-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0933
   GSKit SSL/TLS Record Length vulnerability in Tivoli Access Manager for
                                 e-business
                               2 October 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Tivoli Access Manager for e-business
Publisher:         IBM
Operating System:  Windows
                   Linux variants
                   HP-UX
                   Solaris
                   AIX
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-2191
Reference:         ESB-2012.0726

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21612378

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: GSKit SSL/TLS Record Length vulnerability in Tivoli Access
Manager for e-business (CVE-2012-2191)

Flash (Alert)

Abstract

A vulnerability has been identified in the GSKit component utilized by Tivoli
Access Manager for e-business (TAM). A specifically crafted malformed SSL/TLS
data packet can cause the TAM server component using GSKit to segmentation
fault. Remediation for the issue consists of upgrading affected GSKit 7
versions to version 7.0.4.42 or higher following the instructions at the end
of this bulletin.

Content

VULNERABILITY DETAILS

CVE ID: CVE-2012-2191

DESCRIPTION: TAM uses GSKit for SSL/TLS connections. The GSKit implementation
of the CBC and AEAD cipher suites is vulnerable to an attack from a
specifically crafted malformed SSL/TLS data packet. Several ciphers supported
by TAM belong to these suites. An attacker would need to act as a
man-in-the-middle, intercepting the SSL data stream between a client, such as
a web browser, and a TAM server, such as WebSEAL, that was using an affected
cipher, and inject a malformed data packet into the stream.
Were an attacker able to do so, they could cause the TAM server process to
crash. The attack does not require local network access nor does it require
authentication, but highly specialized knowledge and techniques are required.
An exploit would not impact the confidentiality of information or the
integrity of data; however, the availability of the system could be
compromised.

CVSS:
CVSS Base Score: 5
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Details: http://xforce.iss.net/xforce/xfdb/75996

AFFECTED PLATFORMS

All supported Tivoli Access Manager versions are affected if they use GSKit
7.0.x.x builds before and including 7.0.4.40.

REMEDIATION:

1. Determine the GSKit version on TAM systems.
2. If an affected version is present, upgrade to GSKit version 7.0.4.42 or
   higher as soon as possible.
3. Upgrade your GSKit version following the instructions at the end of this
   bulletin.

WORKAROUNDS:

No workaround.

INSTRUCTIONS FOR UPGRADING GSKIT TO VERSION 7.0.4.42

Note: IBM Global Security Toolkit (GSKit) version 7.0.4.33 and higher supports
RFC 5746 (TLS Renegotiation Indication Extension). Therefore, the security
exposure CVE-2009-3555 (TLS/SSL Protocol Vulnerability) is not applicable to
these versions of GSKit.

Upgrade the IBM Global Security Toolkit (GSKit) to version 7.0.4.42. The
32-bit version must be used regardless of system architecture.

The updated GSKit installation packages may be downloaded at the URL:
   https://www14.software.ibm.com/webapp/iwm/web/reg/pick.do?source=gskitupdt

Instructions for installing GSKit may also be found in the IBM Tivoli Access
Manager for e-business Installation Guide, under the section "Reference
information > Installing prerequisite products".

To upgrade GSKit on AIX:

1. Install the patch:

      installp -a -X -g -d . gskta.rte

   For 64-bit, also install:

      installp -a -X -g -d . gsksa.rte

2.
From the command line, run the following commands to stop and restart the
   Tivoli Access Manager processes:

      pd_start stop
      pd_start start

3. Confirm that the upgrade was successful by following the instructions in
   the section "Confirm that GSKit was updated".

To upgrade GSKit on HP/UX:

Note: On HP Integrity servers use gsk7bas32 instead of gsk7bas.

1. Uncompress and extract the file from gsk7bas.tar.Z
2. Install the patch:

      swinstall -s $PATH/gsk7bas gsk7bas

   where $PATH here stands for the directory containing the gsk7bas package
   (substitute the actual directory; it is not your shell's PATH variable).
3. Ensure that the following path is set in your .profile, and verify it:

      SHLIB_PATH=/usr/lib

   To set this path, enter the following command (note the colon separator;
   a semicolon would end the command and try to execute the old value):

      export SHLIB_PATH=/usr/lib:$SHLIB_PATH

   After you install GSKit, no configuration is necessary. Note that
   SHLIB_PATH is only required to run the iKeyman key management utility
   (gsk7ikm), which is installed with the GSKit package. This enables you to
   create key databases, public-private key pairs, and certificate requests.
   For more information about gsk7ikm, see the Secure Sockets Layer
   Introduction and iKeyman User's Guide.
4. From the command line, run the following commands to stop and restart the
   Tivoli Access Manager processes:

      pd_start stop
      pd_start start

5. Confirm that the upgrade was successful by following the instructions in
   the section "Confirm that GSKit was updated".

To upgrade GSKit on Linux:

1. Install the patch. At the command prompt, enter the following:

      rpm -U <patchname>

   where <patchname> is one of the following:

      Linux on xSeries(R) Red Hat       gsk7bas-7.0.4.42.i386.rpm
      Suse SLES8                        gsk7bas-7.0.4.42.i386.rpm
      Linux on zSeries                  gsk7bas-7.0.4.42.s390.rpm
      Linux on pSeries(R) and iSeries   gsk7bas-7.0.4.42.ppc32.rpm

   If Tivoli Access Manager is already configured, you might need to install
   with the --noscripts flag:

      rpm -U --noscripts <patchname>

2. From the command line, run the following commands to stop and restart the
   Tivoli Access Manager processes:

      pd_start stop
      pd_start start

3.
Confirm that the upgrade was successful by following the instructions in
   the section "Confirm that GSKit was updated".

To upgrade GSKit on Solaris:

1. Uncompress and extract the file from gsk7bas.tar.Z
2. Install the patch:

      pkgadd -a none -d . gsk7bas

   a. Answer 'y' when asked whether to overwrite an installed instance
      directory.
   b. When prompted for a package base directory, enter /opt if GSKit is
      installed in the default location. Otherwise, specify the appropriate
      location.
3. From the command line, run the following commands to stop and restart the
   Tivoli Access Manager processes:

      pd_start stop
      pd_start start

4. Confirm that the upgrade was successful by following the instructions in
   the section "Confirm that GSKit was updated".

To upgrade GSKit on Microsoft Windows:

1. Extract the GSKit upgrade package:

      gsk7bas.exe gsk7bas
      cd gsk7bas

2. Use the following command to upgrade GSKit:

      setup gsk7 <location> -sf1".\setup.iss"

   where <location> is the drive and parent directory to your desired GSKit
   install location.

   NOTE: The GSKit installation program does not recognize spaces in the
   <location> string. Therefore, if GSKit was originally installed in:

      C:\Program Files\ibm\gsk7

   you must specify the location using the following syntax, which eliminates
   the spaces:

      C:\Progra~1\ibm\gsk7

   (Progra~1 is the 8.3 short name of Program Files; confirm that it resolves
   to that directory on the system in question with "dir /x C:\" before
   relying on it.) The complete command for this example would be:

      setup gsk7 c:\Progra~1\ibm\gsk7 -sf1".\setup.iss"

   After entering the setup command, an InstallShield window is displayed.
   Follow the installation directions. In the window where you are prompted
   for the destination location, you must change the default location from:

      C:\Program Files\ibm\gsk7

   to:

      C:\Progra~1\ibm\gsk7

   or to whatever install location is applicable.

3. Shut down and reboot the system.
4. Confirm that the upgrade was successful by following the instructions in
   the section "Confirm that GSKit was updated".
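The bulletin says only that a malformed SSL/TLS record length makes GSKit segmentation fault; it gives no detail of how GSKit handled that field. The following is therefore an added illustration of the bug class named in the title, written for this page and not GSKit's code: a TLS record-layer parser in Python that trusts the two-byte length field, beside one that checks the declared length both against the RFC 5246 ceiling for a TLSCiphertext fragment (2^14 + 2048 bytes) and against the bytes actually received. The sample records are constructed, not captured traffic, and `build_record`, `parse_record_naive`, `parse_record_strict`, `is_acceptable` and `iter_records` are names chosen for this example. Only the outer record length is modelled; the CBC padding and AEAD tag checks that the bulletin's cipher-suite remark alludes to happen after decryption and are not shown.

```python
import struct
from typing import Iterator, Tuple

# RFC 5246 section 6.2.3: a TLSCiphertext fragment MUST NOT exceed 2^14 + 2048 bytes.
MAX_CIPHERTEXT_LEN = (1 << 14) + 2048
RECORD_HEADER_LEN = 5        # ContentType (1) | ProtocolVersion (2) | length (2)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

# (content type, protocol version, fragment, bytes left in the stream)
Record = Tuple[int, int, bytes, bytes]


class RecordError(ValueError):
    """A record the strict parser refuses to consume."""


def build_record(ctype: int, version: int, fragment: bytes) -> bytes:
    """Serialise a record header plus fragment; used here to construct sample input."""
    return struct.pack("!BHH", ctype, version, len(fragment)) + fragment


def parse_record_naive(buf: bytes) -> Record:
    """Trust the peer's length field. Python slicing silently truncates, so this
    hands back a fragment shorter than declared; the C equivalent reads past the
    end of the receive buffer, which is the class of failure the bulletin describes."""
    ctype, version, length = struct.unpack("!BHH", buf[:RECORD_HEADER_LEN])
    end = RECORD_HEADER_LEN + length
    return ctype, version, buf[RECORD_HEADER_LEN:end], buf[end:]


def parse_record_strict(buf: bytes) -> Record:
    """Validate the header before touching the fragment."""
    if len(buf) < RECORD_HEADER_LEN:
        raise RecordError(f"short header: {len(buf)} of {RECORD_HEADER_LEN} bytes")
    ctype, version, length = struct.unpack("!BHH", buf[:RECORD_HEADER_LEN])
    if ctype not in CONTENT_TYPES:
        raise RecordError(f"unknown content type {ctype}")
    if version >> 8 != 3:            # SSL 3.0 and TLS 1.0-1.2 all carry major version 3
        raise RecordError(f"unsupported protocol version 0x{version:04x}")
    if length > MAX_CIPHERTEXT_LEN:   # bound from the spec, independent of buffer size
        raise RecordError(f"declared length {length} exceeds {MAX_CIPHERTEXT_LEN}")
    end = RECORD_HEADER_LEN + length
    if len(buf) < end:                # bound from what actually arrived
        raise RecordError(f"declared length {length}, only "
                          f"{len(buf) - RECORD_HEADER_LEN} fragment bytes present")
    return ctype, version, buf[RECORD_HEADER_LEN:end], buf[end:]


def is_acceptable(buf: bytes) -> bool:
    """True when the strict parser would consume the record at the head of buf."""
    try:
        parse_record_strict(buf)
    except RecordError:
        return False
    return True


def iter_records(stream: bytes) -> Iterator[Record]:
    """Walk a byte stream record by record, stopping with RecordError at the
    first malformed header instead of passing a short fragment downstream."""
    rest = stream
    while rest:
        ctype, version, fragment, rest = parse_record_strict(rest)
        yield ctype, version, fragment, rest


# Constructed sample records (not captured traffic).
GOOD = build_record(23, 0x0303, b"hello")                        # TLS 1.2 application_data
OVERSIZE = bytes([23, 0x03, 0x03, 0xFF, 0xFF]) + b"\x00" * 16     # claims 65535 bytes, carries 16
TRUNCATED = build_record(22, 0x0303, b"A" * 64)[:20]              # header promises 64, stream cut at 15

if __name__ == "__main__":
    print("naive fragment length for OVERSIZE:", len(parse_record_naive(OVERSIZE)[2]))
    for name, sample in (("GOOD", GOOD), ("OVERSIZE", OVERSIZE), ("TRUNCATED", TRUNCATED)):
        print(name, "accepted" if is_acceptable(sample) else "rejected")
```

The two bounds are deliberately separate: the RFC maximum catches a length that is absurd regardless of buffer size, while the received-bytes check catches a header whose declared length exceeds what has arrived, which is the condition a native implementation turns into an out-of-bounds read.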
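Step 1 of REMEDIATION (determine the GSKit version) and the "Confirm that GSKit was updated" section below both come down to reading `gsk7ver` output and comparing every component's version with 7.0.4.42. The script below is an added example, not IBM's or AusCERT's code, that does that comparison numerically (so 7.0.4.9 ranks below 7.0.4.42, which a plain string comparison would get backwards) and flags any component below the fixed level. It assumes a Python 3 interpreter is available and that gsk7ver prints each component's version on a line containing the word "version" followed by a four-part dotted number; the bulletin only names the field "PRODUCT VERSION" and does not show the exact output layout, so the embedded sample output is constructed and `VERSION_LINE` may need adjusting for your build. `parse_version`, `component_versions`, `affected_versions`, `status` and `run_gsk7ver` are names chosen for this example.

```python
import re
import shutil
import subprocess
from typing import List, Tuple

FIXED_LEVEL: Tuple[int, ...] = (7, 0, 4, 42)   # minimum GSKit 7 build named in the bulletin

# Assumption about gsk7ver's output: each component's version sits on a line that
# contains "version" (any case) followed by a four-part dotted number.
VERSION_LINE = re.compile(r"version\b[^0-9]*(\d+(?:\.\d+){3})", re.IGNORECASE)

# Constructed samples of what gsk7ver might print before and after the upgrade
# (not real gsk7ver output). The "before" sample mixes two levels on purpose.
SAMPLE_BEFORE = """\
IBM Global Security Kit version information (constructed sample)
@(#)CompName: IBM GSKit SSL Runtime
@(#)Version: 7.0.4.40
@(#)CompName: IBM GSKit Key Management
@(#)Version: 7.0.4.9
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("7.0.4.40", "7.0.4.42").replace("7.0.4.9", "7.0.4.42")


def parse_version(text: str) -> Tuple[int, ...]:
    """'7.0.4.42' -> (7, 0, 4, 42). Tuples compare numerically, so 7.0.4.9 < 7.0.4.42."""
    return tuple(int(part) for part in text.split("."))


def component_versions(gsk7ver_output: str) -> List[Tuple[int, ...]]:
    """Every version string found in the output, one per reported component."""
    matches = (VERSION_LINE.search(line) for line in gsk7ver_output.splitlines())
    return [parse_version(m.group(1)) for m in matches if m]


def affected_versions(gsk7ver_output: str) -> List[str]:
    """Dotted strings of every component reported below FIXED_LEVEL."""
    return [".".join(map(str, v)) for v in component_versions(gsk7ver_output)
            if v < FIXED_LEVEL]


def status(gsk7ver_output: str) -> str:
    """'OK' when every component is at 7.0.4.42 or later, 'AFFECTED' when any is
    below it (the bulletin requires ALL components to be at the fixed level),
    'UNKNOWN' when no version string could be parsed at all."""
    versions = component_versions(gsk7ver_output)
    if not versions:
        return "UNKNOWN"
    return "AFFECTED" if any(v < FIXED_LEVEL for v in versions) else "OK"


def run_gsk7ver() -> str:
    """Run gsk7ver if it is on PATH (shutil.which also finds gsk7ver.exe on Windows);
    return '' when it is not installed or not on PATH."""
    exe = shutil.which("gsk7ver")
    if exe is None:
        return ""
    return subprocess.run([exe], capture_output=True, text=True).stdout


if __name__ == "__main__":
    output = run_gsk7ver()
    if not output:
        print("gsk7ver not found on PATH; evaluating the constructed sample instead")
        output = SAMPLE_BEFORE
    result = status(output)
    print(result, "affected components:", affected_versions(output))
    raise SystemExit(0 if result == "OK" else 1)
```

Run it on each TAM host before and after the upgrade, or paste gsk7ver output captured elsewhere into `status()`. Anything below 7.0.4.42 is reported as AFFECTED, including a hypothetical 7.0.4.41, which matches the bulletin's position that 7.0.4.42 is the fix level; a GSKit 8 install is a different product line and is not flagged by this check.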
Confirm that GSKit was updated

After upgrading to the version of GSKit included with this patch, the GSKit
PRODUCT VERSION should be 7.0.4.42 for ALL components of the GSKit toolkit.

To determine the version of GSKit installed, use the following command on any
platform:

      gsk7ver

NOTE: On HP-UX, you might need to add the following path in your profile for
the above command to work:

      SHLIB_PATH=/usr/lib

RELATED INFORMATION:

   CVE-2012-2191
   Complete CVSS Guide
   IBM Secure Engineering Web Portal
   IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current list
of IBM trademarks is available on the Web at "Copyright and trademark
information" at www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your
organisation, so if you do not wish to continue receiving these bulletins you
should contact your local IT manager. If you do not know who that is, please
send an email to auscert@auscert.org.au and we will forward your request to
the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
=========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUGpVEe4yVqjM2NGpAQI5ZA//dKUcrxoD4gz0j+7v589ZNZ4A9fChYJOd etlbNN7xTHRSbUzNl/hH6PFUmnwPkdwrFVEF6q+gDexWaj0PEbxc0fAeqjYimqNt 4a53Ns/uwEg7Vcy8uHgBvNJNUH2vDFN07+5h6iPVf+Wb32rb9YwGeUnn11z4xEw5 KYNMQBtY//JfwvLxsPTZw6ecfb/+Auqo2i3p1DOQ3IqMC2CyHo2La1fZQMeHjfN5 U3AKw9gO3ru49gsh65nMcc02cv3AoIWbPjhwQohh3oxOyn1hu7SsA+jz0QbjgeZc ZAl+O7zuIGJ5AwHTibtyN8txfaHUhLwgtYS78x9A9GbQTzZg6KFQ0JzVH+vnim1g 8sOwyWXpsSqKbGpHWpergFGZjJ3omu5CDj48MutMpBvCtOlaLC3552Ss90bXpx6v 93MOrEays8mRKbdhfxOnXiCWi1hnlLO0RfCJkgU3zF4+ZP9EoikeW01lmdzl7lGU kReBgciX89aI8iGn+dGonBJTei/ZTE9teUVL8ibbtuQtU1S0IkCE28V7dZkZiVlc 6UGzprgX7O6pMJUGudar/pXbXaHLh9AL8gtGPHOEORai/yWIwws+Tp0tXkqdyhTv 5KhVWDDs+yjnYd7u4RaBLxf2N7dnw7SMGVekevJT/uugtulGhq8wgSh+Bgj9mt17 Kkrlzy1EOyk= =TpH2 -----END PGP SIGNATURE-----