
Security Bulletin: IBM Endpoint Manager Platform 9.1 is affected by two OpenSSL vulnerabilities, the "POODLE" vulnerability, and two XSS vulnerabilities

Summary

Vulnerabilities have been discovered in the OpenSSL libraries used by IBM Endpoint Manager 9.1. Two of these vulnerabilities could allow attackers to mount a denial-of-service attack, or to mount a man-in-the-middle attack to hijack sessions or obtain sensitive information.
Attackers could also hijack a browser session to gain sensitive session information using the "POODLE" attack.
Attackers could also get sensitive information from the Relay Diagnostics page or Web Reports through XSS vulnerabilities.

Vulnerability Details

An OpenSSL advisory was announced on 15 October 2014. One of the vulnerabilities detailed in this advisory affects IBM Endpoint Manager Platform 9.1.

CVE-ID: CVE-2014-3567

Description: OpenSSL is vulnerable to a denial of service, caused by a memory leak when handling failed session ticket integrity checks. By sending an overly large number of invalid session tickets, an attacker could exploit this vulnerability to exhaust all available memory of an SSL/TLS or DTLS server.

CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97036 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2014-0224

Description: OpenSSL is vulnerable to a man-in-the-middle attack, caused by the use of weak keying material in SSL/TLS clients and servers. A remote attacker could exploit this vulnerability using a specially-crafted handshake to conduct man-in-the-middle attacks to decrypt and modify traffic.


CVSS Base Score: 5.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93586 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVE-ID: CVE-2014-3566

Description: Product could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97013 for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVE-ID: CVE-2014-6137

Description: IBM Endpoint Manager is vulnerable to cross-site scripting, caused by improper validation of user-supplied input in the Relay Diagnostics page. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/96817 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE-ID: CVE-2014-6113

Description: IBM Endpoint Manager is vulnerable to cross-site scripting, caused by improper validation of user-supplied input in the Web Reports page. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/96210 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM Endpoint Manager 9.1 (9.1.1117 and earlier) is affected by these vulnerabilities. Version 9.1.1229 fixes these vulnerabilities.

Remediation/Fixes

If you are using Endpoint Manager 9.1, you should upgrade to version 9.1.1229.

Upgrade fixlets are available in BES Support version 1199
Manual upgrades are available at http://support.bigfix.com/bes/install/downloadbes.html

Workarounds and Mitigations

For the Relay Diagnostics Page vulnerability, users can turn off the diagnostics page. For the other vulnerabilities, there are no workarounds.


References

Complete CVSS v2 Guide
On-line Calculator v2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

The XSS vulnerability in the Relay Diagnostics page was reported to IBM by RedTeam Pentesting GmbH and discovered by Lutz Wolf.

The XSS vulnerability in Web Reports was reported to IBM by 3S Labs.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Change History

11 September 2015 - Removed old CVSS Guide link

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: IBM BigFix family

Software version: 9.1

Operating system(s): Platform Independent

Reference #: 1692516

Modified date: 15 May 2017