-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0934
   GSKit Trust Anchor vulnerability in Tivoli Access Manager for e-business
                               2 October 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Tivoli Access Manager for e-business
Publisher:         IBM
Operating System:  Windows
                   Linux variants
                   HP-UX
                   Solaris
                   AIX
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-2203
Reference:         ESB-2012.0929

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21612390

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: GSKit Trust Anchor vulnerability in Tivoli Access Manager
for e-business (CVE-2012-2203)

Flash (Alert)

Abstract

A vulnerability has been identified in the GSKit component utilized by Tivoli
Access Manager for e-business (TAM) such that trust anchors can be inserted
without detection. Remediation for the issue consists of upgrading affected
GSKit 7 versions to version 7.0.4.42 or higher following the instructions at
the end of this bulletin.

Content

VULNERABILITY DETAILS

CVE ID: CVE-2012-2203

DESCRIPTION: A vulnerability has been discovered with the importing of
certificates when a PKCS#12 file is the source. Such certificates are used in
a number of places by TAM client and server components and the GSKit
components used by TAM support importing PKCS#12 files. The vulnerability
exists because trust anchors can be inserted without detection. Should someone
with file level access to the PKCS#12 source file succeed in adding additional
trust anchors prior to the import, this may result in a successful SSL/TLS
connection that would normally have been rejected due to a missing chain of
trust.
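The description above comes down to one fact: whatever extra certificates a
PKCS#12 file carries alongside the private key become trust anchors when the
file is imported, so the file must be audited before import rather than trusted
because it sits on disk. The script below is an added example and is not part
of the IBM or AusCERT text, nor GSKit tooling: it uses the openssl command line
to list every certificate in a PKCS#12 file other than the one belonging to the
private key (openssl's -cacerts selection) and rejects the file if any of them
is missing from an allowlist of expected SHA-256 fingerprints. The CA names,
the "webseal" leaf, the file names and the "secret" password are all
constructed for the demonstration and generated on the fly in a temporary
directory.

```shell
#!/bin/sh
# Added example (not part of the IBM/AusCERT bulletin): audit the CA
# certificates carried inside a PKCS#12 file before it is imported into a key
# database, and reject the file if it carries any certificate that is not on
# an explicit allowlist of expected trust-anchor fingerprints.
# All keys, certificates, file names and the password are constructed here for
# the demonstration; only openssl, awk and sed are needed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA -> $WORK/NAME.key, $WORK/NAME.crt
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_leaf NAME CA: end-entity certificate for NAME signed by CA
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$1.csr" \
        -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.crt" 2>/dev/null
}

# fingerprint CERT.pem: SHA-256 fingerprint as upper-case hex without colons
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//; s/://g'
}

# ca_fingerprints_in_p12 FILE PASSWORD: one fingerprint per line for every
# certificate in FILE other than the one that matches the private key.
# On import, those extra certificates are what become trust anchors.
ca_fingerprints_in_p12() {
    split="$WORK/split.$$"
    rm -rf "$split" && mkdir "$split"
    # openssl prints the extra certificates as one PEM bundle; split it into
    # one file per certificate so each can be fingerprinted individually
    openssl pkcs12 -in "$1" -nokeys -cacerts -passin "pass:$2" 2>/dev/null |
        awk -v d="$split" '
            /-----BEGIN CERTIFICATE-----/ { n++; f = d "/ca" n ".pem" }
            f != ""                       { print > f }
            /-----END CERTIFICATE-----/   { close(f); f = "" }'
    for c in "$split"/ca*.pem; do
        [ -f "$c" ] && fingerprint "$c"
    done
    return 0
}

# check_p12 FILE PASSWORD ALLOWLIST: returns 0 when every CA certificate in
# FILE is listed in ALLOWLIST (one fingerprint per line), 1 otherwise
check_p12() {
    status=0
    for fp in $(ca_fingerprints_in_p12 "$1" "$2"); do
        if grep -qix "$fp" "$3"; then
            echo "ok      expected trust anchor $fp"
        else
            echo "REJECT  unexpected trust anchor $fp in $1"
            status=1
        fi
    done
    return $status
}

# build_demo: good.p12 carries only the expected CA; tampered.p12 additionally
# carries a second CA certificate, the situation the bulletin describes
build_demo() {
    make_ca expected-ca
    make_ca rogue-ca
    make_leaf webseal expected-ca
    fingerprint "$WORK/expected-ca.crt" > "$WORK/allowlist.txt"
    openssl pkcs12 -export -passout pass:secret \
        -inkey "$WORK/webseal.key" -in "$WORK/webseal.crt" \
        -certfile "$WORK/expected-ca.crt" -out "$WORK/good.p12"
    cat "$WORK/expected-ca.crt" "$WORK/rogue-ca.crt" > "$WORK/chain.pem"
    openssl pkcs12 -export -passout pass:secret \
        -inkey "$WORK/webseal.key" -in "$WORK/webseal.crt" \
        -certfile "$WORK/chain.pem" -out "$WORK/tampered.p12"
}

build_demo
check_p12 "$WORK/good.p12" secret "$WORK/allowlist.txt"
if check_p12 "$WORK/tampered.p12" secret "$WORK/allowlist.txt"; then
    echo "tampered file unexpectedly accepted"
    exit 1
else
    echo "tampered file rejected as intended"
fi
```

The check is deliberately stricter than "is the extra certificate self-signed":
every certificate that will be imported as a trust anchor must be on the list,
whatever its form. Two caveats follow from the bulletin itself: the allowlist
is only as good as its own protection (an attacker with write access to the
PKCS#12 file should not also be able to edit the list), and this audit is a
control around the import, not a substitute for the GSKit upgrade that fixes
the detection gap.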
For example, an attacker could use a crafted certificate to establish a TLS
connection to the TAM WebSEAL component because the certification authority
trust anchor in the WebSEAL server certificate had been compromised. The attack
requires access to the PKCS#12 source file and sufficient permissions to modify
that file. Specialized knowledge and techniques are required. An exploit would
not impact accessibility of the compromised system, but it could impact the
confidentiality of information and the integrity of data.

CVSS:
CVSS Base Score: 5.8
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Details: http://xforce.iss.net/xforce/xfdb/77280

AFFECTED PLATFORMS

All supported Tivoli Access Manager versions are affected if they use GSKit
7.0.x.x builds before and including 7.0.4.40

REMEDIATION:

1. Determine the GSKit version on TAM systems.
2. If an affected version is present, upgrade to GSKit version 7.0.4.42 or
   higher as soon as possible.
3. Obtain the updated GSKit installation packages from this URL:
   https://www14.software.ibm.com/webapp/iwm/web/reg/pick.do?source=gskitupdt
4. Upgrade your GSKit version following the instructions at the end of this
   bulletin.

Workaround(s): No workaround.

INSTRUCTIONS FOR UPGRADING GSKIT TO VERSION 7.0.4.42

Note: IBM Global Security Toolkit (GSKit) version 7.0.4.33 and higher supports
RFC 5746 (TLS Renegotiation Indication Extension). Therefore, the security
exposure CVE-2009-3555 (TLS/SSL Protocol Vulnerability) is not applicable to
these versions of GSKit.

Upgrade the IBM Global Security Toolkit (GSKit) to version 7.0.4.42. The 32-bit
version must be used regardless of system architecture.

Instructions for installing GSKit may also be found in the IBM Tivoli Access
Manager for e-business Installation Guide, under the section "Reference
information > Installing prerequisite products".

To upgrade GSKit on AIX:

1. Install the patch:
   installp -a -X -g -d . gskta.rte
   for 64 bit also install
   installp -a -X -g -d . gsksa.rte
2. From the command line, run the following commands to stop and restart the
   Tivoli Access Manager processes:
   pd_start stop
   pd_start start
3. Confirm that the upgrade was successful by following the instructions in
   the section "Confirm that GSKit was updated".

To upgrade GSKit on HP/UX:

Note: On HP Integrity servers use gsk7bas32 instead of gsk7bas.

1. Uncompress and extract the file from gsk7bas.tar.Z
2. Install the patch:
   swinstall -s $PATH/gsk7bas gsk7bas
   where $PATH is the directory with gsk7bas package.
3. Ensure that you set and verify that the following path has been set in
   your .profile:
   SHLIB_PATH=/usr/lib
   To set this path, enter the following command (the path separator is a
   colon):
   export SHLIB_PATH=/usr/lib:$SHLIB_PATH
   After you install GSKit, no configuration is necessary. Note that the
   SHLIB_PATH is only required to run the iKeyman key management utility
   (gsk7ikm), which is installed with the GSKit package. This enables you to
   create key databases, public-private key pairs, and certificate requests.
   For more information about gsk7ikm, see the Secure Sockets Layer
   Introduction and iKeyman User's Guide.
4. From the command line, run the following commands to stop and restart the
   Tivoli Access Manager processes:
   pd_start stop
   pd_start start
5. Confirm that the upgrade was successful by following the instructions in
   the section "Confirm that GSKit was updated".

To upgrade GSKit on Linux:

1. Install the patch:
   At the command prompt, enter the following:
   rpm -U <patchname>
   where <patchname> is one of the following:
   Linux on xSeries(R) Red Hat        gsk7bas-7.0.4.42.i386.rpm
   Suse SLES8                         gsk7bas-7.0.4.42.i386.rpm
   Linux on zSeries                   gsk7bas-7.0.4.42.s390.rpm
   Linux on pSeries(R) and iSeries    gsk7bas-7.0.4.42.ppc32.rpm
   If Tivoli Access Manager is already configured, you might need to install
   with the --noscripts flag:
   rpm -U --noscripts <patchname>
2. From the command line, run the following commands to stop and restart the
   Tivoli Access Manager processes:
   pd_start stop
   pd_start start
3. Confirm that the upgrade was successful by following the instructions in
   the section "Confirm that GSKit was updated".

To upgrade GSKit on Solaris:

1. Uncompress and extract the file from gsk7bas.tar.Z
2. Install the patch:
   pkgadd -a none -d . gsk7bas
   a. Answer 'y' when asked whether to overwrite an installed instance
      directory
   b. When prompted for a package base directory, enter /opt if GSKit is
      installed in the default location. Otherwise, specify the appropriate
      location.
3. From the command line, run the following commands to stop and restart the
   Tivoli Access Manager processes:
   pd_start stop
   pd_start start
4. Confirm that the upgrade was successful by following the instructions in
   the section "Confirm that GSKit was updated".

To upgrade GSKit on Microsoft Windows:

1. Extract the GSKit upgrade package:
   gsk7bas.exe gsk7bas
   cd gsk7bas
2. Use the following command to upgrade GSKit:
   setup gsk7 <location> -sf1".\setup.iss"
   where <location> is the drive and parent directory to your desired GSKit
   install location.
   NOTE: The GSKit installation program does not recognize spaces in the
   <location> string. Therefore, if GSKIT was originally installed in:
   C:\Program Files\ibm\gsk7
   you must specify the location using the following syntax, which eliminates
   the spaces:
   C:\Progra~1\ibm\gsk7
   The complete command for this example would be:
   setup gsk7 c:\Progra~1\ibm\gsk7 -sf1".\setup.iss"
   After entering the setup command, an InstallShield window is displayed.
   Follow the installation directions. In the window where you are prompted
   for the destination location, you must change the default location from:
   C:\Program Files\ibm\gsk7
   to:
   C:\Progra~1\ibm\gsk7
   or to whatever install location is applicable.
3. Shut down and reboot the system.
4. Confirm that the upgrade was successful by following the instructions in
   the section "Confirm that GSKit was updated".

Confirm that GSKit was updated

After upgrading to the version of GSKit included with this patch, the GSKit
PRODUCT VERSION should be 7.0.4.42 for ALL components of the GSKit toolkit.

To determine the version of GSKit installed, use the following command on any
platform:
   gsk7ver

NOTE: On HP-UX, you might need to add the following path in your profile for
the above command to work:
   SHLIB_PATH=/usr/lib

RELATED INFORMATION:
CVE-2012-2203
Complete CVSS Guide
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business Machines
Corp., registered in many jurisdictions worldwide. Other product and service
names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the Web at "Copyright and trademark information" at
www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT.
The mailing list you are subscribed to is maintained within your organisation,
so if you do not wish to continue receiving these bulletins you should contact
your local IT manager. If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUGpqA+4yVqjM2NGpAQJvjRAApcHHU4bAZDoRTiEa51fj5qkGVt2wnVcf
SZHmxCQ5JSeOn/sG6x3B8EgvAG8oCUQeGUB6jVKVIh4f4T/VcZqVhz7YET1zBjyo
lLaBo1WnX/4QjXSjBy/e5tl5BrDT/FQ0PyPjhOIyPmcgemsLfW/XrcgnJTrHtXE1
7Vs/GIGvoJUkAbkUBkmZ1zaprsgGWy4y/Gi5qlsQcDsrQOR6aqtInADfbs9yqtys
tp4hw5TzfpvnyxNqbrIRdEMKfw0rnWDJD5iG+MN9sDWxJ4A9SeMRkw2DCidIhv0u
8xml/I71WPspDpxmnj0denZTxfnfE4YkognoKr4M9IKPmnzuTZkYUxmVQai9ydD6
eQXYBfWSA9ren0q2qTXXlQv1wMcGzH3+Hn33GFc9tUIyrdF7GWDx8+M8P1R26QK9
nBi0eZbQRonIW3+ItOVlv79md45bMWaGS5Dci3vlqnDks42OY4ayO50cuvHKX+eT
7xSExIwNYZAXZXY1VsrWIGxU7RR0zOFfMylpj9CJKPUhp3GyWUrKQSu4ma1tsrJw
lBM07cxnzQaKbTqoNnyVxkvSXaQzsqXSl+D0Wi8ILp0d2th+ip3ViLFqDG+qZvTA
XzpDBm0AivLNuvrnnl4My2OMiryKfQVX/TifSYyBomi2MSAWOVo7jKoil5wNXtpe
bQzMAJdyOew=
=UFsp
-----END PGP SIGNATURE-----