Two vulnerabilities in IBM Security Access Manager
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2016-3051 CVE-2016-3019 |
| CWE-ID | CWE-264 CWE-261 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
IBM Security Verify Access Server applications / Remote management servers, RDP, SSH |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Privilege escalation
EUVDB-ID: #VU6917
Risk: Low
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-3051
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated attacker to gain elevated privileges on the target server.
The weakness exists due to improper privilege controls. A remote attacker can access some privileged functionality of the server.
Update to version 9.0.3.0.
http://www-01.ibm.com/software/passportadvantage/pacustomers.html
IBM Security Verify Access: 9.0.0 - 9.0.2
External linkshttp://www-01.ibm.com/support/docview.wss?uid=swg21995724
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU6918
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-3019
CWE-ID:
CWE-261 - Weak Cryptography for Passwords
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.
The weakness exists due to use of weak cryptographic algorithms for password stash files. A remote attacker can decrypt highly sensitive information.
Successful exploitation of the vulnerability results in passwords disclosure.
Install update from vendor's website.
IBM Security Verify Access: 9.0.0 - 9.0.3
External linkshttp://www-01.ibm.com/support/docview.wss?uid=swg21988419
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
