Alert: Novell Patches Multiple iChain

Novell beta support pack fixes multiple “highly critical” vulnerabilities. We explain the problem and what you can do about it.

Novell released a beta service pack to fix three vulnerabilities in its iChain 2.x software.

Vulnerability information provider Secunia rates the vulnerabilities as “highly critical” since they can allow attackers “to hijack another user's session, cause a [denial of service attack], and maybe compromise a system.”

Novell’s iChain, according to the company, is a “secure identity management solution” used to provide “identity-based Web security services that control access to application and network resources.” In particular, iChain isolates security from Web services applications and servers to provide such things as single sign-on, multiple authentication levels for access, enforced access control lists, and centralized management of access privileges.

The iChain vulnerabilities could allow an attacker, says Secunia, to “hijack another user's session if the new user's session is opened on the same port.”

In addition, an unpatched iChain server could be crashed by using WGET—a method for mirroring or retrieving files from a remote site by using HTTP, HTTPS, or FTP—on a directory that has no files. That could lead to denial of service.

Finally, unpatched versions of iChain are “affected by the OpenSSL vulnerabilities in the ASN.1 parsing.” That is to say, SSL is used—notes CERT—“to provide authentication, encryption, and integrity services to higher-level network applications such as HTTP,” while ASN.1 objects represent cryptographic elements, such as digital certificates. The vulnerability arises from OpenSSL’s ASN1 library’s mishandling of untrusted digital certificates.

Though machines may be configured to not accept digital certificates, that doesn’t matter. Secunia notes that “an error causes OpenSSL to parse and handle client certificates even when OpenSSL isn't configured to do this.”

Attackers can strike using bogus certificates—against an affected application that uses the ASN1 library—in two ways. In the first kind of assault, an attacker sends a certificate that attempts to make a server connect to another server (under the attacker’s control). Once the connection is established, the attacker can execute arbitrary code on the remote system. Alternately the attacker can take control of a machine then force it to connect to the external server and receive a specially crafted digital certificate.

Another method of launching a denial of service is when attackers use a certificate to supply “unusual ASN.1 tag values,” says Secunia. If OpenSSL is in debug mode, “an invalid public key in a certificate may cause the verify code to crash; this could lead to a Denial of Service against systems running in debug mode.”

Prior to updating production machines, Novell advises companies to test the patch in an environment that mirror the production environment.

The current fix is to apply the Novell iChain 2.2 Support Pack 2 beta:http://support.novell.com/servlet/filedownload/sec/ftf/b1ic22sp2.exe

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.