bobgosling
Posted: Thu Jan 18, 2007 3:42 am  Post subject: security breach
Novice. Joined: 16 Jan 2004, Posts: 12, Location: London, UK
Our Security Officer invited a defence testing company to attempt to connect to MQSeries and leave a test message on a queue, just to see if it could be done.
It was a bit too easy for my liking.
We have v5.2 on Solaris with security implemented via a Security Exit on SYSTEM.DEF.SVRCONN.
The hackers had a packet generator which they used to send packets to the TCP/IP port which the channel listens on.
They observed that the only difference between a QM with a Security Exit and one without was that a rejection message comes back when user/password credentials are invalid. So all they did was ignore the returning package and send the MQPUT package anyway. It worked. In other words, it is only the way that the API (JMS in our case) handles connection refusals that keeps unauthorized users out!!!
Am I missing something obvious, or is this a gaping big hole in MQSeries security?

Vitor
Posted: Thu Jan 18, 2007 3:55 am
Grand High Poobah. Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA
What level of Solaris?
What patch level of MQ 5.2, and why are you using an obsolete version?
Is the security exit roll-your-own or proprietary, and if the latter, whose?
_________________
Honesty is the best policy.
Insanity is the best defence.

bobgosling
Posted: Thu Jan 18, 2007 4:03 am  Post subject: more ...
Novice. Joined: 16 Jan 2004, Posts: 12, Location: London, UK
Solaris 5.8
Can't upgrade just yet due to a legacy system not working on v5.3 and higher (Neon-MQSI).
Security exit is "kinda" ours. It was written by Neon consultants. Unfortunately the code has gone missing and we only have the object library.

Vitor
Posted: Thu Jan 18, 2007 4:12 am  Post subject: Re: more ...
Grand High Poobah. Joined: 11 Nov 2005, Posts: 26093, Location: Texas, USA
bobgosling wrote:
    Security exit is "kinda" ours. It was written by Neon consultants. Unfortunately the code has gone missing and we only have the object library.
Sounds like you need a better security exit, or 5.3 with SSL.
I leave it to others with more knowledge of exit programming and security ("Paging Mr Roger Lacroix. Will Mr Roger Lacroix please pick up") to explain exactly why you're getting the behaviour you're getting. I have a theory, but it's not really my thing.
I'll also direct your attention to the Capitalware section, where a proprietary solution is available. I'd be unhappy (even if it worked) with a home-grown exit of unknown function to which the source is not available...
_________________
Honesty is the best policy.
Insanity is the best defence.

jefflowrey
Posted: Thu Jan 18, 2007 5:00 am
Grand Poobah. Joined: 16 Oct 2002, Posts: 19981
You need to upgrade NEON-MQSI more than you need to upgrade MQ.
The MCA shouldn't be acting the way your consultants have shown it to be acting, but there have been so very very very many fixes between the version you're running and the current version.
First thing to do is upgrade to the last CSD of v5.2. The next thing to do is put a network-level firewall around the machine, and ensure that only known valid IP addresses can establish ANY connections to the listener port.
The next thing to do is upgrade to at least WBIMB v5, but you'll probably have to go straight to v6, which is not a bad thing. It's a much easier transition/migration process.
_________________
I am *not* the model of the modern major general.

RogerLacroix
Posted: Thu Jan 18, 2007 8:57 am  Post subject: Re: security breach
Jedi Knight. Joined: 15 May 2001, Posts: 3264, Location: London, ON Canada
bobgosling wrote:
    They observed that the only difference between a QM with a Security Exit and one without was that a rejection message comes back when user/password credentials are invalid. So all they did was ignore the returning package and send the MQPUT package anyway. It worked. In other words, it is only the way that the API (JMS in our case) handles connection refusals that keeps unauthorized users out!!!
    Am I missing something obvious, or is this a gaping big hole in MQSeries security?
1) A bug in your security exit.
2) Yes, there are big security holes in MQ.
I've seen this security exit bug before. Basically, the security exit is rejecting the connection attempt on the MQXR_INIT_SEC invocation, but the client side redrives with an MQXR_SEC_MSG invocation, and the security exit most probably returns MQXCC_OK for all other invocations (i.e. MQXR_INIT, MQXR_TERM, etc.). Hence the bug.
<Vendor_Plug>
You should have a look at Capitalware's Security Solutions to replace your existing security exit. (Capitalware's security solutions are very reasonably priced.)
</Vendor_Plug>
Regards,
Roger Lacroix
Capitalware Inc.
_________________
Capitalware: Transforming tomorrow into today.
Connected to MQ!
Twitter
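The failure mode Roger describes, as an added illustration that is not code from this thread, from Neon, or from Capitalware: a security exit that checks credentials only on MQXR_INIT_SEC and answers MQXCC_OK to everything else, placed beside a form that remembers the outcome per channel instance and fails closed. The MQXR_* and MQXCC_* names are the real IBM MQ exit symbols, but the numeric values, the cut-down ExitParms block (standing in for MQCXP), the credential string, and the three-step channel model in channel_accepts_put are all constructed assumptions for the simulation, not MQ's actual MCA behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the few cmqxc.h symbols this example uses.
   In a real exit these come from the IBM MQ headers; the numeric values
   here are assumptions for the simulation and must not be relied on. */
enum { MQXR_INIT = 11, MQXR_TERM = 12, MQXR_SEC_MSG = 15, MQXR_INIT_SEC = 16 };
enum { MQXCC_OK = 0, MQXCC_SUPPRESS_FUNCTION = 1, MQXCC_CLOSE_CHANNEL = 6 };

/* Minimal stand-in for the MQCXP channel-exit parameter block: the invocation
   reason, the response the exit hands back, and a per-channel-instance user
   area (the real MQCXP carries a 16-byte ExitUserArea for exactly this). */
typedef struct {
    int exit_reason;
    int exit_response;
    unsigned char exit_user_area[16];
} ExitParms;

#define AUTH_FLAG 0   /* byte of exit_user_area that records "credentials accepted" */

/* Constructed credential check standing in for whatever the real exit validated. */
static int credentials_valid(const char *creds)
{
    return creds != NULL && strcmp(creds, "appuser:example-secret") == 0;
}

/* The behaviour Roger describes: only MQXR_INIT_SEC is checked; every other
   invocation, including the MQXR_SEC_MSG the client redrives with, is waved
   through with MQXCC_OK, so the earlier rejection is simply forgotten. */
void buggy_security_exit(ExitParms *p, const char *creds)
{
    if (p->exit_reason == MQXR_INIT_SEC)
        p->exit_response = credentials_valid(creds) ? MQXCC_OK : MQXCC_SUPPRESS_FUNCTION;
    else
        p->exit_response = MQXCC_OK;   /* the bug: no memory of the rejection */
}

/* Hardened form: decide on every invocation, keep the decision in the
   per-channel user area, and fail closed for anything not explicitly allowed. */
void strict_security_exit(ExitParms *p, const char *creds)
{
    unsigned char *authed = &p->exit_user_area[AUTH_FLAG];
    switch (p->exit_reason) {
    case MQXR_INIT:
        *authed = 0;                    /* fresh channel instance: nothing trusted yet */
        p->exit_response = MQXCC_OK;
        break;
    case MQXR_INIT_SEC:
    case MQXR_SEC_MSG:                  /* a redrive is checked exactly like the first attempt */
        *authed = credentials_valid(creds) ? 1 : 0;
        p->exit_response = *authed ? MQXCC_OK : MQXCC_CLOSE_CHANNEL;
        break;
    case MQXR_TERM:
        p->exit_response = MQXCC_OK;    /* clean-up only; the channel is going away */
        break;
    default:
        /* Anything unexpected (including invocations added by later MQ levels)
           is allowed only on a channel instance that has already authenticated. */
        p->exit_response = *authed ? MQXCC_OK : MQXCC_CLOSE_CHANNEL;
    }
}

typedef void (*SecurityExit)(ExitParms *, const char *);

/* Simplified model of the start-up sequence from the thread, not of the real
   MCA: the exit sees INIT, then INIT_SEC, then the client's SEC_MSG redrive.
   A non-OK answer is reported to the client, but a client that ignores it (the
   testers' packet generator) just carries on; only MQXCC_CLOSE_CHANNEL ends the
   conversation. Returns 1 if the channel is up afterwards, so a following
   MQPUT would be accepted, and 0 if the channel was closed. */
int channel_accepts_put(SecurityExit sec_exit, const char *creds)
{
    static const int sequence[] = { MQXR_INIT, MQXR_INIT_SEC, MQXR_SEC_MSG };
    ExitParms p;
    int up = 0;
    size_t i;
    memset(&p, 0, sizeof p);
    for (i = 0; i < sizeof sequence / sizeof sequence[0]; i++) {
        p.exit_reason = sequence[i];
        sec_exit(&p, creds);
        if (p.exit_response == MQXCC_CLOSE_CHANNEL)
            return 0;
        up = (p.exit_response == MQXCC_OK);
    }
    return up;
}

int main(void)
{
    const char *bad = "intruder:wrong";   /* constructed sample credentials */
    printf("buggy exit, bad credentials:  put accepted = %d\n",
           channel_accepts_put(buggy_security_exit, bad));
    printf("strict exit, bad credentials: put accepted = %d\n",
           channel_accepts_put(strict_security_exit, bad));
    return 0;
}
```

Two design points the simulation brings out. First, the authentication decision lives in the per-channel-instance user area rather than a global, because one loaded exit serves many concurrent channel instances. Second, the strict form never depends on the client honouring a rejection: it answers MQXCC_CLOSE_CHANNEL itself, so a peer that discards the rejection packet, as the testers' packet generator did, has no channel left to put a message on.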