Security Bulletin: BigFix Platform 9.5.x / 9.2.x affected by multiple vulnerabilities (CVE-2018-16839, CVE-2018-16842, CVE-2018-16840, CVE-2019-3823, CVE-2019-3822, CVE-2018-16890, CVE-2019-4011, CVE-2018-2005, CVE-2019-4058, CVE-2019-1559)

Security Bulletin


Summary

There are vulnerabilities in the areas of cross-site scripting, sensitive information readable in process memory, a possible authorization bypass, and in the OpenSSL and libcurl libraries used by BigFix. These are addressed in the BigFix Platform 9.2.18 and 9.5.13 releases.

Vulnerability Details


CVEID: CVE-2018-16839
DESCRIPTION: cURL is vulnerable to a heap-based buffer overflow, caused by an integer overflow in the Curl_auth_create_plain_message function. By sending a specially-crafted request, an attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152298 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-16842
DESCRIPTION: cURL could allow a remote attacker to obtain sensitive information, caused by a heap-based buffer over-read in the display function in the command line tool. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service condition.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152300 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

CVEID: CVE-2018-16840
DESCRIPTION: cURL is vulnerable to a denial of service, caused by a heap use-after-free flaw in the Curl_close function. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152299 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-3823
DESCRIPTION: cURL libcurl could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read when handling certain SMTP responses. An attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/156650 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-3822
DESCRIPTION: cURL libcurl is vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header generates the request HTTP header contents based on previously received data. By sending overly large "nt response" data, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/156651 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2018-16890
DESCRIPTION: cURL libcurl is vulnerable to a stack-based buffer overflow. The function creating an outgoing NTLM type-3 header generates the request HTTP header contents based on previously received data. By sending overly large "nt response" data, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/156649 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-4011
DESCRIPTION: IBM BigFix Platform is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155885 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-2005
DESCRIPTION: IBM BigFix Platform stores potentially sensitive information in process memory that could be read by a local attacker with elevated permissions.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/155007 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2019-4058
DESCRIPTION: IBM BigFix Platform could allow a low-privilege user to manipulate the UI into exposing interface elements and information normally restricted to administrators.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/156570 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2019-1559
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by the failure to immediately close the TCP connection after the hosts encounter a zero-length record with valid padding. An attacker could exploit this vulnerability using a 0-byte record padding-oracle attack to decrypt traffic.
CVSS Base Score: 5.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/157514 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

Affected Products and Versions

Affected Product: BigFix Platform
Affected Versions: 9.2 - 9.2.17

Affected Product: BigFix Platform
Affected Versions: 9.5 - 9.5.12

CVE-to-Component Breakdown

CVE-2018-16839, CVE-2018-16842, CVE-2018-16840, CVE-2019-3823, CVE-2019-3822, CVE-2018-16890: Every BigFix component except the client (these components use libcurl)
CVE-2019-4011: Server
CVE-2018-2005: Console
CVE-2019-4058: Server
CVE-2019-1559: All


Remediation/Fixes

Product: BigFix Platform
VRMF: 9.5.13
Remediation / First fix: Apply the upgrade-patch 9.5.13. Look for the associated upgrade-patch Fixlet in the Console and launch it.

Product: BigFix Platform
VRMF: 9.2.18
Remediation / First fix: Apply the upgrade-patch 9.2.18. Look for the associated upgrade-patch Fixlet in the Console and launch it.

Workarounds and Mitigations

None

Reference

Complete CVSS v2 Guide
On-line Calculator v2

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

IBM X-Force Ethical Hacking Team: Ron Craig, Warren Moynihan, Jonathan Fitz-Gerald, John Zuccato, Rodney Ryan, Chris Shepherd, Dmitriy Beryoza
3rd-Party Reporter: Jakub Palaczynski

Change History

8 May 2019: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: IBM BigFix Platform

Component: Not Applicable

Software version: 9.2, 9.5

Operating system(s): Platform Independent

Reference #: 0881996

Modified date: 16 May 2019