Vulnerability in CAPKI 5 on Siteminder Policy Server r12.8.8.1 and older
Article ID: 409211
Updated On:
Products
Issue/Introduction
A security scan may return a flag for the following files on the Siteminder Policy Server
LINUX:
/<Install_Dir>/CA/siteminder/CAPKI/CAPKI5/Linux/amd64/64/lib/libcaopenssl_ssl.so
/<Install_Dir>/CA/siteminder/CAPKI/CAPKI5/Linux/amd64/64/lib/libcaopenssl_crypto.so
WINDOWS:
<Install_Dir>\CA\siteminder\etpki-install\CAPKI5\Windows\amd64\64\lib\libcaopenssl_ssl.so
<Install_Dir>\CA\siteminder\etpki-install\CAPKI5\Windows\amd64\64\lib\libcaopenssl_crypto.so
CAPKI (Previously known as ETPKI) is a C language-based Software Development Kit (SDK) that provides CA Development Community with features required to implement Information Security services in its products. CAPKI is a wrapper on OpenSSL which is robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.
NOTE: Siteminder r12.9 Policy Server uses CAPKI 6.
.
Environment
PRODUCT: Symantec Siteminder
COMPONENT: Policy Server
VERSION: r12.8.8.1 and Older
OPERATING SYSTEM: Windows and Linux
Cause
CAPKI is a wrapper on OpenSSL. The Siteminder Policy Server r12.8.8.1 is shipped with CAPKI 5.2.14.0. CAPKI 5.2.14.0 is compiled with version of OpenSSL BEFORE 1.0.2ZL. OpenSSL 1.0.2ZK and older have a number of Common Vulnerabilities and Exposures (CVE's) published for them which are remediated in OpenSSL 1.0.2ZL
The following CVE's have been published impacting OpenSSL 1.0.2ZK and older
CVE-2024-13176 "Timing side-channel in ECDSA signature computation"
SEVERITY: Low
IMPACTED: OpenSSL 1.0.2 - 1.0.2zk
CVE-2024-9143 "Low-level invalid GF(2^m) parameters lead to OOB memory access"
SEVERITY: Low
IMPACTED: OpenSSL 1.0.2 - 1.0.2zk
CVE-2024-5535 "SSL_select_next_proto buffer overread"
SEVERITY: Low
IMPACTED: OpenSSL 1.0.2 - 1.0.2zj
See OpenSSL 1.0.2 Vulnerabilities for a complete list of CVE's
Resolution
CAPKI 5.2.16 has been compiled with OpenSSL 1.0.2ZL. Upgrade CAPKI to CAPKI 5.2.16 on the r12.8.8.1 and older Siteminder Policy Server
LINUX
1) Download "etpki-install_5216_rhel.zip" from this KB.
2) Copy "etpki-install_5216_rhel.zip" to the Siteminder Policy Server on Linux and decompress it.
3) Stop the Policy Server
4) Change to the following directory:
/<Install_Dir>/CA/siteminder/
5) Backup the '/CAPKI/' directory by renaming it '/CAPKI.BAK'
mv CAPKI CAPKI.BAK
6) Copy the '/etpki-install/' directory from "etpki-install_5216_rhel.zip" to /<Install_Dir>/CA/siteminder/
7) Change to the following directory*:
/<Install_Dir>/CA/SharedComponents/
* This directory may not exist in your system
8) (If Exists) Backup the '/CAPKI/' directory by renaming it '/CAPKI.BAK'
mv CAPKI CAPKI.BAK
9) Modify the $CAPKIHOME variable in the environment variable script:
/<Install_Dir>/CA/siteminder/ca_ps_env.ksh
CAPKIHOME=/<Install_Dir>/CA/SharedComponents/CAPKI
export CAPKIHOME
10) Run the updated Access Gateway Environment variable script.
cd /<Install_Dir>/CA/siteminder/
. ./ca_ps_env.ksh
11) Change to the following directory:
/<Install_Dir>/CA/siteminder/etpki-install/redist/
12) Ensure the user has execute permissions on the installation media (setup)
13) Run the following command:
./setup install caller=ps12
NOTE: This will create a new '/<Install_Dir>/CA/SharedComponents/CAPKI/CAPKI5/' directory
14) Start the Policy Server
15) Validate Policy Server functionality
16) Delete the following files:
/<Install_Dir>/CA/siteminder/CAPKI.BAK
(If Exists) /<Install_Dir>/CA/SharedComponents/CAPKI.BAK
WINDOWS
1) Download "etpki-install_5216_win64bit.zip" from this KB.
2) Copy "etpki-install_5216_win64bit.zip" to the Policy Server on Windows and decompress it.
3) Stop the Policy Server
4) Change to the following directory:
<Drive>:\<Install_Dir>\CA\siteminder\
5) Backup the '\CAPKI\' directory by renaming it '\CAPKI.BAK\'
ren CAPKI CAPKI.BAK
6) Copy the '/etpki-install/' directory from "etpki-install_5216_win64bit.zip" to <Drive>:\<Install_Dir>\siteminder\
7) Change to the following directory*:
<Drive>:\<Install_Dir>\CA\SC\
* This directory may not exist in your system
8) (If Exists) Backup the '\CAPKI\' directory by renaming it '\CAPKI.BAK\'
ren CAPKI CAPKI.BAK
9) Open a command prompt using cmd.exe as an administrator (Run As Administrator)
10) Change to the following directory:
<Drive>:\<Install_Dir>\CA\siteminder\etpki-install\redist\
11) Run the following command:
setup.exe install caller=ps12
NOTE: This will create a new '<Drive>:\<Install_Dir>\CA\SC\CAPKI\CAPKI5\' directory
12) Start the Policy Server
13) Validate Policy Server functionality
14) Delete the following files:
<Drive>:\<Install_Dir>\CA\siteminder\CAPKI.BAK
<Drive>:\<Install_Dir>\CA\SC\CAPKI.BAK
Additional Information
Vulnerability in CAPKI 5 on Siteminder Web Agents
Vulnerability in CAPKI 5 on Siteminder Sharepoint Agent r12.8.x
Vulnerability in CAPKI 5 on Siteminder Policy Server r12.8.8.1 and older
Vulnerability in CAPKI 5 on Siteminder Access Gateway Server r12.8.8.1 and Older
OpenSSL 1.0.2zl remediates the following CVE's:
CVE-2024-13176
CVE-2024-9143
CVE-2024-5535
CVE-2024-0727
CVE-2023-5678
CVE-2023-3817
CVE-2023-3446
CVE-2023-3817
CVE-2023-3446
CVE-2023-3817
CVE-2023-3446
CVE-2023-0465
CVE-2023-0466
CVE-2023-0464
CVE-2023-0286
CVE-2023-0215
CVE-2022-4304
CVE-2022-2068
CVE-2022-1292
CVE-2022-0778
CVE-2021-4160
CVE-2021-3712
CVE-2021-23841
CVE-2021-23840
CVE-2021-23839
CVE-2020-1971
CVE-2020-1968
CVE-2019-1551
CVE-2019-1563
CVE-2019-1547
CVE-2019-1552
CVE-2019-1559
Attachments
Feedback
