Entrust Security Bulletin E01-005
=================================

Entrust GetAccess(tm) Access Service Vulnerability

SUMMARY:
========

A vulnerability has been identified in Entrust GetAccess that could allow unauthorized retrieval of files on certain GetAccess web servers. Entrust recommends installation of the patch described below, which addresses this vulnerability.

Impact of vulnerability: This vulnerability could potentially result in the unauthorized retrieval of some files hosted on impacted web servers. Servers running the GetAccess Access Service are impacted; those running GetAccess runtimes and other services are not. Typical customer deployments store sensitive content on GetAccess runtime servers, which reduces the impact of this vulnerability.

Solution: Entrust has made a patch available on the GetAccess support extranet at the location listed below. A workaround also exists, described below.

Affected Configurations:
- Versions: Entrust GetAccess, all versions
- Platforms: All
- Services: Entrust GetAccess Access Service

TECHNICAL DETAILS:
==================

GetAccess provides a localization mechanism that allows its HTML pages (used for logout sequences, error messages, timeout messages, and the like) to be localized using different language-specific templates. This mechanism takes as an argument a query string name-value pair of the format "LOCALE=XX_XX", where XX_XX corresponds to the name of the sub-directory within the GetAccess directory structure that contains the appropriate HTML templates. GetAccess uses this value to build the directory path and select the appropriate files. The vulnerability arises if a user manually substitutes an arbitrary directory path for the XX_XX value.
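The defect described above is a classic path-construction flaw: a query parameter is used as a directory name without being checked against the set of values the application actually means to accept. The following Python is an added illustration written for this bulletin's readers; it is not GetAccess code, and the template layout (templates_root/<locale>/<page>.html), the page names, and the strict "xx_XX" locale shape are assumptions made for the example. It shows the two controls a template resolver needs: an allowlist match on the raw LOCALE value, and a canonical-path containment check so that even a value which slips past the first check can never resolve outside the templates directory.

```python
import os
import re
import tempfile

# Assumed for this example: templates live at <templates_root>/<locale>/<page>.html,
# and a locale code is exactly two lowercase letters, an underscore, two uppercase letters.
LOCALE_PATTERN = re.compile(r"^[a-z]{2}_[A-Z]{2}$")
ALLOWED_PAGES = {"logout.html", "error.html", "timeout.html"}


class LocaleError(ValueError):
    """Raised when the LOCALE value or page name fails validation."""


def resolve_template(templates_root: str, locale: str, page: str) -> str:
    """Map a LOCALE query value to an on-disk template path.

    Rejects any value that is not a well-formed locale code, any page not in the
    fixed set, and any resolved path that does not stay under templates_root.
    """
    # Control 1: allowlist the shape of the user-supplied value before touching the filesystem.
    if not LOCALE_PATTERN.fullmatch(locale):
        raise LocaleError(f"malformed LOCALE value: {locale!r}")
    if page not in ALLOWED_PAGES:
        raise LocaleError(f"unknown template page: {page!r}")

    root = os.path.realpath(templates_root)
    candidate = os.path.realpath(os.path.join(root, locale, page))

    # Control 2 (defence in depth): the canonical path must remain inside the root.
    if os.path.commonpath([root, candidate]) != root:
        raise LocaleError("resolved path escapes the templates directory")
    if not os.path.isfile(candidate):
        raise LocaleError(f"no template for locale {locale!r}")
    return candidate


def demo() -> dict:
    """Build a constructed template tree and classify several LOCALE values.

    Returns a mapping of input value -> "served" or "rejected".
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "en_US"))
        with open(os.path.join(root, "en_US", "logout.html"), "w", encoding="utf-8") as fh:
            fh.write("<html>You have been logged out.</html>")  # constructed template

        # Constructed test inputs: one valid locale, one valid-looking but absent,
        # one traversal attempt, one with a trailing parent reference, one wrong case.
        inputs = ["en_US", "fr_CA", "../../outside", "en_US/..", "EN_us"]
        results = {}
        for value in inputs:
            try:
                resolve_template(root, value, "logout.html")
                results[value] = "served"
            except LocaleError:
                results[value] = "rejected"
        return results


if __name__ == "__main__":
    for value, outcome in demo().items():
        print(f"{value!r:20} -> {outcome}")
```

The regex check alone would already have rejected the arbitrary-directory case the bulletin describes; the realpath containment check is kept because allowlists get loosened over time, and a second, independent control means a future relaxation of the pattern does not silently reopen the traversal.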
The localization mechanism is vulnerable in the following GetAccess Access Service capabilities:
- The process which drives localized user help during login (if the user clicks the "Help" link on a login screen)
- The process which drives the "About" screen that displays GetAccess version information.

All other GetAccess processes that support the localization mechanism do not contain this vulnerability.

MITIGATING FACTORS:
===================

- The only files that are potentially exposed are the ones that the web server has permission to access.
- This vulnerability is limited to file retrieval only. It is not possible to exploit this vulnerability to upload files/data or to execute arbitrary code on the web server.
- Only files on the Access Service machine(s) are potentially at risk of exposure. The most common deployment architecture segregates the Access Service from web servers hosting any sensitive application data.

PATCH AVAILABILITY:
===================

A patch is available now on the GetAccess support extranet at the following address:

https://login.encommerce.com/private/docs/techSupport/Patches-BugFix

WORK-AROUNDS:
=============

If the patch above is applied, the following work-arounds are not required.

- The following files can be removed from GetAccess Access Service hosts, eliminating the vulnerability. Note that the patch above corrects the vulnerability in these scripts and eliminates the need to delete them.

  helpwin.gas.bat: This script is referenced by the "Help" link on GetAccess login screens. These links could be replaced with alternative HTML help pages not driven by the GetAccess help script.

  AboutBox.gas.bat: This script drives the "About" box that displays GetAccess version information.

- As part of normal security policy, customers should not store sensitive data on GetAccess Access Service hosts. Web servers hosting such data should be secured using the GetAccess Runtime, which is not affected by this vulnerability.
  Almost all Entrust GetAccess customers choose to deploy in this sort of configuration even in the absence of this vulnerability.

- If the Access Service component is co-located on a web server hosting sensitive files, the Access Service can be segregated to a dedicated server in order to minimize the potential exposure.

- File permissions should be set such that all files not explicitly needed by the web server are inaccessible to the user account under which the web server runs (in keeping with industry best practice).

- Impacted Components: Only GetAccess servers running the Access Service component are affected. Web servers hosting secure content protected by the GetAccess Runtime are not affected.

SUPPORT:
========

Entrust customer support, including after-hours service, is available by phone as follows:

North America: 1-877-754-7878
Elsewhere: +1-613-270-3700

ACKNOWLEDGMENT:
===============

Entrust acknowledges the assistance of Rudi Carell, who worked with us to eliminate this vulnerability.

Copyright (c) 2001 Entrust Inc.
security@entrust.com