Two vulnerabilities in IBM Security Access Manager



Published: 2017-06-06
Risk: Low
Patch available: YES
Number of vulnerabilities: 2
CVE-ID: CVE-2016-3051, CVE-2016-3019
CWE-ID: CWE-264, CWE-261
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
IBM Security Verify Access
Server applications / Remote management servers, RDP, SSH

Vendor: IBM Corporation

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Privilege escalation

EUVDB-ID: #VU6917

Risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-3051

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target server.

The weakness exists due to improper privilege controls. A remote attacker can access some privileged functionality of the server.

Mitigation

Update to version 9.0.3.0.
http://www-01.ibm.com/software/passportadvantage/pacustomers.html

Vulnerable software versions

IBM Security Verify Access: 9.0.0 - 9.0.2

External links

http://www-01.ibm.com/support/docview.wss?uid=swg21995724


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information disclosure

EUVDB-ID: #VU6918

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-3019

CWE-ID: CWE-261 - Weak Cryptography for Passwords

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists due to use of weak cryptographic algorithms for password stash files. A remote attacker can decrypt highly sensitive information.

Successful exploitation of the vulnerability results in password disclosure.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

IBM Security Verify Access: 9.0.0 - 9.0.3

External links

http://www-01.ibm.com/support/docview.wss?uid=swg21988419


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How can the attacker exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


