway components. These instructions are applicable only for VIP Enterprise Gateway 9.7 and VIP Enterprise Gateway 9.8 on Windows or Linux platforms.

1. Stop the following Services, if applicable:
   • Self Service Portal IdP
   • VIP Manager IdP
   • LDAP sync service
2. Download the weakciphers.properties file provided with this article into a temporary location.
3. Create a backup of the file weakciphers.properties in the <VIPEG_INSTALLATION>/conf/ folder, then replace it with the downloaded to the temporary folder in step 2.
4. Start all services stopped in step 1. 

Rollback procedures for VIP Enterprise Gateway 9.8

Perform these steps if the above solution fails to install properly:

1. Stop the following services, if applicable:
   • Self Service Portal IdP
   • VIP Manager IdP
   • LDAP sync service.
   • All Validation Services
   • VIP Enterprise Gateway Service
2. Restore the backed-up weakciphers.properties file to the <VIPEG_INSTALLATION>/conf/ folder.
3. Start all services.

VIP Enterprise Gateway 9.7

Vulnerabilities

• Apache Struts:
  Refer to https://support.symantec.com/en_US/article.TECH239874.html and  https://support.symantec.com/en_US/article.TECH239874.html
• Sweet32:
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2183
  The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack.

Solution

Complete the following on the VIP Enterprise Gateway machine to update the Self Service Portal (SSP) IdP, VIP Manager IdP, and the VIP Enterprise Gateway components. These instructions are applicable only for VIP Enterprise Gateway 9.7 and VIP Enterprise Gateway 9.8 on Windows or Linux platforms.

1. Stop the following Services, if applicable:
   
   • Self Service Portal IdP
   • VIP Manager IdP
   • LDAP sync service
2. Download the weakciphers.properties file provided with this article into a temporary location.
3. Create a backup of the file weakciphers.properties in the <VIPEG_INSTALLATION>/conf/ folder, then replace it with the downloaded to the temporary folder in step 2.
4. Start all services stopped in step 1. 

Rollback procedures for VIP Enterprise Gateway 9.7

Perform these steps if the above solution fails to install properly:

1. Stop the following services, if applicable:
   • Self Service Portal IdP
   • VIP Manager IdP
   • LDAP sync service.
   • All Validation Services
   • VIP Enterprise Gateway Service
2. Restore the backed-up weakciphers.properties file to the <VIPEG_INSTALLATION>/conf/ folder.
3. Start all services.

VIP Enterprise Gateway 9.6.1

Vulnerabilities

RC4 Bar Mitzvah Attack - NVD - CVE-2015-2808

This vulnerability exploits a weakness in the older, less secure RC4 encryption algorithm option in SSL/TLS, which is still supported in many browsers and servers.

VIP Enterprise Gateway components affected by these vulnerabilities

• VIP Enterprise Gateway Console
• VIP Manager IdP
• VIP Self Service Portal IdP – users accessing the portal inside the corporate network.

​Note: The communication from the VIP Enterprise Gateway to the corporate user store may also be vulnerable if the channel is protected with TLS. However, because clients other than the VIP Enterprise Gateway also access the corporate user store, Symantec recommends that you disable the specific cipher in TLS protocol on the user store. You must follow the solution provided by your LDAP server vendor for the remediation details.

Solution

Complete the following on the VIP Enterprise Gateway machine to update the Self Service Portal (SSP) IdP, VIP Manager IdP, and the VIP Enterprise Gateway components. These instructions are applicable only for VIP Enterprise Gateway 9.6.1 on Windows or Linux platforms.

1. Stop the following Services, if applicable:
   • Self Service Portal IdP
   • VIP Manager IdP
   • Enterprise Gateway Service
2. Download the file weakciphers.properties file provided with these instructions into a temporary location.
3. Create a backup of the file weakciphers.properties in the <VIPEG_INSTALLATION>/conf/ folder, then replace it with the downloaded to the temporary folder in step 2.
4. Start all services stopped in step 1.

Roll back for VIP Enterprise Gateway 9.6.1

Perform these steps if the solution fails to install properly:

1. Stop the following services, if applicable:
   • Self Service Portal IdP
   • VIP Manager IdP
   • LDAP sync service.
   • All Validation Services
   • VIP Enterprise Gateway Service
2. Restore the backed-up weakciphers.properties file to the <VIPEG_INSTALLATION>/conf/ folder.
3. Start all services.

VIP Enterprise Gateway 9.5

Vulnerabilities

• Drown vulnerability:
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0800
  A padding oracle flaw was found in the Secure Sockets Layer version 2.0 (SSLv2) protocol. An attacker can potentially use this flaw to decrypt RSA-encrypted cipher text from a connection using a newer SSL/TLS protocol version, allowing them to decrypt such connections. This cross-protocol attack is publicly referred to as DROWN.
• SSLv3 (POODLE) vulnerability:
  https://www.us-cert.gov/ncas/alerts/TA14-290A 
  This affects secure web connections using the SSL v3 protocol.
• RC4 Bar Mitzvah vulnerability:
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2808 
  This exploits a weakness in the older, less secure RC4 encryption algorithm option in SSL/TLS, which is still supported in many browsers and servers.
• FREAK vulnerability:
  https://www.us-cert.gov/ncas/current-activity/2015/03/06/FREAK-SSLTLS-Vulnerability 
  This affects secure web connections using the TLS protocol. This vulnerability affects any SSL/TLS server that accepts ‘export-grade’ encryption in their communication and client/browser using the same encryption that is vulnerable to CVE -2015-0204.
• Logjam vulnerability:
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4000 
  This affects secure web connections using the TLS protocol 1.2 and earlier, when a DHE_EXPORT cipher suite is enabled which allows man-in-the-middle attackers to conduct cipher-downgrade attacks. This vulnerability affects any SSL/TLS server that accepts ‘export-grade’ encryption in their communication and client/browser using the same encryption that is vulnerable to CVE-2015-4000.

VIP Enterprise Gateway components affected by these vulnerabilities

• VIP Enterprise Gateway Console
• VIP Manager IdP
• VIP Self Service Portal IdP – users accessing the portal inside the corporate network
• Validation Service and LDAP Synchronization Service communications to VIP User Services.

Note: Client communications from the Validation Service and the LDAP Synchronization Service to the corporate user store (cloud) may become vulnerable if the channel is protected with SSL/TLS. Because other non-Symantec VIP applications access the corporate user store, Symantec recommends disabling the SSLv3 protocol and specific ciphers in the TLS protocol on the user store. Follow the solution provided by your LDAP server vendor for remediation details. 

Solution

Complete the following on the VIP Enterprise Gateway machine hosting the Self Service Portal (SSP) IdP, VIP Manager IdP, and the VIP Enterprise Gateway Console: 

1. Download the file VIP_EG_Windows.zip (see attached files below), then extract to a temporary folder. The following files should be extracted:
   • Engine.jar
   • vsauthwsclient.dll
2. Download the files VIP_EG_Linux_1.zip and VIP_EG_Linux_2.zip (see attached files below), then extract to a  temporary folder.The following files should be extracted:
   Engine.jar
   libvsauthwsclient.so
3. Stop the following applicable services:
   • Self Service Portal IdP
   • VIP Manager IdP
   • LDAP sync service
   • All Validation Services
   • VIP Enterprise Gateway Service
4. Delete the jetty work directory from the <INSTALL_DIR>/server/work.
5. Create a backup of the file engine.jar file located in <INSTALL_DIR>/server/ext, then replace it with the file extracted to the temporary folder in step 1.
6. Create a backup of the file vsauthwsclient.dll (Windows platform) or libvsauthwsclient.so (Linux platform) <INSTALL_DIR>/Validation/bin, then replace it with the file extracted to the temporary folder in step 1.
7. Download the file weakciphers.properties (see attached files below) to a temporary folder.
8. Create a backup of the file weakciphers.properties located in <VIPEG_INSTALLATION>/conf/, then replace it with the downloaded to the temporary folder in step 7. 
9. Start all services stopped in step 3.

Rollback for VIP Enterprise Gateway 9.5

Perform these steps if the solution fails to install properly:

1. Stop the following services, if applicable:
   • Self Service Portal IdP
   • VIP Manager IdP
   • LDAP sync service
   • All Validation Services
   • VIP Enterprise Gateway Service
2. Delete the jetty work directory from the <INSTALL_DIR>/server/work folder.
3. Restore the back-up file engine.jar to the <INSTALL_DIR>/server/ext folder
4. Restore the back-up file vsauthwsclient.dll (Windows platforms) OR libvsauthwsclient.so (Linux platforms) to the <INSTALL_DIR>/Validation/bin folder.
5. Restore the back-up version of weakciphers.properties to the <VIPEG_INSTALLATION>/conf/ folder.
6. Start all services stopped in step 1.
    

VIP Enterprise Gateway Versions 9.0, 9.1, 9.2, 9.3, 9.4

If you are running Enterprise Gateway 9.4 or older, Symantec recommends upgrading to the latest available version of VIP Enterprise Gateway

Security Fixes for VIP SSP IDP Proxy (9.7 and earlier)

For fixing the security vulnerabilities in VIP SSP IdP Proxy, see Security fixes for SSP IdP Proxy