-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.4479.2
          IBM QRadar Network Packet Capture updates dependencies
                             28 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           QRadar Network Packet Capture
Publisher:         IBM
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data         -- Remote with User Interaction
                   Increased Privileges           -- Existing Account            
                   Denial of Service              -- Existing Account            
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11810 CVE-2019-9948 CVE-2019-9947
                   CVE-2019-9740 CVE-2019-5489 CVE-2019-3863
                   CVE-2019-3857 CVE-2019-3856 CVE-2019-3855
                   CVE-2019-1559 CVE-2019-1125 CVE-2019-1073
                   CVE-2019-1071 CVE-2018-17972 CVE-2018-9568
                   CVE-2018-0734 CVE-2017-17805 

Reference:         ASB-2019.0289
                   ESB-2019.2489
                   ESB-2019.0169.4
                   ESB-2018.3639

Original Bulletin: 
   https://www.ibm.com/support/pages/node/1115649
   https://www.ibm.com/support/pages/node/1115643
   https://www.ibm.com/support/pages/node/1115655
   https://www.ibm.com/support/pages/node/1116357

Comment: This bulletin contains four (4) IBM security advisories.

Revision History:  November 28 2019: Vendor released advisory covering libssh2
                                     and Linux kernel updates
                   November 27 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

OpenSSL as used by IBM QRadar Network Packet Capture is vulnerable to a timing
side channel attack (CVE-2018-0734)

Security Bulletin

Summary

Covert timing channels convey information by modulating some aspect of system
behavior over time, so that the program receiving the information can observe
system behavior and infer protected information.

Vulnerability Details

CVEID: CVE-2018-0734
DESCRIPTION: The OpenSSL DSA signature algorithm has been shown to be
vulnerable to a timing side channel attack. An attacker could use variations in
the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a
(Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in
OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
152085 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM QRadar Network Packet Capture 7.3.0 to 7.3.2 Patch 2

Remediation/Fixes

IBM QRadar Network Packet Capture 7.3.2 Patch 3

Workarounds and Mitigations

None

- --------------------------------------------------------------------------------

OpenSSL as used by IBM QRadar Network Packet Capture is vulnerable to
(CVE-2019-1559)

Security Bulletin

Summary

The software does not implement a required step in a cryptographic algorithm

Vulnerability Details

CVEID: CVE-2019-1559
DESCRIPTION: If an application encounters a fatal protocol error and then calls
SSL_shutdown() twice (once to send a close_notify, and once to receive one)
then OpenSSL can respond differently to the calling application if a 0 byte
record is received with invalid padding compared to if a 0 byte record is
received with an invalid MAC. If the application then behaves differently based
on that in a way that is detectable to the remote peer, then this amounts to a
padding oracle that could be used to decrypt data. In order for this to be
exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites
are optimised implementations of certain commonly used ciphersuites. Also the
application must call SSL_shutdown() twice even if a protocol error has
occurred (applications should not do this but some do anyway). Fixed in OpenSSL
1.0.2r (Affected 1.0.2-1.0.2q).
CVSS Base score: 5.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
157514 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

Affected Products and Versions

IBM QRadar Network Packet Capture 7.3.0 to 7.3.2 Patch 2

Remediation/Fixes

IBM QRadar Network Packet Capture 7.3.2 Patch 3

Workarounds and Mitigations

None

- --------------------------------------------------------------------------------

Python as used by IBM QRadar Network Packet Capture is vulnerable to Improper
Neutralization of CRLF Sequences in HTTP Headers (CVE-2019-9947, CVE-2019-9948)

Security Bulletin

Summary

The software receives data from an upstream component, but does not neutralize
or incorrectly neutralizes CR and LF characters before the data is included in
outgoing HTTP headers.

Vulnerability Details

CVEID: CVE-2019-9947
DESCRIPTION: An issue was discovered in urllib2 in Python 2.x through 2.7.16
and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the
attacker controls a url parameter, as demonstrated by the first argument to
urllib.request.urlopen with \r\n (specifically in the path component of a URL
that lacks a ? character) followed by an HTTP header or a Redis command. This
is similar to the CVE-2019-9740 query string issue.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
158830 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2019-9948
DESCRIPTION: urllib in Python 2.x through 2.7.16 supports the local_file:
scheme, which makes it easier for remote attackers to bypass protection
mechanisms that blacklist file: URIs, as demonstrated by triggering a
urllib.urlopen('local_file:///etc/passwd') call.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
158831 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
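
The two urllib issues above share one root cause: a caller-supplied URL reaches
the HTTP client without being checked for control characters or for its scheme.
The following is an added example, not Python's or IBM's code, showing the
allow-list validation an application should apply before handing a URL to
urllib, plus a check of the fixed stdlib behaviour. It assumes the application
only ever fetches http/https resources; the hosts example.com and
example.invalid are constructed sample values.

```python
"""Allow-list validation of a caller-supplied URL before it reaches urllib.

Added example (not Python's or IBM's code). Assumptions: the application only
fetches http/https resources; example.com / example.invalid are constructed hosts.
"""
import http.client
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = frozenset({"http", "https"})     # assumption: web fetches only
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+._-]*):")
_CONTROL_RE = re.compile(r"[\x00-\x20\x7f]")       # same class a patched http.client rejects


class UnsafeURL(ValueError):
    """Raised for a URL that must not be handed to urllib."""


def validate_fetch_url(url: str) -> str:
    """Return url unchanged if it is safe to fetch, else raise UnsafeURL.

    Order matters: control characters are rejected before any parsing, because a
    CR/LF in the path or query would otherwise be copied verbatim into the request
    line, ending it early and turning the rest into extra header lines (the
    CVE-2019-9947 / CVE-2019-9740 pattern).
    """
    if _CONTROL_RE.search(url):
        raise UnsafeURL("control character in URL")

    # Take the scheme with a permissive regex rather than urlsplit() alone: urlsplit()
    # does not treat 'local_file' as a scheme (underscore is not a scheme character),
    # so the string would silently parse as a relative path and the scheme would be ''.
    m = _SCHEME_RE.match(url)
    scheme = m.group(1).lower() if m else ""
    # Allow-list, not block-list: a block-list of 'file:' is exactly what the
    # 'local_file:' scheme in CVE-2019-9948 walks around.
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme {scheme!r} is not permitted")

    parts = urlsplit(url)
    if not parts.hostname:
        raise UnsafeURL("URL has no host")
    return url


def is_safe_url(url: str) -> bool:
    """Boolean form of validate_fetch_url() for callers that only need a verdict."""
    try:
        validate_fetch_url(url)
        return True
    except UnsafeURL:
        return False


def python_rejects_crlf_path() -> bool:
    """Show the fixed stdlib behaviour: since the CVE-2019-9947 fix, http.client
    raises InvalidURL for a request path containing control characters.
    putrequest() only buffers the request line, so this runs without network access.
    """
    conn = http.client.HTTPConnection("example.invalid")   # constructed host, never contacted
    try:
        conn.putrequest("GET", "/index\r\nX-Injected: 1")
    except http.client.InvalidURL:
        return True
    finally:
        conn.close()
    return False


if __name__ == "__main__":
    for candidate in ("https://example.com/search?q=1",
                      "http://example.com/a\r\nX-Injected: 1",
                      "local_file:///etc/passwd",
                      "file:///etc/passwd"):
        try:
            print("OK     ", validate_fetch_url(candidate))
        except UnsafeURL as e:
            print("REJECT ", repr(candidate), "->", e)
    print("http.client rejects CR/LF path:", python_rejects_crlf_path())
```

The scheme allow-list is the part that matters for CVE-2019-9948: any check
written as "reject file:" is a block-list and is defeated by a scheme alias the
author did not anticipate, whereas "accept only http and https" needs no
knowledge of which aliases urllib happens to support.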

Affected Products and Versions

IBM QRadar Network Packet Capture 7.3.0 to 7.3.2 Patch 2

Remediation/Fixes

IBM QRadar Network Packet Capture 7.3.2 Patch 3

Workarounds and Mitigations

None

- --------------------------------------------------------------------------------

IBM Security QRadar Packet Capture is vulnerable to Using Components with Known
Vulnerabilities

Summary

The product includes vulnerable components (e.g., framework libraries) that may
be identified and exploited with automated tools.

Vulnerability Details

CVEID: CVE-2019-3855
DESCRIPTION: An integer overflow flaw which could lead to an out of bounds
write was discovered in libssh2 before 1.8.1 in the way packets are read from
the server. A remote attacker who compromises an SSH server may be able to
execute code on the client system when a user connects to the server.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
158339 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-3856
DESCRIPTION: An integer overflow flaw, which could lead to an out of bounds
write, was discovered in libssh2 before 1.8.1 in the way keyboard prompt
requests are parsed. A remote attacker who compromises an SSH server may be
able to execute code on the client system when a user connects to the server.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
158340 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-3857
DESCRIPTION: An integer overflow flaw which could lead to an out of bounds
write was discovered in libssh2 before 1.8.1 in the way SSH_MSG_CHANNEL_REQUEST
packets with an exit signal are parsed. A remote attacker who compromises an
SSH server may be able to execute code on the client system when a user
connects to the server.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
158341 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-3863
DESCRIPTION: A flaw was found in libssh2 before 1.8.1. A server could send
multiple keyboard-interactive response messages whose total length is greater
than the maximum value of an unsigned char. This value is used as an index when
copying memory, causing an out-of-bounds memory write.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
158347 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
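
The four libssh2 entries above are the same defect in three places: a length
or count chosen by the server is trusted before it is compared with the bytes
actually received, or is accumulated in an integer too small to hold it. The
following is an added example, not libssh2's code, written to show the checks a
client-side parser of SSH wire data needs so that such a field is refused
instead of driving an out-of-bounds write. It parses the keyboard-interactive
request format that CVE-2019-3856 and CVE-2019-3863 concern. Assumptions: the
35000-byte cap is the packet size RFC 4253 requires implementations to accept;
the 255-byte response cap and all sample packets are constructed for this
example.

```python
"""Length-checked parsing of SSH wire data.

Added example (not libssh2's code). Assumptions: MAX_PACKET_LEN follows RFC 4253;
MAX_RESPONSE_TOTAL and the sample packets below are constructed for this example.
"""
import struct

MAX_PACKET_LEN = 35000    # RFC 4253 section 6.1: size an implementation must accept
MAX_RESPONSE_TOTAL = 255  # constructed cap for the multi-message accumulator below


class MalformedPacket(ValueError):
    """A length or count field disagrees with the bytes actually received."""


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_uint32(buf: bytes, off: int) -> tuple:
    if len(buf) - off < 4:
        raise MalformedPacket(f"need 4 bytes at offset {off}, have {len(buf) - off}")
    return struct.unpack_from(">I", buf, off)[0], off + 4


def read_string(buf: bytes, off: int) -> tuple:
    """Read one SSH string. The comparison is 'length > remaining', never
    'off + length > len(buf)': in a C parser that sum can wrap a 32-bit size to
    a small value and pass the check (the CVE-2019-3855 shape)."""
    length, off = read_uint32(buf, off)
    remaining = len(buf) - off
    if length > remaining:
        raise MalformedPacket(f"string length {length} exceeds remaining {remaining} bytes")
    return buf[off:off + length], off + length


def parse_info_request(buf: bytes) -> dict:
    """Parse an SSH_MSG_USERAUTH_INFO_REQUEST body (RFC 4256 section 3.2):
    string name, string instruction, string language-tag, uint32 num-prompts,
    then num-prompts times (string prompt, boolean echo)."""
    if len(buf) > MAX_PACKET_LEN:
        raise MalformedPacket(f"packet of {len(buf)} bytes exceeds {MAX_PACKET_LEN}")
    name, off = read_string(buf, 0)
    instruction, off = read_string(buf, off)
    _language, off = read_string(buf, off)
    num_prompts, off = read_uint32(buf, off)
    # Every prompt occupies at least 5 bytes (4-byte length + 1-byte echo flag), so a
    # count above remaining // 5 cannot be genuine. Rejecting it here keeps the
    # server-chosen count out of any allocation or multiplication (CVE-2019-3856).
    if num_prompts > (len(buf) - off) // 5:
        raise MalformedPacket(f"{num_prompts} prompts cannot fit in {len(buf) - off} bytes")
    prompts = []
    for _ in range(num_prompts):
        prompt, off = read_string(buf, off)
        if off >= len(buf):
            raise MalformedPacket("prompt is missing its echo flag")
        prompts.append((prompt.decode("utf-8", "replace"), buf[off] != 0))
        off += 1
    if off != len(buf):
        raise MalformedPacket(f"{len(buf) - off} unexpected trailing bytes")
    return {"name": name.decode("utf-8", "replace"),
            "instruction": instruction.decode("utf-8", "replace"),
            "prompts": prompts}


def accumulate_responses(chunks, max_total: int = MAX_RESPONSE_TOTAL) -> bytes:
    """Join a response delivered across several messages. The running total is a
    Python int (no fixed width) and is checked against max_total before each copy,
    so an oversized total is refused rather than being truncated to a small type
    and reused as a copy index (the CVE-2019-3863 shape)."""
    total = 0
    out = bytearray()
    for chunk in chunks:
        total += len(chunk)
        if total > max_total:
            raise MalformedPacket(f"response total {total} exceeds {max_total}")
        out += chunk
    return bytes(out)


def is_well_formed(buf: bytes) -> bool:
    try:
        parse_info_request(buf)
        return True
    except MalformedPacket:
        return False


# Constructed sample packets (not captured traffic).
GOOD_PACKET = (ssh_string(b"") + ssh_string(b"Second factor") + ssh_string(b"")
               + struct.pack(">I", 1) + ssh_string(b"OTP: ") + b"\x01")
HUGE_LENGTH = (ssh_string(b"") * 3 + struct.pack(">I", 1)
               + struct.pack(">I", 0xFFFFFFFF) + b"abc")       # claims 4 GiB, sends 3 bytes
HUGE_COUNT = ssh_string(b"") * 3 + struct.pack(">I", 0x40000000)  # 2**30 prompts, 0 bytes

if __name__ == "__main__":
    print(parse_info_request(GOOD_PACKET))
    for label, pkt in (("huge length", HUGE_LENGTH), ("huge count", HUGE_COUNT)):
        print(label, "->", "accepted" if is_well_formed(pkt) else "rejected")
    print(len(accumulate_responses([b"a" * 100, b"b" * 100])), "bytes accumulated")
```

Python integers do not overflow, so the point of the example is the shape of the
checks rather than the language: compare a claimed length against the bytes that
remain, bound a count by the space it would have to fit in before using it, and
keep running totals in a type wide enough to hold the worst case.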

CVEID: CVE-2019-1559
DESCRIPTION: If an application encounters a fatal protocol error and then calls
SSL_shutdown() twice (once to send a close_notify, and once to receive one)
then OpenSSL can respond differently to the calling application if a 0 byte
record is received with invalid padding compared to if a 0 byte record is
received with an invalid MAC. If the application then behaves differently based
on that in a way that is detectable to the remote peer, then this amounts to a
padding oracle that could be used to decrypt data. In order for this to be
exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites
are optimised implementations of certain commonly used ciphersuites. Also the
application must call SSL_shutdown() twice even if a protocol error has
occurred (applications should not do this but some do anyway). Fixed in OpenSSL
1.0.2r (Affected 1.0.2-1.0.2q).
CVSS Base score: 5.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
157514 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

CVEID: CVE-2019-5489
DESCRIPTION: The mincore() implementation in mm/mincore.c in the Linux kernel
through 4.19.13 allowed local attackers to observe page cache access patterns
of other processes on the same system, potentially allowing sniffing of secret
information. (Fixing this affects the output of the fincore program.) Limited
remote exploitation may be possible, as demonstrated by latency differences in
accessing public files from an Apache HTTP Server.
CVSS Base score: 5.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
155197 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2019-1125
DESCRIPTION: An information disclosure vulnerability exists when certain
central processing units (CPU) speculatively access memory, aka 'Windows Kernel
Information Disclosure Vulnerability'. This CVE ID is unique from
CVE-2019-1071, CVE-2019-1073.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
162990 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

CVEID: CVE-2018-17972
DESCRIPTION: An issue was discovered in the proc_pid_stack function in fs/proc/
base.c in the Linux kernel through 4.18.11. It does not ensure that only root
may inspect the kernel stack of an arbitrary task, allowing a local attacker to
exploit racy stack unwinding and leak kernel task stack contents.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
150826 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2017-17805
DESCRIPTION: The Salsa20 encryption algorithm in the Linux kernel before 4.14.8
does not correctly handle zero-length inputs, allowing a local attacker able to
use the AF_ALG-based skcipher interface (CONFIG_CRYPTO_USER_API_SKCIPHER) to
cause a denial of service (uninitialized-memory free and kernel crash) or have
unspecified other impact by executing a crafted sequence of system calls that
use the blkcipher_walk API. Both the generic implementation (crypto/
salsa20_generic.c) and x86 implementation (arch/x86/crypto/salsa20_glue.c) of
Salsa20 were vulnerable.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
136626 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-11810
DESCRIPTION: An issue was discovered in the Linux kernel before 5.0.7. A NULL
pointer dereference can occur when megasas_create_frame_pool() fails in
megasas_alloc_cmds() in drivers/scsi/megaraid/megaraid_sas_base.c. This causes
a Denial of Service, related to a use-after-free.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
160665 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-9568
DESCRIPTION: In sk_clone_lock of sock.c, there is a possible memory corruption
due to type confusion. This could lead to local escalation of privilege with no
additional execution privileges needed. User interaction is not needed for
exploitation. Product: Android. Versions: Android kernel. Android ID:
A-113509306. References: Upstream kernel.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
153889 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Security QRadar Packet Capture 7.3.0 to 7.3.2 Patch 1

Remediation/Fixes

IBM Security QRadar Packet Capture 7.3.2 Patch 2

Workarounds and Mitigations

None

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----