-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4479.2
          IBM QRadar Network Packet Capture updates dependencies
                               28 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           QRadar Network Packet Capture
Publisher:         IBM
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data         -- Remote with User Interaction
                   Increased Privileges           -- Existing Account
                   Denial of Service              -- Existing Account
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11810 CVE-2019-9948 CVE-2019-9947
                   CVE-2019-9740 CVE-2019-5489 CVE-2019-3863
                   CVE-2019-3857 CVE-2019-3856 CVE-2019-3855
                   CVE-2019-1559 CVE-2019-1125 CVE-2019-1073
                   CVE-2019-1071 CVE-2018-17972 CVE-2018-9568
                   CVE-2018-0734 CVE-2017-17805
Reference:         ASB-2019.0289
                   ESB-2019.2489
                   ESB-2019.0169.4
                   ESB-2018.3639

Original Bulletin:
   https://www.ibm.com/support/pages/node/1115649
   https://www.ibm.com/support/pages/node/1115643
   https://www.ibm.com/support/pages/node/1115655
   https://www.ibm.com/support/pages/node/1116357

Comment: This bulletin contains four (4) IBM security advisories.

Revision History:  November 28 2019: Vendor released advisory covering libssh2
                                     and Linux kernel updates
                   November 27 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

OpenSSL as used by IBM QRadar Network Packet Capture is vulnerable to a timing
side channel attack (CVE-2018-0734)

Security Bulletin

Summary

Covert timing channels convey information by modulating some aspect of system
behavior over time, so that the program receiving the information can observe
system behavior and infer protected information.
Vulnerability Details

CVEID: CVE-2018-0734
DESCRIPTION: The OpenSSL DSA signature algorithm has been shown to be vulnerable
to a timing side channel attack. An attacker could use variations in the signing
algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1).
Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q
(Affected 1.0.2-1.0.2p).
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/152085
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM QRadar Network Packet Capture 7.3.0 - 7.3.2 Patch 2

Remediation/Fixes

IBM QRadar Network Packet Capture 7.3.2 Patch 3

Workarounds and Mitigations

None

- --------------------------------------------------------------------------------

OpenSSL as used by IBM QRadar Network Packet Capture is vulnerable to
(CVE-2019-1559)

Security Bulletin

Summary

The software does not implement a required step in a cryptographic algorithm.

Vulnerability Details

CVEID: CVE-2019-1559
DESCRIPTION: If an application encounters a fatal protocol error and then calls
SSL_shutdown() twice (once to send a close_notify, and once to receive one) then
OpenSSL can respond differently to the calling application if a 0 byte record is
received with invalid padding compared to if a 0 byte record is received with an
invalid MAC. If the application then behaves differently based on that in a way
that is detectable to the remote peer, then this amounts to a padding oracle
that could be used to decrypt data. In order for this to be exploitable
"non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised
implementations of certain commonly used ciphersuites. Also the application must
call SSL_shutdown() twice even if a protocol error has occurred (applications
should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected
1.0.2-1.0.2q).
CVSS Base score: 5.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/157514
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

Affected Products and Versions

IBM QRadar Network Packet Capture 7.3.0 - 7.3.2 Patch 2

Remediation/Fixes

IBM QRadar Network Packet Capture 7.3.2 Patch 3

Workarounds and Mitigations

None

- --------------------------------------------------------------------------------

Python as used by IBM QRadar Network Packet Capture is vulnerable to Improper
Neutralization of CRLF Sequences in HTTP Headers (CVE-2019-9947, CVE-2019-9948)

Security Bulletin

Summary

The software receives data from an upstream component, but does not neutralize
or incorrectly neutralizes CR and LF characters before the data is included in
outgoing HTTP headers.

Vulnerability Details

CVEID: CVE-2019-9947
DESCRIPTION: An issue was discovered in urllib2 in Python 2.x through 2.7.16 and
urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker
controls a url parameter, as demonstrated by the first argument to
urllib.request.urlopen with \r\n (specifically in the path component of a URL
that lacks a ? character) followed by an HTTP header or a Redis command. This is
similar to the CVE-2019-9740 query string issue.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158830
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2019-9948
DESCRIPTION: urllib in Python 2.x through 2.7.16 supports the local_file: scheme,
which makes it easier for remote attackers to bypass protection mechanisms that
blacklist file: URIs, as demonstrated by triggering a
urllib.urlopen('local_file:///etc/passwd') call.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158831
for the current score.
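Added example (not code from IBM, AusCERT or the Python project) showing the input check a caller of urlopen() would want against the two urllib issues just described: rejecting raw CR/LF before any parsing (CVE-2019-9947) and allowlisting schemes instead of blocklisting file: (CVE-2019-9948). The sample URLs, the allowlist and the helper names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample inputs (not from the bulletin): a clean URL, a URL carrying
# CR/LF (CVE-2019-9947), and non-HTTP schemes such as local_file: that a
# file:-only blocklist would miss (CVE-2019-9948).
SAMPLE_URLS = [
    "http://example.test/api/items?id=42",
    "http://example.test/api/items?id=42 HTTP/1.1\r\nX-Injected: yes\r\n",
    "local_file:///etc/passwd",
    "FILE:///etc/passwd",
    "ftp://example.test/data",
    "http:///no-host",
]

# Allowlist the schemes the application needs; everything else is rejected, so
# local_file:, FILE: and any future scheme alias never reach urlopen().
ALLOWED_SCHEMES = frozenset({"http", "https"})
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def validate_url(url: str) -> str:
    """Return url unchanged if it is safe to hand to a client library, else raise."""
    # Check for raw control characters before parsing: newer urlsplit() silently
    # strips \r, \n and \t, so a post-parse check would miss them. Percent-encoded
    # %0d%0a is allowed because the client sends it encoded, not as a line break.
    if _CONTROL.search(url):
        raise ValueError("control character in URL")
    # Split the scheme by hand: urlsplit() does not accept "_" in a scheme, so it
    # would report local_file: as an empty scheme instead of naming it.
    scheme, sep, _rest = url.partition(":")
    if not sep or scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {scheme!r}")
    if not urlsplit(url).hostname:
        raise ValueError("missing host")
    return url


def triage(urls):
    """Map each URL to 'ok' or its rejection reason, for logging or review."""
    results = {}
    for url in urls:
        try:
            results[url] = validate_url(url) and "ok"
        except ValueError as exc:
            results[url] = str(exc)
    return results


if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_URLS).items():
        print(f"{verdict:<34} {url!r}")
```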
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

IBM QRadar Network Packet Capture 7.3.0 - 7.3.2 Patch 2

Remediation/Fixes

IBM QRadar Network Packet Capture 7.3.2 Patch 3

Workarounds and Mitigations

None

- --------------------------------------------------------------------------------

IBM Security QRadar Packet Capture is vulnerable to Using Components with Known
Vulnerabilities

Summary

The product includes vulnerable components (e.g., framework libraries) that may
be identified and exploited with automated tools.

Vulnerability Details

CVEID: CVE-2019-3855
DESCRIPTION: An integer overflow flaw which could lead to an out of bounds write
was discovered in libssh2 before 1.8.1 in the way packets are read from the
server. A remote attacker who compromises an SSH server may be able to execute
code on the client system when a user connects to the server.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158339
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-3856
DESCRIPTION: An integer overflow flaw, which could lead to an out of bounds
write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt
requests are parsed. A remote attacker who compromises an SSH server may be able
to execute code on the client system when a user connects to the server.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158340
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-3857
DESCRIPTION: An integer overflow flaw which could lead to an out of bounds write
was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST
packets with an exit signal are parsed. A remote attacker who compromises an SSH
server may be able to execute code on the client system when a user connects to
the server.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158341
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-3863
DESCRIPTION: A flaw was found in libssh2 before 1.8.1. A server could send
multiple keyboard-interactive response messages whose total length is greater
than the unsigned char maximum. This value is used as an index to copy memory,
causing an out of bounds memory write.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/158347
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-1559
DESCRIPTION: If an application encounters a fatal protocol error and then calls
SSL_shutdown() twice (once to send a close_notify, and once to receive one) then
OpenSSL can respond differently to the calling application if a 0 byte record is
received with invalid padding compared to if a 0 byte record is received with an
invalid MAC. If the application then behaves differently based on that in a way
that is detectable to the remote peer, then this amounts to a padding oracle
that could be used to decrypt data. In order for this to be exploitable
"non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised
implementations of certain commonly used ciphersuites. Also the application must
call SSL_shutdown() twice even if a protocol error has occurred (applications
should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected
1.0.2-1.0.2q).
CVSS Base score: 5.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/157514
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

CVEID: CVE-2019-5489
DESCRIPTION: The mincore() implementation in mm/mincore.c in the Linux kernel
through 4.19.13 allowed local attackers to observe page cache access patterns of
other processes on the same system, potentially allowing sniffing of secret
information. (Fixing this affects the output of the fincore program.) Limited
remote exploitation may be possible, as demonstrated by latency differences in
accessing public files from an Apache HTTP Server.
CVSS Base score: 5.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/155197
for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2019-1125
DESCRIPTION: An information disclosure vulnerability exists when certain central
processing units (CPU) speculatively access memory, aka 'Windows Kernel
Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-1071,
CVE-2019-1073.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/162990
for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

CVEID: CVE-2018-17972
DESCRIPTION: An issue was discovered in the proc_pid_stack function in
fs/proc/base.c in the Linux kernel through 4.18.11. It does not ensure that only
root may inspect the kernel stack of an arbitrary task, allowing a local
attacker to exploit racy stack unwinding and leak kernel task stack contents.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/150826
for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2017-17805
DESCRIPTION: The Salsa20 encryption algorithm in the Linux kernel before 4.14.8
does not correctly handle zero-length inputs, allowing a local attacker able to
use the AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to
cause a denial of service (uninitialized-memory free and kernel crash) or have
unspecified other impact by executing a crafted sequence of system calls that
use the blkcipher_walk API. Both the generic implementation
(crypto/salsa20_generic.c) and x86 implementation
(arch/x86/crypto/salsa20_glue.c) of Salsa20 were vulnerable.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/136626
for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-11810
DESCRIPTION: An issue was discovered in the Linux kernel before 5.0.7. A NULL
pointer dereference can occur when megasas_create_frame_pool() fails in
megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c. This causes
a Denial of Service, related to a use-after-free.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/160665
for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-9568
DESCRIPTION: In sk_clone_lock of sock.c, there is a possible memory corruption
due to type confusion. This could lead to local escalation of privilege with no
additional execution privileges needed. User interaction is not needed for
exploitation. Product: Android. Versions: Android kernel. Android ID:
A-113509306. References: Upstream kernel.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/153889
for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Security QRadar Packet Capture 7.3.0 to 7.3.2 Patch 1

Remediation/Fixes

IBM Security QRadar Packet Capture 7.3.2 Patch 2

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that
is, please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in the
Security Bulletin above. If you have any questions or need further information,
please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================