Correcting the XML External Entity (XXE) exploit in CA Access Gateway

Article ID: 7489

Updated On:

Products

  • CA Single Sign On Secure Proxy Server (SiteMinder)
  • AXIOMATICS POLICY SERVER
  • CA Single Sign On SOA Security Manager (SiteMinder)
  • CA Single Sign-On

Issue/Introduction

It has been determined that CA Access Gateway 12.52 SP1 b499 is vulnerable to the XML External Entity (XXE) exploit. An attacker exploiting this vulnerability is able to retrieve confidential data and access sensitive files on the server, e.g. the "passwd" file.

SiteMinder's "affwebservices" component contains two SOAP services: router and session. A SOAP request sent to these endpoints with an external entity reference inside the parameter causes an exception when the service tries to parse the contents of the requested system file (/etc/passwd, for example) into a valid date/timestamp. The result is the error "Exception from service object: Unparseable date:" followed by the data from /etc/passwd.

Environment

  • PS 12.52 SP1 CR02 build 766
  • SPS 12.52 SP1 build 499

Resolution

The issue is corrected in CA Access Gateway R12.51 CR10 Build#1612.

The following workarounds are also suggested:

  • Add the ampersand character (&) to BadCSSChars.
  • Add string validation for the accessTimestamp to check for integers and/or proper date formatting.
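The second workaround can be prototyped as a pre-parse screen in front of the SOAP services. The following is an added example, not CA's code: the function names, the envelope layout of the constructed samples, and the single accepted date format are assumptions, and only the accessTimestamp field name comes from this article.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Assumption: accepted forms are an integer epoch value or one ISO-8601 UTC format.
INT_RE = re.compile(r"[0-9]{1,13}")
DATE_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
DTD_RE = re.compile(rb"<!\s*(DOCTYPE|ENTITY)", re.IGNORECASE)

def valid_timestamp(value):
    """Allow only digits or the fixed date format; anything else is refused."""
    value = value.strip()
    if INT_RE.fullmatch(value):
        return True
    try:
        datetime.strptime(value, DATE_FORMAT)
        return True
    except ValueError:
        return False

def screen_request(body):
    """Return (allowed, reason) for a raw SOAP request body given as bytes."""
    # SOAP messages must not carry a DTD, so reject declarations before parsing.
    if DTD_RE.search(body):
        return False, "dtd-declaration"
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False, "malformed-xml"  # also covers undeclared &entity; references
    # Match on the local name so any namespace prefix is handled.
    fields = [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "accessTimestamp"]
    if not fields:
        return False, "missing-accessTimestamp"
    if not all(valid_timestamp(e.text or "") for e in fields):
        return False, "bad-accessTimestamp"
    return True, "ok"

# Constructed sample bodies; the envelope layout is illustrative only.
ENV = (b'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
       b"<soapenv:Body><req><accessTimestamp>%s</accessTimestamp></req></soapenv:Body>"
       b"</soapenv:Envelope>")
SAMPLES = {
    "epoch": ENV % b"1420070400",
    "iso": ENV % b"2015-01-01T00:00:00Z",
    "entity": b'<!DOCTYPE r [<!ENTITY x SYSTEM "file:///etc/passwd">]>' + ENV % b"&x;",
    "undeclared": ENV % b"&x;",
}
```

Rejected requests should be logged with their reason code, since a "dtd-declaration" hit against affwebservices is a strong signal worth alerting on.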