IONA Security Advisory ISA130905: Authentication/Authorization is bypassed if the Artix router is run in pass-through mode

You have received this e-mail because you are subscribed to the IONA Security Advisory Mailing List. This list is intended to provide prompt notification to IONA customers of issues that may affect the security of their systems, and to provide advice as to the appropriate remedial action. If you believe that you have been added to this list by mistake, unsubscription details are provided at the end of this e-mail.

The advisory content body follows:

Advisory Title
--------------
Authentication and Authorization are bypassed in the Artix Switch when pass-through is enabled

Advisory Identifier: ISA130905
Date of Issue: 13th Sept 2005
Updated: 7th Jan 2008

Affected Systems
----------------
This advisory applies to all Artix versions prior to Artix 4.1 and to some patch releases of Artix 4.1. The issue is fixed in the latest patch release of Artix 4.1. The latest Artix version is currently Artix 5.1. If you are using a later version of Artix, please check the release notes for confirmation that this issue has been addressed, or contact IONA customer support.

The advisory only concerns customers that:

1) Use the Artix router with pass-through mode enabled (which is the default), AND also
2) Use the same binding at the incoming and outgoing port of the router.

Issue Overview
--------------
When pass-through mode is active in the Artix router, the received credentials are not authenticated or authorized by the security system.

Description
-----------
Pass-through mode in the Artix router is active when routed calls have the same binding at the incoming and the outgoing port and the property plugins:routing:use_pass_through is set to true or is not set at all. In pass-through mode the router optimizes calls by copying the received message, hereafter referred to as the payload, into the outgoing port without actually processing the payload.
As a result, the request interceptor chains that process the payload, some of which enforce quality of service such as security, are not called.

Impact
------
In pass-through mode the payload is not processed. As a result, credentials at the request level (e.g. the username and password in a WS-Security SOAP header) are ignored by the router and left to be processed and enforced at the actual endpoint. Transport-level credentials (e.g. the username and password in an HTTP Basic authentication header) are extracted but are neither authenticated nor authorized, because the interceptors that enforce quality of service, such as the security interceptors, are not called, as explained above.

Please note that enabling pass-through also disables the proxification of endpoint references. For example, when a client requests a target server's endpoint reference via the router, the router normally overwrites the host and port information in the returned reference with its own host and port. This causes subsequent communication from the client using that reference to go through the router. Disabling proxification results in those calls reaching the target server directly, bypassing the router. The target server in such cases is responsible for its own security and cannot rely on the router to act as a security proxy.

Solution
--------
If using Artix security, disable pass-through mode in the Artix router by setting plugins:routing:use_pass_through to false. This results in the processing of the entire payload and hence the enforcement of authentication and authorization. Disabling pass-through mode does, however, result in less than optimal performance for cases where the incoming and outgoing ports in the router have the same binding.

An alternative to disabling pass-through is to use TLS authentication of connecting clients. TLS validation, including any certificate constraints specified in the configuration, still applies even in pass-through mode. You would need to configure the router so that only TLS X.509-authenticated clients can connect to it.
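The following is an added example and is not part of this advisory or of the Artix product. It applies the activation rule from the Description section (same binding on both ports, and plugins:routing:use_pass_through set to true or not set at all) to a router configuration, and shows the corrected setting from the Solution section beside the vulnerable default. Only the property name plugins:routing:use_pass_through is taken from the advisory; the ART-style `name = "value";` configuration syntax, the scope and plugin names, the route list and the binding names are assumptions constructed for the example, and configuration scopes are not resolved (the last occurrence of the property in the file wins).

```python
import re

# Constructed Artix-style router configuration scopes (assumptions: the
# ART "name = \"value\";" syntax used by Artix .cfg files, and every scope
# and property name except plugins:routing:use_pass_through, which is the
# property named in the advisory). WEAK_CFG leaves the property unset, which
# the advisory states is equivalent to true; FIXED_CFG sets it to false.
WEAK_CFG = '''
artix_router {
    orb_plugins = ["xmlfile_log_stream", "routing"];
    plugins:routing:wsdl_url = "router.wsdl";
};
'''

FIXED_CFG = '''
artix_router {
    orb_plugins = ["xmlfile_log_stream", "routing"];
    plugins:routing:wsdl_url = "router.wsdl";
    plugins:routing:use_pass_through = "false";
};
'''

# Constructed routes: (route name, incoming port binding, outgoing port binding).
# The binding names are placeholders; only equality between the two matters.
ROUTES = [
    ("soap_to_soap", "SOAPHTTPBinding", "SOAPHTTPBinding"),   # same binding
    ("soap_to_corba", "SOAPHTTPBinding", "CORBABinding"),     # different bindings
    ("corba_to_corba", "CORBABinding", "CORBABinding"),       # same binding
]

_USE_PASS_THROUGH = re.compile(
    r'plugins:routing:use_pass_through\s*=\s*"([^"]*)"\s*;', re.IGNORECASE)


def use_pass_through_setting(cfg_text):
    """Return the configured value, lower-cased, or None when the property is absent.

    Scopes are ignored: the last occurrence in the file wins. A real audit
    would have to resolve the scope the router is actually started in.
    """
    matches = _USE_PASS_THROUGH.findall(cfg_text)
    return matches[-1].strip().lower() if matches else None


def pass_through_active(cfg_text, in_binding, out_binding):
    """Apply the advisory's activation rule to one route.

    Pass-through is active when the incoming and outgoing ports use the same
    binding AND the property is true or not set at all. Conservatively, any
    value other than an explicit "false" is treated as active.
    """
    if in_binding != out_binding:
        return False
    return use_pass_through_setting(cfg_text) != "false"


def audit_routes(cfg_text, routes):
    """Names of routes whose credentials the router would forward unchecked."""
    return [name for name, inb, outb in routes
            if pass_through_active(cfg_text, inb, outb)]


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CFG), ("fixed", FIXED_CFG)):
        print(label, "setting =", use_pass_through_setting(cfg),
              "bypassed routes =", audit_routes(cfg, ROUTES))
```

Against WEAK_CFG the audit flags the two same-binding routes, because an unset property counts as true; against FIXED_CFG it flags nothing. Routes whose incoming and outgoing bindings differ are never flagged, matching the advisory's scope. Note that the audit says nothing about whether the router's endpoint is restricted to TLS X.509-authenticated clients, which is the other mitigation the advisory offers.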
The TLS alternative is only applicable for HTTP-based clients that actually have X.509 certificates, and so is not suitable for all scenarios.

Note: In a future release, IONA will modify the router implementation to guard against users accidentally enabling pass-through mode in the context of a secure environment.

Potential Workarounds
---------------------
You must set pass-through mode to false if you use Artix security.

List [Un]Subscription Details
-----------------------------
To subscribe additional e-mail addresses to the security-alert@iona.com mailing list, send an e-mail to listserver@iona.com with nothing in the Subject. The body of the mail should contain one or more lines of the form:

subscribe security-alert myemailaddress

Similarly, to unsubscribe, the mail body should contain one or more lines of the form:

unsubscribe security-alert myemailaddress

Do not add any additional text to the body of the mail. If you have difficulty in subscribing or unsubscribing, please contact IONA Customer Services for assistance.