-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0498
Security Bulletin: IBM Security Access Manager for Web v8.0 Front End Load
     Balancer susceptible to Heartbleed vulnerability (CVE-2014-0160)
                               14 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security Access Manager
Publisher:         IBM
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0160  

Reference:         ASB-2014.0042
                   ESB-2014.0457

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21670164

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM Security Access Manager for Web v8.0 Front End Load 
Balancer susceptible to Heartbleed vulnerability (CVE-2014-0160)

Document information

More support for:
IBM Security Access Manager for Web

Software version:
8.0.0.2

Operating system(s):
Appliance

Reference #:
1670164

Modified date:
2014-04-11

Flash (Alert)

Abstract

IBM Security Access Manager (ISAM) for Web v8.0 introduced a layer 7 front end 
load balancer. The SSL framework used by this component exposes the 'heartbeat' 
TLS extension implemented through an older version of OpenSSL and is therefore 
susceptible to the Heartbleed vulnerability.

Content

VULNERABILITY DETAILS

CVE ID: CVE-2014-0160

DESCRIPTION: 

A vulnerability in OpenSSL could allow a remote attacker to obtain sensitive 
information, caused by an error in the TLS/DTLS heartbeat functionality. An 
attacker could exploit this vulnerability to expose 64k of private memory and 
retrieve secret keys. An attacker can repeatedly expose additional 64k chunks 
of memory. This vulnerability can be remotely exploited, authentication is not 
required and the exploit is not complex. An exploit can only partially affect 
confidentiality, but not integrity or availability.

An affected version of OpenSSL is used by the front end load balancer provided 
with ISAM for Web starting with version 8.0. ISAM for Web 8.0 is only 
vulnerable if the front end load balancer is enabled and the SSL Proxy for 
Layer-7 capability is enabled. Instructions for determining if this is the 
case are provided at the end of this bulletin.

The vulnerable front end load balancer was not provided with previous versions 
of the product, and they are not susceptible to the vulnerability. 
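The description above is the whole bug in two sentences: a heartbeat message carries a 16-bit payload_length field, and an unpatched OpenSSL copied that many bytes back to the peer without checking that they had actually been received. The following Python is an added illustration, not IBM's or OpenSSL's code: it encodes an RFC 6520 heartbeat message inside a TLS record and applies the bounds check that the fixed OpenSSL performs (declared payload plus the mandatory 16 bytes of padding must fit inside the received record). The sample records, including the malformed one used to exercise the check, are constructed inline; the record version value 0x0303 (TLS 1.2) and zero padding are assumptions chosen for the example.

```python
import struct
from typing import Optional

# TLS record content type for the Heartbeat protocol (RFC 6520)
HEARTBEAT_CONTENT_TYPE = 0x18
HEARTBEAT_REQUEST = 0x01
HEARTBEAT_RESPONSE = 0x02
# RFC 6520 requires at least 16 bytes of random padding after the payload
MIN_PADDING = 16
RECORD_HEADER_LEN = 5     # content type(1) + version(2) + length(2)
HEARTBEAT_HEADER_LEN = 3  # heartbeat type(1) + payload_length(2)


def build_heartbeat_record(payload: bytes, claimed_length: Optional[int] = None,
                           hb_type: int = HEARTBEAT_REQUEST,
                           padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Encode a heartbeat message inside a TLS 1.2 record (constructed fixture).

    claimed_length lets a test advertise a payload_length that does not
    match the bytes actually sent, which is the malformed shape the
    bounds check in check_heartbeat_record() must reject.
    """
    if claimed_length is None:
        claimed_length = len(payload)
    body = struct.pack("!BH", hb_type, claimed_length) + payload + padding
    return struct.pack("!BHH", HEARTBEAT_CONTENT_TYPE, 0x0303, len(body)) + body


def check_heartbeat_record(record: bytes) -> dict:
    """Validate a heartbeat record the way a patched OpenSSL does.

    An unpatched implementation copied payload_length bytes starting at
    the payload without checking they had been received, so a short
    message with a large payload_length echoed back whatever followed it
    in process memory: up to 64 KiB per request, because payload_length
    is a 16-bit field.
    """
    if len(record) < RECORD_HEADER_LEN:
        raise ValueError("truncated TLS record header")
    content_type, _version, record_length = struct.unpack("!BHH", record[:RECORD_HEADER_LEN])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        raise ValueError("not a heartbeat record")
    body = record[RECORD_HEADER_LEN:RECORD_HEADER_LEN + record_length]
    if len(body) != record_length:
        raise ValueError("record length field does not match bytes received")
    if len(body) < HEARTBEAT_HEADER_LEN:
        raise ValueError("heartbeat message too short for its header")
    hb_type, claimed = struct.unpack("!BH", body[:HEARTBEAT_HEADER_LEN])

    # The fix: header + declared payload + minimum padding must fit inside
    # the bytes that actually arrived; otherwise the message is discarded.
    fits = HEARTBEAT_HEADER_LEN + claimed + MIN_PADDING <= len(body)

    # Bytes received after the heartbeat header (payload plus padding), and
    # how far past the end of the received data an unchecked copy of
    # `claimed` bytes would have read.
    received_after_header = len(body) - HEARTBEAT_HEADER_LEN
    over_read = max(0, claimed - received_after_header)

    return {
        "hb_type": hb_type,
        "claimed_payload_length": claimed,
        "received_after_header": received_after_header,
        "accept": fits,
        "over_read_bytes": over_read,
    }


if __name__ == "__main__":
    good = build_heartbeat_record(b"hello")
    print("well-formed:", check_heartbeat_record(good))
    # Constructed malformed fixture: 5 payload bytes, payload_length claims 65535.
    bad = build_heartbeat_record(b"hello", claimed_length=0xFFFF)
    print("malformed:  ", check_heartbeat_record(bad))
```

The `over_read_bytes` value is what makes the CVSS vector's "C:P / I:N / A:N" concrete: nothing is written and the connection stays up, but every rejected-by-the-fix message would, on an unpatched build, have disclosed that many bytes of whatever happened to sit after the record buffer.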

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92322
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Warning: We strongly encourage you to take action as soon as possible as 
potential implications to your environment may be more serious than indicated 
by the CVSS score.

AFFECTED PLATFORMS

ISAM for Web v8.0, firmware versions 8.0.0.2 and 8.0.0.3


REMEDIATION: 

Step 1) Apply Patches

IBM has provided firmware updates containing the fix. Affected systems should 
be patched immediately. Patches and installation instructions are provided at 
the URLs listed below.

Applying the patch by using the local management interface.
1. Download the .pkg file. 
2. In the local management interface, select Manage System Settings > 
Updates and Licensing > Available Updates. 
3. Click Upload. The New Update dialog opens. 
4. Click Select Update. 
5. Browse to the .pkg file. 
6. Click Open. 
7. Click Save Configuration. The upload process might take several minutes. 
8. Select the new firmware and click Install. 

Note: The installation of the new firmware takes a few minutes to complete. 
After the update is successfully applied to the system, the appliance reboots 
automatically.

Applying the patch by using a USB drive.
1. Download the .pkg file. 
2. Copy the firmware update onto a USB flash drive. The flash drive must be 
formatted with a FAT file system. 
3. Insert the USB flash drive into the hardware appliance. 
4. Log in as admin in the appliance console or use secure shell. 
5. Type updates and then press Enter. 
6. Type install and then press Enter. The following options must be selected. 
	1: For a firmware update 
	1: To install the update from a USB drive 
	YES: To confirm that the USB drive is plugged into the appliance 
	<index>: Select the appliance firmware from the list 
	YES: To confirm the update and start the update process 

Note: The installation of the new firmware takes a few minutes to complete. 
After the update is successfully applied to the system, the appliance reboots 
automatically.


Fix                      Build      APAR     Download URL
8.0.0.2-ISS-WGA-IF00002  8.0.0.22   IV59179  http://www-933.ibm.com/support/fixcentral/swg/selectFix?product=ibm/Tivoli/Tivoli Access Manager for e-business&fixids=8.0.0.2-ISS-WGA-IF0002&source=dbluesearch&function=fixId&parent=Security Systems
8.0.0.3-ISS-WGA-IF00001  8.0.0.31   IV59179  http://www-933.ibm.com/support/fixcentral/swg/selectFix?product=ibm/Tivoli/Tivoli Access Manager for e-business&fixids=8.0.0.3-ISS-WGA-IF0001&source=dbluesearch&function=fixId&parent=Security Systems

Step 2) Replace SSL Certificates.

Because existing SSL certificates could be compromised, you should revoke 
existing SSL certificates and reissue new certificates. Be sure not to 
generate the new certificates using the old private key. Instead, create a new 
private key and use that new private key to create the new certificate signing 
request (CSR).

Step 3) Reset User Credentials

Because password information could have been compromised, you should force 
users to reset their passwords. You should also revoke any authentication or 
session related cookies set prior to the time OpenSSL was upgraded and force 
users to re-authenticate.

Warning: Your environment may require additional fixes for other products, 
including non-IBM products. Please replace SSL certificates and reset user 
credentials after applying the necessary fixes to your environment.

DETERMINING IF YOUR SYSTEM IS VULNERABLE:
As stated above, ISAM for Web 8.0 is only vulnerable if the front end load 
balancer is enabled and the SSL Proxy for Layer-7 capability is enabled. 
Follow these steps to determine if this is the case:
1. Authenticate to the Local Management Interface.
2. Click the "Manage System Settings" top menu item.
3. Look for the "Front End Load Balancer" option under Network Settings. If 
this option is not present, your system is not vulnerable.
4. Click the "Front End Load Balancer" option to open the administration panel 
for the load balancer and ensure that you are viewing the General tab.
5. Look for a checkbox next to "Enabled" at the top of the panel. If this 
checkbox is not checked, your system is not vulnerable.
6. Look for a checkbox next to "Enable SSL Proxy for Layer-7". If this option 
is not present or the checkbox is not checked, your system is not vulnerable. 
7. Click on the 'Servers' tab, and then check to see if any virtual servers 
have SSL enabled. This is achieved by selecting each server in turn, pressing 
the 'edit' button for the server, and looking at the 'Layer 7 SSL Enabled' 
checkbox. If this checkbox is not checked for ANY server, your system is not 
vulnerable.

NOTE: Regardless of whether your system is vulnerable, if you have an affected 
ISAM for Web version, you should apply the patch.

WORKAROUNDS:

Follow the directions in the "Determining if your system is vulnerable" 
section above to perform one or both of the following two options:
1. Disable SSL termination for all of the virtual servers and the entire front 
end load balancer.
	- Click on the 'Servers' tab and, for each virtual server, edit the 
	server connection, and if the 'Layer 7 SSL Enabled' check box is 
	selected, uncheck it. 
	- Navigate to the General tab of the front end load balancer and 
	uncheck the checkbox next to "Enable SSL Proxy for Layer-7"
	- Save your changes and deploy.
2. Disable the front end load balancer completely. 
	- Navigate to the General tab of the front end balancer.
	- Uncheck the checkbox next to "Enabled" to disable the entire front 
	end load balancer
	- Save your changes and deploy.

Both of these workarounds will require changes to your environment in order to 
support operations. These changes are beyond the scope of this document.
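The seven-step check in "DETERMINING IF YOUR SYSTEM IS VULNERABLE" and the two workaround options above are a small decision procedure, which is easy to get wrong when it has to be repeated across a fleet of appliances from exported configuration. The following Python is an added example, not part of IBM's bulletin or product: it models the relevant settings (the firmware level, the "Enabled" and "Enable SSL Proxy for Layer-7" checkboxes, and each virtual server's "Layer 7 SSL Enabled" flag) and applies the bulletin's logic in order, reporting which step ruled exposure out, which servers cause it, and whether the patch is still required regardless. The dataclass names and the sample configurations are constructed for the example; nothing here reads a real appliance.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Firmware levels named in the bulletin's AFFECTED PLATFORMS section.
AFFECTED_FIRMWARE = {"8.0.0.2", "8.0.0.3"}


@dataclass
class VirtualServer:
    name: str
    layer7_ssl_enabled: bool           # the 'Layer 7 SSL Enabled' checkbox (step 7)


@dataclass
class FrontEndLoadBalancer:
    enabled: bool                      # 'Enabled' checkbox on the General tab (step 5)
    ssl_proxy_layer7_enabled: bool     # 'Enable SSL Proxy for Layer-7' (step 6)
    servers: List[VirtualServer] = field(default_factory=list)


@dataclass
class ApplianceConfig:
    firmware: str
    # None models the 'Front End Load Balancer' option being absent (step 3).
    front_end_load_balancer: Optional[FrontEndLoadBalancer] = None


def assess(cfg: ApplianceConfig) -> dict:
    """Apply the bulletin's decision steps to a captured configuration.

    The appliance is exposed only when every condition holds at once:
    affected firmware, load balancer present and enabled, SSL proxy for
    layer 7 enabled, and at least one virtual server terminating SSL.
    The patch is required for every affected firmware level either way.
    """
    patch_required = cfg.firmware in AFFECTED_FIRMWARE
    felb = cfg.front_end_load_balancer

    def verdict(vulnerable: bool, reason: str, servers=()) -> dict:
        return {"vulnerable": vulnerable, "reason": reason,
                "ssl_servers": list(servers), "patch_required": patch_required}

    if not patch_required:
        return verdict(False, "firmware %s is not an affected level" % cfg.firmware)
    if felb is None:
        return verdict(False, "Front End Load Balancer option not present (step 3)")
    if not felb.enabled:
        return verdict(False, "front end load balancer is not enabled (step 5)")
    if not felb.ssl_proxy_layer7_enabled:
        return verdict(False, "SSL Proxy for Layer-7 is not enabled (step 6)")
    ssl_servers = [s.name for s in felb.servers if s.layer7_ssl_enabled]
    if not ssl_servers:
        return verdict(False, "no virtual server has Layer 7 SSL enabled (step 7)")
    return verdict(True, "layer-7 SSL termination is active on the front end load balancer",
                   ssl_servers)


def workaround_changes(cfg: ApplianceConfig) -> List[str]:
    """Settings to turn off for workaround option 1 (disable SSL termination).

    Returns an empty list when the configuration is not exposed, so that
    nothing is changed on appliances that only need the firmware patch.
    """
    result = assess(cfg)
    if not result["vulnerable"]:
        return []
    changes = ["uncheck 'Layer 7 SSL Enabled' on virtual server %s" % name
               for name in result["ssl_servers"]]
    changes.append("uncheck 'Enable SSL Proxy for Layer-7' on the General tab")
    return changes


if __name__ == "__main__":
    # Constructed sample: affected firmware, SSL terminated for one of two servers.
    exposed = ApplianceConfig(
        "8.0.0.3",
        FrontEndLoadBalancer(True, True, [VirtualServer("web1", True),
                                          VirtualServer("web2", False)]))
    print(assess(exposed))
    for change in workaround_changes(exposed):
        print(" -", change)
    # Constructed sample: same firmware, load balancer switched off (option 2 applied).
    print(assess(ApplianceConfig("8.0.0.2", FrontEndLoadBalancer(False, True))))
```

Note that `assess()` deliberately keeps `patch_required` separate from `vulnerable`: an appliance on 8.0.0.2 with the load balancer disabled reports `vulnerable: False, patch_required: True`, which is exactly the NOTE above, and the workaround list is empty for it so that only the firmware update is scheduled.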

REFERENCES: 

- - http://heartbleed.com
- - Complete CVSS Guide
- - On-line Calculator V2 
- - IBM Secure Engineering Web Portal
- - IBM Product Security Incident Response Blog

Product Alias/Synonym

ISAM WebSEAL Web Gateway Appliance

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----