Security Bulletin: BigFix Platform 9.5.x / 9.2.x affected by multiple vulnerabilities (CVE-2018-0739, CVE-2018-1474, CVE-2018-1476, CVE-2018-1478, CVE-2018-1480, CVE-2018-1481, CVE-2018-1484, CVE-2018-1485)

Summary

The BigFix Platform versions 9.2 and 9.5 are exhibiting vulnerabilities in the following categories: HTTP Response Splitting, Information Exposure, ClickJacking, Session Cookie and Session ID security. These vulnerabilities have been addressed in patch releases 9.2.15 and 9.5.10.

Vulnerability Details

CVEID: CVE-2018-0739

DESCRIPTION: OpenSSL is vulnerable to a denial of service. By sending specially crafted ASN.1 data with a recursive definition, a remote attacker could exploit this vulnerability to consume excessive stack memory.

CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/140847 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

 

CVEID: CVE-2018-1474

DESCRIPTION: IBM BigFix Platform is vulnerable to HTTP response splitting attacks, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information.

CVSS Base Score: 6.1 
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/140692 for the current score 
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

 

CVEID: CVE-2018-1476

DESCRIPTION: The product discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system.

CVSS Base Score:  5.3 
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/140757 for the current score 
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) 

 

CVEID: CVE-2018-1478

DESCRIPTION: IBM BigFix Platform could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim.

CVSS Base Score:  4.3 
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/140760 for the current score
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) 

 

CVEID: CVE-2018-1480

DESCRIPTION: IBM BigFix Platform does not set the 'HttpOnly' attribute on authorization tokens or session cookies. If a cross-site scripting vulnerability also existed, attackers may be able to obtain the cookie values via malicious JavaScript and then hijack the user session.

CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/140762 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N)

 
CVEID: CVE-2018-1481

DESCRIPTION: The product stores sensitive information in URLs. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history.

CVSS Base Score: 3.7 
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/140763 for the current score 
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

 

CVEID: CVE-2018-1484

DESCRIPTION: IBM BigFix Platform does not set the Secure attribute on authorization tokens or session cookies. Attackers may be able to obtain the cookie values by sending an HTTP link to a user or by planting the link in a site the user visits. The cookie will be sent over the insecure link and the attacker can then obtain the cookie value by snooping the traffic.

CVSS Base Score:  3.1 
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/140969 for the current score
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N) 


CVEID: CVE-2018-1485

DESCRIPTION: IBM BigFix Platform does not renew a session variable after a successful authentication, which could lead to a session fixation/hijacking vulnerability. This could force a user to utilize a cookie that may be known to an attacker.

CVSS Base Score:  5.3 
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/140970 for the current score 
CVSS Environmental Score*: Undefined  
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
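The three cookie and framing weaknesses above (CVE-2018-1478, CVE-2018-1480, CVE-2018-1484) can be verified from a Server or Relay response's headers once the upgrade has been applied. The following Python is an added example, not IBM code: it parses a captured header block and reports which of the three protections is missing. The cookie name BESSessionToken, both sample responses and the name-based heuristic for which cookies count as session cookies are constructed assumptions; the bulletin does not name the cookies.

```python
from typing import List, Tuple

# The bulletin speaks of "authorization tokens or session cookies" without
# naming them, so cookies are selected by these substrings (assumption).
SESSION_COOKIE_HINTS = ("session", "token", "auth")


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (lower-cased name, value) pairs from a raw HTTP header block.
    The status line is skipped; repeated headers such as Set-Cookie are kept."""
    pairs = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_response(raw: str) -> List[str]:
    """Return one finding per weakness observed; an empty list means all checks pass."""
    headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if not any(h in cookie_name.lower() for h in SESSION_COOKIE_HINTS):
            continue  # not a session/authorization cookie under our heuristic
        if "httponly" not in attrs:
            findings.append(f"{cookie_name}: missing HttpOnly (CVE-2018-1480)")
        if "secure" not in attrs:
            findings.append(f"{cookie_name}: missing Secure (CVE-2018-1484)")
    # Clickjacking: either legacy X-Frame-Options or a CSP frame-ancestors directive.
    names = {n for n, _ in headers}
    csp = next((v for n, v in headers if n == "content-security-policy"), "")
    if "x-frame-options" not in names and "frame-ancestors" not in csp.lower():
        findings.append("no X-Frame-Options / CSP frame-ancestors (CVE-2018-1478)")
    return findings


# Constructed sample responses (not real BigFix output).
UNPATCHED = """HTTP/1.1 200 OK
Set-Cookie: BESSessionToken=abc123; Path=/
Content-Type: text/html"""

PATCHED = """HTTP/1.1 200 OK
Set-Cookie: BESSessionToken=abc123; Path=/; Secure; HttpOnly
X-Frame-Options: SAMEORIGIN
Content-Type: text/html"""

if __name__ == "__main__":
    for label, raw in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(label, audit_response(raw) or ["OK"])
```

Run the audit against the headers of the Console, Web Reports and REST API endpoints separately, since each is served by a different component in the breakdown below.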

Affected Products and Versions

Affected IBM BigFix Platform    Affected Versions
BigFix Platform                 9.5 - 9.5.9
BigFix Platform                 9.2 - 9.2.14


Remediation/Fixes

Product            VRMF      Remediation / First Fix
BigFix Platform    9.5.10    Apply the upgrade-patch 9.5.10 by looking for the associated upgrade-patch Fixlet in the Console, then launch and apply it.
BigFix Platform    9.2.15    Apply the upgrade-patch 9.2.15 by looking for the associated upgrade-patch Fixlet in the Console, then launch and apply it.

 

CVE-to-Component Breakdown:

CVEs                                                                         Affected Components
CVE-2018-0739, CVE-2018-1476                                                 Server, WebReports and Client
CVE-2018-1474, CVE-2018-1478, CVE-2018-1480, CVE-2018-1484, CVE-2018-1485    Server and Relay
CVE-2018-1481                                                                Server
CVE-2017-1231                                                                All Components


Additionally, after performing the upgrade:

In order to address CVE-2018-1481, a new advanced setting (enableRESTAPIOperatorID) allows you to display operator resource URLs with the operator ID instead of the operator name. To enable the option, set it to true or 1.

For more details about how to specify the advanced settings on both Version 9.2 and Version 9.5, see:

https://www.ibm.com/support/knowledgecenter/SSQL82_9.5.0/com.ibm.bigfix.doc/Platform/Installation/c_list_of_advanced_options.html

In order to address CVE-2018-1476, a new BESAdmin command must be run.

This command allows you to hide the email address of the license assignee in the masthead file.

For 9.2.15 the syntax is: .\BESAdmin.exe /securitysettings /hideFromFieldFromMasthead [/sitePvkFile=<path+license.pvk>] [/sitePassword=<pvk_password>]

For 9.5.10 the syntax is: .\BESAdmin.exe /securitysettings /hideFromFieldFromMasthead [/sitePvkLocation=<path+license.pvk>] [/sitePvkPassword=<pvk_password>]

 

Workarounds and Mitigations

None

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

IBM X-Force Ethical Hacking Team: Warren Moynihan, Jonathan Fitz-Gerald, John Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza

Change History

October 19th, 2018 - Clarified CVE/Component association, added more details for update steps

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: IBM BigFix Platform

Software version: 9.2.0 - 9.2.14, 9.5.0 - 9.5.9

Operating system(s): Platform Independent

Reference #: 0733605

Modified date: 10 December 2018