Date: 01 August 2012
References: ESB-2012.0467 ESB-2012.0801 ESB-2012.0916 ESB-2012.0933 ESB-2012.0976 ESB-2012.1044.2 ESB-2013.0078 ESB-2013.0547
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.0726
Two GKIT vulnerabilities impact Rational Directory Server 5.2.x (Tivoli)
1 August 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Rational Directory Server (Tivoli)
Publisher: IBM
Operating System: AIX
Linux variants
Solaris
Windows
Impact/Access: Access Privileged Data -- Remote with User Interaction
Denial of Service -- Remote/Unauthenticated
Unauthorised Access -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2012-2333 CVE-2012-2191
Reference: ESB-2012.0467
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21606145
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Alert: Two GKIT vulnerabilities impact Rational Directory Server 5.2.x
Tivoli)
Flash (Alert)
Abstract
Notice of two GKIT vulnerabilities which impact IBM Rational Directory Server
5.2.x (Tivoli) along with instructions to resolve the issue.
Content
Two GKIT vulnerabilities impact Rational Directory Server 5.2.x (Tivoli):
1. PKCS#12 Trust Anchor Insertion Vulnerability (IBM20120527-2322-56 Advisory
DB ID = 355, )
2. GSKit Encrypted Record Length Vulnerability (CVE-2012-2191)
Vulnerabilities:
IBM20120527-2322-56 Advisory DB ID: 355
Description: PKCS#12 is used both as a Key Transport Facility and also as an
Operational KeyStore with GSKit. PKCS#12 has the ability to not only store
Private Keys but also store Certificate objects. It goes without saying that
the storage of Private Keys is very secure as they are stored encrypted in a
format described by RFC 5208.
However, this is not true in relation to Certificate objects. The reason for
this not being true is that the PKCS#12 file integrity itself is optional as
shown here:
PFX ::= SEQUENCE { version INTEGER {v3(3)}(v3,...), authSafe ContentInfo,
macData MacData OPTIONAL }
As this integrity control is optional it can be removed and the contents of the
file altered without detection or warning. Thus no access control is required
to add Certificate Objects. In this case Certificates are used in a SSL PKI as
Trust Anchors and as such it is possible for an attacker to insert Trust
Anchors of the Attackers Certificate Authority (CA) into these files without
requiring any form of access control authorization information.
Once the Attacker Trust Anchor (CA Root Certificate) is inserted into the
victim System it will trust and validate any Attacker Certificate (Credentials)
presented that are issued by the Attackers CA. Additionally, this attack can
also be mounted by a Man in The Middle (MiTM) who intercepts PKCS#12 files
during transport and inserts hostile Trust Anchors. In this case the attack
can also work against systems that do not use the PKCS#12 file as a Key Store,
but has the downside that the attack path can be detected after the fact.
In the Key Store case; GSKit is unable to determine if the Certificate Objects
were added by an authorized user or in an unauthorized manner.
**Note**: The attack is most likely to target Servers
CVSS:
CVSS Base Score: 2 (Using CVSS V2)
CVSS Vector: (AV:A/AC:L/Au:N/C:C/I:C/A:P/E:H/RL:O/RC:C/CDP:LM/TD:L/CR:ND/IR:ND/AR:ND)
CVE ID: CVE-2012-2191
Description: SSL/TLS depends on in information in the Record Layer to determine
how much data is available for processing in the Encrypted Record. The
Encrypted Record itself is subject to a number of potential attacks for which
GSKit has implemented standard defences. In the case of the Vaudenay SSL CBC
Timing attack GSKit hides timing leakage by continuing processing when errors
with data sizes exist.
The defence considers the padding attack, but incorrectly made assumptions
about the overall sanity of incoming data when calculating parameters for the
defence. Additionally, in GSKit V8 the AEAD Cipher logic incorrectly assumes
that sufficient data exists for the Explicit Nonce. In both cases a small range
of values exits for which a possible Segmentation Violation can occur.
This vulnerability can be triggered remotely and is classified as a Denial of
Service attack._
**Notes** - Remote Code Execution is not apparent. - The attack was discovered
by investigation of CVE-2012-2333. Vulnerable Platforms
CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/75996 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
AFFECTED PLATFORMS: Rational Directory Server versions 5.2.x (Tivoli)
REMEDIATION: The recommended solution is to apply the fix for each named
product as soon as practical. Review the information below on the fixes
available.
Rational Directory Server 5.2.x (Tivoli) customers should install GSKIT
8.0.14.22. This version of GSKIT has been tested and verified by the Rational
Directory Server SVT team.
Download GSKIT 8.0.14.22
http://www-01.ibm.com/support/search.wss?rs=0&apar=include&q1=8.0.14.22-ISS-GSKIT&loc=en_US&cs=utf-8&lang=&sort=rk&p=1
Note: Make certain to select a GSKIT Download with a version of
GSKIT 8.0.14.22.
Review the instructions for installing GSKIT for more details.
http://www.ibm.com/support/docview.wss?uid=swg21577384
Cross reference information
Segment Product Component Platform
Software Development Rational Change AIX, Linux, Solaris, Windows
Software Development Rational DOORS Linux, Solaris, Windows
Software Development Rational Synergy AIX, Linux, Solaris, Windows
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines
Corp., registered in many jurisdictions worldwide. Other product and service
names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the Web at "Copyright and trademark information" at
www.ibm.com/legal/copytrade.shtml.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUBjLtu4yVqjM2NGpAQJfwxAAqaXShljiy6PsoiodmX37EdjTIvNisLZP
mHVgBiW4l3Z1rSgqf/IehPfp25pmWEO3oXeHHu6w8Svb6KXDkq3j4xvLSwC8WuxV
jN0zDxAFB86n7e6of2xwuFOyRE8NRP+rGk4zfFv7E7/P/bT6rlD0OVMXWSfGKK3f
jMNUflDIfWmweeO2jPfJhuB3xbspR0ZYDAx2qpVKs3Y7CtCz6Qdekf7SoDM95tg6
+MiHYPdFEupgoYf9ErQhxxSzCcO/ObledRfZHQRHf26s5dKr8i+WLUg6A+GbDWSB
hPQrdfJ5CU0pA8NVh2czIn1EQON4sBeQnp7/Hpb8dKYjWKM0X7iCrqdu3XRhL8vz
3teHn8UPG2+u7OMrD1FIZehhwO8nadllX4P/Y2xgZOIMfSnXLo1TJrotC9b2/Dmn
v4XKYtPF6cQNQthCtI9YFR1Qj5ldmfaG2MD8T8Ecwoa13Kv30cCeWvqyW+YnrRp2
NpgYWf/sRbqGozy+x8zffcYivooDJNF5EakEFkw7NkkQtwNuuOLFErfxBG3QvanT
nZunFIORcCiVbFE8D25QZVhckPVxhQ8gBqdDnW8ewdMKHc8hIXTd2KOYRmZCza2y
faxt6wOmx71LqIADxOCUfWfXhaqyorWDUaA8LuFotDmu/ecG6iBgVE/fAycw9iHE
c1C6yD23rrg=
=2ETG
-----END PGP SIGNATURE-----
|