
Enterprise Server Security: Vulnerability in Digital Certificate Authentication Service (DCAS)

  • August 12, 2020

Problem

Micro Focus Enterprise Server provides the Digital Certificate Authentication Service (DCAS), which allows users to authenticate to Enterprise Server using an X.509 digital certificate. DCAS is an optional feature which is not enabled by default; it must be explicitly configured in an enterprise server region and enabled for each certificate and associated user.

In older versions of Enterprise Server, DCAS is insufficiently secured, and a knowledgeable attacker might be able to use it to impersonate Enterprise Server users and gain access to the region.

These deficiencies have been addressed for Enterprise Server 5.0 (when fully patched) and later, but DCAS must be configured properly to be secure. For these versions of Enterprise Server, see the product documentation topic DCAS Security for more information.

It is not feasible to implement the same security measures in older Enterprise Server releases. Customers running versions of Enterprise Server which do not have these improvements and who are using DCAS should follow the mitigations described in this article to reduce their exposure.

Additional background

DCAS is used primarily for TN3270 authentication. It may be used with the TN3270 Express Login Facility (ELF), also known as Certificate Express Login (CEL). In this configuration the TN3270 listener receives a client certificate from the TN3270 emulator and invokes DCAS to authenticate the user. DCAS may also be used by an intermediary service which authenticates users and then invokes DCAS remotely to get temporary user credentials. Micro Focus Host Access for Cloud's Automated Sign-on for Mainframe feature is an example of such a service.

DCAS is not used by Enterprise Server CICS Web Interface or CICS Web Services. Those use the same certificate-authentication mechanism as DCAS, but do not require a DCAS listener.

DCAS is not enabled by default. An enterprise server instance (aka "region") has DCAS enabled if it has a communications listener with the conversation type field set to Custom, and "dcas" in the associated text field.

Vulnerability information by release:

  • Enterprise Server 2.2 and older: DCAS feature is not present in these releases. Not vulnerable.
  • Enterprise Server 3.0: Vulnerable. Do not enable DCAS, or use the manual mitigations described below.
  • Enterprise Server 4.0: Vulnerable. Do not enable DCAS, or use the manual mitigations described below.
  • Enterprise Server 5.0 prior to Patch Update 9: Vulnerable. Upgrade to the current Patch Update, do not enable DCAS, or use the manual mitigations described below.
  • Enterprise Server 5.0 Patch Update 9 or later: Consult "DCAS Security" in the product documentation to learn how to secure DCAS.
  • Enterprise Server 6.0: Consult "DCAS Security" in the product documentation to learn how to secure DCAS.

Solution

Mitigations for the DCAS vulnerability are described below. Micro Focus recommends customers apply some or all of these to reduce or eliminate the possibility of the DCAS feature being abused.

  • Upgrade to Enterprise Server 5.0 Patch Update 9 or later, then follow the advice in the DCAS Security documentation topic.
  • DCAS is used almost exclusively for TN3270 sign-on, either using client certificates or with an external authentication server such as Host Access for Cloud. If you have DCAS enabled but do not actually need it, disable it. This eliminates the issue.
  • Restrict communications access to the DCAS listener:
    • If DCAS is used only for TN3270 ELF (aka CEL):
      • Configure it to bind to localhost, by changing the endpoint in the listener configuration, for example from "*:*" to "localhost:*". This will prevent connections to DCAS from other systems, and confine the exposure to attackers able to run DCAS clients on the system Enterprise Server is running on.
      • Alternatively (or in addition), use the Micro Focus Communication Server Conversation Filtering (firewall) feature to block all connections. When DCAS is used by ELF, the TN3270 listener submits the request directly to it, not over a network connection. So you can use a filter rule such as "deny:**" to prevent any connections to DCAS. This will eliminate the issue.
    • If DCAS must permit remote connections (e.g. for Automated Sign-on for Mainframe):
      • Use Conversation Filtering to restrict connections to IP address(es) of legitimate clients (preferred), or
      • Restrict connections by DNS name patterns if addresses aren't known.

      Either of these measures makes the vulnerability more difficult to exploit.

  • Restrict the type of requests DCAS will allow, using the "allowed formats" configuration setting. See the documentation topic DCAS Conversation Type.
    • If you are only using DCAS for ELF, configure it to allow only Format 1 requests. This makes DCAS much more difficult to abuse.
    • If you are only using DCAS with an external security service such as Automated Sign-on for Mainframe, configure it to allow only Format 2 requests. This makes DCAS somewhat more difficult to abuse.
  • If you must allow remote connections to the DCAS listener, enable TLS for it and require client certificates. Use a minimal root certificate collection, preferably a single root certificate controlled by your organization and used to sign the certificates for DCAS client systems such as HAC. This mitigation requires significant effort (due to the complications of configuring TLS and administering certificates and keys), but makes DCAS significantly more difficult to abuse.
  • Restrict which users can get credentials through DCAS to those who actually need it:
    • Using the cascertreg utility (or by removing files from the certificate-mapping directory), remove certificate mappings for users who do not need certificate authentication through DCAS or CICS Web Interface.
    • If you use the MLDAP ESM Module as part of your Enterprise Server security configuration, restrict which users can use passtokens using the [Passtoken] configuration section and the per-user microfocus-MFDS-User-CreateToken and microfocus-MFDS-User-UseToken LDAP attributes.
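The following audit helper is an added example, not Micro Focus code. It applies the checks from this article (DCAS enabled via a Custom listener with "dcas" in the text field; localhost binding or a "deny:**" filter; TLS with client certificates for remote use; allowed formats restricted to Format 1 or Format 2) to a hypothetical dict-per-listener representation of a region's communications listeners. The field names (conversation_type, custom_text, endpoint, filters, allowed_formats, tls_client_certs) and the sample listeners are assumptions to be mapped onto your own MFDS export.

```python
from typing import Dict, List

# Hypothetical field names; map them onto your region's actual listener export.
def is_dcas_listener(lsn: Dict) -> bool:
    """Advisory rule: conversation type Custom with 'dcas' in the text field."""
    return (lsn.get("conversation_type", "").lower() == "custom"
            and "dcas" in lsn.get("custom_text", "").lower())

def assess_dcas_listener(lsn: Dict) -> List[str]:
    """Return findings; an empty list means every recommended mitigation is present."""
    findings = []
    host = lsn.get("endpoint", "*:*").rsplit(":", 1)[0]   # "*:*" -> "*", "localhost:*" -> "localhost"
    filters = [f.strip() for f in lsn.get("filters", [])]
    formats = set(lsn.get("allowed_formats", [1, 2]))
    local_only = host in ("localhost", "127.0.0.1", "::1")
    blocked = "deny:**" in filters          # ELF submits requests directly, so no network path is needed
    if not local_only and not blocked:
        if not filters:
            findings.append("remote connections accepted with no conversation filter")
        if not lsn.get("tls_client_certs", False):
            findings.append("remote connections without TLS client certificate requirement")
    if formats >= {1, 2}:
        findings.append("allowed formats not restricted to Format 1 (ELF) or Format 2 (external service)")
    return findings

def audit_region(listeners: List[Dict]) -> Dict[str, List[str]]:
    """Findings per DCAS listener; non-DCAS listeners (CWI, Web Services) are skipped."""
    return {l["name"]: assess_dcas_listener(l) for l in listeners if is_dcas_listener(l)}

# Constructed sample listeners (hypothetical values, not taken from a real region).
SAMPLE_LISTENERS = [
    {"name": "Web Services and J2EE", "conversation_type": "SOAP", "endpoint": "*:*"},
    {"name": "DCAS-ELF-exposed", "conversation_type": "Custom", "custom_text": "dcas",
     "endpoint": "*:*", "filters": [], "allowed_formats": [1, 2]},
    {"name": "DCAS-ELF-hardened", "conversation_type": "Custom", "custom_text": "dcas",
     "endpoint": "localhost:*", "filters": ["deny:**"], "allowed_formats": [1]},
    {"name": "DCAS-HAC", "conversation_type": "Custom", "custom_text": "dcas",
     "endpoint": "*:*", "filters": ["<site IP filter rule placeholder>"],
     "allowed_formats": [2], "tls_client_certs": False},
]

if __name__ == "__main__":
    for name, findings in audit_region(SAMPLE_LISTENERS).items():
        print(name, "->", findings or ["OK"])
```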

Customers with questions about this subject should open an incident with Micro Focus Customer Care.
