7020258: Nessus reports “SSL 64-bit Block Size Cipher Suites Supported” potential Vulnerability against TCP 1443

This document (7020258) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ Access Manager 4.3

NetIQ Access Manager 4.2

NetIQ Access Manager Admin Console

Situation

A Nessus scan was run against NAM 4.3.1 and reported the following vulnerability, relating to weaker ciphers (DES) offered on some internal communication ports such as TCP 1443. Since these protocols and ciphers do not appear to be configurable through any configuration file, should I be worried?

Synopsis

The remote service supports the use of 64-bit block ciphers.

Description

The remote host supports the use of a block cipher with 64-bit blocks in one or more cipher suites. It is, therefore, affected by a vulnerability, known as SWEET32, due to the use of weak 64-bit block ciphers. A man-in-the-middle attacker who has sufficient resources can exploit this vulnerability, via a ‘birthday’ attack, to detect a collision that leaks the XOR between the fixed secret and a known plaintext, allowing the disclosure of the secret text, such as secure HTTPS cookies, and possibly resulting in the hijacking of an authenticated session.

Proof-of-concepts have shown that attackers can recover authentication cookies from an HTTPS session in as little as 30 hours.

Note that the ability to send a large number of requests over the same TLS connection between the client and server is an important requirement for carrying out this attack. If the number of requests allowed for a single connection were limited, this would mitigate the vulnerability. However, Nessus has not checked for such a mitigation.

See Also

https://sweet32.info
https://www.openssl.org/blog/blog/2016/08/24/sweet32/

Solution

Reconfigure the affected application, if possible, to avoid use of all 64-bit block ciphers. Alternatively, place limitations on the number of requests that are allowed to be processed over the same TLS connection to mitigate this vulnerability.
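As an added check (not code from the NetIQ article or from Access Manager), the following Python classifies cipher-suite names the way the SWEET32 finding does and, optionally, offers only 64-bit block suites to a host so an administrator can confirm whether an endpoint such as TCP 1443 still accepts them; the host, the port default and the sample suite list are assumptions.

```python
"""Classify cipher suites by block size and probe a TLS endpoint for SWEET32 exposure.

Added example, not part of the NetIQ article. The probe assumes the OpenSSL build
behind Python's ssl module still contains the legacy cipher implementations; on
builds that dropped them it reports that no legacy suites could be offered.
"""
import socket
import ssl

# Tokens that identify a 64-bit block cipher inside an OpenSSL or IANA suite name.
# OpenSSL spells 3DES as "DES-CBC3"; IANA names carry "3DES".
LEGACY_64BIT_TOKENS = {"DES", "3DES", "CBC3", "IDEA", "RC2"}

# Constructed sample mimicking a scanner's "supported cipher suites" output.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DES-CBC3-SHA",
    "ECDHE-RSA-DES-CBC3-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_AES_256_GCM_SHA384",
]


def uses_64bit_block(suite_name: str) -> bool:
    """True if the suite name names a block cipher with a 64-bit block (DES, 3DES, IDEA, RC2)."""
    tokens = suite_name.upper().replace("_", "-").split("-")
    return bool(LEGACY_64BIT_TOKENS.intersection(tokens))


def flag_suites(offered: list) -> list:
    """Return the subset of `offered` that a SWEET32 finding would point at."""
    return [s for s in offered if uses_64bit_block(s)]


def probe_64bit_block_suites(host: str, port: int = 1443, timeout: float = 5.0) -> dict:
    """Offer only 64-bit block suites; a successful handshake means the server still accepts them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we are testing the cipher policy, not the certificate chain
    try:
        # @SECLEVEL=0 is required on OpenSSL 1.1+ before these suites can be offered at all.
        ctx.set_ciphers("DES:3DES:IDEA:RC2:@SECLEVEL=0")
    except ssl.SSLError:
        return {"host": host, "port": port, "accepts_64bit_block": None,
                "detail": "local TLS library cannot offer any 64-bit block suite"}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                name, _version, _bits = tls.cipher()
                return {"host": host, "port": port, "accepts_64bit_block": True, "detail": name}
    except ssl.SSLError as exc:
        # Handshake refused: the server shares no 64-bit block suite with us.
        return {"host": host, "port": port, "accepts_64bit_block": False, "detail": str(exc)}
    except OSError as exc:
        return {"host": host, "port": port, "accepts_64bit_block": None, "detail": str(exc)}


if __name__ == "__main__":
    print("suites a SWEET32 finding would flag:", flag_suites(SAMPLE_SUITES))
```

A result of `accepts_64bit_block: False` after the fix (or after the cipher configuration change) is the evidence a rescan should confirm.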

Resolution

Fixed in NAM 4.4.

The SSL session on TCP port 1443 is established when the Admin Console (AC) pushes an update to the IDP/AG, or when health check information is sent back to the AC. Without access to this communication path, the traffic cannot be intercepted. To lock this down further, use iptables on the IDP/AG to allow communication on TCP 1443 only from the AC.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.

Related:

7020724: Kerberos fallback login page sent as payload of the HTTP 401 message by the NIDP server does not get localized for JP and other Asian languages

This document (7020724) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ Access Manager 4.3

NetIQ Access Manager 4.2

Situation

Kerberos authentication is enabled on the NAM IDP server. To allow non-Kerberos users to authenticate using the same contract, the fallback configuration is set up. When this is applied and users access the Kerberos contract on the IDP server without any tokens, the HTTP 401 response returned by the IDP includes the fallback login page as its payload, as expected.

When users falling back from Kerberos use languages such as Japanese or Chinese, the page is rendered incorrectly, with the labels replaced by question marks ("?"), as shown in the label markup below:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
<table border=0>
<tr>
<td align=left>
<label>????:</label>
</td>
<td align=left>
<label>????:<br></label>
<input type="text" name="Ecom_User_ID" value="" >
</td>
</tr>
<tr>
<td align=left>
<label>?????:</label>
</td>
<td align=left>
<label>?????:<br></label>
<input type="password" name="Ecom_Password" >
</td>
</tr>
<tr>
<td align=right colspan=2>
<input alt="????" border="0" name="loginButton2" src="/nidp/images/ja/btnlogin_ja.gif" type="image" value="Login" onClick="return imageSubmit()">
</td>
</tr>
</table>
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Resolution

Apply NAM 4.3 SP2.

Additional Information

Question marks not displayed after applying patch:

<tbody>
<tr>
<td align="left"> <label>ユーザ名:</label> </td>
<td align="left"> <label>ユーザ名:<br></label> <input name="Ecom_User_ID" value="" type="text"> </td>
</tr>
<tr>
<td align="left"> <label>パスワード:</label> </td>
<td align="left"> <label>パスワード:<br></label> <input name="Ecom_Password" type="password"></td>
</tr>
<tr>
<td colspan="2" align="right"> <input alt="ログイン" name="loginButton2" src="/nidp/images/ja/btnlogin_ja.gif" value="Login" onclick="return imageSubmit()" type="image" border="0"></td>
</tr>
</tbody>


Related:

7020720: HTTP requests with a URL larger than 1531 characters return 403 Forbidden on the Access Gateway Service on Windows

Log file snippet:

GET /custom/service/evam_v0_1/rest.php?method=get_logements_by_requerants&input_type=JSON&response_type=JSON&rest_data=%221891,12370,2633,3655,13554,12369,17713,18466,18469,13745,14162,20522,14283,3702,15750,15751,14938,16090,16091,14734,15525,15526,15527,15671,15528,31939,14020,25432,60180,26495,30305,28142,32022,66320,42280,42281,38574,38575,39472,42411,42420,42421,42422,23007,23008,43762,23682,23684,23685,43347,43398,43424,56402,39471,35699,40973,37702,57181,39996,40056,35534,38899,38901,41673,48891,48348,63176,46044,46045,49555,56304,52697,52967,51076,51077,53470,55426,55427,46337,44135,44136,52559,51468,51470,58009,58010,54489,54490,58301,58890,58893,55521,55522,55523,46338,64115,64443,57503,44912,58252,54216,58368,44724,62590,45907,64480,64481,64482,64483,64873,49952,47873,50157,45385,76192,71249,71250,78216,79590,76909,80551,82974,83044,67724,67725,67726,66844,67502,67904,79820,79879,67399,65408,65409,71077,71803,72084,72670,80229,80231,69481,69482,72984,72985,80656,80657,72986,72989,67414,81167,59582,59583,59584,57535,57536,69098,69099,69100,67665,74565,74692,81501,81502,81573,80270,81740,67854,67855,67856,67857,67860,66982,66983,76706,76707,81966,65293,71873,71874,77217,74051,82127,82293,66443,66444,78173,82349,68878,71207,65233,78383,67278,71156,71161,67708,67709,67893,67894,75903,78942,81925,82621,82680,79042,79126,65986,86074,97398,85383,98158,98396,98397,99807,90158,84269,85884,95605,97564,89179,89180,92746,89785,96009,87865,86544,86550,96340,97665,86814,86816,1111%22

[Wed Feb 22 11:46:48 2017] [error] ID:2:1919:creq Host: dev2-asylog.netiq.dev

[Wed Feb 22 11:46:48 2017] [error] ID:2:1919:creq User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64;rv:51.0) Gecko/20100101 Firefox/51.0

[Wed Feb 22 11:46:48 2017] [error] ID:2:1919:creq Accept: */*

[Wed Feb 22 11:46:48 2017] [error] ID:2:1919:creq Accept-Language: null

[Wed Feb 22 11:46:48 2017] [error] ID:2:1919:creq Accept-Encoding: gzip, deflate, br

[Wed Feb 22 11:46:48 2017] [error] ID:2:1919:creq Cookie: ZNPCQ003-35343000=accee47a;PHPSESSID=grjjg5eal471secsj1b9vakev3; ZNPCQ003-33383000=b696a7c0

[Wed Feb 22 11:46:48 2017] [error] ID:2:1919:creq Connection: keep-alive

[Wed Feb 22 11:46:48 2017] [debug] mod_auth_liberty.c(715): AMEVENTID#2: Host Header is dev2-asylog.netiq.dev

###[Wed Feb 22 11:46:48 2017] [info] AM#504600000 AMDEVICEID#ag-6196023149112478: AMAUTHID#: AMEVENTID#2: Requ: GET https://dev2-asylog.netiq.dev/custom/service/evam_v0_1/rest.php?method=get_logements_by_requerants&input_type=JSON&response_type=JSON&rest_data=%221891,12370,2633,3655,13554,12369,17713,18466,18469,13745,14162,20522,14283,3702,15750,15751,14938,16090,16091,14734,15525,15526,15527,15671,15528,31939,14020,25432,60180,26495,30305,28142,32022,66320,42280,42281,38574,38575,39472,42411,42420,42421,42422,23007,23008,43762,23682,23684,23685,43347,43398,43424,56402,39471,35699,40973,37702,57181,39996,40056,35534,38899,38901,41673,48891,48348,63176,46044,46045,49555,56304,52697,52967,51076,51077,53470,55426,55427,46337,44135,44136,52559,51468,51470,58009,58010,54489,54490,58301,58890,58893,55521,55522,55523,46338,64115,64443,57503,44912,58252,54216,58368,44724,62590,45907,64480,64481,64482,64483,64873,49952,47873,50157,45385,76192,71249,71250,78216,79590,76909,80551,82974,83044,67724,67725,67726,66844,67502,67904,79820,79879,67399,65408,65409,71077,71803,72084,72670,80229,80231,69481,69482,72984,72985,80656,80657,72986,72989,67414,81167,59582,59583,59584,57535,57536,69098,69099,69100,67665,74565,74692,81501,81502,81573,80270,81740,67854,67855,67856,67857,67860,66982,66983,76706,76707,81966,65293,71873,71874,77217,74051,82127,82293,66443,66444,78173,82349,68878,71207,65233,78383,67278,71156,71161,67708,67709,67893,67894,75903,78942,81925,82621,82680,79042,79126,65986,86074,97398,85383,98158,98396,98397,99807,90158,84269,85884,95605,97564,89179,89180,92746,89785,96009,87865,86544,86550,96340,97665,86814,86816,1111%22 service:d-dev2-asylog (10.175.134.128:56199->10.176.99.29:443)

[Wed Feb 22 11:46:48 2017] [debug] mod_auth_liberty.c(715): AMEVENTID#3: Host Header is dev2-asylog.netiq.dev

[Wed Feb 22 11:46:48 2017] [info] AM#504600404 AMDEVICEID#ag-6196023149112478: AMAUTHID#: AMEVENTID#2: subreq dev2-asylog.netiq.dev:/NAGErrors/HTTP_FORBIDDEN.html.var

[Wed Feb 22 11:46:48 2017] [debug] mod_cache.c(175): Adding CACHE_SAVE filter for /NAGErrors/HTTP_FORBIDDEN.html.var

[Wed Feb 22 11:46:48 2017] [debug] mod_cache.c(182): Adding CACHE_REMOVE_URL filter for /NAGErrors/HTTP_FORBIDDEN.html.var

[Wed Feb 22 11:46:48 2017] [info] AMEVENTID#3: Cache miss

[Wed Feb 22 11:46:48 2017] [debug] mod_cache.c(701): cache: /NAGErrors/HTTP_FORBIDDEN.html.var not cached. Reason: C014:Response status 403

Related:

7020873: Admin Console install fails with FileNotFoundException after uninstall with NAM 4.3

This document (7020873) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ Access Manager 4.3

NetIQ Access Manager Administration Console Server

Situation

A test Admin Console 4.3.1 server is running on SLES 12 SP2. To test a backup and restore disaster recovery scenario, an admin uninstalls the Admin Console component (uninstall option 1) before re-installing and restoring the backup. However, during the re-install of NAM 4.3.1, the following error is thrown before the install is aborted:

Installing the Novell iManager: failed

Error while installing iManager. Check the /tmp/novell_access_manager/install_iman_2017-06-08_17:37:53.log log file for more information.

Terminating Installation.

The install_iman file referenced shows:

java.io.FileNotFoundException: /var/opt/novell/tomcat7/webapps/nps/WEB-INF/config.xml (No such file or directory)

at java.io.FileInputStream.open0(Native Method)

at java.io.FileInputStream.open(FileInputStream.java:195)

at java.io.FileInputStream.<init>(FileInputStream.java:138)

at java.io.FileReader.<init>(FileReader.java:72)

at com.novell.application.iManager.install.LinuxInstallUtils.changeDefaultLoginProtocol(LinuxInstallUtils.java:520)

at com.novell.application.iManager.install.LinuxConfigureImanager.install(LinuxConfigureImanager.java:66)

at com.zerog.ia.installer.actions.CustomAction.installSelf(DashoA10*..)

at com.zerog.ia.installer.AAMgrBase.a(DashoA10*..)

at com.zerog.ia.installer.ConsoleBasedAAMgr.a(DashoA10*..)

at com.zerog.ia.installer.AAMgrBase.e(DashoA10*..)

at com.zerog.ia.installer.AAMgrBase.m(DashoA10*..)

at com.zerog.ia.installer.ConsoleBasedAAMgr.a(DashoA10*..)

at com.zerog.ia.installer.AAMgrBase.e(DashoA10*..)

at com.zerog.ia.installer.AAMgrBase.m(DashoA10*..)

at com.zerog.ia.installer.ConsoleBasedAAMgr.a(DashoA10*..)

at com.zerog.ia.installer.ConsoleBasedAAMgr.b(DashoA10*..)

at com.zerog.ia.installer.LifeCycleManager.a(DashoA10*..)

at com.zerog.ia.installer.LifeCycleManager.a(DashoA10*..)

at com.zerog.ia.installer.Main.main(DashoA10*..)

at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.lang.reflect.Method.invoke(Method.java:498)

at com.zerog.lax.LAX.launch(DashoA10*..)

at com.zerog.lax.LAX.main(DashoA10*..)

LinuxRemoveRegistry: Removing the InstallAnywhere registry file.

Resolution

Uninstall the Admin Console with option 6 (forcefully remove all components).

Cause

The uninstall with option 1 does not remove a number of components, which causes the re-install to break. Uninstall option 6 removes everything. The components that were not removed (listed below) can also be removed manually prior to re-installing:

novell-devman-doc-4.3.2.0-15
novell-devman-jars-4.3.2.0-15
novell-base-0.1.1-4
novell-jdk-1.8.0_131-1
novell-NOVLsubag-8.8.8.10-0
novell-edirectory-xdaslog-8.8.8.10-0
google-perftools-1.8.1-7.2
netiq-patchtool-4.3.2.0-15

NAM 4.4 will fix this issue.


Related:

7020721: Access Gateway goes to update state without any change and update fails due to xml error

An administrator browses the Access Gateway (AG) configuration in iManager and then goes back to check the server status without making any changes, only to discover that the AG requests a configuration update. Clicking the update link causes the update to fail.

To identify which steps triggered this, the same steps as before were repeated and the issue was reproduced. The steps to reproduce the issue are as follows:

1. Go to the path-based proxy service.

2. Click the advanced option (do not make any change).

3. Click Cancel.

4. Click OK to return to the AG cluster.

5. The AG is shown in the update state (not the expected behavior).

6. Trying to update the server gives an XML validation error.

The same happens when the above steps are done for a domain-based proxy service, the only difference being that the update then succeeds.

Comparing the working and current configurations with an LDAP browser,

Current -> ou=CurrentConfig,ou=ag-C36DD99DD9BDB7BD,ou=AppliancesContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell

Working -> ou=WorkingConfig,ou=ag-C36DD99DD9BDB7BD,ou=AppliancesContainer,ou=Partition,ou=PartitionsContainer,ou=VCDN_Root,ou=accessManagerContainer,o=novell

where C36DD99DD9BDB7BD is the device ID of the AG and differs on each system, shows that the configuration is updated in two places (without any change having been made). If those changes are removed from the working config and the update is tried again, the update succeeds.

Related:

7020723: 404 Error in iManager trying to Edit “Data Entry Field” in Policies because of invalid URI characters

A NAM administrator tries to change an existing Authorization policy within iManager and sees 404 errors reported in iManager. With some additional tests, the same 404 error was thrown not only with an Edit operation but also with the Copy Condition, Copy Group and Copy Action operations, e.g. open an existing Authorization Policy that restricts access on an IP address, select the URL/IP Condition, change the Value to Data Entry Field, and click the "Edit" pencil button: editing is not allowed and the 404 error appears.

Looking at the Admin console app_sc logs shows IllegalArgumentException:

java.lang.IllegalArgumentException: Illegal character in query at index 359: /roma/jsp/admin/policy/conditionedit.jsp?typecontainerid=9mtivrrqe2zam4&typepolicyid=AccessGateway&containerid=mastercdn&policycollectionid=xpemlPEP&policyid=PolicyID_xpemlPEP_AGAuthorization_1486358195975&policyname=test&rulenumber=1&set=1&condition=1&ruleid=RuleID_1486358195975&width=1600&datatype=url-path&operator=nxpeOperator_url-path-equals&display=URL Path: URL Path : Equals&oneruleonly=false

This breaks the URL RFC (http://www.faqs.org/rfcs/rfc1738.html). When Edit is clicked, a request is generated for the above URL; counting to character 359 shows that it is the space between 'URL' and 'Path', which is not a valid URI character. These characters should be URL-encoded to avoid such an exception.
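To verify the index in the exception and show what the encoded request should look like, here is an added Python example (not code from the NetIQ article or from the Access Manager product). It reuses the request path quoted in the log line above, checks the query against the RFC 3986 query character set, and re-encodes the query values; the index is zero-based, as in the Java message.

```python
"""Locate the character that made java.net.URI throw, and produce a correctly encoded query.

Added example, not part of the NetIQ article. The request is the one from the
app_sc log line; the percent sign is accepted without validating its hex digits.
"""
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit

# RFC 3986: query = *( pchar / "/" / "?" ), pchar = unreserved / pct-encoded / sub-delims / ":" / "@"
_UNRESERVED = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
_SUB_DELIMS = "!$&'()*+,;="
QUERY_ALLOWED = set(_UNRESERVED + _SUB_DELIMS + ":@/?%")

LOGGED_REQUEST = (
    "/roma/jsp/admin/policy/conditionedit.jsp?typecontainerid=9mtivrrqe2zam4"
    "&typepolicyid=AccessGateway&containerid=mastercdn&policycollectionid=xpemlPEP"
    "&policyid=PolicyID_xpemlPEP_AGAuthorization_1486358195975&policyname=test"
    "&rulenumber=1&set=1&condition=1&ruleid=RuleID_1486358195975&width=1600"
    "&datatype=url-path&operator=nxpeOperator_url-path-equals"
    "&display=URL Path: URL Path : Equals&oneruleonly=false"
)


def first_illegal_query_char(url: str):
    """Return (index, char) of the first query character RFC 3986 does not allow, or None."""
    qmark = url.find("?")
    if qmark < 0:
        return None
    for i in range(qmark + 1, len(url)):
        if url[i] not in QUERY_ALLOWED:
            return i, url[i]
    return None


def encode_query(url: str) -> str:
    """Re-encode every query value so the URL is valid for java.net.URI and for browsers."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    # quote_via=quote turns a space into %20 (urlencode's default would use '+').
    fixed_query = urlencode(pairs, quote_via=quote)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, fixed_query, parts.fragment))


if __name__ == "__main__":
    print("first illegal query character:", first_illegal_query_char(LOGGED_REQUEST))
    print("encoded request:", encode_query(LOGGED_REQUEST))
```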

Related:

7020722: “Error on DNS mismatch” Access Gateway setting fails to work as expected in NAM 4.3 when disabled

An Access Gateway (AG) administrator wants multiple DNS names to resolve to the IP address of a proxy service. To avoid errors being sent back to users, the Web Server configuration under the AG proxy service has an option 'Error on DNS mismatch', which is enabled by default. Whenever an HTTP request arrives at this proxy service whose HTTP Host header does not match the published DNS name of the proxy service, an error is returned by default.

To avoid this in the above use case, the 'Error on DNS mismatch' flag was disabled, so that requests with different HTTP Host headers resolving to this proxy service are handled without error. Making these changes, however, still always triggers the 403 error in the browser, e.g.:

– create a reverse proxy (RP) with a valid name, e.g. www.novell.com

– under the Web Server configuration, disable the 'Error on DNS mismatch' flag

– under the Web Server configuration, select to forward the web server host name

– modify /etc/hosts so that www2.novell.com resolves to the IP address of the above RP

– access the www2.novell.com host name and confirm that the 403 mismatch error is shown

Related:

7018494: Linux Replication Fails – could not add partition … to monitoring list: Could not load driver:…

This document (7018494) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ PlateSpin Forge 3.x, 4.x, 11.x

NetIQ PlateSpin Migrate 9.x, 11.x, 12.x

NetIQ PlateSpin Protect 10.x, 11.x,

Situation

An online Linux replication fails with the error: ERROR: "could not add partition … to monitoring list: Could not load driver: …".

Resolution

Ensure the correct prerequisites are installed on the Linux source workload and rebuild the blkwatch.ko file on the Linux source workload according to https://www.netiq.com/support/kb/doc.php?id=D7005873.

Cause

The blkwatch.ko is compiled against a different kernel version than what is running on the source workload.

Additional Information

On the source, go to the path specified in the error message for blkwatch.ko.

Run modinfo blkwatch.ko. The vermagic should match the kernel version of the source and should show the compiler name and version.
Trying to load the driver manually with insmod blkwatch.ko or modprobe blkwatch.ko should produce an error.
dmesg should show a corresponding error, ERROR: "disagrees about version of symbol module_layout", which indicates that blkwatch.ko could not be loaded.
Consult the Linux source system administrator before trying to load blkwatch.ko manually.
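The checks above can be scripted so the kernel mismatch is reported without loading the module; the following Python is an added example (not from the PlateSpin article or product) that parses modinfo output for the vermagic, compares it with `uname -r`, and looks for the module_layout error in dmesg. The modinfo and dmesg samples are constructed, and `check_module` assumes modinfo and uname are on PATH.

```python
"""Report whether blkwatch.ko was built for the running kernel, as the checklist does by hand.

Added example, not part of the PlateSpin article. The sample texts below are
constructed to show a module built against a different kernel release.
"""
import re
import subprocess

# Constructed modinfo output: the module was built for 3.0.101-63-default.
SAMPLE_MODINFO = """\
filename:       /usr/lib/psmon/blkwatch.ko
license:        GPL
depends:
vermagic:       3.0.101-63-default SMP mod_unload modversions
"""

# Constructed dmesg line produced when the kernel refuses the module.
SAMPLE_DMESG = "[  812.441201] blkwatch: disagrees about version of symbol module_layout\n"

MODULE_LAYOUT_MISMATCH = "disagrees about version of symbol module_layout"


def parse_vermagic(modinfo_text: str) -> dict:
    """Split the vermagic line into the kernel release and the build flags that follow it."""
    m = re.search(r"^vermagic:\s*(\S+)\s*(.*)$", modinfo_text, re.MULTILINE)
    if not m:
        raise ValueError("no vermagic line in modinfo output")
    return {"release": m.group(1), "flags": m.group(2).split()}


def vermagic_matches(modinfo_text: str, running_release: str) -> bool:
    """True only when the module's kernel release equals the running one (the uname -r value)."""
    return parse_vermagic(modinfo_text)["release"] == running_release


def dmesg_reports_mismatch(dmesg_text: str, module: str = "blkwatch") -> bool:
    """True if dmesg carries the module_layout error for the given module."""
    return any(module in line and MODULE_LAYOUT_MISMATCH in line
               for line in dmesg_text.splitlines())


def check_module(module_path: str) -> dict:
    """Run modinfo and uname -r on this host and say whether the driver can be expected to load."""
    modinfo = subprocess.run(["modinfo", module_path], capture_output=True, text=True, check=True).stdout
    running = subprocess.run(["uname", "-r"], capture_output=True, text=True, check=True).stdout.strip()
    info = parse_vermagic(modinfo)
    match = info["release"] == running
    return {"module_release": info["release"], "running_release": running, "match": match,
            "advice": "ok" if match else "rebuild blkwatch.ko against the running kernel (see D7005873)"}


if __name__ == "__main__":
    print("vermagic:", parse_vermagic(SAMPLE_MODINFO))
    print("matches 3.0.101-77-default?", vermagic_matches(SAMPLE_MODINFO, "3.0.101-77-default"))
    print("dmesg shows module_layout mismatch?", dmesg_reports_mismatch(SAMPLE_DMESG))
```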


Related:

7020140: WARNING Error (506D0201) occurred while saving the iPrint Manager database file on disk

This document (7020140) is provided subject to the disclaimer at the end of this document.

Environment

Micro Focus iPrint Appliance 2.x

Situation

Trying to back up the Print manager database from the PsmStatus tool (https://<iprint_server>/PsmStatus/Misc) results in no padbtxt.xml or psmdbsav.dat being created. The /var/opt/novell/log/iprint/ipsmd.log shows the following:

WARNING Error (506D0201) occurred while saving the iPrint Manager database file on disk.

Resolution

Some files within the Print Manager directory (/var/opt/novell/iprint/print_manager.iPrintAppliance.psm) have the wrong file system ownership assignments.

Incorrect assignments:

-rw------- 1 root iprint padbtxt1.xml

-rw------- 1 root iprint psmdbsav.dat

Correct assignments:

-rw------- 1 iprint iprint padbtxt1.xml

-rw------- 1 iprint iprint psmdbsav.dat

Use the following commands to correct the ownership assignments:

chown iprint.iprint /var/opt/novell/iprint/print_manager.iPrintAppliance.psm/padbtxt1.xml

chown iprint.iprint /var/opt/novell/iprint/print_manager.iPrintAppliance.psm/psmdbsav.dat

Cause

Unknown


Related:

7020763: MTA never restarts automatically on any changes made for the Exchange Address Book Synchronization service

This document (7020763) is provided subject to the disclaimer at the end of this document.

Environment

Novell GroupWise 2014 R2 Support Pack 2

Situation

The MTA never restarts automatically after changes are made for the Exchange Address Book Synchronization service. The GWMTA has to be restarted manually for it to pick up any changes made for the Exchange Address Book Synchronization service.

At https://www.novell.com/documentation/groupwise2014r2/gw2014_guide_exchcoexist/data/coex_addrbksync_mta_config.html#, step 6 states that "The MTA restarts automatically."

Resolution

This has been reported to engineering.

