Novell iChain Mutual Authentication Configuration May Let Remote User Authenticate to the System
SecurityTracker Alert ID: 1013011
SecurityTracker URL: http://securitytracker.com/id?1013011
CVE Reference: GENERIC-MAP-NOMATCH
Date: Jan 26 2005
Impact: User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 2.2, 2.3
Description: A vulnerability was reported in iChain. In certain situations involving mutual authentication, a remote user may be able to authenticate to iChain.

Novell reported that if mutual authentication is enabled, auth certificates are used on iChain accelerators, and multiple iChain environments are installed, then a remote user can authenticate to iChain using mutual authentication certificates.

A remote user can create a client certificate signed by a Novell iChain server certificate authority. If the remote user can match an attribute from the target eDir LDAP database, the remote user may be successfully authenticated.
Impact: A remote user may be able to authenticate to iChain.
Solution: Novell has provided the following workaround [quoted]:

When setting up iChain for mutual authentication, make sure the following processes are in place:
- create externally signed certificates for any accelerator using mutual authentication. These externally signed certificates include certificates generated by other Novell CAs in your network.
- never ever import the ICS_TREE CA Selfsigned Certificate to iChain's Trusted Root store
Vendor URL: support.novell.com/cgi-bin/search/searchtid.cgi?/10096315.htm
Cause: Authentication error, Configuration error
Message History:
None.
Source Message Contents
Date: Wed, 26 Jan 2005 04:08:02 -0500
Subject: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096315.htm
Novell reported a vulnerability in iChain.

If mutual authentication is enabled, auth certificates are used on iChain accelerators, and multiple iChain environments are installed, then a remote user can authenticate to iChain using mutual authentication certificates.

A remote user can create a client certificate signed by a Novell iChain server certificate authority. If the remote user can match an attribute from the target eDir LDAP database, the remote user may be successfully authenticated.

> A user certificate signed by ANY iChain appliance's ICS_TREE CA can be used to
> authenticate against ANY iChain appliance if the following conditions are met:
>
> - Accelerator uses auto-created SSL certificate
> - OR Accelerator uses internally signed SSL certificate
> - OR Accelerator uses external signed SSL certificate but Customer has imported the
>   ICS_TREE Selfsigned Certificate to iChain's TrustedRoot Store (although there is
>   no reason to do so)
>
> - AND Certificate Mapping matches an internal user (this is very likely when the
>   user's email address is known

fix

Novell has provided the following workaround [quoted]:

When setting up iChain for mutual authentication, make sure the following processes are in place:
- create externally signed certificates for any accelerator using mutual authentication. These externally signed certificates include certificates generated by other Novell CAs in your network.
- never ever import the ICS_TREE CA Selfsigned Certificate to iChain's Trusted Root store
> Document Title: Invalid user authenticates to iChain using
> Document ID: 10096315
> Solution ID: NOVL100684
> Creation Date: 24JAN2005
> Modified Date: 25JAN2005
> Novell Product Class: iChain
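The root cause described above (in both the Solution and the quoted Novell TID) is a trust-store problem: once an appliance-internal self-signed CA sits in the accelerator's trusted root store, any client certificate that CA issued chains up successfully. The following is an added openssl demonstration, not Novell's or the advisory's code; the CA name "ICS_TREE Organizational CA", the user name and the file names are constructed stand-ins. It builds an external CA and an internal self-signed CA, issues a client certificate from the internal one, and shows that only a trust store containing the internal CA accepts it; `audit_self_signed_roots` lists the self-signed roots in a PEM bundle so such an import can be spotted.

```shell
#!/bin/sh
# Added example (not Novell's or the advisory's code). All names are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {            # $1 = file prefix, $2 = CN of a self-signed CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
issue_client() {       # $1 = CA prefix, $2 = output prefix, $3 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.pem" 2>/dev/null
}
# Exit 0 when trust bundle $1 would accept client certificate $2 (the mutual-auth decision).
accepts() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# Print the subject of every self-signed certificate in PEM bundle $1. Each one is a root
# whose issued client certificates will be accepted, so an appliance-internal CA listed
# here is exactly the import the workaround says never to do.
audit_self_signed_roots() {
  awk -v d="$WORK" '/BEGIN CERT/{n++} {print > (d "/part_" n ".pem")}' "$1"
  for f in "$WORK"/part_*.pem; do
    s=$(openssl x509 -noout -subject -in "$f" | sed 's/^subject= *//')
    i=$(openssl x509 -noout -issuer -in "$f" | sed 's/^issuer= *//')
    if [ "$s" = "$i" ]; then echo "$s"; fi
  done
  rm -f "$WORK"/part_*.pem
}
setup_demo() {
  make_ca external "ExternalCA"                     # externally signed CA: what to trust
  make_ca ics_tree "ICS_TREE Organizational CA"     # constructed appliance-internal CA
  issue_client ics_tree other_appliance_user "user@example.com"   # minted by internal CA
  cat "$WORK/external.pem" > "$WORK/store_good.pem"               # workaround applied
  cat "$WORK/external.pem" "$WORK/ics_tree.pem" > "$WORK/store_bad.pem"  # CA imported
}
setup_demo
for store in store_good store_bad; do
  if accepts "$WORK/$store.pem" "$WORK/other_appliance_user.pem"; then r=ACCEPTED; else r=rejected; fi
  echo "$store: client cert from internal CA $r"
  echo "$store self-signed roots: $(audit_self_signed_roots "$WORK/$store.pem" | tr '\n' ';')"
done
```

Run against a real trust bundle exported from an accelerator, `audit_self_signed_roots` should list only the external roots you intentionally trust.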