Multiple vulnerabilities in IBM MaaS360 Cloud Extender and Modules
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 11 |
| CVE-ID | CVE-2021-22890 CVE-2021-22876 CVE-2021-23839 CVE-2021-23840 CVE-2021-23841 CVE-2020-1971 CVE-2021-20227 CVE-2020-15078 CVE-2021-22897 CVE-2021-22901 CVE-2021-22898 |
| CWE-ID | CWE-300 CWE-200 CWE-310 CWE-20 CWE-476 CWE-416 CWE-287 CWE-326 CWE-457 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #6 is available. |
| Vulnerable software Subscribe |
IBM MaaS360 Cloud Extender Agent Server applications / Other server solutions IBM MaaS360 Ceriticate Integration Module Other software / Other software solutions IBM MaaS360 Base Module Other software / Other software solutions IBM MaaS360 VPN Module Server applications / Remote access servers, VPN |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 11 vulnerabilities.
1) Man-in-the-Middle (MitM) attack
EUVDB-ID: #VU51822
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-22890
CWE-ID:
CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to an error when handling TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. The reason for this confusion is the modified sequence from TLS 1.2 when the session ids would provided only during the TLS handshake, while in TLS 1.3 it happens post hand-shake and the code was not updated to take that changed behavior into account.
When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed.
This flaw can allow a malicious HTTPS proxy to MITM the traffic. Such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM MaaS360 Cloud Extender Agent: before 2.105.300.005
IBM MaaS360 Ceriticate Integration Module: before 2.105.300.005
IBM MaaS360 VPN Module: before 2.105.300.005
IBM MaaS360 Base Module: before 2.105.300.005
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-was-identified-and-remediated-in-the-ibm-maas360-cloud-extender-v2-103-000-051-and-modules/
http://www.ibm.com/support/pages/node/6479935
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU51821
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-22876
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to libcurl does not strip off user credentials from the URL when automatically populating the Referer:
HTTP request header field in outgoing HTTP requests and therefore
risks leaking sensitive data to the server that is the target of the
second HTTP request.
Install update from vendor's website.
Vulnerable software versionsIBM MaaS360 Cloud Extender Agent: before 2.105.300.005
IBM MaaS360 Ceriticate Integration Module: before 2.105.300.005
IBM MaaS360 VPN Module: before 2.105.300.005
IBM MaaS360 Base Module: before 2.105.300.005
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-was-identified-and-remediated-in-the-ibm-maas360-cloud-extender-v2-103-000-051-and-modules/
http://www.ibm.com/support/pages/node/6479935
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Cryptographic issues
EUVDB-ID: #VU50744
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-23839
CWE-ID:
CWE-310 - Cryptographic Issues
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a MitM attack.
The vulnerability exists due to a faulty implementation of the padding check when server is configured to support SSLv2 protocol. A remote attacker can perform a MitM attack and force the server to use less secure protocols.
Install update from vendor's website.
Vulnerable software versionsIBM MaaS360 Cloud Extender Agent: before 2.105.300.005
IBM MaaS360 Ceriticate Integration Module: before 2.105.300.005
IBM MaaS360 VPN Module: before 2.105.300.005
IBM MaaS360 Base Module: before 2.105.300.005
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-was-identified-and-remediated-in-the-ibm-maas360-cloud-extender-v2-103-000-051-and-modules/
http://www.ibm.com/support/pages/node/6479935
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU50745
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-23840
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input during EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate calls. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM MaaS360 Cloud Extender Agent: before 2.105.300.005
IBM MaaS360 Ceriticate Integration Module: before 2.105.300.005
IBM MaaS360 VPN Module: before 2.105.300.005
IBM MaaS360 Base Module: before 2.105.300.005
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-was-identified-and-remediated-in-the-ibm-maas360-cloud-extender-v2-103-000-051-and-modules/
http://www.ibm.com/support/pages/node/6479935
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) NULL pointer dereference
EUVDB-ID: #VU50740
Risk: Medium
CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-23841
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error within the X509_issuer_and_serial_hash() function when parsing the issuer field in the X509 certificate. A remote attacker can supply a specially crafted certificate, trigger a NULL pointer dereference error and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM MaaS360 Cloud Extender Agent: before 2.105.300.005
IBM MaaS360 Ceriticate Integration Module: before 2.105.300.005
IBM MaaS360 VPN Module: before 2.105.300.005
IBM MaaS360 Base Module: before 2.105.300.005
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-was-identified-and-remediated-in-the-ibm-maas360-cloud-extender-v2-103-000-051-and-modules/
http://www.ibm.com/support/pages/node/6479935
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) NULL pointer dereference
EUVDB-ID: #VU48896
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2020-1971
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via the API functions TS_RESP_verify_response and TS_RESP_verify_token). If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack.
Install update from vendor's website.
Vulnerable software versionsIBM MaaS360 Cloud Extender Agent: before 2.105.300.005
IBM MaaS360 Ceriticate Integration Module: before 2.105.300.005
IBM MaaS360 VPN Module: before 2.105.300.005
IBM MaaS360 Base Module: before 2.105.300.005
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-was-identified-and-remediated-in-the-ibm-maas360-cloud-extender-v2-103-000-051-and-modules/
http://www.ibm.com/support/pages/node/6479935
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
7) Use-after-free
EUVDB-ID: #VU51834
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-20227
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows an attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing SELECT queries in "src/select.c" if a subquery with both a correlated WHERE clause and a "HAVING 0" clause is used and the parent query is an aggregate. A remote attacker can execute a specially crafted query to trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM MaaS360 Cloud Extender Agent: before 2.105.300.005
IBM MaaS360 Ceriticate Integration Module: before 2.105.300.005
IBM MaaS360 VPN Module: before 2.105.300.005
IBM MaaS360 Base Module: before 2.105.300.005
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-was-identified-and-remediated-in-the-ibm-maas360-cloud-extender-v2-103-000-051-and-modules/
http://www.ibm.com/support/pages/node/6479935
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Improper authentication
EUVDB-ID: #VU52479
Risk: Medium
CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-15078
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in when processing authentication requests. A remote attacker can bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.
Under certain circumstances an attacker can trick the server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup. In combination with "--auth-gen-token" or a user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM MaaS360 Cloud Extender Agent: before 2.105.300.005
IBM MaaS360 Ceriticate Integration Module: before 2.105.300.005
IBM MaaS360 VPN Module: before 2.105.300.005
IBM MaaS360 Base Module: before 2.105.300.005
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-was-identified-and-remediated-in-the-ibm-maas360-cloud-extender-v2-103-000-051-and-modules/
http://www.ibm.com/support/pages/node/6479935
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Inadequate encryption strength
EUVDB-ID: #VU53584
Risk: Low
CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-22897
CWE-ID:
CWE-326 - Inadequate Encryption Strength
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to force applications use weak cryptographic ciphers.
The vulnerability exists due to a logic error when selecting TLS ciphers during connection via the CURLOPT_SSL_CIPHER_LIST option in libcurl. The selected cipher set was stored in a single "static" variable in the library that is used for multiple concurrent transfers within the specific application, the last one that sets the ciphers will accidentally control the set used by all transfers.
The vulnerability can be triggered when Schannel is used, which is the native TLS library in Microsoft Windows.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM MaaS360 Cloud Extender Agent: before 2.105.300.005
IBM MaaS360 Ceriticate Integration Module: before 2.105.300.005
IBM MaaS360 VPN Module: before 2.105.300.005
IBM MaaS360 Base Module: before 2.105.300.005
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-was-identified-and-remediated-in-the-ibm-maas360-cloud-extender-v2-103-000-051-and-modules/
http://www.ibm.com/support/pages/node/6479935
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Use-after-free
EUVDB-ID: #VU53589
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-22901
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to crash the application or compromise the vulnerable system.
The vulnerability exists due to a use-after-free error when processing creation of new TLS sessions or during client certificate negotiation. A remote attacker can force the application to connect to a malicious server, trigger a use-after-free error and crash the application.
Remote code execution is also possible if the application can be forced to initiate multiple transfers with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection in order to inject a crafted memory content into the correct place in memory.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system but requires that libcurl is using OpenSSL.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM MaaS360 Cloud Extender Agent: before 2.105.300.005
IBM MaaS360 Ceriticate Integration Module: before 2.105.300.005
IBM MaaS360 VPN Module: before 2.105.300.005
IBM MaaS360 Base Module: before 2.105.300.005
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-was-identified-and-remediated-in-the-ibm-maas360-cloud-extender-v2-103-000-051-and-modules/
http://www.ibm.com/support/pages/node/6479935
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Use of uninitialized variable
EUVDB-ID: #VU53587
Risk: Medium
CVSSv3.1: 4.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-22898
CWE-ID:
CWE-457 - Use of Uninitialized Variable
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to usage of uninitialized variable in code, responsible for processing TELNET requests when parsing NEW_ENV variables. A remote attacker can force the affected application to connect to a telnet server under attackers control and read up to 1800 bytes from the uninitialized memory on the libcurl client system.
Proof of concept:
curl telnet://example.com -tNEW_ENV=a,bbbbbb (256 'b's)Install update from vendor's website.
Vulnerable software versionsIBM MaaS360 Cloud Extender Agent: before 2.105.300.005
IBM MaaS360 Ceriticate Integration Module: before 2.105.300.005
IBM MaaS360 VPN Module: before 2.105.300.005
IBM MaaS360 Base Module: before 2.105.300.005
External linkshttp://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-was-identified-and-remediated-in-the-ibm-maas360-cloud-extender-v2-103-000-051-and-modules/
http://www.ibm.com/support/pages/node/6479935
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
