OpenSSL 1.0.2zd vulnerability on Siteminder Access Gateway r12.8.x.
Symantec Siteminder Access Gateway bundles OpenSSL 1.0.2 with all versions of r12.8.x:
r12.8.1: OpenSSL 1.0.2q
r12.8.2: OpenSSL 1.0.2q
r12.8.3: OpenSSL 1.0.2r
r12.8.4: OpenSSL 1.0.2u
r12.8.5: OpenSSL 1.0.2x
r12.8.6: OpenSSL 1.0.2za
r12.8.6a: OpenSSL 1.0.2za
Vulnerabilities have been reported on various versions of OpenSSL 1.0.2 all the way through to 1.0.2zd. This impacts all GA versions of Symantec Siteminder Access Gateway up to and including r12.8.6a.
CVE-2022-1292
Component: OpenSSL
Versions Impacted: 1.0.2 - 1.0.2zd
Severity: Moderate
DESCRIPTION:
The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Reported by Elison Niven (Sophos).
Fixed in OpenSSL 1.0.2ze
Release: 12.8.6a
Component: Siteminder Access Gateway
Upgrade the OpenSSL in all Siteminder Access Gateways to OpenSSL 1.0.2ze
NOTE:
WINDOWS
r12.8.6 and higher on Windows: openssl102ze_win64_12806.zip
r12.8.5 and lower on Windows: openssl102ze_win64_12805.zip
r12.8.6a and lower on Linux: openssl1.0.2ze_linux64bit.zip
###### UPGRADE INSTRUCTIONS ######
---------------------------------------------------
OpenSSL 1.0.2ze on Linux Installation Instructions
---------------------------------------------------
1) Copy "openssl1.0.2ze_linux64bit.zip" to the Access Gateway Server
2) Unzip "openssl1.0.2ze_linux64bit.zip"
unzip openssl1.0.2ze_linux64bit.zip
3) Stop the Access Gateway Server.
4) Navigate to the '<InstallDir>/CA/secure-proxy' directory.
5) Note the permissions on the '<InstallDir>/CA/secure-proxy/SSL/' directory.
6) Backup the '<InstallDir>/CA/secure-proxy/SSL/' directory.
7) Copy '/1.0.2ze_linux64bit/Release/bin/openssl' to the '/<InstallDir>/CA/secure-proxy/SSL/bin/' directory.
cp /1.0.2ze_linux64bit/Release/bin/openssl /<InstallDir>/CA/secure-proxy/SSL/bin/openssl
8) Copy the library files from '/1.0.2ze_linux64bit/Release/lib/' to the '/<InstallDir>/CA/secure-proxy/SSL/lib/' directory.
cp -r /1.0.2ze_linux64bit/Release/lib/lib* /<InstallDir>/CA/secure-proxy/SSL/lib/
9) Re-set the permissions on the copied files.
10) Re-source the environment variables:
. ./ca_sps_env.sh
11) Re-start the Access Gateway.
./proxy-engine/sps-ctl start
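The Linux steps above as a script, added here as an example and not part of the Broadcom article, with the checks an operator wants before declaring the gateway patched: the package really reports 1.0.2ze, a backup of SSL/ exists, and the old file modes survive the copy (step 9). It assumes the package is unzipped to the first argument and the Access Gateway is installed under the second (both assumptions); stopping and restarting the gateway (steps 3 and 11) is left to the operator.

```shell
#!/bin/sh
# Example script (not from the Broadcom article); paths are assumptions.

# Version reported by an openssl binary, e.g. "1.0.2ze" (field 2 of `openssl version`).
# The binary needs its own libraries, so the matching lib directory is passed too.
openssl_version() {
  LD_LIBRARY_PATH="$2${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" "$1" version 2>/dev/null | awk '{print $2}'
}

# Octal file mode (GNU stat, falling back to BSD stat).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Copy one file into place and re-apply the mode the old file had (step 9).
install_keep_mode() {
  old=""; [ -e "$2" ] && old=$(mode_of "$2")
  cp "$1" "$2" || return 1
  [ -n "$old" ] && chmod "$old" "$2"
  return 0
}

# upgrade_openssl <unzipped package dir> <InstallDir> [expected version]
upgrade_openssl() {
  src="$1"; inst="$2"; want="${3:-1.0.2ze}"
  ssl="$inst/CA/secure-proxy/SSL"
  new="$src/Release/bin/openssl"
  [ -x "$new" ] || { echo "no openssl binary under $src" >&2; return 1; }
  [ -d "$ssl/bin" ] && [ -d "$ssl/lib" ] || { echo "no SSL dir under $inst" >&2; return 1; }
  # pre-flight: refuse a package that does not report the fixed version
  got=$(openssl_version "$new" "$src/Release/lib")
  [ "$got" = "$want" ] || { echo "package reports '$got', want '$want'" >&2; return 1; }
  # steps 5-6: record the current permissions and keep a full backup of SSL/
  stamp=$(date +%Y%m%d%H%M%S)
  ls -lR "$ssl" > "$inst/ssl-perms-$stamp.txt"
  cp -pr "$ssl" "$ssl.bak-$stamp" || return 1
  # steps 7-9: install the binary and libraries, keeping the previous modes
  install_keep_mode "$new" "$ssl/bin/openssl" || return 1
  for f in "$src"/Release/lib/lib*; do
    install_keep_mode "$f" "$ssl/lib/$(basename "$f")" || return 1
  done
  # post-check: the installed binary must now report the fixed version
  [ "$(openssl_version "$ssl/bin/openssl" "$ssl/lib")" = "$want" ] || return 1
  echo "upgraded $ssl/bin/openssl to $want (backup: $ssl.bak-$stamp)"
}
```

Run as the account that owns the Access Gateway files, e.g. `upgrade_openssl /1.0.2ze_linux64bit /<InstallDir>`, then re-source ca_sps_env.sh and start the gateway as in steps 10 and 11.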
---------------------------------------------------
OpenSSL 1.0.2ze Windows Installation Instructions
---------------------------------------------------
1) Stop the Access Gateway server
2) Browse to the "<Install_Dir>\CA\secure-proxy\SSL\bin\" directory in Access Gateway
Default: C:\Program Files\CA\secure-proxy\SSL\
3) Back-up the following files:
<Install_Dir>\CA\secure-proxy\SSL\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\SSL\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\SSL\bin\ssleay32.dll
4) Replace them with the files from the Windows zip for your release (openssl102ze_win64_12806.zip for r12.8.6 and higher, openssl102ze_win64_12805.zip for r12.8.5 and lower).
5) Browse to the "<Install_Dir>\CA\secure-proxy\HTTPD\bin\" directory in Access Gateway
Default: C:\Program Files\CA\secure-proxy\HTTPD\
6) Back-up the following files:
<Install_Dir>\CA\secure-proxy\HTTPD\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\HTTPD\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\HTTPD\bin\ssleay32.dll
7) Replace them with the files from the same Windows zip used in step 4.
8) Start the Access Gateway server