ESB-2018.3848 - [Appliance] IBM Security Access Manager: Multiple vulnerabilities 2018-12-12

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3848
           IBM Security Access Manager receives security updates
                             12 December 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security Access Manager
Publisher:         IBM
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Root Compromise                 -- Existing Account            
                   Access Privileged Data          -- Existing Account            
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Existing Account            
                   Access Confidential Data        -- Remote/Unauthenticated      
                   Provide Misleading Information  -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-3646 CVE-2018-3639 CVE-2018-3620
                   CVE-2018-1887 CVE-2018-1886 CVE-2018-1815
                   CVE-2018-1814 CVE-2018-1813 CVE-2018-1805
                   CVE-2018-1804 CVE-2018-1803 CVE-2018-1740
                   CVE-2018-1653 CVE-2017-1000407 CVE-2017-1000252
                   CVE-2017-18017 CVE-2017-16939 CVE-2017-15906
                   CVE-2017-15670 CVE-2017-12154 CVE-2017-12132
                   CVE-2016-3506 CVE-2016-3092 CVE-2015-5180
                   CVE-2014-9402  

Reference:         ASB-2018.0204
                   ASB-2017.0118
                   ESB-2018.3049
                   ESB-2018.2355
                   ESB-2018.2028
                   ESB-2018.1858
                   ESB-2016.2261
                   ESB-2016.2179
                   ESB-2016.1583
                   ESB-2015.0428

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=ibm10787785

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple Security vulnerabilities have been fixed in the IBM
Security Access Manager Appliance

Document information
Software version: 9.0.1.0, 9.0.2.0, 9.0.3.0, 9.0.4.0, 9.0.5.0
Operating system(s): Appliance
Reference #: 0787785
Modified date: 11 December 2018

Summary

IBM Security Access Manager Appliance has addressed the following
vulnerabilities.

Vulnerability Details

CVEID: CVE-2017-15906
DESCRIPTION: OpenSSH is vulnerable to a denial of service, caused by an error
in the process_open() function when in read-only mode. A remote authenticated
attacker could exploit this vulnerability to create zero-length files and cause
a denial of service.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133128
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-1653
DESCRIPTION: IBM Security Access Manager Appliance is vulnerable to cross-site
scripting. This vulnerability allows users to embed arbitrary JavaScript code
in the Web UI, thus altering the intended functionality and potentially leading
to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144726
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2017-1000407
DESCRIPTION: Linux Kernel, built with KVM virtualization (CONFIG_KVM) support,
is vulnerable to a denial of service, caused by improper validation of
user-supplied input at the diagnostic port. By flooding the diagnostic port
0x80, a remote authenticated attacker could exploit this vulnerability to cause
the system to crash.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/136235
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-1000252
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an
assertion failure in the KVM subsystem in arch/x86/kvm/vmx.c and
virt/kvm/eventfd.c. By using a specially-crafted guest_irq value, a local
authenticated attacker could exploit this vulnerability to cause the hypervisor
to hang or crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/132620
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-18017
DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a
use-after-free flaw in the tcpmss_mangle_packet function in net/netfilter/
xt_TCPMSS.c. By leveraging the presence of xt_TCPMSS in an iptables action, a
remote attacker could exploit this vulnerability to cause a denial of service
condition.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/137122
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-12154
DESCRIPTION: Linux Kernel could allow a local authenticated attacker to bypass
security restrictions, caused by a flaw in the prepare_vmcs02 function in arch/
x86/kvm/vmx.c. By sending a specially-crafted request, an attacker could
exploit this vulnerability to obtain read and write access to the hardware CR8
register.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/132621
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)

CVEID: CVE-2017-15670
DESCRIPTION: GNU C Library is vulnerable to a heap-based buffer overflow,
caused by improper bounds checking by the glob function in glob.c. By sending a
specially-crafted string, a remote attacker could overflow a buffer and execute
arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/133915
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2017-12132
DESCRIPTION: GNU C Library (aka glibc or libc6) could allow a remote attacker
to conduct spoofing attacks, caused by a flaw in the DNS stub resolver. An
attacker could exploit this vulnerability to perform off-path DNS spoofing
attacks.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/129949
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2015-5180
DESCRIPTION: glibc is vulnerable to a denial of service, caused by a NULL
pointer dereference in the res_query function in libresolv. By using a
malformed pattern, a remote attacker could cause the process to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/130620
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2014-9402
DESCRIPTION: glibc is vulnerable to a denial of service, caused by an error in
the getanswer_r() function. If the DNS backend is activated, a remote attacker
could exploit this vulnerability to cause the application to enter into an
infinite loop.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/99289
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

CVEID: CVE-2017-16939
DESCRIPTION: Linux Kernel could allow a remote attacker to gain elevated
privileges on the system, caused by a use-after-free in the Netlink socket
subsystem XFRM. By sending a specially-crafted request, an attacker could
exploit this vulnerability to gain privileges.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/135317
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-1740
DESCRIPTION: IBM Security Access Manager Appliance is vulnerable to cross-site
scripting. This vulnerability allows users to embed arbitrary JavaScript code
in the Web UI, thus altering the intended functionality and potentially leading
to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148419
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-1814
DESCRIPTION: IBM Security Access Manager Appliance uses weaker than expected
cryptographic algorithms that could allow an attacker to decrypt highly
sensitive information.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/150018
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-1803
DESCRIPTION: IBM Security Access Manager Appliance could allow a remote
attacker to hijack the clicking action of the victim. By persuading a victim to
visit a malicious Web site, a remote attacker could exploit this vulnerability
to hijack the victim's click actions and possibly launch further attacks
against the victim.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/149702
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-1804
DESCRIPTION: IBM Security Access Manager Appliance does not set the secure
attribute on authorization tokens or session cookies. This could allow an
attacker to obtain sensitive information using man in the middle techniques.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/149703
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
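The check a defender would run for CVE-2018-1804 is whether the appliance's session cookies actually carry the Secure attribute. The following is an added example, not part of IBM's or AusCERT's bulletin: it parses the Set-Cookie headers of a captured HTTP response and lists cookies lacking Secure (and, as a related hardening check, HttpOnly). The response head and cookie names are constructed placeholders, not ISAM's real cookie names.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example, not part of the bulletin: CVE-2018-1804 above is a
session cookie issued without the Secure attribute, so a browser would
also send it over plain HTTP. The response head below is constructed;
cookie names are placeholders, not ISAM's real cookie names.
"""
from typing import Dict, List

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session_id=c0ns7ruct3d; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: app_token=ex4mpl3; Path=/app; HttpOnly\r\n"
    "Set-Cookie: lang=en; Expires=Wed, 12 Dec 2018 00:00:00 GMT; Path=/\r\n"
    "\r\n"
)


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Parse one Set-Cookie value into {'name', 'value', 'attrs'}.

    Attribute names are case-insensitive (RFC 6265); flag attributes such as
    Secure map to True, valued ones such as Path to their value. Expires
    contains a comma, so ';' is the only separator used.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if attr:
            k, sep, v = attr.partition("=")
            attrs[k.strip().lower()] = v.strip() if sep else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_cookies(raw_response: str,
                  required=("secure", "httponly")) -> Dict[str, List[str]]:
    """Map each cookie name to the required attributes it lacks.

    Only the header section is scanned; header names are matched
    case-insensitively, and cookies carrying every required attribute are
    omitted from the result.
    """
    missing = {}
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.splitlines():
        hname, sep, hvalue = line.partition(":")
        if not sep or hname.strip().lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(hvalue)
        lacking = [a for a in required if a not in cookie["attrs"]]
        if lacking:
            missing[cookie["name"]] = lacking
    return missing


if __name__ == "__main__":
    for name, lacking in audit_cookies(SAMPLE_RESPONSE).items():
        print(f"{name}: missing {', '.join(lacking)}")
```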

CVEID: CVE-2018-1805
DESCRIPTION: IBM Security Access Manager Appliance generates an error message
that includes sensitive information about its environment, users, or associated
data.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/149704
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-1815
DESCRIPTION: IBM Security Access Manager for Enterprise Single-Sign On is
vulnerable to cross-site scripting. This vulnerability allows users to embed
arbitrary JavaScript code in the Web UI, thus altering the intended
functionality and potentially leading to credentials disclosure within a
trusted session.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/150019
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-1813
DESCRIPTION: IBM Security Access Manager Appliance uses incomplete blacklisting
for input validation which allows attackers to bypass application controls
resulting in direct impact to the system and data integrity.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/150017
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2016-3506
DESCRIPTION: An unspecified vulnerability in multiple Oracle products could
allow an unauthenticated attacker to take control of the system.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115131
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-1886
DESCRIPTION: IBM Security Access Manager Appliance discloses sensitive
information to unauthorized users. The information can be used to mount further
attacks on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152021
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-1887
DESCRIPTION: IBM Security Access Manager Appliance contains hard-coded
credentials, such as a password or cryptographic key, which it uses for its own
inbound authentication, outbound communication to external components, or
encryption of internal data.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152078
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

CVEID: CVE-2016-3092
DESCRIPTION: Apache Tomcat is vulnerable to a denial of service, caused by an
error in the Apache Commons FileUpload component. By sending file upload
requests, an attacker could exploit this vulnerability to cause the server to
become unresponsive.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114336
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-3646
DESCRIPTION: Multiple Intel CPUs could allow a local attacker to obtain
sensitive information, caused by a flaw in the CPU speculative branch
instruction execution feature. By conducting targeted cache side-channel
attacks and via a terminal page fault, an attacker with guest OS privilege
could exploit this vulnerability to leak information residing in the L1 data
cache and read data belonging to different security contexts.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148319
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

CVEID: CVE-2018-3620
DESCRIPTION: Multiple Intel CPUs could allow a local attacker to obtain
sensitive information, caused by a flaw in the CPU speculative branch
instruction execution feature. By conducting targeted cache side-channel
attacks and via a terminal page fault, an attacker could exploit this
vulnerability to leak information residing in the L1 data cache and read data
belonging to different security contexts. Note: This vulnerability is also
known as the "L1 Terminal Fault (L1TF)" or "Foreshadow" attack.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148318
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

CVEID: CVE-2018-3639
DESCRIPTION: Multiple Intel CPUs could allow a local attacker to obtain
sensitive information, caused by utilizing sequences of speculative execution
and speculative execution of memory reads before the addresses of all prior
memory writes are known. By conducting targeted cache side-channel attacks, an
attacker could exploit this vulnerability to bypass security restrictions and
gain read access to privileged memory. Note: This vulnerability is the
Speculative Store Bypass (SSB), also known as Variant 4 or "SpectreNG".
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/143569
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

Affected Products and Versions

+--------------------------------------------------------+
|Affected IBM Security Access Manager     |Affected      |
|Appliance                                |Versions      |
|-----------------------------------------+--------------|
|IBM Security Access Manager              |9.0.1.0 -     |
|                                         |9.0.5.0       |
+--------------------------------------------------------+

Remediation/Fixes

+-----------------------------------------------------------------------------+
|Product            |VRMF      |APAR        |Remediation                      |
|-------------------+----------+------------+---------------------------------|
|IBM Security Access|9.0.1.0 - |-           |1. For versions prior to 9.0.6.0,|
|Manager            |9.0.5.0   |            |upgrade to 9.0.6.0:              |
|                   |          |            |                                 |
|                   |          |            |9.0.6-ISS-ISAM-FP0000            |
+-----------------------------------------------------------------------------+

Workarounds and Mitigations

None

Acknowledgement

IBM X-Force Ethical Hacking Team: Ron Craig, Warren Moynihan, Jonathan
Fitz-Gerald, John Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza

Change History

11 December 2018: First Publish

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


                          Cross reference information
        Product          Component Platform           Version           Edition
  IBM Security Access              Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0,
    Manager for Web                          9.0.4.0, 9.0.5.0
  IBM Security Access              Appliance 9.0.1.0, 9.0.2.0, 9.0.3.0,
   Manager for Mobile                        9.0.4.0, 9.0.5.0

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================