Managed PKI Client SQL Security Vulnerability Alert
November 10th, 2005
The following is a technical alert that describes a potential security vulnerability in your VeriSign Managed PKI Local Hosting with Automated Administration deployment (using an ODBC database as the user authentication repository) and the corresponding VeriSign patch. Please read the following Issue description and Solution carefully and apply the recommended patch accordingly.
Issue
The Web-based certificate enrollment form of the VeriSign Digital ID center makes it possible for a user to enter ill-intended or unintended SQL statements into particular fields of the form. For example, a SQL-savvy hacker could construct and inject a SQL statement to query all records in the user authentication database or delete records without authorization. The consequences of such malicious or misused SQL statements are undue load on the database (i.e., resulting in a “denial of service” attack) or unwanted modification of database data during the user verification and certificate registration processes.
Note that injection of malicious or unintended SQL statements into the certificate enrollment form is highly unlikely and requires hackers to be aware of such a vulnerability and to know how to construct the correct malicious SQL statements. To date, VeriSign has not received reports of any malicious SQL-related incidents stemming from this vulnerability.
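The weakness described above is the classic one of splicing form-field values into SQL text, so that quotes and operators typed into the field are parsed as part of the statement. The following is an added illustration, not VeriSign's code: it uses an in-memory sqlite3 table as a stand-in for the ODBC user authentication store (the table name, columns and sample rows are constructed for the example), shows the concatenating lookup beside a parameterized one, and demonstrates that a tautology typed into the form fields returns every enrollee from the former and nothing from the latter. The `?` placeholder style is the same one ODBC drivers (e.g. pyodbc) accept.

```python
import sqlite3

# Constructed sample rows standing in for the user authentication repository.
# The real deployment used Oracle 9i or Microsoft SQL over ODBC; sqlite3 is
# used here only so the example runs offline.
SAMPLE_ENROLLEES = [
    ("alice", "alice@example.com", "PIN-1111"),
    ("bob", "bob@example.com", "PIN-2222"),
    ("carol", "carol@example.com", "PIN-3333"),
]


def make_db():
    """Create an in-memory table (hypothetical schema) holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE enrollees (username TEXT, email TEXT, pin TEXT)")
    conn.executemany("INSERT INTO enrollees VALUES (?, ?, ?)", SAMPLE_ENROLLEES)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username, pin):
    """Weak pattern: form values are spliced into the SQL string.

    Whatever the user typed, including quote characters and boolean operators,
    becomes part of the statement the database parses.
    """
    sql = ("SELECT username, email FROM enrollees "
           f"WHERE username = '{username}' AND pin = '{pin}'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username, pin):
    """Fixed pattern: placeholders with bound parameters.

    The statement text is fixed; the form values are handed to the driver as
    data and are never parsed as SQL, so a quote in a field is just a quote.
    """
    sql = ("SELECT username, email FROM enrollees "
           "WHERE username = ? AND pin = ?")
    return conn.execute(sql, (username, pin)).fetchall()


def demo():
    """Run both lookups with a normal input and with a tautology in each field."""
    conn = make_db()
    normal = ("alice", "PIN-1111")
    # The tautology makes the concatenated WHERE clause true for every row.
    tautology = ("' OR '1'='1", "' OR '1'='1")
    return {
        "vulnerable_normal": lookup_vulnerable(conn, *normal),
        "vulnerable_tautology": lookup_vulnerable(conn, *tautology),
        "parameterized_normal": lookup_parameterized(conn, *normal),
        "parameterized_tautology": lookup_parameterized(conn, *tautology),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable lookup returns all three sample enrollees for the tautology input, which is the "query all records" outcome the advisory describes; the parameterized lookup returns an empty result because no enrollee is literally named `' OR '1'='1`. The "delete records" outcome in the advisory depends on the driver permitting stacked statements, which sqlite3's `execute` refuses, so it is not reproduced here; binding parameters closes both paths regardless.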
Impacted Customers
VeriSign Managed PKI 6.0, 5.0 and 4.6.1 customers using Local Hosting and Automated Administration with an ODBC database (e.g., Oracle 9i, Microsoft SQL) as the user authentication store. Customers using a directory (LDAP or Active Directory) as the user authentication and certificate registration repository are NOT affected.
To determine the version of your installed Managed PKI solution (i.e., Local Hosting site kit or Automated Administration Server), use a text editor to open the Local Hosting file located at <Local_Hosting_Install_Dir>/htmldocs/client/help/faq/version.htm, which has a line stating the version of the Local Hosting site kit, or the Auto Admin file located at <AA_dir>/version.txt, which has a line stating the version of the Automated Administration Server.
Note: If neither the aforementioned Local Hosting file nor the Auto Administration file exists, you are using Managed PKI 4.6.1 or older (aka OnSite 4.6.1 or older). Versions prior to OnSite 4.6.1 are no longer supported. OnSite 4.6.1 is supported through July 2006. If you are using OnSite 4.6.1 or older and have not yet planned your upgrade to the latest version of Managed PKI, please contact VeriSign.
Solution
VeriSign has created a software patch to address the aforementioned SQL Injection vulnerability. Please log into the VeriSign Control Center using your Managed PKI administrator certificate to download the correct platform patch and follow the instructions in the release notes (posted in the same Control Center location) to install the software patch.
Following are the steps to log into the VeriSign Control Center and navigate to the downloadable software section for the patch titled “SQL Injection Patch for Local Hosting Sitekits”.
- Log in at https://onsite-admin.verisign.com/OnSiteHome.htm (Note: You must have your VeriSign Managed PKI administrator certificate for the login).
- Click on the “Download” tab located horizontally across the frame.
- Click on the “Software” tab located vertically on the “Download” navigation frame.
- Scroll down to the “Optional Updates and Service Packs” section of the HTML page.
- Download the appropriate MPKI version of the “SQL Injection Patch” for your OS platform and follow the installation instructions in the release notes.
For More Information
If you have any questions or concerns or need support for this product, please contact VeriSign Technical Support at 1-800-579-2848 for US customers and +1 650-426-3535 for international customers, or enterprise-pkisupport@verisign.com.
Sincerely,
VeriSign Product Management