Security Bulletin
Summary
Various IBM WebSphere MQ graphical user interface installers are susceptible to a DLL-planting vulnerability where a malicious DLL, that is present in the Windows search path, could be loaded by the operating system in place of the genuine file.
The vulnerability affects Windows executable installers downloaded from IBM before 2nd June 2016.
Vulnerability Details
CVEID: CVE-2016-2542
DESCRIPTION: Flexera InstallShield could allow a remote attacker to execute arbitrary code on the system. The application does not directly specify the fully qualified path to a dynamic-linked library (schannel.dll) when running on Microsoft Windows. By persuading a victim to open a specially-crafted file from a WebDAV or SMB share using a vulnerable application, a remote attacker could exploit this vulnerability via a specially-crafted library to execute arbitrary code on the system.
CVSS Base Score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110914 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2016-4560
DESCRIPTION: Flexera InstallAnywhere could allow a remote attacker to execute arbitrary code on the system. The application does not directly specify the fully qualified path to a dynamic-linked library when running on Microsoft Windows. By persuading a victim to open a specially-crafted file from a WebDAV or SMB share using a vulnerable application, a remote attacker could exploit this vulnerability via a specially-crafted library to execute arbitrary code on the system.
CVSS Base Score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113016 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
The vulnerability affects the executable (.exe file extension) installers, fixpacks and SupportPacs;
- IBM WebSphere MQ for Windows (5.3 - All versions)
- IBM WebSphere MQ for Windows (6.0 - All versions)
- IBM WebSphere MQ for Windows (7.0.0.0 - 7.0.1.13)
- IBM WebSphere MQ for Windows (7.1.0.0 - 7.1.0.7)
- IBM WebSphere MQ for Windows (7.5.0.0 - 7.5.0.6)
- IBM WebSphere MQ for Windows (8.0.0.0 - 8.0.0.4)
- IBM WebSphere MQ Evaluation (8.0.0.0 - 8.0.0.4)
- IBM WebSphere MQ Evaluation (7.5.0.0 - 7.5.0.6)
- IBM WebSphere MQ Evaluation (7.1.0.0 - 7.1.0.7)
- IBM WebSphere MQ File Transfer Edition for Windows (V7.0.0.0 - V7.0.4.4)
- IBM WebSphere MQ File Transfer Edition Trial for Windows (V7.0.0.0 - V7.0.4.4)
- IBM WebSphere MQ Advanced Message Security for Windows (V7.0.1.0 - V7.0.1.3)
- IBM WebSphere MQ Advanced Message Security Trial for Windows (V7.0.1.0 - V7.0.1.3)
- IBM WebSphere MQ for HP NonStop Server V5.3 (Windows Installer V5.3.1.0)
- IBM WebSphere MQ Advanced for Developers (7.5.0.0 - 8.0.0.4)
- MS0T IBM WebSphere MQ Explorer (7.0.1.0 - 8.0.0.4)
- MQC7 IBM WebSphere MQ V7 Clients (All versions)
- MQC71 IBM WebSphere MQ V7.1 Clients (7.1.0.0 - 7.1.0.7)
- MQC75 IBM WebSphere MQ V7.5 Clients (7.5.0.0 - 7.5.0.6)
- MQC8 IBM WebSphere MQ V8 Clients (8.0.0.0 - 8.0.0.4)
Where fixes are available (see below), you should discard any Windows installation images that were downloaded from IBM before 2nd June 2016 and download new images from Fix Central or Passport Advantage.
Remediation/Fixes
The executable installers for the following offerings now contain safeguards to prevent being started in an environment where a malicious DLL could be loaded by the operating system.
The following offerings, and all subsequent levels of maintenance, have the installer fix applied:
- IBM WebSphere MQ for Windows (6.0.2.12)
- IBM WebSphere MQ for Windows (7.0.1.13)
- IBM WebSphere MQ for Windows (7.1.0.7)
- IBM WebSphere MQ for Windows (7.5.0.6)
- IBM WebSphere MQ for Windows (8.0.0.5)
- IBM WebSphere MQ File Transfer Edition for Windows (V7.0.4.5)
- IBM WebSphere MQ Advanced Message Security for Windows (V7.0.1.3)
- IBM WebSphere MQ for HP NonStop Server V5.3 (V5.3.1.0 Manufacturing Refresh)
- MS0T IBM WebSphere MQ Explorer (8.0.0.4)
- MQC71 IBM WebSphere MQ V7.1 Clients (7.1.0.7)
- MQC75 IBM WebSphere MQ V7.5 Clients (7.5.0.6)
- MQC8 IBM WebSphere MQ V8 Clients (8.0.0.5)
You should download these new install images from Fix Central or Passport Advantage where possible, however if older installers must be used, please refer to the workarounds and mitigations detailed below.
Workarounds and Mitigations
The DLL-planting vulnerability only impacts IBM WebSphere MQ for Windows when an interactive installation is attempted via the graphical user interface via executable installer (.exe file extension).
The advanced installation method of IBM WebSphere MQ that uses msiexec offers both an interactive graphical interface, and a command line driven non-interactive installation that is not affected by this vulnerability. To install using msiexec, at the command line, enter the msiexec command in the following format:
msiexec parameters [USEINI=" response-file "] [TRANSFORMS=" transform_file "]
This installation method should be used in preference to running setup.exe. See the links below for detailed information on using this installation method.
Get Notified about Future Security Bulletins
References
Change History
2 June 2016: Original version published
7 June 2016: Corrected spelling of SupportPac
9 June 2016: Remove link to MQC7 SupportPac
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
25 June 2018
UID
swg21978363