7/14/09

Multiple Authentication Bypass Vulnerabilities within IBM WAS

Multiple Authentication Bypass Vulnerabilities within IBM WebSphere Application Server

OVERVIEW:
Two vulnerabilities in IBM WebSphere Application Server have recently been made public. IBM WebSphere Application Server is a software application server that uses web technologies and can be implemented on many common operating systems. Both vulnerabilities may allow malicious users to bypass authentication required to access a service running on the vulnerable server. Successful exploitation may allow attackers to gain unauthorized access to the service, which may lead to other attacks.

SYSTEMS AFFECTED:
The vulnerability identified by IBM in PK72138 (Bugtraq ID 35594):
* IBM WebSphere Application Server 7.0 1
* IBM WebSphere Application Server 6.1 23
* IBM WebSphere Application Server 6.1 22
* IBM WebSphere Application Server 6.1 21
* IBM WebSphere Application Server 6.1 20
* IBM WebSphere Application Server 6.1 19
* IBM WebSphere Application Server 6.1 18
* IBM WebSphere Application Server 6.1 17
* IBM WebSphere Application Server 6.1 15
* IBM WebSphere Application Server 6.1 13
* IBM WebSphere Application Server 6.1 12
* IBM WebSphere Application Server 6.1 10
* IBM WebSphere Application Server 6.1 .9
* IBM WebSphere Application Server 6.1 .7
* IBM WebSphere Application Server 6.1 .6
* IBM WebSphere Application Server 6.1 .5
* IBM WebSphere Application Server 6.1 .3
* IBM WebSphere Application Server 6.1 .2
* IBM WebSphere Application Server 6.1 .14
* IBM WebSphere Application Server 6.1 .1
* IBM WebSphere Application Server 6.1
* IBM WebSphere Application Server 7.0

The vulnerability identified by IBM in PK75992 (Bugtraq ID 35610):
* IBM WebSphere Application Server 7.0 1
* IBM WebSphere Application Server 6.1 21
* IBM WebSphere Application Server 6.1 19
* IBM WebSphere Application Server 6.1 17
* IBM WebSphere Application Server 6.1 15
* IBM WebSphere Application Server 6.0.2 31
* IBM WebSphere Application Server 6.0.2 29
* IBM WebSphere Application Server 6.0.2 27
* IBM WebSphere Application Server 6.0.2 .25
* IBM WebSphere Application Server 7.0

RISK:
Government:
* Large and medium government entities: High
* Small government entities: High

Businesses:
* Large and medium business entities: High
* Small business entities: High

Home users: N/A

DESCRIPTION:
IBM has confirmed the existence of two vulnerabilities that may allow a remote attacker to bypass application server authentication. Exploiting these vulnerabilities could allow an attacker to access restricted services, which may then lead to other attacks. Both vulnerabilities are associated with WS-Security, which is the security implementation within the Java API for XML Web Services (JAX-WS).

The first vulnerability discovered within WS-Security, referenced and addressed by IBM in PK72138, can only be exploited when the security policy is implemented at the 'Operational Level'. When this policy is established, WS-Security does not properly handle inbound requests that lack a SOAPAction or WS-Addressing Action. An attacker can craft a malicious inbound request to exploit this vulnerability. Successful exploitation may allow attackers to bypass certain security restrictions, which may then lead to other attacks.

The second vulnerability, referenced and addressed by IBM in PK75992, arises in the way WS-Security validates the 'UsernameToken' object. It is possible for WS-Security to incorrectly validate these tokens, allowing a malicious user to bypass the authentication process. This may allow a malicious user to conduct further attacks.
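As an added illustration (not IBM's code and not the PK72138/PK75992 fix), the following fail-closed pre-filter shows the request shape the first vulnerability concerns: an inbound SOAP request that carries neither an HTTP SOAPAction header nor a WS-Addressing Action element must be denied rather than allowed to fall outside an operation-level policy, and a protected operation must also carry a complete UsernameToken. The namespaces are the standard SOAP, WS-Addressing and WSS ones; the urn:example operation name and the sample message are constructed.

```python
import xml.etree.ElementTree as ET

SOAP_NS = ("http://schemas.xmlsoap.org/soap/envelope/",   # SOAP 1.1
           "http://www.w3.org/2003/05/soap-envelope")     # SOAP 1.2
WSA_ACTION = "{http://www.w3.org/2005/08/addressing}Action"
WSSE = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}"

def soap_header(envelope_xml):
    """SOAP Header element, or None if the document is not a SOAP 1.1/1.2 envelope."""
    root = ET.fromstring(envelope_xml)
    for ns in SOAP_NS:
        if root.tag == "{%s}Envelope" % ns:
            return root.find("{%s}Header" % ns)
    return None

def resolve_action(http_headers, envelope_xml):
    """Operation named by HTTP SOAPAction or wsa:Action; None when neither is present (PK72138 shape)."""
    soap_action = http_headers.get("SOAPAction", "").strip().strip('"').strip()
    if soap_action:
        return soap_action
    hdr = soap_header(envelope_xml)
    act = hdr.find(WSA_ACTION) if hdr is not None else None
    return ((act.text or "").strip() or None) if act is not None else None

def has_username_token(envelope_xml):
    """True iff the Header has a wsse:UsernameToken with non-empty Username and Password (sanity check, not IBM's fix)."""
    hdr = soap_header(envelope_xml)
    for tok in (hdr.iter(WSSE + "UsernameToken") if hdr is not None else ()):
        if all(tok.findtext(WSSE + f, default="").strip() for f in ("Username", "Password")):
            return True
    return False

def gate(http_headers, envelope_xml, protected_ops):
    """Fail-closed: deny requests that name no operation instead of letting them fall
    outside the operation-level policy; deny protected operations without a complete token."""
    action = resolve_action(http_headers, envelope_xml)
    if action is None:
        return "DENY: no SOAPAction header and no wsa:Action element"
    if action in protected_ops and not has_username_token(envelope_xml):
        return "DENY: %s requires a UsernameToken" % action
    return "ALLOW: " + action

# Constructed sample request; the urn:example operation name is invented for this example.
SAMPLE = ('<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsa="http://www.w3.org/2005/08/addressing" '
          'xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><s:Header>'
          '<wsa:Action>urn:example:GetBalance</wsa:Action><wsse:Security><wsse:UsernameToken><wsse:Username>alice'
          '</wsse:Username><wsse:Password>pw</wsse:Password></wsse:UsernameToken></wsse:Security></s:Header>'
          '<s:Body/></s:Envelope>')
# Same request with the wsa:Action element stripped: the case the filter must reject.
NO_ACTION = SAMPLE.replace("<wsa:Action>urn:example:GetBalance</wsa:Action>", "")
```

An empty SOAPAction header (`""`, common in SOAP 1.1) is treated the same as a missing one, so the decision falls through to wsa:Action.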

RECOMMENDATIONS:
We recommend the following actions be taken:
* Apply appropriate patches provided by IBM to vulnerable systems immediately after appropriate testing.
* Deploy network intrusion detection systems to monitor network traffic for malicious activity.

REFERENCES:

IBM:
http://www-01.ibm.com/support/docview.wss?rs=180&context=SSEQTP&dc=D600&uid=swg21367223&loc=en_US&cs=UTF-8&lang=en&rss=ct180WebSphere

Security Focus:
http://www.securityfocus.com/bid/35594
http://www.securityfocus.com/bid/35610

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0903
