Security Bulletin: TADDM uses weak SSL certificates (CVE-2012-5770)

VULNERABILITY DETAILS:

DESCRIPTION:
TADDM uses weak certificates for SSL communication what can lead to man in the middle attack. The attacker must have access to traffic between TADDM server and its client (GUI or API) to be able to hijack and break the certificate. If more powerful hash algorithm is used the certificate is much more difficult to break.

CVEID: CVE-2012-5770
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/80354 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

AFFECTED PRODUCTS AND VERSIONS:
TADDM 7.2.0.0 through 7.2.1.3

REMEDIATION:

Fix*	VRMF	APAR	How to acquire fix
7.2.1-TIV-ITADDM-FP0004	7.2.1.X	IV32391	Download from fix central
None	7.2..0.0	None	Upgrade to 7.2.1.4 or work around.

Each customer should generate their own security certificates that would uniquely identify the customer. The steps to do that are listed in following section.

Workaround(s):
The certificates can be generated manually issuing following commands:

<taddm_dist_dir>/external/<jdk-for-platform>/bin/keytool -delete -alias collation -keystore <taddm_dist_dir>/etc/serverkeys -storepass <ssl-password>

<taddm_dist_dir>external/<jdk-for-platform>/bin/keytool -genkey -alias collation -keystore <taddm_dist_dir>/etc/serverkeys -validity 3650 -keyAlg RSA -sigalg SHA256WithRSA -keypass <ssl-password> -storepass <ssl-password> -dname "CN=<TADDM_SERVER_FQDN>, OU=Engineering, O=IBM, L=Palo Alto, S=California, C=US"

<taddm_dist_dir>external/<jdk-for-platform>/bin/keytool -export -alias collation -noprompt -keystore <taddm_dist_dir>/etc/serverkeys -keypass <ssl-password> -storepass <ssl-password> -file <taddm_dist_dir>/cert.tmp

<taddm_dist_dir>external/<jdk-for-platform>/bin/keytool -delete -alias collation -noprompt -keystore <taddm_dist_dir>/etc/jssecacerts.cert -storepass <ssl-password>

<taddm_dist_dir>external/<jdk-for-platform>/bin/keytool -import -alias collation -noprompt -keystore <taddm_dist_dir>/etc/jssecacerts.cert -keypass <ssl-password> -storepass <ssl-password> -file <taddm_dist_dir>/cert.tmp

where:

<taddm_dist_dir> - the "dist" dir where taddm is installed
<jdk-for-platform> - jdk dir dedicated for Customer's platform
<ssl-password> - value of com.collation.sslpassphrase
<TADDM_SERVER_FQDN> - taddm server fqdn

NOTE: please backup the existing files before:

<taddm_dist_dir>/etc/serverkeys
<taddm_dist_dir>/etc/jssecacerts.cert

Mitigation(s):
If possible access to TADDM server should be restricted to certain selected machines by using e.g. by using iptables. This way the potential attacker must hijack machine allowed to access to conduct MiM attack.

REFERENCES:

• Complete CVSS Guide
• On-line Calculator V2
• CVE-2012-5770
• X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/80354

RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog


ACKNOWLEDGEMENT
None

CHANGE HISTORY
1 March 2013: Original Copy Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.