Vulnerability in CAPKI 5 on Siteminder Sharepoint Agent r12.8.x

Article ID: 409254

Products

CA Single Sign On Agents (SiteMinder)

Issue/Introduction

A security scan may flag the following files on the Siteminder Sharepoint Agent r12.8.x:

LINUX

/<Install_Dir>/CA/Agent-for-SharePoint/agentframework/CAPKI/CAPKI5/Linux/amd64/64/lib/libcaopenssl_ssl.so
/<Install_Dir>/CA/Agent-for-SharePoint/agentframework/CAPKI/CAPKI5/Linux/amd64/64/lib/libcaopenssl_crypto.so

WINDOWS

/<Install_Dir>\CA\Agent-for-SharePoint\agentframework\CAPKI\CAPKI5\Windows\amd64\64\lib\libcaopenssl_ssl.so
/<Install_Dir>\CA\Agent-for-SharePoint\agentframework\CAPKI\CAPKI5\Windows\amd64\64\lib\libcaopenssl_crypto.so

 

CAPKI (previously known as ETPKI) is a C language-based Software Development Kit (SDK) that provides the CA development community with the features required to implement information security services in its products. CAPKI is a wrapper on OpenSSL, a robust, commercial-grade, full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols.

Environment

PRODUCT: Symantec Siteminder

COMPONENT: Sharepoint Agent

VERSION: r12.8.7 & r12.8.8

OPERATING SYSTEM:  Windows and Linux

Cause

CAPKI is a wrapper on OpenSSL. The Siteminder Agent for Sharepoint r12.8.8 is shipped with CAPKI 5.2.12.0. CAPKI 5.2.12.0 is compiled with a version of OpenSSL before 1.0.2zl. OpenSSL 1.0.2zk and older have a number of Common Vulnerabilities and Exposures (CVEs) published against them, which are remediated in OpenSSL 1.0.2zl.

The following CVEs have been published affecting OpenSSL 1.0.2zk and older:

CVE-2024-13176 "Timing side-channel in ECDSA signature computation"

SEVERITY: Low
IMPACTED: OpenSSL 1.0.2 - 1.0.2zk

CVE-2024-9143 "Low-level invalid GF(2^m) parameters lead to OOB memory access"

SEVERITY: Low
IMPACTED: OpenSSL 1.0.2 - 1.0.2zk

CVE-2024-5535 "SSL_select_next_proto buffer overread"

SEVERITY: Low
IMPACTED: OpenSSL 1.0.2 - 1.0.2zj

See OpenSSL 1.0.2 Vulnerabilities for a complete list of CVEs.

Resolution

CAPKI 5.2.16 has been compiled with OpenSSL 1.0.2zl. Upgrade CAPKI to CAPKI 5.2.16 on the r12.8.x Siteminder Sharepoint Agent Server.

LINUX

1) Download "etpki-install_5216_rhel.zip" from this KB.

2) Copy  "etpki-install_5216_rhel.zip" to the Siteminder Sharepoint Agent Server on Linux and decompress it.

3) Stop the Sharepoint Agent Server

4) Change to the following directory:

/<Install_Dir>/CA/Agent-for-SharePoint/agentframework/

5) Back up the '/CAPKI/' directory by renaming it '/CAPKI.BAK'

mv CAPKI CAPKI.BAK

6) Copy the '/etpki-install/' directory from "etpki-install_5216_rhel.zip" to /<Install_Dir>/CA/Agent-for-SharePoint/agentframework/

7) Change to the following directory*:

/<Install_Dir>/CA/SharedComponents/

* This directory may not exist in your system

8) (If Exists) Back up the '/CAPKI/' directory by renaming it '/CAPKI.BAK'

mv CAPKI CAPKI.BAK

9) Modify the $CAPKIHOME variable in the environment variable script:

/<Install_Dir>/CA/Agent-for-SharePoint/ca_sps_env.sh

CAPKIHOME=/<Install_Dir>/CA/SharedComponents/CAPKI
export CAPKIHOME

10) Run the updated Access Gateway Environment variable script.

cd /<Install_Dir>/CA/Agent-for-SharePoint/

. ./ca_sps_env.sh

11) Change to the following directory:

/<Install_Dir>/CA/Agent-for-SharePoint/agentframework/etpki-install/redist/

12) Ensure the user has execute permissions on the installation media (setup)

13) Run the following command:

./setup install caller=spa12

NOTE: This will create a new '/<Install_Dir>/CA/SharedComponents/CAPKI/CAPKI5/' directory

14) Start the Sharepoint Agent Server

15) Validate Sharepoint Agent Server functionality

16) Delete the following files:

/<Install_Dir>/CA/Agent-for-SharePoint/agentframework/CAPKI.BAK

(If Exists) /<Install_Dir>/CA/SharedComponents/CAPKI.BAK
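
The check below is an added example, not part of the original KB or any vendor tooling: it reads the OpenSSL version banner embedded in a CAPKI library and reports whether it is older than 1.0.2zl. It assumes the libcaopenssl_*.so files carry the standard "OpenSSL 1.0.2<letters>" string and that GNU grep is available; the function names are illustrative.

```shell
#!/bin/sh
# Added example: report whether a CAPKI library embeds an OpenSSL 1.0.2 build
# older than 1.0.2zl (the release the KB names as remediated).
# Assumption: the library carries the usual "OpenSSL 1.0.2<letters>" banner.
FIXED_SUFFIX="zl"

# Print the first embedded 1.0.2 version (e.g. "1.0.2zk"), or nothing.
embedded_openssl_version() {
    LC_ALL=C grep -a -o -E 'OpenSSL 1\.0\.2[a-z]*' "$1" 2>/dev/null |
        head -n 1 | cut -d' ' -f2
}

# Return 0 if $1 sorts before 1.0.2zl. Letter suffixes order by length first
# ("" < "a".."z" < "za".."zz"), then alphabetically.
older_than_fixed() {
    s=${1#1.0.2}
    [ "${#s}" -lt "${#FIXED_SUFFIX}" ] && return 0
    [ "${#s}" -gt "${#FIXED_SUFFIX}" ] && return 1
    [ "$s" != "$FIXED_SUFFIX" ] &&
        [ "$(printf '%s\n%s\n' "$s" "$FIXED_SUFFIX" | LC_ALL=C sort | head -n 1)" = "$s" ]
}

# Print a one-line verdict; status 0 = OK, 1 = VULNERABLE, 2 = UNKNOWN.
check_capki_lib() {
    v=$(embedded_openssl_version "$1") || true
    if [ -z "$v" ]; then echo "UNKNOWN no-banner $1"; return 2; fi
    if older_than_fixed "$v"; then echo "VULNERABLE $v $1"; return 1; fi
    echo "OK $v $1"
}

if [ "$#" -gt 0 ]; then
    # Real use: pass libcaopenssl_crypto.so / libcaopenssl_ssl.so paths.
    for lib in "$@"; do check_capki_lib "$lib" || true; done
else
    # No arguments: run against a constructed sample, not a real library.
    sample=$(mktemp)
    printf 'ELF\000OpenSSL 1.0.2zk  (constructed)\000' > "$sample"
    check_capki_lib "$sample" || true
    rm -f "$sample"
fi
```

Run it against the libcaopenssl_ssl.so and libcaopenssl_crypto.so files before stopping the agent and again after the upgrade, before deleting the CAPKI.BAK directories.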

WINDOWS

1) Download "etpki-install_5216_win64bit.zip" from this KB.

2) Copy  "etpki-install_5216_win64bit.zip" to the Sharepoint Agent Server on Windows and decompress it.

3) Stop the Sharepoint Agent Server

4) Change to the following directory:

<Drive>:\<Install_Dir>\CA\Agent-for-SharePoint\agentframework\

5) Back up the '\etpki-install\' directory by renaming it '\etpki-install.BAK\'

ren etpki-install etpki-install.BAK

6) Copy the '/etpki-install/' directory from "etpki-install_5216_win64bit.zip" to '<Drive>:\<Install_Dir>\CA\Agent-for-SharePoint\agentframework\'

7) Change to the following directory*:

<Drive>:\<Install_Dir>\CA\SC\

* This directory may not exist in your system

8) (If Exists) Back up the '\CAPKI\' directory by renaming it '\CAPKI.BAK\'

ren CAPKI CAPKI.BAK

9) Open a command prompt using cmd.exe as an administrator (Run As Administrator)

10) Change to the following directory:

<Drive>:\<Install_Dir>\CA\Agent-for-SharePoint\agentframework\etpki-install\redist\

11) Run the following command:

setup.exe install caller=spa12

NOTE: This will create a new '<Drive>:\<Install_Dir>\CA\SC\CAPKI\CAPKI5\' directory

12) Start the Sharepoint Agent Server

13) Validate Sharepoint Agent Server functionality

14) Delete the following files:

<Drive>:\<Install_Dir>\CA\Agent-for-SharePoint\agentframework\CAPKI.BAK

<Drive>:\<Install_Dir>\CA\SC\CAPKI.BAK

Additional Information

Vulnerability in CAPKI 5 on Siteminder Web Agents

Vulnerability in CAPKI 5 on Siteminder Sharepoint Agent r12.8.x

Vulnerability in CAPKI 5 on Siteminder Policy Server r12.8.8.1 and older

Vulnerability in CAPKI 5 on Siteminder Access Gateway Server r12.8.8.1 and Older

OpenSSL 1.0.2 Vulnerabilities

OpenSSL 1.0.2zl remediates the following CVEs:

CVE-2024-13176
CVE-2024-9143
CVE-2024-5535
CVE-2024-0727
CVE-2023-5678
CVE-2023-3817
CVE-2023-3446
CVE-2023-0465
CVE-2023-0466
CVE-2023-0464
CVE-2023-0286
CVE-2023-0215
CVE-2022-4304
CVE-2022-2068
CVE-2022-1292
CVE-2022-0778
CVE-2021-4160
CVE-2021-3712
CVE-2021-23841
CVE-2021-23840
CVE-2021-23839
CVE-2020-1971
CVE-2020-1968
CVE-2019-1551
CVE-2019-1563
CVE-2019-1547
CVE-2019-1552
CVE-2019-1559

Attachments

etpki-install_5216_rhel.zip
etpki-install_5216_win64bit.zip