
Security Bulletin: IBM Tivoli Application Dependency Discovery Manager (TADDM) could expose password hashes stored in system memory on target Windows systems that are discovered by TADDM

Summary

IBM Tivoli Application Dependency Discovery Manager (TADDM) requires a local service account to communicate with Windows servers (targets) via WMI. When certain authentication methods are used, WMI caches the password hash in memory on each target Windows system. By TADDM design, and in a standard implementation, the service account password is the same for all Windows targets. The cached credential can be read from memory on any target Windows server with open source Windows credential tools such as mimikatz: a local user can run such a tool and view the password hash from memory on that target. This effectively exposes the password for every other Windows target configured for TADDM, and no access to the TADDM server itself is needed. Because the local TADDM service account on each target is a privileged account, a local attacker could potentially gain administrative authority over all target Windows systems.

Vulnerability Details

CVEID: CVE-2018-1675
DESCRIPTION: IBM Tivoli Application Dependency Discovery Manager could expose password hashes stored in system memory on target systems that are configured to use TADDM.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/145110 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

TADDM 7.2.2.0 - 7.2.2.5
TADDM 7.3.0.0 - 7.3.0.5

Remediation/Fixes

There are eFixes prepared on top of the latest released FixPack for each stream.

Fix                                            VRMF     APAR   How to acquire fix
efix_taddm7305_CVE-2018-1675_FP5180802.zip     7.3.0.5  None   Download eFix
efix_taddm7304_CVE-2018-1675_FP420171214.zip   7.3.0.4  None   Download eFix
efix_taddm7303_CVE-2018-1675_FP320160323.zip   7.3.0.3  None   Download eFix
efix_taddm7225_CVE-2018-1675_FP520160209.zip   7.2.2.5  None   Download eFix


Please read the eFix readme in etc/<efix_name>_readme.txt before installing.

For the eFixes on 7.2.2.5, 7.3.0.3 and 7.3.0.4, the following property must be added to collation.properties to configure the eFix:

com.collation.WmiProvider.LogonTypeAllowed=NETWORK

This property accepts a comma-separated list of any of the following keywords, which name the type of Windows logon to be used: NETWORK, BATCH, SERVICE, INTERACTIVE.
When several values are given, their order defines the preference given to each logon type, with the first value being the first preference.
The security issue is resolved by setting the property to "NETWORK" only. A network logon does not leave the service account credential in the target's memory, whereas the other logon types do.

For all of the above eFixes (7.2.2.5, 7.3.0.3, 7.3.0.4 and 7.3.0.5):

The new TADDM WMI Provider files must be updated on each target Windows system, so the following properties need to be configured:

com.collation.platform.os.WindowsOs.AutoDeploy=true

This property enables TADDM to auto-deploy new files to Windows targets. Its default value is true.

com.collation.RestartWmiOnAutoDeploy=true

If a WMI error is encountered during auto-deploy, the target's WMI service needs to be restarted, which this property enables when set to true. Its default value is false. It must be set to true so that the new provider files replace the old files on the target and are then registered.
The property can be set back to false once the TADDM WMI provider has been updated successfully on all Windows targets and discovery succeeds. It can also be set for a specific IP address; for example, for the IP address 1.2.3.4 the following property is configured:

com.collation.RestartWmiOnAutoDeploy.1.2.3.4=true

Note: The default value of the WMI restart property above is false. Setting these values to true may make Windows discovery more reliable, but this must be weighed against the potential negative impact of the WMI service being temporarily stopped and restarted. If the WMI service is restarted, all WMI-dependent services that were running before the restart are also restarted.
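To verify that a TADDM server's collation.properties carries the settings described above, here is an added example (not IBM code and not part of this bulletin): a small Python checker that parses the file and reports which of the bulletin's three properties are missing or weakened. The property names are the bulletin's; the sample fragment is constructed.

```python
# Added example (not IBM code): audit a collation.properties text for the
# settings in this bulletin. Property names are the bulletin's; SAMPLE is constructed.
LOGON_KEY = "com.collation.WmiProvider.LogonTypeAllowed"
AUTODEPLOY_KEY = "com.collation.platform.os.WindowsOs.AutoDeploy"
RESTART_KEY = "com.collation.RestartWmiOnAutoDeploy"

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines; '#'/'!' comment lines ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_efix_config(text):
    """Return findings; an empty list means the config matches the bulletin's instructions."""
    props = parse_properties(text)
    findings = []
    logon = props.get(LOGON_KEY)
    if logon is None:
        findings.append(f"{LOGON_KEY} not set; default logon types may cache the hash on targets")
    else:
        types = [t.strip().upper() for t in logon.split(",") if t.strip()]
        # Any other type, even as a lower preference, still permits a logon that
        # leaves the credential in target memory; only NETWORK alone resolves the issue.
        if types != ["NETWORK"]:
            findings.append(f"{LOGON_KEY} must be exactly NETWORK, found: {logon}")
    # AutoDeploy defaults to true, so only an explicit false blocks the provider update.
    if props.get(AUTODEPLOY_KEY, "true").lower() != "true":
        findings.append(f"{AUTODEPLOY_KEY} is false; new WMI provider files will not deploy")
    # RestartWmiOnAutoDeploy defaults to false; it must be true globally or per target
    # IP (RESTART_KEY.<ip>) while the new provider files are rolled out and registered.
    restart_global = props.get(RESTART_KEY, "false").lower() == "true"
    restart_ips = [k[len(RESTART_KEY) + 1:] for k, v in props.items()
                   if k.startswith(RESTART_KEY + ".") and v.lower() == "true"]
    if not (restart_global or restart_ips):
        findings.append(f"{RESTART_KEY} is false and no per-IP override is set")
    return findings

# Constructed sample fragment: NETWORK logon only, per-IP WMI restart for one target.
SAMPLE = """\
com.collation.WmiProvider.LogonTypeAllowed=NETWORK
com.collation.platform.os.WindowsOs.AutoDeploy=true
com.collation.RestartWmiOnAutoDeploy.1.2.3.4=true
"""
```

Run check_efix_config on the contents of the server's collation.properties; an empty result means the three properties are in the state the bulletin asks for.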

Workarounds and Mitigations

If an eFix is required for any other TADDM version, please contact IBM Support. This fix contains TADDM code, so if you have existing eFixes installed (ls -rlt etc/efix*), open a case for a custom version of this eFix, including your current eFix level, your TADDM version and a link to this bulletin.
The eFix is built to be installed on the FixPack listed above without any previously applied eFixes.

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

27 Nov 2018: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: Tivoli Application Dependency Discovery Manager

Software version: 7.2.2, 7.3

Operating system(s): AIX, Linux, Windows

Reference #: 0742403

Modified date: 28 November 2018