OpenSSL 1.0.2ze and older vulnerabilities on Access Gateway r12.8.x

Article ID: 244937

Products

SITEMINDER

Issue/Introduction

Vulnerability with OpenSSL 1.0.2ze and older on Symantec Siteminder Access Gateway r12.8.x.

Symantec Siteminder Access Gateway bundles OpenSSL 1.0.2 with all versions of r12.8.x:

r12.8.0: OpenSSL 1.0.2q
r12.8.1: OpenSSL 1.0.2q
r12.8.2: OpenSSL 1.0.2q
r12.8.3: OpenSSL 1.0.2r
r12.8.4: OpenSSL 1.0.2u
r12.8.5: OpenSSL 1.0.2x
r12.8.6: OpenSSL 1.0.2za
r12.8.6a: OpenSSL 1.0.2za

Vulnerabilities have been reported on various versions of OpenSSL 1.0.2 all the way through to 1.0.2ze. This impacts all GA versions of Symantec Siteminder Access Gateway up to and including r12.8.6a.

Environment

Release: r12.8.0 - r12.8.6a

Component: Symantec Siteminder Access Gateway Server

Cause

CVE-2022-2068

Component: OpenSSL
Versions Impacted: 1.0.2 - 1.0.2ze
Severity: Moderate

DESCRIPTION:

(OpenSSL advisory) [Moderate severity] 21 June 2022: In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Reported by Chancen (Qingteng 73lab).

Fixed in OpenSSL 1.0.2zf (git commit) (Affected 1.0.2-1.0.2ze)

Resolution

Upgrade the OpenSSL in all Siteminder Access Gateways to OpenSSL 1.0.2zf.

NOTE: The Windows fix is version specific: the package for r12.8.6 and higher is different from the package for r12.8.5 and lower. Linux uses a single package for all releases.


r12.8.6 and higher on Windows: openssl102zf_win64_12806.zip
r12.8.5 and Lower on Windows: openssl102zf_win64_12805.zip
r12.8.6a and lower on Linux: openssl1.0.2zf_linux64bit.zip


###### UPGRADE INSTRUCTIONS ######

---------------------------------------------------
OpenSSL 1.0.2zf on Linux Installation Instructions
---------------------------------------------------

1) Copy "openssl1.0.2zf_linux64bit.zip" to the Access Gateway Server

2) Unzip "openssl1.0.2zf_linux64bit.zip"

unzip openssl1.0.2zf_linux64bit.zip

3) Stop the Access Gateway Server.

4) Navigate to the '<InstallDir>/CA/secure-proxy' directory.

5) Note the permissions on the '<InstallDir>/CA/secure-proxy/SSL/' directory.

6) Backup the '<InstallDir>/CA/secure-proxy/SSL/' directory.

7) Copy '/1.0.2zf_linux64bit/Release/bin/openssl' to the '/<InstallDir>/CA/secure-proxy/SSL/bin/' directory.

cp -r /1.0.2zf_linux64bit/Release/bin/openssl /<InstallDir>/CA/secure-proxy/SSL/bin/openssl

8) Copy the library files from '/1.0.2zf_linux64bit/Release/lib/' to the '/<InstallDir>/CA/secure-proxy/SSL/lib/' directory.

cp -r /1.0.2zf_linux64bit/Release/lib/lib* /<InstallDir>/CA/secure-proxy/SSL/lib/

9) Reset the permissions on the copied files to match those noted in step 5.

10) Re-source the environment variables:

. ./ca_sps_env.sh

11) Re-start the Access Gateway.

./proxy-engine/sps-ctl start
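After step 11, the practical check is that the gateway's own bundled openssl (not the system one) now reports 1.0.2zf or later. The helper below is an added example, not part of the Broadcom article or the product: it parses the "openssl version" line, orders 1.0.2 patch letters correctly (a..z, then za, zb, ...), and classifies the result against the fixed release. It assumes the binary prints the usual "OpenSSL <version>  <date>" form (a "-fips" build tag, which some distributions append, is tolerated) and that ca_sps_env.sh has been sourced as in step 10.

```shell
#!/bin/sh
# Added audit helper (not from the Broadcom article or the product):
# classifies an Access Gateway's bundled openssl against 1.0.2zf, the
# first 1.0.2 release named in the Resolution as fixing CVE-2022-2068.

FIXED_SUFFIX="zf"

# Print the 1.0.2 patch-letter suffix ("" for plain 1.0.2, "za", ...),
# or fail if the line is not an OpenSSL 1.0.2 build.
patch_suffix() {
    set -- $1                     # word-split: $1=OpenSSL $2=1.0.2za
    [ "$1" = "OpenSSL" ] || return 1
    case $2 in
        1.0.2*) v=${2#1.0.2}; printf '%s\n' "${v%%-*}" ;;   # drop "-fips"
        *)      return 1 ;;
    esac
}

# True (0) when suffix $1 is older than suffix $2. OpenSSL 1.0.2 letters
# run a..z then za, zb, ..., so a longer suffix is always newer.
suffix_older_than() {
    if [ "${#1}" -ne "${#2}" ]; then
        [ "${#1}" -lt "${#2}" ]
        return
    fi
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | head -n 1)" = "$1" ]
}

# Exit 0 = fixed (1.0.2zf or later), 1 = affected (1.0.2 .. 1.0.2ze),
# 2 = not an OpenSSL 1.0.2 build at all (or binary could not be run).
classify() {
    s=$(patch_suffix "$1") || { echo "UNKNOWN: '$1'"; return 2; }
    if suffix_older_than "$s" "$FIXED_SUFFIX"; then
        echo "AFFECTED: 1.0.2$s (CVE-2022-2068, fixed in 1.0.2$FIXED_SUFFIX)"
        return 1
    fi
    echo "OK: 1.0.2$s"
}

# Run the gateway's own binary under <InstallDir> (assumed layout from the
# steps above) and classify it. Also flags the obsolete c_rehash script,
# the component CVE-2022-2068 lives in, if it was shipped alongside.
check_gateway() {
    dir=${1:?usage: check_gateway <InstallDir>}/CA/secure-proxy/SSL
    [ -e "$dir/bin/c_rehash" ] && echo "NOTE: c_rehash present in $dir/bin"
    classify "$("$dir/bin/openssl" version 2>/dev/null)"
}
```

Run it as `check_gateway /<InstallDir>` before and after the upgrade; a non-zero exit from the pre-upgrade run confirms the gateway was in the affected range, and the post-upgrade run should print "OK: 1.0.2zf".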


---------------------------------------------------
OpenSSL 1.0.2zf on Windows Installation Instructions
---------------------------------------------------

1) Stop the Access Gateway server

2) Browse to the "<Install_Dir>\CA\secure-proxy\SSL\bin\" directory in Access Gateway.

Default: C:\Program Files\CA\secure-proxy\SSL\bin\

3) Back-up the following files:

<Install_Dir>\CA\secure-proxy\SSL\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\SSL\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\SSL\bin\ssleay32.dll

4) Replace them with the files from the version-specific Windows zip listed under Resolution (openssl102zf_win64_12806.zip for r12.8.6 and higher, openssl102zf_win64_12805.zip for r12.8.5 and lower).

5) Browse to the "<Install_Dir>\CA\secure-proxy\HTTPD\bin\" directory in Access Gateway.

Default: C:\Program Files\CA\secure-proxy\HTTPD\bin\

6) Back-up the following files:

<Install_Dir>\CA\secure-proxy\HTTPD\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\HTTPD\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\HTTPD\bin\ssleay32.dll

7) Replace them with the files from the same version-specific Windows zip used in step 4.

8) Start the Access Gateway server.

Additional Information

In addition, see and apply this fix as well:

https://knowledge.broadcom.com/external/article?articleId=245418

###### REFERENCES ######

https://www.openssl.org/news/vulnerabilities.html

https://nvd.nist.gov/vuln/detail/CVE-2022-2068

https://www.cve.org/CVERecord?id=CVE-2022-2068

Attachments

openssl_1.0.2zf_linux64bit_1656510459754.zip
openssl_1.0.2zf_12806_win64_1656510451266.zip
openssl_1.0.2zf_12805_win64_1656510439705.zip