CA20131024-01 Security Notice for CA SiteMinder - CA Technologies

CA20131024-01: Security Notice for CA SiteMinder

Issued: October 24, 2013
Last Updated: October 31, 2013

CA Technologies Support is alerting customers to a potential vulnerability in CA SiteMinder that can be mitigated by utilizing existing product functionality. The vulnerability, CVE-2013-5968, can potentially allow a remote attacker to conduct a reflected cross-site scripting attack and execute script in the security context of the SiteMinder domain. Customers should review their SiteMinder deployments to verify that the vulnerability mitigating functionality is enabled.

Risk Rating

Medium

Platform

All platforms

Affected Products

CA SiteMinder 12.51
CA SiteMinder 12.5
CA SiteMinder 12.0
CA SiteMinder 6 Web Agents

How to determine if the installation is affected

Ensure cross-site scripting checking is enabled and the BadCSSChars setting contains the hexadecimal double quote, "%22". Alternatively, for SiteMinder 12.51, verify that FCCHTMLEncoding is enabled. See the solution section for details.

Solution

CA Technologies support is referring customers to guidance provided in the product documentation that describes how to protect against this vulnerability.

SiteMinder 12.51 only:

Enable FCC HTML encoding with FCCHTMLEncoding. For more information on this configuration setting, see the section titled "Prevent Cross-Site Scripting Attacks in Web Agent FCC Pages" in the Web Agent Configuration Guide 12.51.

Example:

FCCHTMLEncoding="YES"

SiteMinder 6, 12.0, 12.5, and as an alternative to the above solution for 12.51:

These instructions are derived from the CA SiteMinder Web Agent Configuration Guide 12.5. Review the sections titled "Protect Web Sites Against Cross-Site Scripting" and "Configure the Web Agent to Check For Cross Site-Scripting" starting on page 65 for more information.

  1. Add the hexadecimal equivalent for the double quote character, "%22", to the BadCSSChars setting.

    Example:

    BadCSSChars="<,>,%22"

    *Note: Setting BadCSSChars overrides the default cross-site scripting character set. SiteMinder administrators need to carefully review the setting to ensure all cross-site scripting characters are blocked for their specific environment.

  2. Enable cross-site scripting checking by setting CSSChecking to yes.

    Example:

    CSSChecking="YES"

References

CVE-2013-5968 - SiteMinder CSS

Acknowledgement

CVE-2013-5968 - Zachary Pritchard, Cigital

Change History

Version 1.0: Initial Release
Version 1.1: 2013-10-25 Updated the description to specify the type of cross-site scripting: reflected.
Version 1.2: 2013-10-30 Updated the Solution section to include an alternate configuration solution for SiteMinder 12.51

If additional information is required, please contact CA Technologies Support at https://support.ca.com/.

If you discover a vulnerability in CA Technologies products, please report your findings to the CA Technologies Product Vulnerability Response Team.
