IBM Support

Security Bulletin: BigFix Platform 9.5.x / 9.2.x affected by multiple vulnerabilities (CVE-2018-0732, CVE-2018-0737, CVE-2018-14618, CVE-2018-1000301)

Security Bulletin


Summary

There are vulnerabilities in the OpenSSL and LibcURL libraries used by BigFix. These are addressed in the BigFix Platform 9.5.11 and 9.2.16 releases.

Vulnerability Details

CVEID: CVE-2018-0732

DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by the sending of a very large prime value to the client by a malicious server during key agreement in a TLS handshake. By spending an unreasonably long period of time generating a key for this prime, a remote attacker could exploit this vulnerability to cause the client to hang.

CVSS Base Score: 3.7
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/144658
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

 

CVEID: CVE-2018-0737

DESCRIPTION: OpenSSL could allow a local attacker to obtain sensitive information, caused by a cache-timing side channel attack in the RSA Key generation algorithm. An attacker with access to mount cache timing attacks during the RSA key generation process could exploit this vulnerability to recover the private key and obtain sensitive information.

CVSS Base Score: 3.3
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/141679
for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

 

CVEIDCVE-2018-14618

DESCRIPTION: cURL libcurl is vulnerable to a buffer overflow, caused by an integer overflow flaw in the Curl_ntlm_core_mk_nt_hash internal function in the NTLM authentication code. By sending an overly long password, a remote attacker could overflow a buffer and execute arbitrary code and cause the application to crash.

CVSS Base Score: 9.8
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/149359 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

 

CVE-ID: CVE-2018-1000301

DESCRIPTION: curl is vulnerable to a denial of service, caused by heap-based buffer over-read. By sending a specially crafted RTSP response, a remote attacker could overflow a buffer and possibly obtain sensitive information or cause the application to crash.

CVSS Base Score: 6.5
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/143390 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

Affected Products and Versions

Affected IBM BigFix Platform

Affected Versions
BigFix Platform
9.5 - 9.5.10
BigFix Platform
9.2 - 9.2.15

 

Remediation/Fixes

VRMF
Remediation / First Fix
9.5.11
Apply the upgrade-patch 9.5.11 by looking for the associated upgrade-patch Fixlet in the Console, then launch and apply it.
9.2.16

Apply the upgrade-patch 9.2.16 by looking for the associated upgrade-patch Fixlet in the Console, then launch and apply it.

 

CVE-to-Component Breakdown

CVEs

Affected Components

CVE-2018-0732,CVE-2018-0737

All

CVE-2018-14618

Any BigFix component except for the agent uses libcurl. Based on the vulnerability description, only relays can be potentially used to exploit it in environments using NTLM authentication.

CVE-2018-1000301

Any BigFix component except for the agent uses libcurl. Purpose built custom content can allow to potentially exploit this vulnerability on any component using libcurl.

 

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Reference

Complete CVSS v2 Guide
On-line Calculator v2

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

We appreciate the efforts of the IBM X-Force Ethical Hacking Team (Warren Moynihan, Jonathan Fitz-Gerald, John Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza) in discovering these issues.

Change History

December 2018: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: IBM BigFix Platform

Component: Not Applicable

Software version: 9.2, 9.5

Operating system(s): Platform Independent

Reference #: 0743283

Modified date: 20 December 2018