-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1529
        Security Bulletin: Multiple vulnerabilities in IBM Security
               AppScan Enterprise (CVE-2013-4062, CVE-2013-4061,
                          CVE-2013-5430, CVE-2013-3989)
                              25 October 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security AppScan Enterprise
Publisher:         IBM
Operating System:  Windows
Impact/Access:     Modify Arbitrary Files          -- Existing Account
                   Provide Misleading Information  -- Remote with User Interaction
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-5430 CVE-2013-4062 CVE-2013-4061 CVE-2013-3989
Reference:         ESB-2013.1236

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21653287

---------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple vulnerabilities in IBM Security AppScan Enterprise (CVE-2013-4062, CVE-2013-4061, CVE-2013-5430, CVE-2013-3989)

Flash (Alert)

Document information
Security AppScan Enterprise
News
Software version: 8.5, 8.6, 8.7.0.0, 8.7.0.1
Operating system(s): Windows
Reference #: 1653287
Modified date: 2013-10-22

Abstract

Previous releases of IBM Security AppScan Enterprise are affected by multiple vulnerabilities reported in third-party components bundled with the product as well as in proprietary IBM code. These vulnerabilities include weak cipher suites, invalid certificate warnings and URL spoofing.

Content

VULNERABILITY DETAILS:

CVE ID: CVE-2013-4062

DESCRIPTION: An invalid certificate warning is not displayed when secure HTTP traffic is intercepted. This may allow an attacker to successfully execute a "man-in-the-middle" attack on the client.
The attack requires local network access and does not require authentication, but a high degree of specialized knowledge and techniques is required. An exploit could compromise the confidentiality of information, the integrity of data and the availability of the system.

CVSS:
CVSS Base Score: 3.7
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86586 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:H/Au:N/C:P/I:P/A:P)

AFFECTED PLATFORMS:
Running on Microsoft Windows:
- Version 8.5 through 8.7 of Security AppScan Enterprise

REMEDIATION:
The recommended solution is to apply the fix for each named product as soon as practical. Please see below for information about the fixes available.

Vendor Fix(es):
For version 8.5 to 8.7 of AppScan Enterprise
- Upgrade to version 8.8

If you are unable to upgrade, contact IBM Technical Support.

If you are using your own certificate, make sure that you add it to the IBM certificate trust store so that it will be accepted successfully.

Workaround(s): Not applicable; upgrade to version 8.8 of AppScan Enterprise

Mitigation(s): Vulnerability does not exist when AppScan Enterprise is configured to use Windows Authentication.

CVE ID: CVE-2013-4061

DESCRIPTION: Unauthorized users are able to update the allowed hosts used for authentication. This can be used to facilitate spoofing through URL redirection.

The attack does not require local network access but does require single authentication. A high degree of specialized knowledge and techniques is required to exploit this issue. An exploit would not impact the availability of the system or the integrity of data, but the confidentiality of information could be compromised.
CVSS:
CVSS Base Score: 2.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86585 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:S/C:P/I:N/A:N)

AFFECTED PLATFORMS:
Running on Microsoft Windows:
- Version 8.5 through 8.7 of Security AppScan Enterprise

REMEDIATION:
The recommended solution is to apply the fix for each named product as soon as practical. Please see below for information about the fixes available.

Vendor Fix(es):
For version 8.5 to 8.7 of AppScan Enterprise
- Upgrade to version 8.8

If you are unable to upgrade, contact IBM Technical Support.

Workaround(s): Not applicable; upgrade to version 8.8 of AppScan Enterprise

Mitigation(s): Vulnerability does not exist when AppScan Enterprise is configured to use Windows Authentication.

CVE ID: CVE-2013-5430

DESCRIPTION: It is possible to install the Jazz Team Server component and have it enabled and configured with the default username and password. This could allow an unauthorized user to obtain access to the Jazz Team Server component.

The attack requires network access but does not require specialized knowledge or techniques, nor does it require authentication. An exploit could impact the confidentiality of information and the availability of the system, but the integrity of data is not compromised.

CVSS:
CVSS Base Score: 5.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87562 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:N)

AFFECTED PLATFORMS:
Running on Microsoft Windows:
- Version 8.5 through 8.7 of Security AppScan Enterprise

REMEDIATION:
The recommended solution is to apply the fix for each named product as soon as practical. Please see below for information about the fixes available.

Vendor Fix(es):
For version 8.5 to 8.7 of AppScan Enterprise
- Upgrade to version 8.8

If you are unable to upgrade, contact IBM Technical Support.
Workaround(s): Not applicable; upgrade to version 8.8 of AppScan Enterprise

Mitigation(s): For previous versions, when configuring the installation, log in to the Jazz Team Server component and either disable the admin account or change the default password value.

CVE ID: CVE-2013-3989

DESCRIPTION: The password value for the AppScan Source database is sent in a response from AppScan Enterprise in a non-encrypted format. This may allow an attacker to successfully execute a "man-in-the-middle" attack on the client.

The attack requires some specialized knowledge or techniques, along with single authentication and network access. An exploit could impact the confidentiality of information, but the integrity of data and the availability of the system are not compromised.

CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84975 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

AFFECTED PLATFORMS:
Running on Microsoft Windows:
- Version 8.5 through 8.7 of Security AppScan Enterprise

REMEDIATION:
The recommended solution is to apply the fix for each named product as soon as practical. Please see below for information about the fixes available.

Vendor Fix(es):
For version 8.5 to 8.7 of AppScan Enterprise
- Upgrade to version 8.8

If you are unable to upgrade, contact IBM Technical Support.

Workaround(s): Not applicable; upgrade to version 8.8 of AppScan Enterprise

Mitigation(s): Vulnerability does not exist when AppScan Source integration is not configured.
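The CVE-2013-4061 entry above turns on a list of allowed hosts that governs redirection: if unprivileged users can change that list, a redirect meant to stay on the authentication host can be pointed at a spoofed one. The Python below is an added example written for this bulletin, not code from IBM or from AppScan Enterprise. It shows the two controls a defender expects around such a list: changes to the allowlist require an administrative principal and are logged, and every redirect target is checked against the list with the usual parser edge cases (scheme-relative URLs, credentials in the authority, look-alike subdomains, non-standard ports, backslashes and control characters) refused. The class and function names, the `is_admin` flag and the `example.com` hosts are assumptions made for the example.

```python
"""Authorised allowlist of redirect hosts plus a strict redirect-target check.

Added example, not IBM or AppScan Enterprise code. The names, the admin flag
and the sample hosts are assumptions made for illustration.
"""
import logging
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

log = logging.getLogger("redirect-allowlist")

# Conservative hostname syntax: dotted labels of letters, digits and hyphens,
# a TLD of at least two letters, at most 253 characters overall.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


@dataclass(frozen=True)
class Principal:
    """Caller identity; only administrators may change the allowlist (assumed model)."""
    name: str
    is_admin: bool = False


class AllowedHosts:
    """Set of hostnames that redirects may target.

    Every mutation is authorised against the acting principal and logged,
    which is the control whose absence the CVE-2013-4061 description points at.
    """

    def __init__(self, initial=()):
        self._hosts = {h.lower() for h in initial}

    def add(self, host: str, actor: Principal) -> None:
        if not actor.is_admin:
            log.warning("allowlist update denied: actor=%s host=%r", actor.name, host)
            raise PermissionError(f"{actor.name} may not modify allowed hosts")
        host = host.strip().lower()
        if not _HOST_RE.match(host):
            raise ValueError(f"rejected malformed host {host!r}")
        self._hosts.add(host)
        log.info("allowlist updated: actor=%s host=%s", actor.name, host)

    def __contains__(self, host: str) -> bool:
        return host in self._hosts


def is_safe_redirect(target: str, allowed: AllowedHosts) -> bool:
    """Return True only for a same-origin path or an https URL to an allowed host."""
    # Whitespace, control characters and backslashes are parsed differently by
    # browsers and URL libraries; refuse them outright rather than normalise.
    if not target or any(ord(c) < 0x21 or ord(c) == 0x7F or c == "\\" for c in target):
        return False
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. unbalanced IPv6 brackets in the authority
        return False

    # No scheme and no authority: a path that resolves against the current
    # origin. Reject "//host" forms, which browsers treat as scheme-relative.
    if not parts.scheme and not parts.netloc:
        return parts.path.startswith("/") and not parts.path.startswith("//")

    # Absolute targets must be https and carry a real authority.
    if parts.scheme != "https" or not parts.netloc:
        return False
    # "https://allowed.example@evil.example/" puts the allowed name in userinfo.
    if "@" in parts.netloc:
        return False
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return False
    if port not in (None, 443):
        return False
    host = parts.hostname  # lower-cased, IPv6 brackets stripped
    return host is not None and host in allowed


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    allowed = AllowedHosts({"appscan.example.com"})  # constructed sample list
    admin = Principal("alice", is_admin=True)
    allowed.add("sso.example.com", admin)
    for candidate in ("/dashboard", "https://sso.example.com/login",
                      "//evil.example/", "https://appscan.example.com@evil.example/"):
        print(f"{candidate!r:50} -> {is_safe_redirect(candidate, allowed)}")
```

`is_safe_redirect` accepts only same-origin paths or absolute https URLs whose hostname is exactly in the allowlist, so a host that merely begins with an allowed name (`appscan.example.com.evil.example`) is refused, as is an explicit non-443 port; tighten `_HOST_RE` or the port rule to match a given deployment, and keep the allowlist itself in configuration that only administrators can write.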
REFERENCES:
Complete CVSS Guide
On-line Calculator V2
CVE-2013-4062
CVE-2013-4061
CVE-2013-3989
CVE-2013-5430
http://xforce.iss.net/xforce/xfdb/86586
http://xforce.iss.net/xforce/xfdb/86585
http://xforce.iss.net/xforce/xfdb/84975
http://xforce.iss.net/xforce/xfdb/87562

RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this alert.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUmnK7hLndAQH1ShLAQK3og/9H+z5urL8UcS3IevRf54UUtf2Ga33VEIr
Kg4TyGgRCwU16cLptbpZuQq+G7B6bALRp3oHPWAel2gAB69vr5tuIy0cp38lX1wJ
0qlaOWB9tHTQ1r5+uuYFExfUg5ajOpTVUm4VkG6GHdfqyfh+6YawqJmtemTqe1Y4
xsJtqL/cZomJQSWfUKxokR/XEFovi1Rxf1fvjfxFh4lBusC2FkFjC0l72Aq/AnE3
p1oT6hYUVKKv21AE497ZyBmi006u4LA8v2XbMDvFMHS68IySHjPoLJS4XFzSDLx0
s+LZhweAS60p1MA+ER5Cli2T3rlw0OTg9+3VuzsHhxsW1/gPmqpy/opQKn+E/olj
w5Z8qo5fH+Mw51FLqxqUKJ8wOpcUA0pMIY6Mx4zn0yVHnGOcfBWKF4439Enjbjrc
DZsRuB6PHhTBcDuXpgw0SiGX+N/FXTQ0EMPaxCCSD6ZgRuufvCo/6auWN2eDkeUd
+7essir1358jv0ueQEWWBjb89YatYThzVlxOXTaWzfvpxTbAERiGmxSJvUxu69VH
CnYLybrWyTMCI/Qoh7NbFXNcdbZlU4+fWQJkdelCLXNud86qmT+GPlHd55oDV9dR
bTt+xs+8XaxRic8aTPjAIk/nTyoKEic1F6sE3ej3NMYCCha75CjerG3FwVKQI+FL
M8zbfAwpS5Q=
=Jr1V
-----END PGP SIGNATURE-----