-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0933
        GSKit SSL/TLS Record Length vulnerability in Tivoli Access
                          Manager for e-business
                              2 October 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Tivoli Access Manager for e-business
Publisher:         IBM
Operating System:  Windows
                   Linux variants
                   HP-UX
                   Solaris
                   AIX
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-2191  

Reference:         ESB-2012.0726

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21612378

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: GSKit SSL/TLS Record Length vulnerability in Tivoli Access
Manager for e-business (CVE-2012-2191)

Flash (Alert)

Abstract
A vulnerability has been identified in the GSKit component utilized by Tivoli
Access Manager for e-business (TAM). A specifically crafted malformed SSL/TLS
data packet can cause the TAM server component using GSKit to segmentation
fault. Remediation for the issue consists of upgrading affected GSKit 7
versions to version 7.0.4.42 or higher following the instructions at the end of
this bulletin.

Content

VULNERABILITY DETAILS

CVE ID: 
CVE-2012-2191 

DESCRIPTION: 
TAM uses GSKit for SSL/TLS connections. The GSKit implementations of the CBC and
AEAD cipher suites are vulnerable to an attack using a specifically crafted
malformed SSL/TLS data packet. Several ciphers supported by TAM are included in
these suites. An attacker would need to act as a man-in-the-middle,
intercepting the SSL data stream between a client, such as a web browser, and a
TAM server, such as WebSEAL, that was using an affected cipher, and inject a
malformed data packet into the stream. Were an attacker able to do so, they
could cause the TAM server process to crash. The attack does not require local
network access nor does it require authentication, but highly specialized
knowledge and techniques are required. An exploit would not impact the
confidentiality of information or the integrity of data; however, the
availability of the system could be compromised.

CVSS:
CVSS Base Score: 5
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Details: http://xforce.iss.net/xforce/xfdb/75996

AFFECTED PLATFORMS
All supported Tivoli Access Manager versions are affected if they use GSKit
7.0.x.x builds up to and including 7.0.4.40.


REMEDIATION: 
1.	Determine the GSKit version on each TAM system (see "Confirm that GSKit
	was updated" below for the gsk7ver command).
2.	If an affected version is present, upgrade to GSKit version 7.0.4.42 or
	higher as soon as possible, following the instructions at the end of
	this bulletin.


WORKAROUNDS: 
No workaround


INSTRUCTIONS FOR UPGRADING GSKIT TO VERSION 7.0.4.42

Note:
IBM Global Security Toolkit (GSKit) version 7.0.4.33 and higher supports RFC
5746 (TLS Renegotiation Indication Extension). Therefore, the security exposure
CVE-2009-3555 (TLS/SSL Protocol Vulnerability) is not applicable to these
versions of GSKit. 

Upgrade the IBM Global Security Toolkit (GSKit) to version 7.0.4.42. The 32-bit
version must be used regardless of system architecture.

The updated GSKit installation packages may be downloaded at the URL:

https://www14.software.ibm.com/webapp/iwm/web/reg/pick.do?source=gskitupdt

Instructions for installing GSKit may also be found in the IBM Tivoli Access
Manager for e-business Installation Guide, under the section "Reference
information > Installing prerequisite products".


To upgrade GSKit on AIX:

1. Install the patch:

installp -a -X -g -d . gskta.rte

for 64 bit also install
installp -a -X -g -d . gsksa.rte

2. From the command line, run the following commands to stop and
restart the Tivoli Access Manager processes:

pd_start stop
pd_start start

3. Confirm that the upgrade was successful by following the
instructions in the section "Confirm that GSKit was updated".


To upgrade GSKit on HP/UX:

Note: On HP Integrity servers use gsk7bas32 instead of gsk7bas.

1. Uncompress and extract the file from gsk7bas.tar.Z

2. Install the patch:

swinstall -s <directory>/gsk7bas gsk7bas

where <directory> is the directory containing the gsk7bas package. (Do not
use the shell variable $PATH as the placeholder: it is the command search
path, and overwriting it breaks the shell session.)

3. Ensure that SHLIB_PATH includes /usr/lib by setting it in your .profile:

export SHLIB_PATH=/usr/lib:$SHLIB_PATH

Note that the separator is a colon. A semicolon would end the command, and
the shell would then try to run the contents of $SHLIB_PATH as a program.

After you install GSKit, no configuration is necessary.
Note that the SHLIB_PATH is only required to run the iKeyman
key management utility (gsk7ikm), which is installed with the
GSKit package. This enables you to create key databases,
public-private key pairs, and certificate requests. For more
information about gsk7ikm, see the Secure Sockets Layer
Introduction and iKeyman User's Guide.

4. From the command line, run the following commands to stop
and restart the Tivoli Access Manager processes:

pd_start stop
pd_start start

5. Confirm that the upgrade was successful by following the
instructions in the section "Confirm that GSKit was updated".


To upgrade GSKit on Linux:

1. Install the patch:

At the command prompt, enter the following:

rpm -U <patchname>

where <patchname> is one of the following:

Linux on xSeries(R)
Red Hat
gsk7bas-7.0.4.42.i386.rpm

Suse SLES8
gsk7bas-7.0.4.42.i386.rpm

Linux on zSeries

gsk7bas-7.0.4.42.s390.rpm

Linux on pSeries(R) and iSeries

gsk7bas-7.0.4.42.ppc32.rpm


If Tivoli Access Manager is already configured, you
might need to install with the --noscripts flag:

rpm -U --noscripts <patchname>



2. From the command line, run the following commands to stop
and restart the Tivoli Access Manager processes:

pd_start stop
pd_start start

3. Confirm that the upgrade was successful by following the
instructions in the section "Confirm that GSKit was updated".


To upgrade GSKit on Solaris:

1. Uncompress and extract the file from gsk7bas.tar.Z

2. Install the patch:

pkgadd -a none -d . gsk7bas

a. Answer 'y' when asked whether to overwrite an
installed instance directory

b. When prompted for a package base directory,
enter /opt if GSKit is installed in the default
location. Otherwise, specify the appropriate
location.

3. From the command line, run the following commands to stop
and restart the Tivoli Access Manager processes:

pd_start stop
pd_start start

4. Confirm that the upgrade was successful by following the
instructions in the section "Confirm that GSKit was updated".


To upgrade GSKit on Microsoft Windows:


1. Extract the GSKit upgrade package:

gsk7bas.exe gsk7bas
cd gsk7bas

2. Use the following command to upgrade GSKit:

setup gsk7 <location> -sf1".\setup.iss"

where <location> is the drive and parent directory to your
desired GSKit install location.

NOTE: The GSKit installation program does not recognize spaces
in the <location> string. Therefore, if GSKIT was
originally installed in:

C:\Program Files\ibm\gsk7

you must specify the location using the following
syntax, which eliminates the spaces:

C:\Progra~1\ibm\gsk7

The complete command for this example would be:

setup gsk7 c:\Progra~1\ibm\gsk7 -sf1".\setup.iss"

After entering the setup command, an InstallShield window
is displayed. Follow the installation directions. In the window
where you are prompted for the destination location, you must
change the default location from:

C:\Program Files\ibm\gsk7
to:

C:\Progra~1\ibm\gsk7

or to whatever install location is applicable.

3. Shut down and reboot the system.

4. Confirm that the upgrade was successful by following the
instructions in the section "Confirm that GSKit was updated".


Confirm that GSKit was updated

After upgrading to the version of GSKit included with this patch,
the GSKit PRODUCT VERSION should be 7.0.4.42 for ALL components
of the GSKit toolkit.

To determine the version of GSKit installed, use the following
command on any platform:

gsk7ver

NOTE: On HP-UX, you might need to add the following to your profile for
the above command to work:

export SHLIB_PATH=/usr/lib:$SHLIB_PATH
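The following shell script is an added example, not part of the IBM bulletin
and not GSKit code, that automates REMEDIATION step 1 and the "Confirm that
GSKit was updated" check on a host: it reads gsk7ver output, extracts the
product version of every component, and compares each numerically against
7.0.4.42 ("or higher", as the bulletin says, so 7.0.4.43 or 7.1.x also pass,
while 7.0.4.4 does not, which a plain string comparison would get wrong). It
assumes that gsk7ver prints one line containing "ProductVersion=" followed by
a dotted version per component; the sample report embedded in the script is
constructed for illustration and is not real gsk7ver output.

```shell
#!/bin/sh
# Added example: verify that every GSKit component reported by gsk7ver is at
# or above the fixed level from the bulletin. Not IBM's code.
# Assumption: gsk7ver emits one "ProductVersion= X.Y.Z.W" line per component.

FIXED_VERSION="7.0.4.42"

# version_ge A B: return 0 when dotted version A >= B, comparing each of the
# first four components numerically (so 7.0.4.42 > 7.0.4.4 and 7.1.0.0 > 7.0.4.42).
# Missing components are treated as 0 (8.0 == 8.0.0.0).
version_ge() {
    a="$1.0.0.0"
    b="$2.0.0.0"
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# check_gskit_report: read a gsk7ver report on stdin, print one verdict per
# component, and return 1 if any component is below FIXED_VERSION or if the
# report contains no ProductVersion line at all (an unreadable report must
# never count as "patched").
check_gskit_report() {
    found=0
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *ProductVersion*) ;;
            *) continue ;;
        esac
        ver=$(printf '%s\n' "$line" | sed -n 's/.*ProductVersion[=: ]*\([0-9][0-9.]*\).*/\1/p')
        [ -n "$ver" ] || continue
        found=1
        if version_ge "$ver" "$FIXED_VERSION"; then
            echo "OK         $ver  $line"
        else
            echo "VULNERABLE $ver  $line"
            bad=1
        fi
    done
    if [ "$found" -ne 1 ]; then
        echo "no ProductVersion lines found in report"
        return 1
    fi
    return "$bad"
}

# Constructed sample reports (illustrative layout, not captured gsk7ver output).
SAMPLE_OK='IBM Global Security Kit
@(#)ProductVersion= 7.0.4.42
@(#)ProductVersion= 7.0.4.42'

# One component left at the last vulnerable build after a partial upgrade.
SAMPLE_MIXED='IBM Global Security Kit
@(#)ProductVersion= 7.0.4.42
@(#)ProductVersion= 7.0.4.40'

# Demo on the constructed sample. On a real TAM host run:  gsk7ver | check_gskit_report
if printf '%s\n' "$SAMPLE_MIXED" | check_gskit_report; then
    echo "all GSKit components at or above $FIXED_VERSION"
else
    echo "upgrade required: at least one GSKit component is below $FIXED_VERSION"
fi
```

The per-component check matters because the bulletin requires 7.0.4.42 for
ALL components; a host where only gskta.rte was updated on AIX, or where the
--noscripts rpm upgrade left an old library behind, shows a mix of versions and
is reported as vulnerable rather than passing on the first line seen.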


RELATED INFORMATION: 

	CVE-2012-2191
	Complete CVSS Guide 
	IBM Secure Engineering Web Portal
	IBM Product Security Incident Response Blog 

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines
Corp., registered in many jurisdictions worldwide. Other product and service
names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the Web at "Copyright and trademark information" at
www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----