OpenSSL 3.5.0 and older Vulnerabilities on Siteminder Access Gateway r12.9

Article ID: 408064

Products

SITEMINDER CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

Siteminder Access Gateway r12.9 ships with OpenSSL 3.4.0. A number of vulnerabilities have been reported in OpenSSL 3.4.1 and lower.

NOTE: Siteminder Access Gateway r12.8.8.1 and older are bundled with OpenSSL 1.0.2. This KB is not applicable to Access Gateway r12.8.8.1 and older.

For OpenSSL fixes for Siteminder Access Gateway r12.8.8.1 and older use the following KB:

Vulnerabilities in OpenSSL 1.0.2zk and Older on Siteminder Access Gateway r12.8.x

Environment

PRODUCT: Symantec Siteminder

COMPONENT: Access Gateway 

VERSION: r12.9 (ONLY)

Cause

CVE-2024-12797: RFC7250 handshakes with unauthenticated servers don't abort as expected

SEVERITY: High

DESCRIPTION: TLS and DTLS connections using raw public keys may be vulnerable to man-in-the-middle attacks when server authentication failure is not detected by clients.

IMPACTED: 3.4.1 and older

REMEDIATED: 3.5.1

CVE-2024-13176: Timing side-channel in ECDSA signature computation

SEVERITY: Low

DESCRIPTION: A timing side-channel in ECDSA signature computations could allow recovering the private key by an attacker. However, measuring the timing would require either local access to the signing application or a very fast network connection with low latency.

IMPACTED: 3.4.1 and older

REMEDIATED: 3.5.1

Resolution

Verifying the OpenSSL version on Siteminder Access Gateway

NOTES:

1) OpenSSL 3.5.1 is only applicable to Siteminder Access Gateway r12.9.  For Access Gateway r12.8.8.1 and older use the following KB:

Vulnerabilities in OpenSSL 1.0.2zk and Older on Siteminder Access Gateway r12.8.x

2) Upgrade Apache to 2.4.65 on Siteminder Access Gateway r12.9 at the same time this KB is being applied. Use KB 407918:

KB407918: Vulnerability in Apache 2.4.64 and older in Siteminder Access Gateway r12.9

 

###### UPGRADE INSTRUCTIONS ######

LINUX

1) Copy "openssl3.5.1_Linux_12.9.zip" to the Access Gateway Server

2) Unzip "openssl3.5.1_Linux_12.9.zip"

unzip openssl3.5.1_Linux_12.9.zip

3) Stop the Access Gateway Server.

4) Navigate to the '<InstallDir>/CA/secure-proxy/' directory.

5) Note the permissions on the contents of the '<InstallDir>/CA/secure-proxy/SSL/bin' directory.

6) Backup either the entire '<InstallDir>/CA/secure-proxy/SSL/bin' directory, or the following files:

<InstallDir>/CA/secure-proxy/SSL/bin/c_rehash
<InstallDir>/CA/secure-proxy/SSL/bin/openssl

7) Copy the contents of the '/openssl3.5.1_Linux_12.9/openssl3.5.1_patch/bin/' folder to the '<InstallDir>/CA/secure-proxy/SSL/bin/' directory.

CONTENTS:

c_rehash
openssl

EXAMPLE: cp -r /openssl3.5.1_Linux_12.9/openssl3.5.1_patch/bin/* /<InstallDir>/CA/secure-proxy/SSL/bin/

8) Backup either the entire '<InstallDir>/CA/secure-proxy/SSL/lib/' directory, or the following files:

<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.a
<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.so
<InstallDir>/CA/secure-proxy/SSL/lib/libcrypto.so.3
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.a
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.so
<InstallDir>/CA/secure-proxy/SSL/lib/libssl.so.3

 

9) Copy the contents of the '/openssl3.5.1_Linux_12.9/openssl3.5.1_patch/lib64/' folder to the '<InstallDir>/CA/secure-proxy/SSL/lib/' directory.

CONTENTS:

libcrypto.a
libcrypto.so
libcrypto.so.3
libssl.a
libssl.so
libssl.so.3

EXAMPLE: cp -r /openssl3.5.1_Linux_12.9/openssl3.5.1_patch/lib64/* /<InstallDir>/CA/secure-proxy/SSL/lib/

10) Re-set the permissions on the copied files.

11) Re-source the environment variables:

. ./ca_sps_env.sh

12) Re-start the Access Gateway.

./proxy-engine/sps-ctl start
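
ADDED EXAMPLE (not part of the vendor KB or the patch archive): shell helpers for steps 5 and 10 (record and reapply permissions) and a post-upgrade check that both the openssl binary and the library it loads report 3.5.1 or later, which catches a copy in step 7 without step 9. SSL_HOME and the /tmp manifest path are assumed names; GNU stat and sort -V are assumed to be available.

```shell
#!/bin/bash
# Added example, not vendor code. Helpers for steps 5 and 10 plus a version check.

MIN_VERSION="3.5.1"   # remediated version named in this KB

# Step 5: record mode and owner of each regular file (symlinks are skipped,
# because chmod on a symlink would change its target instead).
save_perms() {   # save_perms DIR MANIFEST
    ( cd "$1" && for f in *; do
          if [ -f "$f" ] && [ ! -L "$f" ]; then stat -c '%a %U:%G %n' "$f"; fi
      done ) > "$2"
}

# Step 10: reapply the recorded mode, and the owner if the copy changed it.
restore_perms() {   # restore_perms DIR MANIFEST
    while read -r mode owner name; do
        [ -e "$1/$name" ] || continue
        chmod "$mode" "$1/$name"
        if [ "$(stat -c '%U:%G' "$1/$name")" != "$owner" ]; then
            chown "$owner" "$1/$name"
        fi
    done < "$2"
}

# True if dotted version $1 >= $2 (GNU sort -V orders 3.10.0 after 3.5.1).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# OpenSSL 3.x prints "OpenSSL <bin> <date> (Library: OpenSSL <lib> <date>)".
# Both versions must meet MIN_VERSION; a lower library version means the
# files in SSL/lib were not replaced or an older copy is loaded first.
check_version_output() {   # check_version_output "TEXT"
    bin_v=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p')
    lib_v=$(printf '%s\n' "$1" | sed -n 's/.*(Library: OpenSSL \([0-9][0-9.]*\).*/\1/p')
    [ -n "$bin_v" ] && [ -n "$lib_v" ] || { echo "unparsed"; return 2; }
    version_ge "$bin_v" "$MIN_VERSION" || { echo "binary $bin_v"; return 1; }
    version_ge "$lib_v" "$MIN_VERSION" || { echo "library $lib_v"; return 1; }
    echo "ok $bin_v"
}

# Usage (SSL_HOME is an assumed variable for <InstallDir>/CA/secure-proxy/SSL):
#   save_perms "$SSL_HOME/bin" /tmp/bin.perms       # before step 7
#   restore_perms "$SSL_HOME/bin" /tmp/bin.perms    # step 10
#   check_version_output "$("$SSL_HOME/bin/openssl" version)"   # after step 11
```

Run the version check only after re-sourcing ca_sps_env.sh, so that the binary resolves the libraries copied in step 9 rather than a system copy.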

 

WINDOWS

NOTE: OpenSSL 3.5.1 for Access Gateway on WINDOWS applies to Access Gateway 12.9 and higher

1) Copy "openssl351_win64_129.zip" to the Access Gateway Server

2) Unzip "openssl351_win64_129.zip"

3) Stop the Access Gateway server

4) Browse to the "<Install_Dir>\CA\secure-proxy\SSL\bin\" directory in Access Gateway

Default: <Install_Dir> = C:\Program Files\

5) Back-up either the '<Install_Dir>\CA\secure-proxy\SSL\bin\' directory, or the following files:

<Install_Dir>\CA\secure-proxy\SSL\bin\openssl.exe
<Install_Dir>\CA\secure-proxy\SSL\bin\libeay32.dll
<Install_Dir>\CA\secure-proxy\SSL\bin\ssleay32.dll

6) Copy the contents of '\openssl351_win64_129\' folder to the '<Install_Dir>\CA\secure-proxy\SSL\bin\' directory.

CONTENTS:

c_rehash.pl
libcrypto-3-x64.dll
libcrypto-3-x64.pdb
libssl-3-x64.dll
libssl-3-x64.pdb
openssl.exe
openssl.pdb

7) Back-up either the '<Install_Dir>\CA\secure-proxy\httpd\bin\' directory, or the following files:

c_rehash.pl
libcrypto-3-x64.dll
libcrypto-3-x64.pdb
libssl-3-x64.dll
libssl-3-x64.pdb
openssl.exe
openssl.pdb

8) Copy the contents of '\openssl351_win64_129\' folder to the '<Install_Dir>\CA\secure-proxy\httpd\bin\' directory.

CONTENTS:

c_rehash.pl
libcrypto-3-x64.dll
libcrypto-3-x64.pdb
libssl-3-x64.dll
libssl-3-x64.pdb
openssl.exe
openssl.pdb

9) Start the Access Gateway server

Additional Information

Attachments

openssl351_win64_129.zip
openssl3.5.1_Linux_12.9.zip