Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
Производитель ПО
Наименование ПО
SAP Notes
(578366-2)
Описание
Up to and including EP 5.0 SP4, when a user logged on to the portal with a client certificate, the client parser took the CN of the X.500 name of the certificate owner and used this as the portal user. For example, if the X.500 name of the certificate was 'CN=Smith, OU=Marketing, O=MyCompany Ltd., C=DE', this certificate would be mapped to the portal user 'Smith'.
This parser can lead to insufficient security as the CN alone is used to determine the user. It would, for example, be possible for two people to obtain a certificate with CN=Smith from two different certification authorities (CAs). In the same way, two people from different countries or even just different organizational units in the same company could obtain a certificate with CN=Smith from the same certification authority. In all cases, the users would be mapped to the portal user Smith. This could lead to unauthorized users gaining access to the Enterprise Portal.
This parser can lead to insufficient security as the CN alone is used to determine the user. It would, for example, be possible for two people to obtain a certificate with CN=Smith from two different certification authorities (CAs). In the same way, two people from different countries or even just different organizational units in the same company could obtain a certificate with CN=Smith from the same certification authority. In all cases, the users would be mapped to the portal user Smith. This could lead to unauthorized users gaining access to the Enterprise Portal.
Как исправить
As of EP 5.0 SP5, the Enterprise Portal is shipped with a new parser that solves this problem. The new parser can be configured using entries in the Windows registry to further restrict the users that are accepted by the parser.
Create the following entries in the current user management configuration in the Windows registry:
"Certificate Params": Contains value for which the parser checks in the certificate owner's name. For example, if you set the value to 'O=MyCompany', only certificate owner names with this entry, for example 'CN=Smith, OU=Marketing, O=MyCompany, C=DE' will be allowed access to the portal. A certificate with a certificate owner such as 'CN=Smith, OU=Marketing, O=Hacker Ltd., C=DE' will not be allowed access the portal.
Note that the parser searches the certificate owner's name for the exact string in "Certificate Params". For this reason, you should take great care with spaces, commas, and so on. Examples of valid values for "Certificate Params" are:
'OU=Marketing, O=MyCompany'
'OU=MArketing, O=MyCompany, C=DE'
Create the following entries in the current user management configuration in the Windows registry:
"Certificate Params": Contains value for which the parser checks in the certificate owner's name. For example, if you set the value to 'O=MyCompany', only certificate owner names with this entry, for example 'CN=Smith, OU=Marketing, O=MyCompany, C=DE' will be allowed access to the portal. A certificate with a certificate owner such as 'CN=Smith, OU=Marketing, O=Hacker Ltd., C=DE' will not be allowed access the portal.
Note that the parser searches the certificate owner's name for the exact string in "Certificate Params". For this reason, you should take great care with spaces, commas, and so on. Examples of valid values for "Certificate Params" are:
'OU=Marketing, O=MyCompany'
'OU=MArketing, O=MyCompany, C=DE'
Ссылки