The following security advisory is sent to the securiteam mailing list, and can be found at the
SecuriTeam web site: http://www.securiteam.com

• • promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

Websphere MQ Security Exit Authentication Bypass Vulnerability

SUMMARY

<http://www-306.ibm.com/software/integration/wmq/&gt; Websphere MQ is an
Enterprise level application that can be used to provide a unified
platform for messaging within an organisation. IBM describes their
technology as follows:
"WebSphere MQ provides an award-winning messaging backbone for deploying
your enterprise service bus (ESB) today as the connectivity layer of a
service-orientated architecture (SOA)".

The Websphere MQ service can be used to transfer messages between systems
and applications. It is possible to protect the channels within the Queue
Manager with a security exit which requires that an authentication check
be passed before a connection can be established. A method of bypassing
Websphere MQ Security authentication mechanism has been discovered which
would enable unauthorised access to be gained.

DETAILS

Vulnerable Systems:

• Websphere MQ version 5.1 up to version 5.3 (Solaris)

Immune Systems:

• Websphere MQ version 6.0.0 (Windows)

Impact:
The vulnerability could enable an attacker to bypass a security exit that
has been applied to a channel. This would enable an attacker to gain full
access to all queues defined within the queue manager with full read and
write access. Additionally, an attacker could perform remote
fingerprinting of the software, alter the Queue Manager configuration and
potentially execute Operating System commands through the creation of an
appropriate trigger process.

The latter is dependent on the presence of a running trigger monitor
process on the system.

Cause:
The vulnerability arises from an error in the process for checking whether
a connection has successfully passed the authentication check enforced by
a security exit. A connection can be established to the Queue Manager if
an authentication packet is not sent
before the connection is established.

Interim Workaround:
The only workaround at the present time is to use network filtering to
restrict access to Websphere MQ services to trusted IP addresses only. It
is also possible that correctly deploying and mandating the use of SSL
client certificates will prevent an attacker from accessing the channels
that are protected by the Security Exit. IBM have released a fix pack that
addresses this vulnerability.

Solution:
IBM has released the following fix Pack:
<http://www-1.ibm.com/support/docview.wss?rs=171&amp;uid=swg27006037#1&gt;
http://www-1.ibm.com/support/docview.wss?rs=171&amp;uid=swg27006037#1

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1130&gt;
CVE-2008-1130

ADDITIONAL INFORMATION

The information has been provided by
<mailto:[email protected]> Elspeth Levi.
The original article can be found at:
<http://www.mwrinfosecurity.com/publications/mwri_websphere-mq-authentication-bypass-advisory_2008-03-26.pdf&gt;
http://www.mwrinfosecurity.com/publications/mwri_websphere-mq-authentication-bypass-advisory_2008-03-26.pdf

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
[email protected]
In order to subscribe to the mailing list, simply forward this email to:
[email protected]

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages.