Steps to secure Single Sign-On Servers with Directory SNMP vulnerability

Document ID : KB000049936
Last Modified Date : 14/02/2018

Description:

Issue: A vulnerability has been identified in CA Directory that can allow a remote attacker to cause a denial of service condition. The vulnerability, CVE-2011-3849, is due to insufficient bounds checking: an attacker can send a crafted SNMP packet that causes a crash.

Affected Products: CA Directory r12 SP1-SP7 and CA Directory 8.1

The vulnerability is in CA Directory's parsing of SNMP packets. To mitigate the risk, the SNMP listener can be disabled by removing (or commenting out) the "snmp-port" line in the DSA's knowledge configuration. This is a workaround until the latest release of Single Sign-On server is certified with CA Directory r12.0 SP7 CR1 or later.

Solution:

On each of your SSO servers go to your knowledge folder. The default locations on Unix and Windows are below.

  • Windows: %DXHOME%\config\knowledge

  • Unix: $DXHOME/config/knowledge

Edit ALL the dxc files starting with PS_Your_server_hostname.dxc and comment out the snmp-port line by putting a pound sign at the beginning of the line. You can also remove the line altogether.

  • snmp-port = 13389

Change to

  • # snmp-port = 13389

  • Perform the same task for the file "PSTD_Your_server_hostname.dxc" as well.

  • snmp-port = 13390

Change to

  • # snmp-port = 13390

  • If your SSO solution is deployed as a farm, repeat these steps for each PS_xxx.dxc and PSTD_xxx.dxc file in the knowledge folder on every server.

  • There is no need to edit any external LDAP router files, as the snmp-port setting does not apply to external directory sources.

  • Once this setting is changed and saved in each of the PS and PSTD dxc files, the CA Directory DSAs need to be re-initialized from the command line with the command below for the change to take effect. This command only instructs the DSA to re-read its configuration files, so the change is applied without restarting the services.

  • dxserver init all

  • Note: If you are on Unix you will first need to su to the dsa user (or the Directory service user defined in your install) with the command below.

  • su - dsa

  • The SNMP traffic should now be turned off and the vulnerability closed.

  • To verify that the SNMP listener is now off, run the commands below from the samples folder for your OS.

  • Windows: %DXHOME%\samples\snmp

  • Unix: $DXHOME/samples/snmp

  • If the listener is off, each command should time out and report "Target Unreachable".

  • dxsnmp -r2 localhost/13389

  • dxsnmp -r2 localhost/13390

See below example:

  • C:\Program Files\CA\Directory\dxserver\samples\snmp>dxsnmp -r2 localhost/13389

  • Here is an example of an updated knowledge .dxc file:

    set dsa PS_SSO-SERVER =
    {
        prefix        = <o "PS">
        dsa-name      = <o "PS"><cn PS_SSO-SERVER>
        dsa-password  = "secret"
        address       = tcp "sso-server.acme.com" port 13389
        disp-psap     = DISP
        cmip-psap     = CMIP
        #snmp-port    = 13389
        console-port  = 13379
        ssld-port     = 1112
        auth-levels   = anonymous, clear-password
        dsp-idle-time = 60
        dsa-flags     = multi-write
        trust-flags   = allow-check-password, trust-conveyed-originator
    };
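As an added example, not part of this CA article and not CA Directory's own tooling, the POSIX shell script below applies the workaround above to a whole knowledge directory: it comments out every live snmp-port line in the PS_*.dxc and PSTD_*.dxc files, leaves router files and already-commented lines alone, keeps a backup of each file it changes, and prints how many files still declare a live snmp-port so you have a check before running dxserver init all. The sample files, hostnames and ports it builds for its demo run are constructed for illustration; the knowledge directory path is the one the article gives.

```shell
#!/bin/sh
# Added example for this KB article; not CA code. Comments out every live
# "snmp-port" line in the PS_*.dxc and PSTD_*.dxc knowledge files of a
# CA Directory knowledge directory ($DXHOME/config/knowledge), keeps a
# backup of each file it changes, and reports how many files still expose
# an SNMP listener. Router files and already-commented lines are untouched.

# Regular expression for a live (uncommented) snmp-port assignment.
SNMP_RE='^[[:space:]]*snmp-port[[:space:]]*='

# disable_snmp_port KNOWLEDGE_DIR
#   Rewrites each PS_/PSTD_ file that still has a live snmp-port line so the
#   line starts with "# ", as the article describes, after copying the
#   original to FILE.bak-snmp. Safe to run more than once.
disable_snmp_port() {
    dir=$1
    for f in "$dir"/PS_*.dxc "$dir"/PSTD_*.dxc; do
        [ -f "$f" ] || continue
        grep -q "$SNMP_RE" "$f" || continue
        cp -p "$f" "$f.bak-snmp"
        # Keep the original indentation and insert "# " before the keyword.
        sed 's/^\([[:space:]]*\)\(snmp-port[[:space:]]*=\)/\1# \2/' \
            "$f.bak-snmp" > "$f"
    done
}

# count_active_snmp_ports KNOWLEDGE_DIR
#   Prints the number of PS_/PSTD_ files that still declare a live
#   snmp-port. After the workaround this must print 0.
count_active_snmp_ports() {
    dir=$1
    n=0
    for f in "$dir"/PS_*.dxc "$dir"/PSTD_*.dxc; do
        [ -f "$f" ] || continue
        if grep -q "$SNMP_RE" "$f"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# make_sample_knowledge_dir
#   Builds a throwaway knowledge directory with constructed sample files
#   (hostnames and ports are illustrative, not a real installation) and
#   prints its path.
make_sample_knowledge_dir() {
    d=$(mktemp -d)
    # Server DSA with a live SNMP listener: must be commented out.
    cat > "$d/PS_sso-server.dxc" <<'EOF'
set dsa PS_SSO-SERVER =
{
    prefix        = <o "PS">
    dsa-name      = <o "PS"><cn PS_SSO-SERVER>
    address       = tcp "sso-server.acme.com" port 13389
    snmp-port     = 13389
    console-port  = 13379
};
EOF
    # Already fixed on a previous run: must not be commented twice.
    cat > "$d/PSTD_sso-server.dxc" <<'EOF'
set dsa PSTD_SSO-SERVER =
{
    prefix        = <o "PSTD">
    address       = tcp "sso-server.acme.com" port 13390
    # snmp-port   = 13390
    console-port  = 13380
};
EOF
    # External LDAP router file: no snmp-port, and not in scope anyway.
    cat > "$d/ExtLDAP_corp.dxc" <<'EOF'
set dsa ExtLDAP_corp =
{
    prefix  = <o "corp">
    address = tcp "ldap.acme.com" port 389
};
EOF
    echo "$d"
}

# Stand-alone run: exercise the functions on the constructed sample files.
demo_dir=$(make_sample_knowledge_dir)
echo "files with a live snmp-port before: $(count_active_snmp_ports "$demo_dir")"
disable_snmp_port "$demo_dir"
echo "files with a live snmp-port after:  $(count_active_snmp_ports "$demo_dir")"
rm -rf "$demo_dir"
```

On a real server you would run it as the DSA user (su - dsa on Unix) with disable_snmp_port "$DXHOME/config/knowledge", confirm that count_active_snmp_ports prints 0 on every server in the farm, and only then run dxserver init all and the dxsnmp check from the article. The script edits PS_ and PSTD_ files only, so external router files are never touched, and the .bak-snmp copies let you undo the change file by file.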

As always if you have any concerns or questions regarding the content provided in this technical document, please do not hesitate to open a case with CA Support Online.