Store and Forward Messages

A blog about securing and using WebSphere MQ


New WMQ Channel vulnerability and interim fix announced

June 5th, 2009 by T.Rob

The IBM Internet Security Systems XForce team recently announced a buffer overflow vulnerability in WebSphere MQ client channels.  According to the release, the vulnerability includes the possibility of remotely executing arbitrary code or “causing the application to crash.”  It is not clear whether “application” in this case refers to the channel agent, channel pooling process or something else.

I’ve already fielded some questions on this alert.  In particular, the following:

Note: This vulnerability can not be exploited on queue managers secured with security exits or authentication through SSL, unless an attacker has valid authentication credentials or a valid SSL certificate.

First, I think that the words “queue managers” here should be “channels”.  A queue manager does not have SSL or security exits, channels do.  And I have no reason to believe that enabling a security exit or SSL on one channel solves the problem for the entire queue manager, so I think the scope is wrong.  I’ve sent in a suggestion to fix that but haven’t heard back yet.

The second question I received was about how authentication prevents the exploit and whether it is necessary to apply the interim fix.  The SSL handshake must be completed before the channel agent ever sees the connection so any connection rejected by SSL does not get deep enough into the MCA to hit the vulnerability.  Similarly, the security exit is invoked fairly early on in the channel negotiation.  If an attacker’s connection is rejected by either SSL or a security exit, the vulnerability cannot be exploited.

On the other hand, anyone who can complete the connection can execute the exploit.  But is this dangerous and do I need to apply the fix?  If the channel has a blank MCAUSER and the command server is running, then a legitimately connected user already has the same level of access: with a blank MCAUSER the queue manager trusts whatever user ID the client asserts, so that user can already gain administrative access and, for example, define a service that runs an arbitrary command under the queue manager’s identity.  There are two conditions in which the fix could be important:

  1. The channel has no SSL or exits and relies on a low-privileged MCAUSER value for security.  In this case, anonymous users are allowed to connect but will ordinarily not have administrative access.
  2. The channel has SSL and/or exits to authenticate users and a low-privileged MCAUSER that would ordinarily limit the connected user from gaining administrative access and the legitimate users are not trusted.  For example, when allowing client connections from outside the enterprise or when in a regulated environment in which application controls must be strictly enforced.
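The following MQSC is an added illustration of the two channel shapes discussed above, not text from the advisory or from this post.  The channel name, user ID, certificate DN and cipher spec are assumptions chosen for the example; substitute your own.  The first command is the check: it lists every SVRCONN channel together with the three attributes that decide whether an unauthenticated remote party can reach the vulnerable code and what identity it gets if it does.

```mqsc
* Check: list all client (SVRCONN) channels with the attributes that matter here.
* A channel reporting a blank MCAUSER together with blank SSLCIPH and SCYEXIT is
* reachable by anyone who can open a TCP connection to the listener, and the
* queue manager will trust whatever user ID that client asserts.
DISPLAY CHANNEL(*) CHLTYPE(SVRCONN) MCAUSER SSLCIPH SSLPEER SCYEXIT

* Weak (assumed channel name): no SSL, no exit, blank MCAUSER.
* Anonymous clients connect, the vulnerable channel code is reachable, and with
* the command server running the client can already administer the queue manager.
DEFINE CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       MCAUSER(' ') +
       REPLACE

* Hardened: the SSL handshake authenticates the client before channel
* negotiation starts, SSLCAUTH(REQUIRED) rejects clients without a certificate,
* SSLPEER pins the certificate subject that may use this channel (assumed DN),
* and MCAUSER fixes the effective identity to a low-privileged account
* (assumed ID) no matter what user ID the client flows.
DEFINE CHANNEL('APP.SVRCONN') CHLTYPE(SVRCONN) TRPTYPE(TCP) +
       SSLCIPH(TLS_RSA_WITH_AES_128_CBC_SHA) +
       SSLCAUTH(REQUIRED) +
       SSLPEER('CN=app01,O=Example Corp') +
       MCAUSER('appuser') +
       REPLACE
```

Two things make the hardened definition effective rather than decorative.  A connection that fails the handshake, because the client presents no certificate or one whose subject does not match SSLPEER, is rejected before the channel negotiation the advisory is about, which is the gating behaviour described above.  And the MCAUSER value only limits damage if that account is genuinely low-privileged: it must not be a member of the mqm group, and its setmqaut profile should grant +connect and +inq on the queue manager plus the rights it needs on its own application queues, with nothing on SYSTEM.ADMIN.COMMAND.QUEUE, since that queue is the path to the command server.  A channel that already looks like the hardened definition is exactly the second condition above, where the interim fix still matters whenever the authenticated users are not themselves trusted.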

For now the fix is available separately, but it will be incorporated into the 6.0.2.6 and 7.0.1.0 releases of WebSphere MQ.  Additional information may be found in APAR IZ50784.


Deep Queue #11: Security breaches are not news?

May 25th, 2009 by T.Rob

The subject of the UC Berkeley data breach was discussed on the May 15th Security Squad podcast.  The thing that struck me was that the breach itself was not the topic of conversation; rather, the debate was about whether the breach was in fact newsworthy.  If you are not familiar with it, 160,000 Social Security numbers and medical records were stolen in the UC Berkeley data breach.  This notion that breaches of the “trusted” internal network are so common that it’s possible to discuss with a straight face whether a breach of this magnitude is newsworthy is itself worthy of some discussion.

In this episode of The Deep Queue, I tackle this topic as well as the idea of software “never events”.  The term was coined in the medical professions to refer to preventable events with serious or deadly consequences, the kind of events that should never happen, such as operating on the wrong body part or the wrong person.  The National Quality Forum has developed a list of 28 such events which are used to report and track quality of care across the nation.  Bob Charette guested on the CERT Security podcast to campaign for a similar set of events in the software industry.  In this episode of The Deep Queue, I propose my own list of WebSphere MQ never events.


Podcast: Deep Queue #11: Security breaches are not news? [30:00m] (audio and transcript available for download)


WANTED DEAD OR ALIVE: WMQ Security exits

May 15th, 2009 by T.Rob

As you know, there are some security functions in WebSphere MQ that require an exit.  By now everyone should be familiar with BlockIP2, the well known channel security exit.  But there are a couple of other requirements that a channel exit can’t meet.  In this post I’ll describe what those are and post some specs for an exit.  I’m not qualified to write an exit but I’m hoping someone who is will do so.  If ever these exits show up on the Internet, you can bet I’ll be posting links to them from my site and referring people to them in presentations…well for at least as long as IBM doesn’t have a solution that I can point to, anyway.


Wrapping up IMPACT 2009

May 8th, 2009 by T.Rob

Well, this is the last day of IMPACT. It’s always lightly attended as many folks take Friday as a travel day. I have one more session this morning though. It’s the WMQ ESE introduction. Overall the WMQ security sessions were well attended. Even the small rooms were large, compared to past conferences, so my feeling is that interest in WMQ security seems to be rising. That’s a Good Thing.

I also met with many different folks in one-on-one meetings, the Premium Support Zone and just walking around the hallways. It’s great to talk with you in person and is for me the most valuable part of the conference. Thanks so much for taking the time to stop and chat with me.

My theme for the conference has been “your feedback is essential”. Most of the exposures I talk about are things that could be fixed in implementation but generally are not. Whatever the reasons are that these are not being addressed (admin tooling too hard, desired functionality not there, requires really deep skills, etc.), they need to be reported to IBM if they are ever going to be prioritized to the top of the stack. So in every session I told attendees “your feedback is essential!” Morag tells me she heard from many of you during the conference. The plan is coming together! Keep up the good work.

I have a day at home this weekend to wash clothes, pack, do some lawn work and then back on the road to Boston. Monday evening when I finally come up for air I plan to work on a few new postings for the blog and start on the next Mission:Messaging column. So stay tuned, more news and content is coming. One of the things I want to do is post a “security feedback reporting kit” with links to the WMQ requirements form and a list of the Top 10 on my wish list as starting points. I hope there will be lots of comments adding to that post with more suggestions and letting us know what response you get from the lab.

That’s it for now – another customer meeting in 15 minutes to get to.


The Deep Queue – Episode #10: Cash in on mortgaged risk!

May 2nd, 2009 by T.Rob

No, that’s not mortgage risk.  Someone’s already done that and look where it got us.  No, I’m talking about mortgaged risk: the act of saving time or money by accepting risk that is hard to measure but easy to hide or ignore.  The risk is essentially a mortgage on your future, a hidden cost that will be paid eventually.

(Image: WMQ security as practised in the real world)

In this episode of The Deep Queue I consider just how much risk has been stuffed into the closet over the years.  There’s a lot of unsecured MQ out there, after all.  Up to now I’ve focused on what it means to the companies who are exposed.  But this month I propose that this massive amount of deferred investment represents a great opportunity for companies positioned to perform assessments, implement remediations, or provide tools.

On the lighter side, listener email this month included a funny cartoon which I hope you enjoy.

Podcast: Deep Queue #10: Cash in on mortgaged risk! [21:08m] (audio and transcript available for download)


Schedule for IMPACT

April 28th, 2009 by T.Rob

This post is really more for me than anyone else.  I’ll be at IMPACT 2009 next week and need a handy place to track my schedule.

Sunday:    16:00 - 17:00 Premium Support Welcome Reception Venetian's Orchid Restaurant
Monday:    11:00 - 12:15 TMC-1054A Basic WMQ Security      Delfino 4101B
Tuesday:   07:15 - 08:15 Breakfast meeting w/customer      Dining hall
Tuesday:   12:00 - 13:00 Lunch Tweetup http://twtvite.com/8v0k9t
Tuesday:   13:30 - 14:45 TMC-1465A WMQ ESE                 Delfino 4101B
Tuesday:   19:00 - 20:30 Customer dinner                   Table 10
Wednesday: 08:30 - 09:45 TMC-1056A Advanced WMQ Security   Lido 3003
Wednesday: 10:30 - 11:45 TMC-1054B Basic WMQ Security      Delfino 4103
Wednesday: 12:00 - 13:30 Premium Zone Meet the Experts     Veronese 2503
Wednesday: 16:45 - 18:00 TMC-1056B Advanced WMQ Security   Delfino 4101B
Wednesday: 18:15 - 19:15 TMC-1486A WMQ BOF                 Marco Polo 703
Wednesday: 19:30 - 21:00 ISSW Conference team              Sushi Samba
Thursday:  07:00 - 08:00 BPM Consultations                 Bassano 2704
Thursday:  09:00 - 10:00 Customer breakfast                Grand Luxe Cafe
Thursday:  10:00 - 11:00 Customer meeting                  Phone
Thursday:  12:00 - 13:00 Lunch w/Adrian                    Dining hall
Thursday:  15:15 - 16:15 Customer meeting                  Cyber Cafe
Thursday:  16:45 - 18:00 Customer feedback session         Marco Polo 706
Friday:    10:30 - 11:45 TMC-1465B WMQ ESE                 Delfino 4101B

See the IMPACT Tweet-ups at TWTVite by searching on Las Vegas. Join the IMPACT social network at Event Vue here.


Administering FTE from stand-alone explorer

April 16th, 2009 by T.Rob

Rich Cumbers posted a mini how-to describing the procedure to install the WMQ File Transfer Edition plug-in into the stand-alone WebSphere MQ Explorer.  Should be very useful.


WMQ Humor

April 14th, 2009 by T.Rob

Resurrecting something I wrote back in 2003 over a lunch break:

MQ Message pick-up lines…

Your queue or mine?
What’s your sign-bit?
Is that a COA in your message descriptor, or are you just glad to see me?
What’s a message like you doing in a queue like this?
You look like you’ve got a good message header on your shoulders.
With your payload and my routing information, we could really go places!
Is this buffer taken?
You remind me of my first QMgr.
You make my HBINT go wild!
Does this channel go all the way to Chicago?
I must have expired because I’m looking at an angel!
Your message segments are in all the right places!
I’ll bet our code pages are compatible.
Don’t tell anyone, but I’m a message channel secret-agent.
Wanna be in my cluster?

MQ Message rejections…

I’m GET Disabled.
I could never commit to a message like you.
Come back when you have a higher priority.
Not even if you were the last message in the queue!
Your backout-count is showing.
I’m in a proprietary format and you could never parse me.
You are a Dead Letter entry waiting to happen.
Locked by another process.
Don’t let the message exit hit you on the ass on the way out!
You sure are persistent, aren’t you?
User-defined format? Right! Like I haven’t heard THAT before!
You’re ASCII and I’m EBCDIC. It would never work out.
You’ve expired and don’t even know it.
Sorry, no available BROWSE handles.
You’ve obviously mistaken me for an event message.
GET WAIT forever, buddy!

MQ Message Sour Grapes…

It was probably a poison message anyway.
That “Rules and Format Header” should’ve been my first clue.
Every time I meet a really nice message, it’s addressed to a remote node.
Messages. Give ‘em a K and they’ll take a MB.
Ok, new rule – never date a message from a queue-sharing group!
Well, I didn’t really want to convert just for the relationship.
Never trust a message with an alias queue name.
That other message was probably going to expire soon anyway.
That’s the last time I’ll ever bare my context information over a drink!
More like a hair-trigger message if you ask me!
Momma told me never to mix with MSMQ messages.
That message was too old a version for me anyway.
I guess we’ll always be in different units of work.
Seems like all the really good messages are under syncpoint.
Ok, that’s it. I’m giving up message affinities altogether!


Slides for PCI Knowledgebase webinar posted

April 13th, 2009 by T.Rob

Join me Wednesday April 15th @ Noon Eastern for a webinar hosted by the fine folks at PCI Knowledgebase.com on the topic of WebSphere MQ for QSA’s.  Register for the webinar at this link.  The slides have been posted here.


Webinar: WMQ Security for QSA’s April 15th

April 7th, 2009 by T.Rob

I will be presenting a webinar on April 15th, hosted by the fine folks at PCI Knowledgebase. The purpose of the webinar will be to introduce Qualified Security Assessors, or QSA’s as they are known, to the concept of WebSphere MQ and give them tools to audit the configurations.

If you have read anything I’ve EVER written you are probably aware that WMQ security is not well implemented in general. But I’ve recently worked with a number of clients who were either card payment processors or merchants, all of whom had been declared PCI compliant but were running WMQ wide open. It became clear to me that the assessment and enforcement folks could benefit from the same WMQ security outreach that I have up to now directed at administrators and developers.

For more info or to sign up for the webinar, go to PCI Knowledgebase at this link.
