The Domain gateway in BEA Tuxedo 7.1 does not perform authorization checks for imported services and qspaces on remote domains, even when an ACL exists, which allows users to access services in a remote domain.
BEA Tuxedo 7.1 is vulnerable to a critical authorization bypass, allowing unauthorized access to services and queues across domain boundaries. This flaw enables attackers to circumvent access control lists (ACLs), potentially leading to data breaches and system compromise. Exploitation requires no authentication, making it a high-priority risk.
Step 1: Target Identification: The attacker identifies a BEA Tuxedo 7.1 environment with configured domain gateways.
Step 2: Service Enumeration: The attacker enumerates available services and queue spaces on the remote domain, potentially using publicly available information or by probing the system.
Step 3: Crafting the Request: The attacker crafts a service request or queue access request targeting a service or queue on the remote domain. This request is formatted to be understood by the Tuxedo Domain gateway.
Step 4: Bypassing Authorization: The attacker sends the crafted request to the local domain's Domain gateway. Due to the vulnerability, the gateway forwards the request to the remote domain without proper authorization checks.
Step 5: Service Execution: The remote domain's service or queue processes the request, unaware of the lack of authorization on the local domain.
Step 6: Data Exfiltration/Manipulation: The attacker leverages the successfully invoked service or queue access to read, modify, or delete data, or to execute commands on the remote domain, depending on the service's functionality.
The vulnerability stems from a failure in the Domain gateway of BEA Tuxedo 7.1 to enforce authorization checks for imported services and queue spaces when interacting with remote domains. Specifically, the code responsible for validating access requests from remote domains bypasses the ACL checks configured on the local domain. This allows any user, regardless of their permissions, to invoke services or interact with queues hosted on the remote domain. The root cause is a missing or incorrect implementation of the authorization logic within the Domain gateway's service invocation and queue access handling routines. The gateway trusts the remote domain's service advertisement without verifying the user's authorization against the local domain's ACLs. This is a design flaw: not a specific coding error such as a buffer overflow or race condition, but a fundamental failure to implement security checks.
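The authorization decision described above, modeled as an added C example that is not part of the original page and is not Tuxedo source code. The service, queue space and group names, the ACL table, the rule that a resource with no ACL entry is open, and both function names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model, not Tuxedo source: every name below is constructed. */
struct acl_entry { const char *resource; const char *group; };
struct service   { const char *name; bool imported; };

/* Constructed local ACL: only group "tellers" may use TRANSFER or QSPACE1. */
static const struct acl_entry ACL[] = {
    { "TRANSFER", "tellers" },
    { "QSPACE1",  "tellers" },
};
/* Constructed table: TRANSFER and QSPACE1 are imported from a remote domain. */
static const struct service SERVICES[] = {
    { "BALANCE",  false },
    { "TRANSFER", true  },
    { "QSPACE1",  true  },
};

static const struct service *find_service(const char *name) {
    for (size_t i = 0; i < sizeof SERVICES / sizeof SERVICES[0]; i++)
        if (strcmp(SERVICES[i].name, name) == 0) return &SERVICES[i];
    return NULL;
}

/* Assumed rule: no ACL entry means open; otherwise a group must match. */
static bool acl_permits(const char *resource, const char *group) {
    bool has_entry = false;
    for (size_t i = 0; i < sizeof ACL / sizeof ACL[0]; i++) {
        if (strcmp(ACL[i].resource, resource) != 0) continue;
        has_entry = true;
        if (strcmp(ACL[i].group, group) == 0) return true;
    }
    return !has_entry;
}

/* Flawed decision as the page describes it: imported resources skip the ACL. */
bool gateway_allows_flawed(const char *name, const char *group) {
    const struct service *s = find_service(name);
    if (s == NULL) return false;
    if (s->imported) return true;   /* forwarded to the remote domain unchecked */
    return acl_permits(name, group);
}

/* Corrected decision: the local ACL is evaluated before any forwarding. */
bool gateway_allows_checked(const char *name, const char *group) {
    return find_service(name) != NULL && acl_permits(name, group);
}
```

In this model the two functions disagree only for imported resources that carry an ACL entry, which is the set an administrator should review on an affected gateway.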