HTTP, SSL and general vulnerabilities in CA Access Gateway (SPS), AdminUI and Web Agent
search cancel

HTTP, SSL and general vulnerabilities in CA Access Gateway (SPS), AdminUI and Web Agent

book

Article ID: 392777

calendar_today

Updated On:

Products

SITEMINDER CA Single Sign On Agents (SiteMinder) CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction


Running CA Access Gateway (SPS), Web Agent, and AdminUI, the following vulnerabilities are reported:

Deprecated SSH Cryptographic Settings
HTTP Security Header Not Detected
HTTP TRACE / TRACK Methods Enabled
SHA1 deprecated setting for SSH
TCP Sequence Number Approximation Based Denial of Service
Web Directories Listable Vulnerability
Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability
Web Server Uses Plain-Text Form Based Authentication
EOL/Obsolete Software: Node.js 10.x Detected
Remote Management Service Accepting Unencrypted Credentials Detected(HTTP)
Spring Framework Denial of Service (DoS) Data Binding Vulnerability
Spring Framework Denial of Service (DoS) Vulnerability
Spring Framework Path Traversal Vulnerability
Web Server Uses Plain Text Basic Authentication
World-Writable Directories Should Have Their Sticky Bits Set
Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)
Secure Sockets Layer/Transport Layer Security (SSL/TLS) Server supports Transport Layer Security (TLSv1.0)
Secure Sockets Layer/Transport Layer Security (SSL/TLS) Server Supports Transport Layer Security (TLSv1.1)
SSL Certificate - Expired
SSL Certificate - Signature Verification Failed Vulnerability
SSL Server Allows Anonymous Authentication Vulnerability

Resolution


SSH and TCP problems:

These are OS related only, get in touch with the System Administrator and the OS provider to fix them.

Deprecated SSH Cryptographic Settings
SHA1 deprecated setting for SSH
TCP Sequence Number Approximation Based Denial of Service

HTTP Security Header Not Detected

SiteMinder doesn't have a direct and specific configuration to implement (1)(2).

HTTP TRACE / TRACK Methods Enabled

These can be turned off (3).

Web Directories Listable Vulnerability

Configuration modification will solve it (4).

Web Server Uses Plain-Text Form Based Authentication
Web Server Uses Plain Text Basic Authentication
Remote Management Service Accepting Unencrypted Credentials Detected(HTTP)

Disable the HTTP port (5)(6).

World-Writable Directories Should Have Their Sticky Bits Set

Set the sticky bit to the folders (7).

Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)

This is related to the CVE-2016-2183, for which you can disable the DES ciphers from the CA Access Gateway (SPS) configuration in server.conf, where the values of "ciphers" and "fipsciphers" can be customized.

Also, modify the SSLCipherSuite from the httpd-ssl.conf file under httpd/conf/extra of CA Access Gateway (SPS);

Secure Sockets Layer/Transport Layer Security (SSL/TLS) Server supports Transport Layer Security (TLSv1.0)(TLSv1.1)

Change the protocols (8)(9).

SSL Certificate - Expired", and "SSL Certificate - Signature Verification Failed Vulnerability

Renew the certificates, and ensure these are signed by a known "third-party Certificate Authority" (10)(11).

SSL Server Allows Anonymous Authentication Vulnerability

Disable the "Anonymous Diffie-Hellman (ADH) ciphers" from the CA Access Gateway (SPS) configuration server.conf, where the values of "ciphers" and "fipsciphers" can be customized.

Also, you can modify the SSLCipherSuite from the httpd-ssl.conf file under httpd/conf/extra of CA Access Gateway (SPS);

In AdminUI, this can be done in the file standalone-full.xml, in the property "enabled-cipher-suites".

 

Additional Information

Powered by Wolken Software