Multiple vulnerabilities in IBM Cloud Pak for Automation



Published: 2022-09-22
Risk High
Patch available YES
Number of vulnerabilities 5
CVE-ID CVE-2021-23018
CVE-2021-23017
CVE-2021-23021
CVE-2021-23020
CVE-2021-23019
CWE-ID CWE-319
CWE-193
CWE-276
CWE-338
CWE-312
Exploitation vector Network
Public exploit Public exploit code for vulnerability #2 is available.
Vulnerable software
Subscribe
IBM Cloud Pak for Business Automation
Server applications / Other server solutions

Vendor IBM Corporation

Security Bulletin

This security bulletin contains information about 5 vulnerabilities.

1) Cleartext transmission of sensitive information

EUVDB-ID: #VU67564

Risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-23018

CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the services within the NGINX Controller namespace are using cleartext protocols inside the cluster. A remote attacker with ability to intercept network traffic can gain access to sensitive data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Cloud Pak for Business Automation: before 22.0.1.1

CPE2.3
External links

http://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-f5-nginx-controller-affect-ibm-cloud-pak-for-automation/
http://www.ibm.com/support/pages/node/6473495


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Off-by-one

EUVDB-ID: #VU53543

Risk: High

CVSSv3.1: 7.3 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2021-23017

CWE-ID: CWE-193 - Off-by-one Error

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to an off-by-one error within the ngx_resolver_copy() function when processing DNS responses. A remote attacker can trigger an off-by-one error, write a dot character (‘.’, 0x2E) out of bounds in a heap allocated buffer and execute arbitrary code on the system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

The vulnerability can be triggered by a DNS response in reply to a DNS request from nginx when the resolver primitive is configured. A specially crafted packet allows overwriting the least significant byte of next heap chunk metadata with 0x2E.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Cloud Pak for Business Automation: before 22.0.1.1

CPE2.3
External links

http://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-f5-nginx-controller-affect-ibm-cloud-pak-for-automation/
http://www.ibm.com/support/pages/node/6473495


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Incorrect default permissions

EUVDB-ID: #VU53576

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-23021

CWE-ID: CWE-276 - Incorrect Default Permissions

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions for agent configuration file /etc/controller-agent/agent.conf. A local user with access to the system can obtain sensitive information, such as the API key.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Cloud Pak for Business Automation: before 22.0.1.1

CPE2.3
External links

http://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-f5-nginx-controller-affect-ibm-cloud-pak-for-automation/
http://www.ibm.com/support/pages/node/6473495


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

EUVDB-ID: #VU53577

Risk: Low

CVSSv3.1: 4.5 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-23020

CWE-ID: CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Exploit availability: No

Description

The vulnerability allows a local user to bypass implemented security restrictions.

the vulnerability exists due to the NAAS API keys are generated using an insecure pseudo-random string and hashing algorithm. A local user can potentially generate a valid user key.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Cloud Pak for Business Automation: before 22.0.1.1

CPE2.3
External links

http://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-f5-nginx-controller-affect-ibm-cloud-pak-for-automation/
http://www.ibm.com/support/pages/node/6473495


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Cleartext storage of sensitive information

EUVDB-ID: #VU53575

Risk: High

CVSSv3.1: 7.4 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-23019

CWE-ID: CWE-312 - Cleartext Storage of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the NGINX Controller Administrator password is exposed via the
systemd.txt file that is included in the NGINX support package. An attacker, who can obtain the support package can retrieve administrator's password and gain unauthorized access to the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Cloud Pak for Business Automation: before 22.0.1.1

CPE2.3
External links

http://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-f5-nginx-controller-affect-ibm-cloud-pak-for-automation/
http://www.ibm.com/support/pages/node/6473495


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###