Security Bulletin: GSKit SSL/TLS Record Length vulnerability in Tivoli Access Manager for e-business (CVE-2012-2191)

Flash (Alert)


Abstract

A vulnerability has been identified in the GSKit component utilized by Tivoli Access Manager for e-business (TAM). A specifically crafted malformed SSL/TLS data packet can cause the TAM server component using GSKit to segmentation fault. Remediation for the issue consists of upgrading affected GSKit 7 versions to version 7.0.4.42 or higher, following the instructions at the end of this bulletin.

Content

VULNERABILITY DETAILS

CVE ID:
CVE-2012-2191


DESCRIPTION:
TAM uses GSKit for SSL/TLS connections. The GSKit implementation of the CBC and AEAD cipher suites is vulnerable to a specifically crafted malformed SSL/TLS data packet, and several ciphers supported by TAM belong to these suites. An attacker would need to act as a man-in-the-middle, intercepting the SSL data stream between a client, such as a web browser, and a TAM server, such as WebSEAL, that is using an affected cipher, and inject a malformed data packet into the stream. Were an attacker able to do so, they could cause the TAM server process to crash. The attack does not require local network access or authentication, but highly specialized knowledge and techniques are required. An exploit would not affect the confidentiality of information or the integrity of data; however, the availability of the system could be compromised.

CVSS:
CVSS Base Score: 5
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Details: http://xforce.iss.net/xforce/xfdb/75996

AFFECTED PLATFORMS
All supported Tivoli Access Manager versions are affected if they use GSKit 7.0.x.x builds up to and including 7.0.4.40.


REMEDIATION:
1. Determine the GSKit version on TAM systems.
2. If an affected version is present, upgrade to GSKit version 7.0.4.42 or higher as soon as possible.
3. Upgrade your GSKit version following the instructions at the end of this bulletin.


WORKAROUNDS:
No workaround


INSTRUCTIONS FOR UPGRADING GSKIT TO VERSION 7.0.4.42

Note:
IBM Global Security Toolkit (GSKit) version 7.0.4.33 and higher supports RFC 5746 (TLS Renegotiation Indication Extension). Therefore, the security exposure CVE-2009-3555 (TLS/SSL Protocol Vulnerability) is not applicable to these versions of GSKit.

Upgrade the IBM Global Security Toolkit (GSKit) to version 7.0.4.42. The 32-bit version must be used regardless of system architecture.

The updated GSKit installation packages may be downloaded at the URL:

https://www14.software.ibm.com/webapp/iwm/web/reg/pick.do?source=gskitupdt

Instructions for installing GSKit may also be found in the IBM Tivoli Access Manager for e-business Installation Guide, under the section "Reference information > Installing prerequisite products".


To upgrade GSKit on AIX:

1. Install the patch:

installp -a -X -g -d . gskta.rte

for 64 bit also install
installp -a -X -g -d . gsksa.rte

2. From the command line, run the following commands to stop and
restart the Tivoli Access Manager processes:

pd_start stop
pd_start start

3. Confirm that the upgrade was successful by following the
instructions in the section "Confirm that GSKit was updated".


To upgrade GSKit on HP-UX:

Note: On HP Integrity servers use gsk7bas32 instead of gsk7bas.

1. Uncompress and extract the file from gsk7bas.tar.Z

2. Install the patch:

swinstall -s $PATH/gsk7bas gsk7bas

where $PATH stands for the directory containing the gsk7bas package (substitute the actual directory; this is not the shell's PATH variable).

3. Ensure that the following path is set in your .profile:

SHLIB_PATH=/usr/lib
To set this path, enter the following command (the directories are colon-separated):
export SHLIB_PATH=/usr/lib:$SHLIB_PATH

After you install GSKit, no configuration is necessary.
Note that the SHLIB_PATH is only required to run the iKeyman
key management utility (gsk7ikm), which is installed with the
GSKit package. This enables you to create key databases,
public-private key pairs, and certificate requests. For more
information about gsk7ikm, see the Secure Sockets Layer
Introduction and iKeyman User's Guide.

4. From the command line, run the following commands to stop
and restart the Tivoli Access Manager processes:

pd_start stop
pd_start start

5. Confirm that the upgrade was successful by following the
instructions in the section "Confirm that GSKit was updated".


To upgrade GSKit on Linux:

1. Install the patch:

At the command prompt, enter the following:

rpm -U <patchname>

where <patchname> is one of the following:

Linux on xSeries(R), Red Hat:
gsk7bas-7.0.4.42.i386.rpm

Linux on xSeries(R), SUSE SLES8:
gsk7bas-7.0.4.42.i386.rpm

Linux on zSeries:
gsk7bas-7.0.4.42.s390.rpm

Linux on pSeries(R) and iSeries:
gsk7bas-7.0.4.42.ppc32.rpm


If Tivoli Access Manager is already configured, you
might need to install with the --noscripts flag:

rpm -U --noscripts <patchname>



2. From the command line, run the following commands to stop
and restart the Tivoli Access Manager processes:

pd_start stop
pd_start start

3. Confirm that the upgrade was successful by following the
instructions in the section "Confirm that GSKit was updated".


To upgrade GSKit on Solaris:

1. Uncompress and extract the file from gsk7bas.tar.Z

2. Install the patch:

pkgadd -a none -d . gsk7bas

a. Answer 'y' when asked whether to overwrite an
installed instance directory

b. When prompted for a package base directory,
enter /opt if GSKit is installed in the default
location. Otherwise, specify the appropriate
location.

3. From the command line, run the following commands to stop
and restart the Tivoli Access Manager processes:

pd_start stop
pd_start start

4. Confirm that the upgrade was successful by following the
instructions in the section "Confirm that GSKit was updated".


To upgrade GSKit on Microsoft Windows:


1. Extract the GSKit upgrade package:

gsk7bas.exe gsk7bas
cd gsk7bas

2. Use the following command to upgrade GSKit:

setup gsk7 <location> -sf1".\setup.iss"

where <location> is the drive and parent directory to your
desired GSKit install location.

NOTE: The GSKit installation program does not recognize spaces
in the <location> string. Therefore, if GSKit was
originally installed in:

C:\Program Files\ibm\gsk7

you must specify the location using the following
syntax, which eliminates the spaces:

C:\Progra~1\ibm\gsk7

The complete command for this example would be:

setup gsk7 c:\Progra~1\ibm\gsk7 -sf1".\setup.iss"

After entering the setup command, an InstallShield window
is displayed. Follow the installation directions. In the window
where you are prompted for the destination location, you must
change the default location from:

C:\Program Files\ibm\gsk7
to:

C:\Progra~1\ibm\gsk7

or to whatever install location is applicable.

3. Shut down and reboot the system.

4. Confirm that the upgrade was successful by following the
instructions in the section "Confirm that GSKit was updated".


Confirm that GSKit was updated

After upgrading to the version of GSKit included with this patch,
the GSKit PRODUCT VERSION should be 7.0.4.42 for ALL components
of the GSKit toolkit.

To determine the version of GSKit installed, use the following
command on any platform:

gsk7ver

NOTE: On HP-UX, you might need to add the following path in your
profile for the above command to work:

SHLIB_PATH=/usr/lib
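As an added example that is not part of the IBM bulletin, the shell functions below automate remediation step 1 ("Determine the GSKit version") and the check in "Confirm that GSKit was updated": they read gsk7ver output, extract each component's PRODUCT VERSION and flag any component below 7.0.4.42. The exact gsk7ver output format and the sample lines are assumptions.

```shell
#!/bin/sh
# Added example, not part of the IBM bulletin: check GSKit 7 component
# versions against the fixed level 7.0.4.42 the bulletin calls for.
# Assumption: gsk7ver prints a line containing "PRODUCT VERSION" and a
# dotted version for each installed component (format assumed here).
FIXED_VERSION="7.0.4.42"

# vercmp A B: numeric comparison of dotted versions; prints -1, 0 or 1.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 4; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) { print "-1"; exit }
            if (p > q) { print "1"; exit }
        }
        print "0"
    }'
}

# check_gskit_versions: reads gsk7ver-style output on stdin, prints a
# verdict per component, returns 1 if any component is below 7.0.4.42.
check_gskit_versions() {
    rc=0
    while IFS= read -r line; do
        case $line in
            *"PRODUCT VERSION"*) ;;
            *) continue ;;
        esac
        ver=$(printf '%s\n' "$line" |
            sed -n 's/.*[^0-9.]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
        [ -n "$ver" ] || continue
        if [ "$(vercmp "$ver" "$FIXED_VERSION")" -lt 0 ]; then
            echo "AFFECTED ($ver < $FIXED_VERSION): $line"
            rc=1
        else
            echo "OK ($ver): $line"
        fi
    done
    return "$rc"
}

# Constructed sample of gsk7ver output with one component still at the
# last affected build; real use is:  gsk7ver | check_gskit_versions
SAMPLE_OUTPUT='@(#)PRODUCT VERSION 7.0.4.40
@(#)PRODUCT VERSION 7.0.4.42'

printf '%s\n' "$SAMPLE_OUTPUT" | check_gskit_versions || echo "Upgrade GSKit to $FIXED_VERSION or higher"
```

Because the bulletin requires 7.0.4.42 for ALL components, a single affected line is enough to make the check return non-zero.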


RELATED INFORMATION:

· CVE-2012-2191
· Complete CVSS Guide
· IBM Secure Engineering Web Portal
· IBM Product Security Incident Response Blog


*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.


Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document information

More support for: IBM Security Access Manager for Web
Software version: All versions
Operating system(s): All Platforms
Reference #: 1612378
Modified date: 2013-08-22
