-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0934
 GSKit Trust Anchor vulnerability in Tivoli Access Manager for e-business
                              2 October 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Tivoli Access Manager for e-business
Publisher:         IBM
Operating System:  Windows
                   Linux variants
                   HP-UX
                   Solaris
                   AIX
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-2203  

Reference:         ESB-2012.0929

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21612390

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: GSKit Trust Anchor vulnerability in Tivoli Access Manager
for e-business (CVE-2012-2203)

Flash (Alert)

Abstract
A vulnerability has been identified in the GSKit component utilized by Tivoli
Access Manager for e-business (TAM) such that trust anchors can be inserted
without detection. Remediation for the issue consists of upgrading affected
GSKit 7 versions to version 7.0.4.42 or higher following the instructions at
the end of this bulletin.

Content

VULNERABILITY DETAILS

CVE ID: 
CVE-2012-2203

DESCRIPTION: 
A vulnerability has been discovered in the import of certificates from a
PKCS#12 file. Such certificates are used in a number of places by TAM client
and server components, and the GSKit components used by TAM support importing
PKCS#12 files. The vulnerability exists because trust anchors can be inserted
into the file without being detected at import. Should someone with file-level
access to the PKCS#12 source file succeed in adding trust anchors before the
import, an SSL/TLS connection that would normally have been rejected for lack
of a chain of trust can succeed. For example, an attacker could use a crafted
certificate to establish a TLS connection to the TAM WebSEAL component because
the certification authority trust anchor imported alongside the WebSEAL server
certificate had been compromised. The attack requires access to the PKCS#12
source file and sufficient permissions to modify that file. Specialized
knowledge and techniques are required. An exploit would not impact the
availability of the compromised system, but it could impact the
confidentiality of information and the integrity of data.
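The check a practitioner would want before a PKCS#12 file reaches a TAM key database, as an added example that is not part of IBM's bulletin or of GSKit: enumerate every certificate the file carries, fingerprint each one, and compare the set against an allow-list pinned from the known-good certificate files. An extra trust anchor of the kind described above shows up as a fingerprint that is not on the list. It assumes the openssl command-line tool is on PATH; the CA names, the file names and the password changeit are constructed fixtures. This is a detective control around the import step, not a substitute for the GSKit upgrade: affected builds import the inserted anchor without complaint, and nothing in this script changes that.

```shell
#!/bin/sh
# Added example, not IBM's code: pre-import integrity check for a PKCS#12 file.
# Assumptions: the openssl CLI is on PATH; the certificates that are SUPPOSED
# to be in the file (the leaf and its issuing chain) are pinned in advance as
# SHA-256 fingerprints, one per line, in an allow-list file.

# Print one SHA-256 fingerprint per certificate in the PKCS#12 file, sorted.
# Returns 2 if the file cannot be opened with the given password.
p12_fingerprints() {
    pem=$(openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null) || return 2
    printf '%s\n' "$pem" |
    awk 'BEGIN { cmd = "openssl x509 -noout -fingerprint -sha256" }
         /-----BEGIN CERTIFICATE-----/ { buf = ""; keep = 1 }
         keep { buf = buf $0 "\n" }
         /-----END CERTIFICATE-----/ { keep = 0; printf "%s", buf | cmd; close(cmd) }' |
    sed 's/^.*Fingerprint=//' | tr 'a-f' 'A-F' | sort
}

# Compare the file's certificates with the allow-list ($3).
# Status 0: exactly the pinned certificates; 1: extra certificate(s), printed
# one fingerprint per line; 2: file unreadable or wrong password.
# A bad password is a hard failure on purpose: an unreadable file must never
# pass as "clean".
p12_check() {
    found=$(p12_fingerprints "$1" "$2") || return 2
    [ -n "$found" ] || return 2
    extra=$(printf '%s\n' "$found" | grep -v -x -F -f "$3" || true)
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

# Constructed fixture in directory $1: a corporate CA, a server certificate it
# issued, good.p12 with exactly that chain, tampered.p12 that also carries a
# second ("rogue") CA as an extra trust anchor, and allow.txt derived from the
# known-good certificate files, never from the PKCS#12 being checked.
build_fixture() (
    cd "$1" || exit 1
    for ca in ca rogue; do
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$ca.key" \
            -out "$ca.crt" -subj "/CN=$ca" -days 1 >/dev/null 2>&1
    done
    openssl req -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
        -subj "/CN=webseal.example" >/dev/null 2>&1
    openssl x509 -req -in srv.csr -CA ca.crt -CAkey ca.key -set_serial 1 \
        -out srv.crt -days 1 >/dev/null 2>&1
    openssl pkcs12 -export -in srv.crt -inkey srv.key -certfile ca.crt \
        -out good.p12 -passout pass:changeit
    cat ca.crt rogue.crt > chain_plus_rogue.pem
    openssl pkcs12 -export -in srv.crt -inkey srv.key \
        -certfile chain_plus_rogue.pem -out tampered.p12 -passout pass:changeit
    for c in srv.crt ca.crt; do
        openssl x509 -in "$c" -noout -fingerprint -sha256
    done | sed 's/^.*Fingerprint=//' | tr 'a-f' 'A-F' > allow.txt
)

# Run the check on the fixture. Succeeds only if good.p12 passes and
# tampered.p12 is rejected with exactly one unexpected certificate.
demo_p12_check() {
    dir=$(mktemp -d) || return 1
    build_fixture "$dir" || return 1
    p12_check "$dir/good.p12" changeit "$dir/allow.txt" >/dev/null || return 1
    extra=$(p12_check "$dir/tampered.p12" changeit "$dir/allow.txt" || true)
    rm -rf "$dir"
    [ "$(printf '%s\n' "$extra" | sed '/^$/d' | wc -l | tr -d ' ')" -eq 1 ]
}

if [ "${1:-}" = demo ]; then
    demo_p12_check && echo "good.p12 accepted, tampered.p12 rejected (1 extra trust anchor)"
fi
```

Run it as `sh check_p12.sh demo`. In production the allow-list must come from the CA's published certificates or the key pair's own export record, not from the PKCS#12 under test, and the file should be readable only by the account performing the import, since write access to it is the whole precondition for the attack. On OpenSSL 3 hosts, PKCS#12 files written with the old RC2-40 encryption need the extra `-legacy` option on the `openssl pkcs12` command before they will open.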

CVSS:
CVSS Base Score: 5.8
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Details: http://xforce.iss.net/xforce/xfdb/77280

AFFECTED PLATFORMS
All supported Tivoli Access Manager versions are affected if they use GSKit
7.0.x.x builds up to and including 7.0.4.40.


REMEDIATION: 
1.	Determine the GSKit version on TAM systems. 
2.	If an affected version is present, upgrade to GSKit version 7.0.4.42 or
	higher as soon as possible.
3.	Obtain the updated GSKit installation packages from this URL:
	https://www14.software.ibm.com/webapp/iwm/web/reg/pick.do?source=gskitupdt
4.	Upgrade your GSKit version following the instructions at the end of
	this bulletin.


Workaround(s): 
No workaround.


INSTRUCTIONS FOR UPGRADING GSKIT TO VERSION 7.0.4.42

Note:
IBM Global Security Toolkit (GSKit) version 7.0.4.33 and higher supports RFC
5746 (TLS Renegotiation Indication Extension). Therefore, the security exposure
CVE-2009-3555 (TLS/SSL Protocol Vulnerability) is not applicable to these
versions of GSKit. 

Upgrade the IBM Global Security Toolkit (GSKit) to version 7.0.4.42. The 32-bit
version must be used regardless of system architecture.

Instructions for installing GSKit may also be found in the IBM Tivoli Access
Manager for e-business Installation Guide, under the section "Reference
information > Installing prerequisite products".


To upgrade GSKit on AIX:

1. Install the patch:

installp -a -X -g -d . gskta.rte

for 64 bit also install
installp -a -X -g -d . gsksa.rte

2. From the command line, run the following commands to stop and
restart the Tivoli Access Manager processes:

pd_start stop
pd_start start

3. Confirm that the upgrade was successful by following the
instructions in the section "Confirm that GSKit was updated".


To upgrade GSKit on HP/UX:

Note: On HP Integrity servers use gsk7bas32 instead of gsk7bas.

1. Uncompress and extract the file from gsk7bas.tar.Z

2. Install the patch:

swinstall -s $PATH/gsk7bas gsk7bas

where $PATH stands for the directory containing the gsk7bas package.
Substitute that directory literally; do not assign it to the shell's
PATH variable, which would break command lookup for the rest of the
session.

3. Ensure that the following path has been set in your .profile,
and verify it:

SHLIB_PATH=/usr/lib

To set this path, enter the following command (HP-UX separates
SHLIB_PATH entries with a colon; a semicolon would end the command
and try to run the old value of SHLIB_PATH as a command):

export SHLIB_PATH=/usr/lib:$SHLIB_PATH

After you install GSKit, no configuration is necessary.
Note that the SHLIB_PATH is only required to run the iKeyman
key management utility (gsk7ikm), which is installed with the
GSKit package. This enables you to create key databases,
public-private key pairs, and certificate requests. For more
information about gsk7ikm, see the Secure Sockets Layer
Introduction and iKeyman User's Guide.

4. From the command line, run the following commands to stop
and restart the Tivoli Access Manager processes:

pd_start stop
pd_start start

5. Confirm that the upgrade was successful by following the
instructions in the section "Confirm that GSKit was updated".


To upgrade GSKit on Linux:

1. Install the patch:

At the command prompt, enter the following:

rpm -U <patchname>

where <patchname> is one of the following:

Linux on xSeries(R)
Red Hat
gsk7bas-7.0.4.42.i386.rpm

Suse SLES8
gsk7bas-7.0.4.42.i386.rpm

Linux on zSeries

gsk7bas-7.0.4.42.s390.rpm

Linux on pSeries(R) and iSeries

gsk7bas-7.0.4.42.ppc32.rpm


If Tivoli Access Manager is already configured, you
might need to install with the --noscripts flag:

rpm -U --noscripts <patchname>



2. From the command line, run the following commands to stop
and restart the Tivoli Access Manager processes:

pd_start stop
pd_start start

3. Confirm that the upgrade was successful by following the
instructions in the section "Confirm that GSKit was updated".


To upgrade GSKit on Solaris:

1. Uncompress and extract the file from gsk7bas.tar.Z

2. Install the patch:

pkgadd -a none -d . gsk7bas

a. Answer 'y' when asked whether to overwrite an
installed instance directory

b. When prompted for a package base directory,
enter /opt if GSKit is installed in the default
location. Otherwise, specify the appropriate
location.

3. From the command line, run the following commands to stop
and restart the Tivoli Access Manager processes:

pd_start stop
pd_start start

4. Confirm that the upgrade was successful by following the
instructions in the section "Confirm that GSKit was updated".


To upgrade GSKit on Microsoft Windows:


1. Extract the GSKit upgrade package:

gsk7bas.exe gsk7bas
cd gsk7bas

2. Use the following command to upgrade GSKit:

setup gsk7 <location> -sf1".\setup.iss"

where <location> is the drive and parent directory to your
desired GSKit install location.

NOTE: The GSKit installation program does not recognize spaces
in the <location> string. Therefore, if GSKit was
originally installed in:

C:\Program Files\ibm\gsk7

you must specify the location using the following
syntax, which eliminates the spaces:

C:\Progra~1\ibm\gsk7

The complete command for this example would be:

setup gsk7 c:\Progra~1\ibm\gsk7 -sf1".\setup.iss"

After entering the setup command, an InstallShield window
is displayed. Follow the installation directions. In the window
where you are prompted for the destination location, you must
change the default location from:

C:\Program Files\ibm\gsk7
to:

C:\Progra~1\ibm\gsk7

or to whatever install location is applicable.

3. Shut down and reboot the system.

4. Confirm that the upgrade was successful by following the
instructions in the section "Confirm that GSKit was updated".


Confirm that GSKit was updated

After upgrading to the version of GSKit included with this patch,
the GSKit PRODUCT VERSION should be 7.0.4.42 for ALL components
of the GSKit toolkit.

To determine the version of GSKit installed, use the following
command on any platform:

gsk7ver

NOTE: On HP-UX, you might need to add the following path in your
profile for the above command to work:

SHLIB_PATH=/usr/lib
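Steps 1 and 2 of the REMEDIATION section (determine the GSKit version, decide whether it is affected) and the confirmation step above are easy to get wrong when scripted across a fleet, because a string comparison ranks 7.0.4.9 above 7.0.4.42 and `sort -V` is a GNU extension that AIX, HP-UX and Solaris do not ship. The following POSIX shell script, an added example that is not part of IBM's bulletin, reads gsk7ver output, extracts each component's Product Version and compares it with 7.0.4.42 field by field as numbers, reporting a non-zero status unless every component is at the fixed level. It assumes gsk7ver prints one "Product Version:" line per installed component; the two sample outputs are constructed in that shape and are not real gsk7ver captures.

```shell
#!/bin/sh
# Added example, not IBM's code: decide from gsk7ver output whether a host
# still runs an affected GSKit 7 build, i.e. anything below 7.0.4.42.
# Assumption: gsk7ver prints one "Product Version: a.b.c.d" line per installed
# GSKit component; the two sample outputs below are constructed in that shape.

FIXED_GSKIT=7.0.4.42

# version_lt A B: status 0 if A < B, comparing each dotted field as a number.
# A plain string compare would rank 7.0.4.9 above 7.0.4.42, and sort -V is a
# GNU extension that AIX, HP-UX and Solaris do not ship.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "[.]"); nb = split(b, y, "[.]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            fa = (i <= na) ? x[i] + 0 : 0
            fb = (i <= nb) ? y[i] + 0 : 0
            if (fa < fb) exit 0
            if (fa > fb) exit 1
        }
        exit 1          # equal
    }'
}

# Read gsk7ver output on stdin and print one verdict line per component.
# Status 0 only when EVERY component is at 7.0.4.42 or higher, which is what
# the "Confirm that GSKit was updated" section requires.
gskit_status() {
    rc=0
    for v in $(awk '/Product Version/ { print $NF }'); do
        if version_lt "$v" "$FIXED_GSKIT"; then
            echo "$v AFFECTED: upgrade to $FIXED_GSKIT or higher"
            rc=1
        else
            echo "$v fixed"
        fi
    done
    return $rc
}

# Constructed sample outputs (see the assumption above).
SAMPLE_AFFECTED='IBM Global Security Kit
Product Version: 7.0.4.33
Product Name: gsk7bas
Product Version: 7.0.4.9
Product Name: gsk7ikm'

SAMPLE_FIXED='IBM Global Security Kit
Product Version: 7.0.4.42
Product Name: gsk7bas
Product Version: 7.0.4.42
Product Name: gsk7ikm'

# On a real TAM host replace the sample with:  gsk7ver | gskit_status
printf '%s\n' "$SAMPLE_AFFECTED" | gskit_status ||
    echo "=> at least one component needs the GSKit $FIXED_GSKIT upgrade"
```

On a TAM host the invocation is `gsk7ver | gskit_status` (on HP-UX with SHLIB_PATH set first, as noted above); a non-zero exit status means at least one GSKit component is still below 7.0.4.42 and the upgrade is incomplete on that host, even if gsk7bas itself reports the new level.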


RELATED INFORMATION: 

	CVE-2012-2203
	Complete CVSS Guide
	IBM Secure Engineering Web Portal
	IBM Product Security Incident Response Blog


*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines
Corp., registered in many jurisdictions worldwide. Other product and service
names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the Web at "Copyright and trademark information" at
www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----