-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0805
  Security Bulletin: Vulnerability in InstallShield affects IBM Sterling
           Connect:Direct for Microsoft Windows (CVE-2016-2542)
                               30 March 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Sterling Connect:Direct for Microsoft Windows
Publisher:         IBM
Operating System:  Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-2542  

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg21979075

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Vulnerability in InstallShield affects IBM Sterling
Connect:Direct for Microsoft Windows (CVE-2016-2542)

Security Bulletin

Document information

More support for:

Sterling Connect:Direct for Microsoft Windows

Software version:

4.5, 4.5.01, 4.6, 4.7

Operating system(s):

Windows

Reference #:

1979075

Modified date:

2016-03-25

Summary

An InstallShield vulnerability was disclosed by Flexera. InstallShield is
used by IBM Sterling Connect:Direct for Microsoft Windows. IBM Sterling
Connect:Direct for Microsoft Windows has addressed the applicable CVE.

Vulnerability Details

CVEID:

CVE-2016-2542

DESCRIPTION:

Flexera InstallShield could allow a remote attacker to execute arbitrary code
on the system. The application does not directly specify the fully qualified
path to a dynamic-linked library (schannel.dll) when running on Microsoft
Windows. By persuading a victim to open a specially-crafted file from a
WebDAV or SMB share using a vulnerable application, a remote attacker could
exploit this vulnerability via a specially-crafted library to execute
arbitrary code on the system.

CVSS Base Score: 8.8

CVSS Temporal Score: See

https://exchange.xforce.ibmcloud.com/vulnerabilities/110914

for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Sterling Connect:Direct for Microsoft Windows 4.5.00, 4.5.01, 4.6.0 and
4.7.0.

Remediation/Fixes

Product                                            VRMF    APAR     Remediation/First Fix
IBM Sterling Connect:Direct for Microsoft Windows  4.5.00  IT14315  Upgrade to version 4.6.0 or 4.7.0. Version 4.5.00 will be End of Support on 7/31/2016.
                                                                    If you cannot upgrade at this time, follow the mitigation instructions.
IBM Sterling Connect:Direct for Microsoft Windows  4.5.01  IT14315  Upgrade to version 4.6.0 or 4.7.0. Version 4.5.01 will be End of Support on 7/31/2016.
                                                                    If you cannot upgrade at this time, follow the mitigation instructions.
IBM Sterling Connect:Direct for Microsoft Windows  4.6.0   IT14315  Apply 4.6.0.5_iFix028, available on Fix Central
IBM Sterling Connect:Direct for Microsoft Windows  4.7.0   IT14315  Apply 4.7.0.4, available on Fix Central

For older versions/releases IBM recommends upgrading to a fixed, supported
version/release/platform of the product.

Workarounds and Mitigations

To install IBM Sterling Connect:Direct for Microsoft Windows 4.7.0(recommended)
or upgrade an earlier version of the product:

1. Run the 4.7.0.4 fix pack installer or later to install the product. See the
CDWin470FixPackReadme.rtf document provided with the fix pack download for
further instructions.

To install IBM Sterling Connect:Direct for Microsoft Windows 4.5.00, 4.5.01, 
4.6.0 or 4.7.0.0:

1. As an administrator, create a new secure directory. The directory must not
exist before and only the administrator should have write permission to it.

2. Unzip or copy the files from your installation media into this new directory.

3. Rename the file Setup.exe to cdw_install.exe. Do not skip this step.

4. Ensure there are no DLL files in this directory.

5. Run cdw_install.exe from this directory to install the product. Proceed with
the installation as normal.

To apply a patch for 4.5.00 or 4.5.01, or to apply an iFix / fix pack for 4.6.0 
and 4.7.0 prior to 4.6.0.5_iFix027 and 4.7.0.4:

1. As an administrator, create a new secure directory. The directory must not
exist before and only the administrator should have write permission to it.

2. Copy the patch / iFix/ iFix pack installer to this directory.

3. Ensure the installer is not called Setup.exe. Rename the file if needed. Do
not skip this step.

4. Ensure there are no DLL files in this directory.

5. Run the installer from this directory. Proceed with the installation as
normal.

Get Notified about Future Security Bulletins

Subscribe to

My Notifications

to be notified of important product support alerts like this.

Important note

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the

System z Security web site

Security and integrity APARs and associated fixes will be posted to this
portal. IBM suggests reviewing the CVSS scores and applying all security or
integrity fixes as soon as possible to minimize any potential risk.

References

Complete CVSS v3 Guide

On-line Calculator v3

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

25 March 2016: Original Version Published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVvsPdH6ZAP0PgtI9AQLsOBAAxovW5zX7CoyYZCpvPvdj9DT/5PJASzOT
SfijY3Eyj9QJ++79QxVqfz3j9UQ8zmBizMsWkzJ2xTxwZK+CCy00KJUjIsTVLpgK
cNsmgaYH3vwusO0ONLecXNiIm18+MP3UI4w/E9iIU2bRgdwGb10JGmLVpg2tVG2R
bH14Xsq3tae2NcS3rLrRnjsPCa4xtSqDVxO1omZ5zFrf5tE8fEaU8PzMmgabdQq1
G2kQaZVqM32kruLHjuHZ/Zx9eAgRltByt66FnphBzfuvS/3+5tG5fglTUxXQuDQ+
id1yJpKe/vvUvMlTY0x3i+OZKYq9t8g+y4zwr8MBgZWduxRBVAWqRniYlrVdvVb8
ka5Eu5Xg7BqZkZ9RMGLAwuFHKSXtsOvbgpCxX7IqHgCfDCfbjcMsH6wxCS0zUhWh
MNCXZkhOqq6G2zvhJOY0C6+gWZMIw/ZeUmJzpWiX4VIdUhQZpB6CAkd4SMla89Wt
5zuFxbExPo46uD5mt1y2RdqmOb81xUAEDxcQdFyy2v01lAsZuG0cqscSKhgl1jIB
knYcG4P+MDR+xSrIeFZrkPk3GxeSYzJVYpEcvWxjLhRnxj1J65b/PQZvh9Xp8dQJ
5tBud5OlCnXDBumnDdvYIxTXLsDRkJllPyHQnjHLyOwfnQOHE2tOgemRkQWFGGth
tozMPjAJycc=
=0aGT
-----END PGP SIGNATURE-----