Security Bulletin: IBM Tivoli Application Dependency Discovery Manager (TADDM) could expose password hashes stored in system memory on target Windows systems that are discovered by TADDM
IBM Tivoli Application Dependency Discovery Manager (TADDM) requires a local service account to communicate with Windows servers (targets) via WMI. WMI caches the password hash in memory on each target Windows system when certain authentication methods are used. By TADDM design, and according to the standard implementation, the service account password is the same for all Windows targets. The cached password can be viewed in memory on any target Windows server using open-source Windows credential tools such as "mimikatz". A local user can execute this tool and view the password hash from memory on the target system. This essentially exposes the password for all other Windows targets that are configured to use TADDM. No access to the TADDM server is necessary to view the password. The local TADDM service account on each target system is a privileged account, so a local attacker could potentially gain access and administrative authority on all target Windows systems.
DESCRIPTION: IBM Tivoli Application Dependency Discovery Manager could expose password hashes stored in system memory on target systems that are configured to use TADDM.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/145110 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Affected Products and Versions
TADDM 126.96.36.199 - 188.8.131.52
TADDM 184.108.40.206 - 220.127.116.11
There are eFixes prepared on top of the latest released FixPack for each stream.
Fix | VRMF | APAR | How to acquire fix
Please read the eFix readme in etc/<efix_name>_readme.txt.
For eFixes on 18.104.22.168, 22.214.171.124 and 126.96.36.199, the following property needs to be added to collation.properties to configure this eFix:
This property can be a comma-separated list of any of the following keywords, which stand for the type of Windows logon to be used: NETWORK, BATCH, SERVICE, INTERACTIVE
When multiple comma-separated values are given, their order defines the preference given to each logon type, with the first value being the first preference.
The security issue is resolved by setting the property to "NETWORK".
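As an added example (not IBM's or TADDM's code), a small Python check for the logon-type property described above: it parses a collation.properties text, validates the comma-separated keywords in preference order, and flags any value other than the recommended NETWORK. The property key com.collation.example.windows.logontypes is a hypothetical placeholder, since the bulletin does not give the real name.

```python
import re

# The four logon-type keywords the bulletin lists for the property; the order
# of a comma-separated value is the preference order, first entry first.
VALID_LOGON_TYPES = ("NETWORK", "BATCH", "SERVICE", "INTERACTIVE")

# Hypothetical property key: the bulletin does not give the real name.
LOGON_TYPE_KEY = "com.collation.example.windows.logontypes"


def parse_properties(text):
    """Parse a Java-style .properties text into a dict, skipping comments and blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def parse_logon_types(value):
    """Split the comma-separated value, keeping order; reject unknown keywords."""
    types = [t.strip().upper() for t in value.split(",") if t.strip()]
    unknown = [t for t in types if t not in VALID_LOGON_TYPES]
    if unknown:
        raise ValueError("unknown logon type(s): " + ", ".join(unknown))
    return types


def assess_logon_config(text):
    """Return (status, first_preference); status is 'missing', 'safe' or 'unsafe'."""
    props = parse_properties(text)
    types = parse_logon_types(props.get(LOGON_TYPE_KEY, ""))
    if not types:
        return ("missing", None)
    # The bulletin's fix is the single value NETWORK, so any other entry in the
    # list (at any position) is flagged, not only a non-NETWORK first preference.
    status = "safe" if all(t == "NETWORK" for t in types) else "unsafe"
    return (status, types[0])


# Constructed samples: a preference list that still includes a non-NETWORK
# logon type, and the single value the bulletin gives as the fix.
WEAK_CONFIG = "# constructed sample\n" + LOGON_TYPE_KEY + "=INTERACTIVE,NETWORK\n"
FIXED_CONFIG = LOGON_TYPE_KEY + "=NETWORK\n"
```

Call assess_logon_config() on the contents of collation.properties; a result of ("unsafe", ...) means the eFix property still permits a logon type other than NETWORK.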
For all the above eFixes (188.8.131.52, 184.108.40.206, 220.127.116.11 and 18.104.22.168):
The new TADDM WMI Provider files must be updated on each target Windows system, so the user needs to configure the following properties:
This property enables TADDM to auto-deploy new files to Windows targets. The default value of this property is true.
If any WMI error is encountered during auto-deploy, the target's WMI service needs to be restarted by setting this property to true. By default, its value is false. This property needs to be set to true so that the new provider files replace the old files on the target and are then registered.
This property can be set back to false after the TADDM WMI provider on all Windows targets has been successfully updated and discovery succeeds. This property can also be set for a specific IP address; e.g. for the IP address 22.214.171.124, the following property is to be configured:
Note: The default value for the above WMI restart property is false. Setting these values to true may provide more reliable Windows discovery. This must be weighed against the potential negative impact of the WMI service temporarily being stopped and restarted. If the WMI service is restarted, all WMI-dependent services that were running before the restart are also restarted.
Workarounds and Mitigations
If an eFix is required on any other TADDM version, please contact IBM Support. This fix contains TADDM code; if you have existing eFixes (ls -rlt etc/efix*), open a case for a custom version of this eFix. Include your current eFix level, TADDM version and a link to this bulletin.
The eFix is created to be installed on the above FixPack without any previously applied eFixes.
Get Notified about Future Security Bulletins
27 Nov 2018: Original version published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
More support for:
Tivoli Application Dependency Discovery Manager
Software version: 7.2.2, 7.3
Operating system(s): AIX, Linux, Windows
Reference #: 0742403
Modified date: 28 November 2018