> $fedora_repo_file
105 [fedora]
106 name=Fedora
107 metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-33&arch=x86_64
108 enabled=1
109 gpgcheck=0
110
111 [fedora-updates]
112 name=Fedora Updates
113 metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f33&arch=x86_64
114 enabled=1
115 gpgcheck=0
116 EOT
It was confirmed that this configuration appears in the verify-access-runtime instance in the live system:
[root@container-01]# for i in $(podman ps | grep -v NAMES | awk '{ print $1 }'); do podman ps | grep $i; podman exec -it $i cat /etc/yum.repos.d/centos.repo;echo;done
4262005f3646 ibmcom/verify-access/10.0.4.0:20221006.1 7 hours ago Up 7 hours ago (healthy) 0.0.0.0:7443->9443/tcp verify-access
cat: /etc/yum.repos.d/centos.repo: No such file or directory
c930c46acd66 ibmcom/verify-access-runtime/10.0.4.0:20221006.1 7 hours ago Up 7 hours ago (healthy) 0.0.0.0:9443->9443/tcp verify-access-runtime
name = CentOS-8 - Base
baseurl = http://mirror.centos.org/centos/8-stream/BaseOS/x86_64/os
gpgcheck = 0
enabled = 1
[CentOS-8_appstream]
name = CentOS-8 - AppStream
baseurl = http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os
gpgcheck = 0
enabled = 1
48f1b1e8f782 ibmcom/verify-access-dsc/10.0.4.0:20221006.1 7 hours ago Up 7 hours ago (healthy) 0.0.0.0:8443-8444->8443-8444/tcp verify-access-dsc
cat: /etc/yum.repos.d/centos.repo: No such file or directory
[root@container-01]#
Furthermore, the script `/usr/sbin/install_system.sh` will insecurely download programs and install them as root, using the previous insecure repositories:
[code:shell]
48 # Install tools required for container build process.
49 #
50
51 microdnf -y install unzip shadow-utils jansson openssl libxslt \
52 libnsl2 gzip cpio tar
[...]
55 # We have an issue where RedHat periodically introduces a dependency on
56 # openssl-pkcs11. We don't actually need this package and so we manually remove
57 # it if it has been installed.
58 #
59
60 if [ `rpm -q -a | grep openssl-pkcs11 | wc -l` -ne 0 ] ; then
61 rpm --erase openssl-pkcs11
62 fi
[...]
70 rpms=""
71 for lang in en cs de es fi fr hu it ja ko nl pl pt ru zh; do
72 rpms="$rpms glibc-langpack-$lang"
73 done
[...]
122 microdnf -y install busybox
[/code]
## Details - Additional repository configuration (potential supply-chain attack)
It was observed that the Docker images verify-access-runtime and verify-access-wrp use a third-party repository configuration, obtained when retrieving the external file at `https://repo.symas.com/configs/SOFL/rhel8/sofl.repo`:
Content of `/usr/sbin/install_system.sh`:
[code:shell]
47 #
48 # Install OpenLDAP. This is no longer provided by CentOS.
49 #
50
51 sofl_repo_file="/etc/yum.repos.d/sofl.repo"
52
53 curl https://repo.symas.com/configs/SOFL/rhel8/sofl.repo \
54 -o $sofl_repo_file
[/code]
It was confirmed that this configuration appears in the verify-access-runtime instance in the live system:
[isam@verify-access-runtime /]$ cat /etc/yum.repos.d/sofl.repo
[sofl]
name=Symas OpenLDAP for Linux RPM repository
baseurl=https://repo.symas.com/repo/rpm/SOFL/rhel8
gpgkey=https://repo.symas.com/repo/gpg/RPM-GPG-KEY-symas-com-signing-key
gpgcheck=1
enabled=1
[isam@verify-access-runtime /]$
When reading the `/usr/sbin/install_system.sh` script, this repository is used to install an additional package, without checking the signature:
[code:shell]
58 #
59 # We want to manually install the openldap server RPM as microdnf pulls
60 # in a whole heap of dependencies which we don't require.
61 #
62
63 baseurl=`grep baseurl $sofl_repo_file | cut -f 2 -d '='`/x86_64
64 version=`rpm -q --qf "%{VERSION}-%{RELEASE}" symas-openldap`
65 rpmfile=/tmp/openldap.rpm
66
67 curl $baseurl/symas-openldap-servers-$version.x86_64.rpm -o $rpmfile
68
69 rpm -i --nodeps $rpmfile
70
71 rm -f $rpmfile
[/code]
There is a potential supply-chain attack and this dependency is not documented.
## Details - Remote Code Execution due to insecure /usr/sbin/install_system.sh script in verify-access-runtime
It was observed that the Docker image verify-access-runtime uses a highly insecure `/usr/sbin/install_system.sh` script.
With the 2 previous vulnerabilities already explained in Additional repository configuration (potential supply-chain attack) and
Remote Code Execution due to insecure download of rpm and zip files in verify-access-dsc, verify-access-runtime and verify-access-wrp (/usr/sbin/install_isva.sh),
this version adds 2 new vulnerabilities:
- - Installation of 3 packages downloaded over HTTP without checking the signature (lines 82, 84 and 90); and
- - Replacement of `/usr/share/java/postgresql-jdbc/postgresql.jar` using a postgresql.jar file directly retrieved over HTTP (line 99) and with `-k` (aka `--insecure`).
Content of `/usr/sbin/install_system.sh`:
[code:shell]
73 #
74 # For the postgresql packages we need to download and install manually so
75 # that we don't also pull in all of the unnecessary dependencies.
76 #
77
78 centos_base=http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os/Packages/
79
80 rpms=/tmp/rpms.txt
81
82 curl http://mirror.centos.org/centos/8-stream/AppStream/x86_64/os/Packages/ -o $rpms
83
84 for pkg in postgresql-12 postgresql-server-12 postgresql-jdbc-42; do
85 rpm_file=`grep $pkg $rpms | tail -n 1 | \
86 sed 's|.*href="||g' | cut -f 1 -d '"'`
87
88 echo "Installing: $rpm_file"
89
90 rpm -i --nodeps $centos_base/$rpm_file
91 done
92
93 rm -f $rpms
94
95 #
96 # Need a more current jar then what is part of the postges-jdbc rpm
97 #
98 postgres_jar=`locate_file postgresql-.*.jar`
99 curl -kv ${WEBSERVER}/$postgres_jar -o /usr/share/java/postgresql-jdbc/postgresql.jar
[/code]
An attacker located on the network (local network or any Internet router located between the instance and the remote mirror.centos.org server) can inject malicious rpm or a malicious .jar file and take control over the entire platform.
Note that IBM does not consider this vulnerability since the script is supposed to be executed in a secure network.
## Details - Remote Code Execution due to insecure reload script in verify-access-runtime
It was observed that the Docker image verify-access-runtime uses a highly insecure reload script.
An attacker located on the network can inject a malicious snapshot file into the platform or MITM the connection to a server containing the snapshot image and take control over the entire platform.
This script is defined at the end of the `/usr/sbin/install_system.sh` script:
Content of `/usr/sbin/install_system.sh` in verify-access-runtime:
[code:shell]
239 #
240 # Ensure that the reload script is executable.
241 #
242
243 mv /sbin/reload.sh /sbin/runtime_reload
244
245 chmod 755 /sbin/runtime_reload
[/code]
Analysis of `/sbin/runtime_reload`:
The function `download_from_cfgsvc()` is insecure as the curl command uses the `-k` option (as known as `--insecure`) to download and install a snapshot into the instance: any invalid SSL certificate for the remote server will be accepted because of the `-k` option.
We can also see that Postgres does not have passwords in line 144, already found in [Lack of authentication in Postgres inside verify-access-runtime](#no-auth-postgres).
[code:shell]
67 #############################################################################
68 # Attempt to download the snapshot from the configuration service.
69
70 download_from_cfgsvc()
71 {
72 # No need to download the snapshot if the configuration service has not
73 # been defined.
74 if [ -z "$CONFIG_SERVICE_URL" ] ; then
75 return
76 fi
77
78 if [ $1 -eq 1 ] ; then
79 Echo 960
80 fi
81
82 curl -k -s --fail -u "$CONFIG_SERVICE_USER_NAME:$CONFIG_SERVICE_USER_PWD" \
83 "$CONFIG_SERVICE_URL/snapshots/`basename $snapshot`?type=File" \
84 -o $snapshot
85
86 if [ $? -ne 0 ] ; then
87 if [ $1 -eq 1 ] ; then
88 Echo 961
89 fi
90
91 rm -f $snapshot
92 else
93 Echo 962
94 fi
95 }
[...]
97 #############################################################################
98 # Main line.
99
100 #
101 # Download the snapshot file.
102 #
103
104 download_from_cfgsvc 1
[...]
127 #
128 # Update the configuration database.
129 #
130
131 Echo 997
132
133 db_root=/var/postgresql/config
134 db_snapshot=$db_root/snapshot.sql
135 db_port=5432
136 db_name=config
137 db_user=www-data
138
139 if [ ! -f $db_snapshot ] ; then
140 Echo 975
141 exit 1
142 fi
143
144 psql -U $db_user -d $db_name -p $db_port -f $db_snapshot -q -b -w
[/code]
## Details - Remote Code Execution due to insecure reload script in verify-access-wrp
It was observed that the Docker image verify-access-wrp uses a highly insecure reload script.
An attacker located on the network can inject a malicious snapshot file into the platform or MITM the connection to a server containing the snapshot image and take control over the entire platform. He can also overwrite any file present in the verify-access-wrp docker instance (getting a Remote Code Execution).
This script is defined at the end of the `/usr/sbin/install_system.sh` script:
Content of `/usr/sbin/install_system.sh` in verify-access-wrp:
[code:shell]
210 #
211 # Ensure that the restart script is executable.
212 #
213
214 mv /sbin/restart.sh /sbin/wrprestart
215
216 chmod 755 /sbin/wrprestart
[/code]
Analysis of `/sbin/wrprestart`:
The function `download_from_cfgsvc()` is insecure as the curl command uses the `-k` option (as known as `--insecure`) to download and install a snapshot into the instance: any invalid SSL certificate for the remote server will be accepted because of the `-k` option.
The `openldap.zip` file found in the malicious snapshot file will then be decrypted using a previously found hardcoded key and extracted into the `/` directory (line 154 and 156) and openldap will be restarted with the new configuration file, allowing an attacker to get a Remote Code Execution by specifying a malicious `slapd.conf` file (stored inside `openldap.zip`, in `etc/openldap/slapd.conf`).
Since the extraction of `openldap.zip` takes place in `/`, it is also possible to overwrite any file as root (and get Remote Code Execution, e.g. by replacing a program).
[code:shell]
85 #############################################################################
86 # Attempt to download the snapshot from the configuration service.
87
88 download_from_cfgsvc()
89 {
90 # No need to download the snapshot if the configuration service has not
91 # been defined.
92 if [ -z "$CONFIG_SERVICE_URL" ] ; then
93 return
94 fi
95
96 if [ $1 -eq 1 ] ; then
97 Echo 960
98 fi
99
100 curl -k -s --fail -u "$CONFIG_SERVICE_USER_NAME:$CONFIG_SERVICE_USER_PWD" \
101 "$CONFIG_SERVICE_URL/snapshots/`basename $snapshot`?type=File" \
102 -o $snapshot
103
104 if [ $? -ne 0 ] ; then
105 if [ $1 -eq 1 ] ; then
106 Echo 961
107 fi
108
109 rm -f $snapshot
110 else
111 Echo 962
112 fi
113 }
[...]
137 #############################################################################
138 # Process the OpenLDAP configuration and then restart the OpenLDAP server.
139
140 restart_openldap_server()
141 {
142 # Check to see whether the embedded LDAP server has been enabled or
143 # not.
144 ldap_conf="/var/PolicyDirector/etc/ldap.conf"
145 ldap_host=`$pdconf -f $ldap_conf getentry ldap host`
146
147 if [ "$ldap_host" != "127.0.0.1" ] ; then
148 return
149 fi
150
151 Echo 964
152
153 # Decrypt and extract the LDAP configuration.
154 isva_decrypt $snapshot_tmp_dir/openldap.zip
155
156 unzip -q -o $snapshot_tmp_dir/openldap.zip -d /
157
158 # Change the LDAP port from 389 to 6389 (389 is a privileged port).
159 $pdconf -f $ldap_conf setentry ldap port 6389
160
161 # Stop the LDAP server.
162 busybox killall -SIGHUP slapd
163
164 while $(busybox killall -0 slapd 2>/dev/null); do
165 sleep 1
166 done
167
168 # Start the LDAP server.
169 slapd -4 -f /etc/openldap/slapd.conf -h ldap://127.0.0.1:6389 -s 0
170 }
[...]
260 #############################################################################
261 # Main line.
262
263 #
264 # Attempt to download the configuration data from the configuration service.
265 #
266
267 #
268 # Wait for the snapshot file.
269 #
270
271 download_from_cfgsvc 1
[...]
305 #
306 # Restart the OpenLDAP server.
307 #
308
309 restart_openldap_server
[/code]
## Details - Hardcoded private key for IBM ISS (ibmcom/verify-access)
It was observed that the ibmcom/verify-access Docker image contains a hardcoded private key used by the license client iss-lum:
kali-docker# pwd
/home/user/ibmcom/_verify-access.tar/698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/etc/lum
kali-docker# ls -al
total 492
drwxr-xr-x 2 root root 4096 Jun 8 01:43 .
drwxr-xr-x 25 root root 4096 Jun 8 04:09 ..
-rwxr-xr-x 1 root root 1296 Oct 20 2016 externalTrustSettings.xml
-rwxr-xr-x 1 root root 445080 Oct 20 2016 iss-external.kdb
-rwxr-xr-x 1 root root 129 Oct 20 2016 iss-external.sth
-rwxr-xr-x 1 root root 100 Oct 20 2016 iss-lum.conf
-rwxr-xr-x 1 root root 3649 Oct 20 2016 isslum-usLocalSettings.xml
-rwxr-xr-x 1 root root 725 Oct 20 2016 lum_triggers.conf
-rwxr-xr-x 1 root root 1858 Oct 20 2016 private.pem
-rwxr-xr-x 1 root root 451 Oct 20 2016 public.pem
-rwxr-xr-x 1 root root 3926 Oct 20 2016 .udrc
-rwxr-xr-x 1 root root 806 Oct 20 2016 update-settings.conf
-rwxr-xr-x 1 root root 7352 Oct 20 2016 update-status.xsd
-rwxr-xr-x 1 root root 561 Jun 8 01:32 UpdateTypeNames.config
-rwxr-xr-x 1 root root 0 Dec 31 1969 .wh..wh..opq
kali-docker# sha256sum private.pem public.pem
e1ecbd519ef838861cb0fe5e5daad88f90b9b2c154a936daf7f08855039b0c1d private.pem
3a6bbfef0af62c277cbe7b7fbc061b6a11b01e9ff61bba7bfe7edcaaeae3cd20 public.pem
When analyzing the podman instance verify-access, we can confirm the key has not been updated:
[isam@verify-access lum]$ sha256sum private.pem public.pem
e1ecbd519ef838861cb0fe5e5daad88f90b9b2c154a936daf7f08855039b0c1d private.pem
3a6bbfef0af62c277cbe7b7fbc061b6a11b01e9ff61bba7bfe7edcaaeae3cd20 public.pem
[isam@verify-access lum]$
The private key appears to be used by several programs:
- - /opt/dca/bin/dcatool
- - /usr/bin/isslum-modstatus
- - /usr/sbin/iss-lum
- - /usr/sbin/mesa_config
- - /usr/sbin/mesa_eventsd
- - /usr/sbin/isslum-installer
The license client is using outdated codes and may contain vulnerabilities.
The keys are hardcoded and have not been updated for 6 years, which brings a question how the license client is being maintained.
## Details - dcatool using an outdated OpenSSL library (ibmcom/verify-access)
It was observed that the `dcatool` program located in `/opt/dca/bin` is linked with an outdated OpenSSL library located in the non-standard directory `/opt/dca/lib`:
- From a live system:
[isam@verify-access bin]$ pwd
/opt/dca/bin
[isam@verify-access bin]$ ls -la
total 580
drwxr-xr-x 2 root root 4096 Jun 8 13:43 .
drwxr-xr-x 4 root root 4096 Jun 8 13:43 ..
-rwxr-xr-x 1 root root 373208 Jun 8 13:31 dcatool
-rwxr-xr-x 1 root root 207872 Jun 8 13:31 dcaupdate
[isam@verify-access bin]$ ldd dcatool | grep ssl
libssl.so.10 => /opt/dca/lib/libssl.so.10 (0x00007fafcfb1e000)
libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007fafcda45000)
[isam@verify-access bin]$ ldd dcaupdate | grep ssl
libssl.so.10 => /opt/dca/lib/libssl.so.10 (0x00007fe04980d000)
libssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007fe047734000)
Analysis of the library:
[isam@verify-access lib]$ pwd
/opt/dca/lib
[isam@verify-access lib]$ ls -la
total 4156
drwxr-xr-x 2 root root 4096 Jun 8 13:43 .
drwxr-xr-x 4 root root 4096 Jun 8 13:43 ..
-rwxr-xr-x 1 root root 1252080 Jun 8 13:31 libboost_regex.so.1.53.0
-rwxr-xr-x 1 root root 2521496 Jun 8 13:31 libcrypto.so.10
lrwxrwxrwx 1 root root 24 Jun 8 13:43 libicudata.so.54 -> /usr/lib64/libicudata.so
lrwxrwxrwx 1 root root 24 Jun 8 13:43 libicui18n.so.54 -> /usr/lib64/libicui18n.so
lrwxrwxrwx 1 root root 22 Jun 8 13:43 libicuuc.so.54 -> /usr/lib64/libicuuc.so
-rwxr-xr-x 1 root root 470328 Jun 8 13:31 libssl.so.10
[isam@verify-access lib]$ sha256sum *so*
a4b9594f78c0e5cfa14c171e07ae439dccd0ef990db8c4b155c68fde43a8d9a9 libboost_regex.so.1.53.0
8db48d5bcf1ddf6a8a4033de04827288b33af36d246c73ba46041365a61c697c libcrypto.so.10
07796e84fc3618a64259cfff7a896e57fc90f6b270d690d953f4792c2b7e21ac libicudata.so.54
49e6f6b12d118118c7d17cec26f80c81b39c89ea01a30eaf26abb07859d909fe libicui18n.so.54
1504c73f432bc24414c0ca69d29bdb04c04ba2269b752c320306cb25aadd5972 libicuuc.so.54
523ad80dd3cd9afe19bbb83eb22b11ba43b0dc907a3893a38569023ef7b382f0 libssl.so.10
[isam@verify-access lib]$
We can retrieve these 2 libraries inside the `ibmcom/verify-access` image and identify the version of OpenSSL:
kali-docker# sha256sum **/libssl.so.10
523ad80dd3cd9afe19bbb83eb22b11ba43b0dc907a3893a38569023ef7b382f0 698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/opt/dca/lib/libssl.so.10
kali-docker# sha256sum **/libcrypto.so.10
8db48d5bcf1ddf6a8a4033de04827288b33af36d246c73ba46041365a61c697c 698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/opt/dca/lib/libcrypto.so.10
kali-docker# kali-docker# strings 698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/opt/dca/lib/libcrypto.so.10|grep -i openssl
[...][
OpenSSL 1.0.2k-fips 26 Jan 2017
[...]
kali-docker# strings 698cf9c0c7bb644159c92ba42d86417dd09694093db2eaf8875885e5ddd62fcc/opt/dca/lib/libssl.so.10|grep -i openssl
OpenSSL 1.0.2k-fips 26 Jan 2017
[...]
The libraries located in `/opt/dca/lib` are completely outdated and are vulnerable to known CVEs.
These libraries are likely used by IBM-specific programs.
The Docker images contain known vulnerabilities.
## Details - iss-lum using an outdated OpenSSL library (ibmcom/verify-access) and hardcoded keys
It was observed that the `/usr/sbin/iss-lum` program from the verify-access Docker image contains outdated OpenSSL code (from the library 0.9.7) from 2007. The iss-lum program is the license client that will connect to external servers.
This program runs inside the instance:
[isam@verify-access /]$ ps -auxw
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
isam 1 0.0 0.0 12060 132 ? Ss Oct04 0:00 /bin/sh /sbin/bootstrap.sh
isam 313 0.0 0.0 24532 68 ? Ss Oct04 0:00 /usr/sbin/mesa_crashd
isam 315 0.1 0.0 24532 1032 ? S Oct04 1:57 /usr/sbin/mesa_crashd
isam 319 0.0 0.0 69160 144 ? Ss Oct04 0:00 /usr/sbin/mesa_syslogd
isam 321 0.0 0.0 69224 1280 ? S Oct04 0:00 /usr/sbin/mesa_syslogd
isam 400 0.0 0.0 102760 200 ? Ss Oct04 0:00 /usr/sbin/mesa_eventsd -m 1000
isam 401 0.0 0.0 710856 316 ? Sl Oct04 0:00 /usr/sbin/mesa_eventsd -m 1000
pgresql 435 0.0 0.0 188380 7016 ? Ss Oct04 0:02 /usr/bin/postgres -D /var/postgresql/config/data
pgresql 436 0.0 0.0 138892 184 ? Ss Oct04 0:00 postgres: logger
pgresql 447 0.0 0.0 188380 1600 ? Ss Oct04 0:00 postgres: checkpointer
pgresql 448 0.0 0.0 188516 1288 ? Ss Oct04 0:01 postgres: background writer
pgresql 449 0.0 0.0 188380 1468 ? Ss Oct04 0:01 postgres: walwriter
pgresql 450 0.0 0.0 189112 1864 ? Ss Oct04 0:01 postgres: autovacuum launcher
pgresql 451 0.0 0.0 139024 588 ? Ss Oct04 0:05 postgres: stats collector
pgresql 452 0.0 0.0 188916 1016 ? Ss Oct04 0:00 postgres: logical replication launcher
www-data 548 0.4 4.8 4920352 387128 ? SLl Oct04 7:53 /opt/java/jre/bin/java -javaagent:/opt/IBM/wlp/bin/tools/ws-javaagent.jar -Djava.awt.headless=true -Djdk.attach.allowAttachSelf=true -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true -Djava.security.properties=/opt/IBM/wlp/usr/servers/default/java.security -Dcom.ibm.ws.logging.log.directory=/var/application.logs.local/lmi -Xbootclasspath/a:/opt/pdjrte/java/export/rgy/com.tivoli.pd.rgy.jar:/opt/ibm/wlp/usr/servers/runtime/lib/global/xercesImpl.jar -Dorg.osgi.framework.system.packages.extra=com.tivoli.pd.rgy,com.tivoli.pd.rgy.authz,com.tivoli.pd.rgy.exception,com.tivoli.pd.rgy.ldap,com.tivoli.pd.rgy.nls,com.tivoli.pd.rgy.util,com.ibm.misc,com.ibm.net.ssl.www2.protocol.https,com.sun.jndi.ldap,org.apache.xml.serialize -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 --add-exports java.base/sun.security.action=ALL-UNNAMED --add-exports java.naming/com.sun.jndi.ldap=ALL-UNNAMED --add-exports java.naming/com.sun.jndi.url.ldap=ALL-UNNAMED --add-opens java.base/java.util=ALL-UNNAMED --add-opens java.base/java.lang=ALL-UNNAMED --add-opens java.base/java.util.concurrent=ALL-UNNAMED --add-opens java.base/java.io=ALL-UNNAMED --add-opens java.naming/javax.naming.spi=ALL-UNNAMED --add-opens jdk.naming.rmi/com.sun.jndi.url.rmi=ALL-UNNAMED --add-opens java.naming/javax.naming=ALL-UNNAMED --add-opens java.rmi/java.rmi=ALL-UNNAMED --add-opens java.sql/java.sql=ALL-UNNAMED --add-opens java.management/javax.management=ALL-UNNAMED --add-opens java.base/java.lang.reflect=ALL-UNNAMED --add-opens java.desktop/java.awt.image=ALL-UNNAMED --add-opens java.base/java.security=ALL-UNNAMED --add-opens java.base/java.net=ALL-UNNAMED -jar /opt/IBM/wlp/bin/tools/ws-server.jar default --clean
isam 748 0.0 0.0 270992 8 ? Ssl Oct04 0:02 /usr/sbin/wga_watchdogd slapdw -log_file /var/application.logs.local/verify_access_runtime/user_registry/msg__user_registry.log /usr/sbin/slapd -d 0 -s 0 -h ldap://127.0.0.1:389 ldaps://127.0.0.1:636 -f /etc/openldap/slapd.conf -u ldap -g ldap
ldap 753 0.0 4.3 1314228 346548 ? Sl Oct04 0:00 /usr/sbin/slapd -d 0 -s 0 -h ldap://127.0.0.1:389 ldaps://127.0.0.1:636 -f /etc/openldap/slapd.conf -u ldap -g ldap
isam 757 0.0 0.0 271124 8 ? Ssl Oct04 0:02 /usr/sbin/wga_watchdogd ISAM-Policy-Server -log_file /var/application.logs.local/verify_access_runtime/policy/msg__pdmgrd.log -cfg /var/PolicyDirector/etc/ivmgrd.conf /opt/PolicyDirector/bin/pdmgrd -foreground
ivmgr 762 0.0 0.1 1070184 10860 ? Sl Oct04 0:01 /opt/PolicyDirector/bin/pdmgrd -foreground
isam 805 0.0 0.0 71488 316 ? Ss Oct04 0:00 /usr/sbin/iss-lum
isam 806 0.0 0.0 343920 5264 ? Sl Oct04 0:00 /usr/sbin/iss-lum
root 811 0.0 0.0 41984 2416 ? Ss Oct04 0:00 /usr/sbin/crond
isam 834 0.0 0.0 128400 2076 ? Ssl Oct04 0:00 /usr/sbin/rsyslogd
root 859 0.0 0.0 174348 96 ? Ss Oct04 0:00 /usr/sbin/wga_servertaskd
ivmgr 861 0.0 0.0 276544 84 ? Sl Oct04 0:00 /usr/sbin/wga_servertaskd
isam 870 0.0 0.0 273920 8 ? Ssl Oct04 0:02 /usr/sbin/wga_watchdogd wga_notifications -log_file /var/log/wga_notifications.log wga_notifications -foreground
isam 877 2.1 0.2 563872 18472 ? Sl Oct04 38:43 wga_notifications -foreground
isam 889 0.0 0.0 12060 80 ? S Oct04 0:00 /bin/sh /sbin/bootstrap.sh
isam 892 0.0 0.0 23068 24 ? S Oct04 0:00 /usr/bin/coreutils --coreutils-prog-shebang=tail /usr/bin/tail -F -n+0 /var/application.logs.local/lmi/messages.log
isam 217541 4.0 0.0 19248 3836 pts/0 Ss 21:37 0:00 bash
isam 217564 0.0 0.0 54808 4080 pts/0 R+ 21:37 0:00 ps -auxww
[isam@verify-access /]$
This program appears to establish connections to remote servers to check the license.
The OpenSSL library embedded inside the program is completely outdated (0.9.7j - Feb 2007):
[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]
Furthermore, this program includes several hardcoded keys to decrypt the private key in `/etc/lum/private.pem`. In the function ctor_009:
[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]
Some decryption keys have been identified within the binaries used to check the license:
Function `sub_4806C0`:
[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]
Function `ctor_009`:
[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]
The Docker images contain known vulnerabilities.
## Details - Outdated "IBM Crypto for C" library
It was observed that the IBM Crypto for C library is installed inside all the Docker images in the directory `/usr/local/ibm/gsk8_64`:
For example, from the Docker image verify-access-wrp:
kali-docker# cd ./_verify-access-wrp.tar/b96855ec6855fe34f69782b210ae257d2203ad22d4d79f3bfd4818fa57bcc39a
kali-docker# find usr/local/ibm
usr/local/ibm
usr/local/ibm/gsk8_64
usr/local/ibm/gsk8_64/lib64
usr/local/ibm/gsk8_64/lib64/libgsk8cms_64.so
usr/local/ibm/gsk8_64/lib64/libgsk8kicc_64.so
usr/local/ibm/gsk8_64/lib64/libgsk8p11_64.so
usr/local/ibm/gsk8_64/lib64/libgsk8ssl_64.so
usr/local/ibm/gsk8_64/lib64/libgsk8drld_64.so
usr/local/ibm/gsk8_64/lib64/C
usr/local/ibm/gsk8_64/lib64/C/icc
usr/local/ibm/gsk8_64/lib64/C/icc/icclib
usr/local/ibm/gsk8_64/lib64/C/icc/icclib/libicclib084.so
usr/local/ibm/gsk8_64/lib64/C/icc/icclib/ICCSIG.txt
usr/local/ibm/gsk8_64/lib64/libgsk8ldap_64.so
usr/local/ibm/gsk8_64/lib64/libgsk8iccs_64.so
usr/local/ibm/gsk8_64/lib64/libgsk8valn_64.so
usr/local/ibm/gsk8_64/lib64/libgsk8acmeidup_64.so
usr/local/ibm/gsk8_64/lib64/N
usr/local/ibm/gsk8_64/lib64/N/icc
usr/local/ibm/gsk8_64/lib64/N/icc/icclib
usr/local/ibm/gsk8_64/lib64/N/icc/icclib/libicclib085.so
usr/local/ibm/gsk8_64/lib64/N/icc/icclib/ICCSIG.txt
usr/local/ibm/gsk8_64/lib64/N/icc/ReadMe.txt
usr/local/ibm/gsk8_64/lib64/libgsk8dbfl_64.so
usr/local/ibm/gsk8_64/lib64/libgsk8km2_64.so
usr/local/ibm/gsk8_64/lib64/libgsk8km_64.so
usr/local/ibm/gsk8_64/lib64/libgsk8sys_64.so
usr/local/ibm/gsk8_64/docs
usr/local/ibm/gsk8_64/copyright
usr/local/ibm/gsk8_64/inc
usr/local/ibm/gsk8_64/bin
usr/local/ibm/gsk8_64/bin/gsk8capicmd_64
usr/local/ibm/gsk8_64/bin/gsk8ver_64
usr/local/ibm/.wh..wh..opq
kali-docker#
This library is based on the opensource libraries zlib and OpenSSL. It was built in October 2020, as shown below:
[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]
Furthermore, the copyrights from the `/usr/local/ibm/gsk8_64/lib64/N/icc/ReadMe.txt` file indicate:
- - (C) 1995-2004 Jean-loup Gailly and Mark Adler - for zlib
- - Copyright (c) 1998-2007 The OpenSSL Project. All rights reserved. - for OpenSSL
The `/usr/local/ibm/gsk8_64/lib64/N/icc/icclib/ICCSIG.txt` file confirms the libraries were generated 2 years ago:
#
# IBM Crypto for C.
# ICC Version 8.7.37.0
#
# Note the signed library contains a copy of cryptographic code from OpenSSL (www.openssl.org),
# zlib (www.zlib.org)
# and IBM code (www.ibm.com)
#
# Platform AMD64_LINUX
#
# Generated Tue Oct 13 12:09:08 2020
#
# File name=libicclib085.so
# File Hash (SHA256)=bbbb89eae43b11aba9a132a53207ca532236cd064b6aa0b84ea878a0b9bf8b4f
#
FILE=906082662e6b3a50fc01a95f2d1bb29d3a54349ad76da59fc8555fadadae4e5305463810ece2064174129a95e89352a02d8c72c7397de2d01b38220c3222796992785b8d99401a65b0894778a2b05760ae1a6919a97e259d270ff5e6996a14fc29e48a848c59e14f2aa758e8e26355faeff60eca0562ad643a86b8fdaa6afd10190190d411a584679ff1ee93caf5039ef070d411040fc828e4b8f79b8bb67d3ec1708c8274c0c9f6899399492fa52c73574065f2684dcc336c41eee2b808b42b0a01578b32fae245b761580240e3b53359767634ba76018f46a8d732c21ec24bf1a979aa11af20b646f166d5658efabcebdf6283fbdc793d82636e89bf2ac4ad
#
SELF=10fefb48a0666936f23aceae7805a7dcefb06a9a2282fea0693610a98ccf12cab8bfef973cda13450afde785960eccb2637adaf15f5e795cdb21f667704ba30ebf6a6a077f29a3574d0792ef633172d324a5b26adc257d3380ffd1cf7698bc560fb52d5c083ffa85fe623e059f7c8d67a8043ca75d8808c082de29bb8e1c46a01421039e557699cf7747c07a22a0e1612b0e4de8836833bebc888269dc46adf0ed5ba0107da2e683554433ed29ab840d16af34581682e35a30d11ff10fbd8ba0cc7ae6a62b75c3ba4758863e5a5a4cf00371040358a732a56ecf7dd04523c85544755c6f0f42447f383ec22e0ee4d79bb3c6e6defc4319f555afaaa1cfc8642f
#
#Do not edit before this line
#
# Global Settings
ICC_ALLOW_2KEY3DES=1
The OpenSSL code and the zlib code are at least 2 year old and vulnerable to CVEs.
The Docker images contain known vulnerabilities.
## Details - Webseald using outdated code with remotely exploitable vulnerabilities
It was observed that the webseald program borrows codes provided by open-source libraries containing outdated and vulnerable code.
This program can be found inside these 2 images:
- - verify-access
- - verify-access-wrp
Webseald is reachable over the network.
Libraries used by webseald:
kali-docker# ldd ./_verify-access.tar/5b72d1a82f5781ef06f5e70155709ab81a57f364644acfa66c0de53e025d4d6b/opt/pdweb/bin/webseald
linux-vdso.so.1 (0x00007fffe59f3000)
libwsdaemon.so => not found
libamwoauth.so => not found
libamweb.so => not found
libamwebrte.so => not found
libpdsvcutl.so => not found
libtivsec_msg.so => not found
libpdz.so => not found
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f61885e8000)
libtivsec_xslt4c.so.112 => not found
libtivsec_xml4c.so => not found
libtivsec_yamlcpp.so => not found
libam_gssapi_krb5.so => not found
libmodsecurity.so.3 => not found
libamwredismgr.so => not found
libhiredis.so.0.15 => not found
libhiredis_ssl.so.0.15 => not found
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f61885df000)
libstdc++.so.6 => /lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f6188200000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f6188504000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f61884e4000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6187e00000)
/lib64/ld-linux-x86-64.so.2 (0x00007f6188604000)
The IBM-specific libraries (*.so*) have been analyzed only in surface to detect low-hanging fruits, and several vulnerabilities were found, including some pre-auth vulnerabilities.
Webseal is directly reachable from the network but uses the outdated and vulnerable code.
The quality of the code is extremely inequal between the libraries - some code is very well implemented (with secure calls to -cpy functions) and some code is vulnerable (with insecure calls to -cpy functions). These libraries contain some legacy codes that are not up to date with the current security standards.
Due to the lack of time, only a superficial analysis was done - an attacker with time will likely find 0-day vulnerabilities in these libraries.
### Libmodsecurity.so - 1 non-assigned CVE vulnerability
The `/opt/pdweb/lib/libmodsecurity.so.3` library (b939c5db3ca94073188ea6eb360049f58f9e9d2a9c7d72bc052d9ee47cc5eccc) contains a vulnerable libinjection library. The version used is 3.9.2:
[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]
This version (3.9.2) is known to have several vulnerabilities. For example, a pre-authentication DoS (https://github.com/SpiderLabs/ModSecurity/issues/1412) from 2017 (no CVE).
This version is confirmed to be vulnerable: https://github.com/client9/libinjection/issues/124.
### libtivsec_yamlcpp.so - 4 CVEs
This IBM library is entirely based on yaml-cpp. Yaml-cpp is available at https://github.com/jbeder/yaml-cpp.
Several vulnerabilities have been patched in 2020 (CVE-2017-5950, CVE-2018-20573, CVE-2018-20574 and CVE-2019-6285) in the yaml-cpp library.
This IBM-specific library is located at `/usr/lib64/libtivsec_yamlcpp.so` and `/opt/ibm/Tivoli/SecUtilities/lib/libtivsec_yamlcpp.so` (cf1b80c501a2f42948322567477c2956155e244d645e3962985569c4496ffad90).
When doing reverse engineering on this file, it appears no security patches have been imported from the official yaml-cpp repository.
We can identify several methods from the yaml-cpp library. For example, the method `SingleDocParser::HandleFlowMap()` found in `/usr/lib64/libtivsec_yamlcpp.so` and `/opt/ibm/Tivoli/SecUtilities/lib/libtivsec_yamlcpp.so`:
[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]
When analyzing the security patches available at https://github.com/jbeder/yaml-cpp/pull/807 and https://github.com/jbeder/yaml-cpp/pull/807/files/dbd5ac094622ef3b3951e71c31f59e02c930dc4b, there is no reference in the compiled code regarding a `DeepRecursion` class or any method implemented in the security patches. This `DeepRecursion` class is included in the now-patched versions.
The IBM-specific library is using an outdated and vulnerable version of yaml-cpp, without security patches, e.g. 4 CVEs patched in yaml-cpp - https://github.com/jbeder/yaml-cpp/pull/807.
Analysis of the security patches implementing new classes:
[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]
[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]
Furthermore, it is possible to analyze the rest of the security patches from the git repository and compare them with the assembly code from the `libtivsec_yamlcpp.so` library. This allows us to conclude the security patches have not been imported into the `libtivsec_yamlcpp.so` library.
Source code providing security patches:
Method `HandleNode()` from the security patches and the patched versions of yaml-cpp:
[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]
With the assembly code extracted from the `libtivsec_yamlcpp.so` library and rebuilt into pseudo-code, we can identify the same logic and the same instructions (minus some errors due to the reconstruction from assembly to C++) - with the lack of the patch located on the line 51.
Pseudo-code of method `HandleNode()`:
[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]
This allows us to conclude that the `libtivsec_yamlcpp.so` library is vulnerable to these 4 CVEs.
### libtivsec_xml4c.so - outdated Xerces-C library
This library (8b3d3d2dcb1152966d097e91e08fa1dc4300f3653f1c264eeecaf20bb1550832) is located in `/usr/lib64/libtivsec_xml4c.so` and `/opt/ibm/Tivoli/SecUtilities/lib/libtivsec_xml4c.so`) and uses outdated code from XML4C 5.5.0 that includes a version of Xerces-C (XML4C doesn't exist anymore and the latest release appears to be from 2007-2008).
[please use the HTML version at https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html]
This version appears to be quite outdated and is likely vulnerable to known CVEs (https://xerces.apache.org/xerces-c/secadv.html).
## Details - Outdated and untrusted CAs used in the Docker images
It was observed that the Docker images will trust invalid Certificate Authorities (CA).
Using the Paranoia program, we can list the invalid, expired and revoked CAs that are trusted inside the 4 Docker images.
It appears that these 4 Docker images trust some invalid, revoked or untrusted CAs.
Results for ibmcom/verify-access:10.0.4.0:
kali-docker# paranoia inspect ibmcom/verify-access:10.0.4.0
Certificate CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=VeriSign Trust Network+OU=(c) 2006 VeriSign\, Inc. - For authorized use only,O=VeriSign\, Inc.,C=US
removed from Mozilla trust store, no reason given
Certificate CN=DigiCert ECC Secure Server CA,O=DigiCert Inc,C=US
expires soon ( expires on 2023-03-08T12:00:00Z, 19 weeks 2 days until expiry)
Certificate CN=Test CA,O=genua mbh
expired ( expired on 2014-10-23T08:22:40Z, 8 years 3 days since expiry)
Certificate CN=Cybertrust Global Root,O=Cybertrust\, Inc
expired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)
removed from Mozilla trust store, comments: June 2015: DigiCert acquired this root cert from Verizon.
Certificate CN=DST Root CA X3,O=Digital Signature Trust Co.
expired ( expired on 2021-09-30T14:01:15Z, 1 year 3 weeks since expiry)
removed from Mozilla trust store, no reason given
Certificate CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tua EBG Bilim Teknolojileri ve Hizmetleri A.,L=Ankara,C=TR
expires soon ( expires on 2023-03-03T12:09:48Z, 18 weeks 4 days until expiry)
Certificate CN=GlobalSign,OU=GlobalSign Root CA - R2,O=GlobalSign
expired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)
removed from Mozilla trust store, comments: Ownership transferred to GTS:
https://bug1325532.bmoattachments.org/attachment.cgi?id=8844281
Certificate CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
removed from Mozilla trust store, no reason given
Certificate CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
expires soon ( expires on 2022-12-08T11:10:28Z, 6 weeks 3 days until expiry)
Certificate CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
removed from Mozilla trust store, comments: Websites trust bit turned off in NSS 3.35, Firefox 59
https://bugzilla.mozilla.org/show_bug.cgi?id=1410277
Certificate CN=GlobalSign,OU=GlobalSign Root CA - R2,O=GlobalSign
expired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)
removed from Mozilla trust store, comments: Ownership transferred to GTS:
https://bug1325532.bmoattachments.org/attachment.cgi?id=8844281
Certificate CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
removed from Mozilla trust store, no reason given
Certificate CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
removed from Mozilla trust store, comments: Websites trust bit turned off in NSS 3.35, Firefox 59
https://bugzilla.mozilla.org/show_bug.cgi?id=1410277
Certificate CN=Cybertrust Global Root,O=Cybertrust\, Inc
expired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)
removed from Mozilla trust store, comments: June 2015: DigiCert acquired this root cert from Verizon.
Certificate CN=DST Root CA X3,O=Digital Signature Trust Co.
expired ( expired on 2021-09-30T14:01:15Z, 1 year 3 weeks since expiry)
removed from Mozilla trust store, no reason given
Certificate CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tua EBG Bilim Teknolojileri ve Hizmetleri A.,L=Ankara,C=TR
expires soon ( expires on 2023-03-03T12:09:48Z, 18 weeks 4 days until expiry)
Certificate CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
expired ( expired on 2020-03-23T09:50:05Z, 2 years 30 weeks since expiry)
Certificate CN=GlobalSign,OU=GlobalSign Root CA - R2,O=GlobalSign
expired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)
removed from Mozilla trust store, comments: Ownership transferred to GTS:
https://bug1325532.bmoattachments.org/attachment.cgi?id=8844281
Certificate CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
removed from Mozilla trust store, no reason given
Certificate CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
expires soon ( expires on 2022-12-08T11:10:28Z, 6 weeks 3 days until expiry)
Certificate CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO
expired ( expired on 2022-10-07T00:33:37Z, 2 weeks 3 days since expiry)
Found 395 certificates total, of which 21 had issues
Results for:
- - ibmcom/verify-access-runtime:10.0.4.0
- - ibmcom/verify-access-wrp:10.0.4.0
- - ibmcom/verify-access-dsc:10.0.4.0
kali-docker# paranoia inspect ibmcom/verify-access-runtime:10.0.4.0
Certificate CN=Cybertrust Global Root,O=Cybertrust\, Inc
expired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)
removed from Mozilla trust store, comments: June 2015: DigiCert acquired this root cert from Verizon.
Certificate CN=DST Root CA X3,O=Digital Signature Trust Co.
expired ( expired on 2021-09-30T14:01:15Z, 1 year 3 weeks since expiry)
removed from Mozilla trust store, no reason given
Certificate CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tua EBG Bilim Teknolojileri ve Hizmetleri A.,L=Ankara,C=TR
expires soon ( expires on 2023-03-03T12:09:48Z, 18 weeks 4 days until expiry)
Certificate CN=GlobalSign,OU=GlobalSign Root CA - R2,O=GlobalSign
expired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)
removed from Mozilla trust store, comments: Ownership transferred to GTS:
https://bug1325532.bmoattachments.org/attachment.cgi?id=8844281
Certificate CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
removed from Mozilla trust store, no reason given
Certificate CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
expires soon ( expires on 2022-12-08T11:10:28Z, 6 weeks 3 days until expiry)
Certificate CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
removed from Mozilla trust store, comments: Websites trust bit turned off in NSS 3.35, Firefox 59
https://bugzilla.mozilla.org/show_bug.cgi?id=1410277
Certificate CN=GlobalSign,OU=GlobalSign Root CA - R2,O=GlobalSign
expired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)
removed from Mozilla trust store, comments: Ownership transferred to GTS:
https://bug1325532.bmoattachments.org/attachment.cgi?id=8844281
Certificate CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
removed from Mozilla trust store, no reason given
Certificate CN=Global Chambersign Root,OU=http://www.chambersign.org,O=AC Camerfirma SA CIF A82743287,C=EU
removed from Mozilla trust store, comments: Websites trust bit turned off in NSS 3.35, Firefox 59
https://bugzilla.mozilla.org/show_bug.cgi?id=1410277
Certificate CN=Cybertrust Global Root,O=Cybertrust\, Inc
expired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)
removed from Mozilla trust store, comments: June 2015: DigiCert acquired this root cert from Verizon.
Certificate CN=DST Root CA X3,O=Digital Signature Trust Co.
expired ( expired on 2021-09-30T14:01:15Z, 1 year 3 weeks since expiry)
removed from Mozilla trust store, no reason given
Certificate CN=E-Tugra Certification Authority,OU=E-Tugra Sertifikasyon Merkezi,O=E-Tua EBG Bilim Teknolojileri ve Hizmetleri A.,L=Ankara,C=TR
expires soon ( expires on 2023-03-03T12:09:48Z, 18 weeks 4 days until expiry)
Certificate CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL
expired ( expired on 2020-03-23T09:50:05Z, 2 years 30 weeks since expiry)
Certificate CN=GlobalSign,OU=GlobalSign Root CA - R2,O=GlobalSign
expired ( expired on 2021-12-15T08:00:00Z, 44 weeks 5 days since expiry)
removed from Mozilla trust store, comments: Ownership transferred to GTS:
https://bug1325532.bmoattachments.org/attachment.cgi?id=8844281
Certificate CN=Hellenic Academic and Research Institutions RootCA 2011,O=Hellenic Academic and Research Institutions Cert. Authority,C=GR
removed from Mozilla trust store, no reason given
Certificate CN=Staat der Nederlanden EV Root CA,O=Staat der Nederlanden,C=NL
expires soon ( expires on 2022-12-08T11:10:28Z, 6 weeks 3 days until expiry)
Certificate CN=sks-keyservers.net CA,O=sks-keyservers.net CA,ST=Oslo,C=NO
expired ( expired on 2022-10-07T00:33:37Z, 2 weeks 3 days since expiry)
Found 374 certificates total, of which 18 had issues
The communications used in the ISVA platform use SSL/TLS with a trust entirely based on underlying CAs. Some CAs have been revoked and cannot be trusted anymore.
The presence of revoked and expired CAs also shows that the security of the Docker images is highly perfectible.
## Details - Lack of privilege separation in Docker instances
It was observed that the Docker images do not implement privilege separation. Privilege separation is a software-based implementation of the principle of least privilege.
Using dynamic analysis, the ibmcom/verify-access-wrp:10.0.4.0 Docker image, ibmcom/verify-access:10.0.4.0 Docker image, and the ibmcom/verify-access-runtime Docker image do not correctly implement privilege separation.
Processes running inside the ibmcom/verify-access:10.0.4.0 Docker image:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
isam 1 0.0 0.0 12060 2812 ? Ss Oct21 0:00 /bin/sh /sbin/bootstrap.sh
isam 312 0.0 0.0 24532 56 ? Ss Oct21 0:00 /usr/sbin/mesa_crashd
isam 314 0.1 0.0 24568 2056 ? R Oct21 6:20 /usr/sbin/mesa_crashd
isam 318 0.0 0.0 69160 2732 ? Ss Oct21 0:00 /usr/sbin/mesa_syslogd
isam 322 0.0 0.0 69224 2164 ? S Oct21 0:02 /usr/sbin/mesa_syslogd
isam 399 0.0 0.0 102760 2740 ? Ss Oct21 0:00 /usr/sbin/mesa_eventsd -m 1000
isam 400 0.0 0.1 711216 8276 ? Sl Oct21 0:00 /usr/sbin/mesa_eventsd -m 1000
isam 747 0.0 0.0 270992 7452 ? Ssl Oct21 0:06 /usr/sbin/wga_watchdogd slapdw -log_file /var/application.logs.local/verify_access_runtime/user_registry/msg__user_registry.log /usr/sbin/slapd -d 0 -s 0 -h ldap://127.0.0.1:389 ldaps://127.0.0.1:636 -f /etc/openldap/slapd.conf -u ldap -g ldap
isam 756 0.0 0.0 271124 7308 ? Ssl Oct21 0:06 /usr/sbin/wga_watchdogd ISAM-Policy-Server -log_file /var/application.logs.local/verify_access_runtime/policy/msg__pdmgrd.log -cfg /var/PolicyDirector/etc/ivmgrd.conf /opt/PolicyDirector/bin/pdmgrd -foreground
isam 807 0.0 0.0 71488 3084 ? Ss Oct21 0:00 /usr/sbin/iss-lum
isam 808 0.0 0.5 343920 42140 ? Sl Oct21 0:00 /usr/sbin/iss-lum
isam 833 0.0 0.0 128400 5140 ? Ssl Oct21 0:00 /usr/sbin/rsyslogd
isam 873 0.0 0.0 273920 7080 ? Ssl Oct21 0:06 /usr/sbin/wga_watchdogd wga_notifications -log_file /var/log/wga_notifications.log wga_notifications -foreground
isam 879 1.5 0.5 563872 42292 ? Sl Oct21 71:40 wga_notifications -foreground
isam 892 0.0 0.0 12060 1804 ? S Oct21 0:00 /bin/sh /sbin/bootstrap.sh
isam 895 0.0 0.0 23068 1256 ? S Oct21 0:00 /usr/bin/coreutils --coreutils-prog-shebang=tail /usr/bin/tail -F -n+0 /var/application.logs.local/lmi/messages.log
isam 573957 0.0 0.0 47620 3696 pts/0 Rs+ 16:53 0:00 ps -aux
isam 573963 0.0 0.0 11928 2852 ? S 16:53 0:00 sh -c ls /var/support/core_*.* | wc -l
pgresql 434 0.0 0.2 188380 17492 ? Ss Oct21 0:06 /usr/bin/postgres -D /var/postgresql/config/data
pgresql 435 0.0 0.0 138892 2960 ? Ss Oct21 0:00 postgres: logger
pgresql 446 0.0 0.0 188380 2696 ? Ss Oct21 0:00 postgres: checkpointer
pgresql 447 0.0 0.0 188516 4676 ? Ss Oct21 0:03 postgres: background writer
pgresql 448 0.0 0.0 188380 5148 ? Ss Oct21 0:03 postgres: walwriter
pgresql 449 0.0 0.0 189112 5312 ? Ss Oct21 0:04 postgres: autovacuum launcher
pgresql 450 0.0 0.0 139024 3016 ? Ss Oct21 0:15 postgres: stats collector
pgresql 451 0.0 0.0 188916 5492 ? Ss Oct21 0:00 postgres: logical replication launcher
www-data 547 0.3 6.2 4925056 499744 ? SLl Oct21 18:57 /opt/java/jre/bin/java -javaagent:/opt/IBM/wlp/bin/tools/ws-javaagent.jar -Djava.awt.headless=true -Djdk.attach.allowAttachSelf=true -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true -Djava.security.properties=/opt/IBM/wlp/usr/servers/de
ivmgr 761 0.0 0.5 873712 44896 ? Sl Oct21 0:04 /opt/PolicyDirector/bin/pdmgrd -foreground
ivmgr 863 0.0 0.1 276544 8440 ? Sl Oct21 0:00 /usr/sbin/wga_servertaskd
ldap 752 0.0 10.3 1314228 822572 ? Sl Oct21 0:00 /usr/sbin/slapd -d 0 -s 0 -h ldap://127.0.0.1:389 ldaps://127.0.0.1:636 -f /etc/openldap/slapd.conf -u ldap -g ldap
root 813 0.0 0.0 41984 3528 ? Ss Oct21 0:01 /usr/sbin/crond
root 862 0.0 0.0 174348 2828 ? Ss Oct21 0:00 /usr/sbin/wga_servertaskd
Some processes are running as `isam`. For example, the rsyslogd processys runs as `isam`. If a program running as `isam` is compromised inside an instance, then all the programs running as isam are also compromised.
Processes running inside the ibmcom/verify-access-wrp:10.0.4.0 Docker image:
PID USER TIME COMMAND
1 isam 9:42 /opt/pdweb/bin/webseald -foreground -noenv -config etc/webseald-login-internal.conf
32 isam 0:02 slapd -4 -f /etc/openldap/slapd.conf -h ldap://127.0.0.1:6389 -s 0
The only 2 processes are running as `isam`.
Processes running inside the ibmcom/verify-access-runtime: 10.0.4.0 Docker image:
PID USER TIME COMMAND
1 isam 1h18 /opt/java/jre/bin/java -javaagent:/opt/ibm/wlp/bin/tools/ws-javaagent.jar -Djava.awt.headless=true -Djdk.attach.allowAttachSelf=true -Dcom.ibm.ws.logging.log.directory=/var/application.logs.local/rtprofile -Xms512m -Xmx2048m -Dcom.sun.security.enableCRLDP=true -Dsun.net.inetaddr.ttl=30 -Dhttps
38 isam 0:00 slapd -4 -f /etc/openldap/slapd.conf -h ldap://127.0.0.1:6389 -s 0
63 isam 0:04 /usr/bin/postgres -D /var/postgresql/config/data
64 isam 0:00 postgres: logger
66 isam 0:00 postgres: checkpointer
67 isam 0:00 postgres: background writer
68 isam 0:00 postgres: walwriter
69 isam 0:01 postgres: autovacuum launcher
70 isam 0:05 postgres: stats collector
71 isam 0:00 postgres: logical replication launcher
37169 isam 0:00 bash
37186 isam 0:00 ps -a
In the `ibmcom/verify-access-runtime` instance, we can confirm the postgres daemon is running. We can also confirm a complete lack of privilege separation: everything is running as isam.
If a program running as `isam` is compromised inside an instance, then the all the programs running as isam are also compromised.
## Vendor Response
IBM provided several security bulletins:
Security Bulletin: IBM Security Verify Access is vulnerable to multiple Security Vulnerabilities - https://www.ibm.com/support/pages/node/7158790:
- - CVE-2023-38371: IBM Security Access Manager uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
- - CVE-2024-35137: IBM Security Access Manager Appliance could allow a local user to possibly elevate their privileges due to sensitive configuration information being exposed.
- - CVE-2024-35139: IBM Security Verify Access could allow a local user to obtain sensitive information from the container due to incorrect default permissions.
- - CVE-2023-30998: IBM Security Access Manager Container could allow a local user to obtain root access due to improper access controls.
- - CVE-2023-30997: IBM Security Access Manager Container could allow a local user to obtain root access due to improper access controls.
- - CVE-2023-38368: IBM Security Access Manager Container could disclose sensitive information to a local user to do improper permission controls.
- - CVE-2023-38370: IBM Security Access Manager Container, under certain configurations, could allow a user on the network to install malicious packages.
Security Bulletin: Security Vulnerabilities discovered in IBM Security Verify Access - https://www.ibm.com/support/pages/node/7145400:
- - CVE-2024-25027: IBM Security Verify Access could disclose sensitive snapshot information due to missing encryption.
Security Bulletin: Multiple Security Vulnerabilities were identified in IBM Security Verify Access - https://www.ibm.com/support/pages/node/7106586:
- - CVE-2023-31003: IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.6.1) could allow a local user to obtain root access due to improper access controls.
- - CVE-2023-31001: IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.6.1) temporarily stores sensitive information in files that could be accessed by a local user.
- - CVE-2023-38267: IBM Security Access Manager Appliance (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.6.1) could allow a local user to obtain sensitive configuration information.
- - CVE-2023-31005: IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a local user to escalate their privileges due to an improper security configuration.
- - CVE-2023-30999: IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow an attacker to cause a denial of service due to uncontrolled resource consumption.
- - CVE-2023-43016: IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a remote user to log into the server due to a user account with an empty password.
- - CVE-2023-32327: IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
- - CVE-2023-32329: IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a user to download files from an incorrect repository due to improper file validation.
- - CVE-2023-31004: IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a remote attacker to gain access to the underlying system using man in the middle techniques.
- - CVE-2023-31006: IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) is vulnerable to a denial of service attacks on the DSC server.
- - CVE-2023-32328: IBM Security Verify Access 10.0.0.0 through 10.0.6.1 uses insecure protocols in some instances that could allow an attacker on the network to take control of the server.
- - CVE-2023-32330: IBM Security Verify Access 10.0.0.0 through 10.0.6.1 uses insecure calls that could allow an attacker on the network to take control of the server.
- - CVE-2023-43017: IBM Security Verify Access 10.0.0.0 through 10.0.6.1 could allow a privileged user to install a configuration file that could allow remote access.
- - CVE-2022-2068: OpenSSL could allow a remote attacker to execute arbitrary commands on the system, caused by improper validation of user-supplied input by the c_rehash script. By sending a specially-crafted request using shell metacharacters, an attacker could exploit this vulnerability to execute arbitrary commands with the privileges of the script on the system.
- - CVE-2023-31002: IBM Security Access Manager Container 10.0.0.0 through 10.0.6.1 temporarily stores sensitive information in files that could be accessed by a local user.
- - CVE-2023-38369: IBM Security Access Manager Container 10.0.0.0 through 10.0.6.1 does not require that docker images should have strong passwords by default, which makes it easier for attackers to compromise user accounts.
Security Bulletin: Multiple Security Vulnerabilities were discovered in IBM Security Verify Access Container (CVE-2024-35140, CVE-2024-35141, CVE-2024-35142) - https://www.ibm.com/support/pages/node/7155356:
- - CVE-2024-35140: IBM Security Verify Access could allow a local user to escalate their privileges due to improper certificate validation.
- - CVE-2024-35141: IBM Security Verify Access could allow a local user to escalate their privileges due to execution of unnecessary privileges.
- - CVE-2024-35142: IBM Security Verify Access could allow a local user to escalate their privileges due to execution of unnecessary privileges.
## Report Timeline
* October 2022: Security assessment performed on IBM Security Verify Access.
* Feb 12, 2023: A complete report was sent to IBM.
* Feb 13, 2023: IBM acknowledged the reception of the security assessment and said that scan tools usually report a lot of issues so I have to check the status of detected CVEs by browsing RedHat webpages and create an issue for each CVE.
* Feb 13, 2023: Replied to IBM saying that the security assessment was not done using a scanner.
* Feb 14, 2023: Asked for an update.
* Feb 14, 2023: IBM confirmed that the report was shared with L3 and "IBM hacking team".
* Feb 22, 2023: IBM said they were still assessing the report.
* Mar 13, 2023: An additional report on ibmsecurity was sent to IBM.
* Mar 13, 2023: IBM confirmed that the second report was shared with L3 team.
* Mar 15, 2023: IBM wanted to organize a meeting about the findings.
* Mar 15, 2023: I replied that I would like to have a written feedback for each reported vulnerability in order to have constructive discussion.
* Apr 4, 2023: I asked again IBM to confirm the vulnerabilities
* Apr 5, 2023: IBM shared the analysis (VulnerabilityResponse.xlsx), confirming several vulnerabilities.
* Apr 11, 2023: I provided my comments (VulnerabilityResponse-comments-Pierre.xlsx) and asked to organize a meeting.
* Apr 11, 2023: IBM confirmed a meeting is possible.
* Apr 18, 2023: I asked to organize a meeting on Apr 19, 2023.
* Apr 18, 2023: IBM confirmed a meeting is possible.
* Apr 19, 2023: I asked to have a meeting where every party (dev team, support and myself) can be present.
* Apr 19, 2023: IBM confirmed a meeting would take place on Apr 20, 2023.
* Apr 20, 2023: Meeting with IBM regarding ISVA. IBM confirmed they would recheck some of the issues and would provide CVEs for the vulnerabilities.
* Apr 23, 2023: I asked to have a second meeting about ibmsecurity.
* Apr 23, 2023: IBM confirmed they will organize a meeting on ibmsecurity.
* Apr 24, 2023: I asked the timeline to get security patches.
* Apr 24, 2023: IBM confirmed there are no ETA to get security patches.
* Apr 27, 2023: Meeting with IBM regarding ibmsecurity. IBM confirmed they will fix all the issues.
* May 10, 2023: I asked for CVE identifiers to track the vulnerabilities.
* May 11, 2023: IBM said that PSIRT records have been opened and the scoring is in progress.
* May 15, 2023: I reached IBM because I found a CVE (CVE-2023-25927) and a security bulletin likely corresponding to a vulnerability I reported, thanks to @CVEnew on Twitter: https://www.ibm.com/support/pages/node/6989653. I asked if this was one of the reported vulnerabilities.
* Jul 7, 2023: IBM said the dev team was still working on the final list of issues and that everything would be fixed in the 10.0.7 release.
* Jul 10, 2023: I asked when the 10.0.7 release would be available. I asked again more details about the previous advisory.
* Jul 11, 2023: IBM said that the 10.0.7 release would be published on Dec 23, 2023. Regarding the CVEs, IBM replied they would need to discuss with the dev team.
* Jul 12, 2023: I asked IBM to confirm if CVE-2023-25927 was one of the reported vulnerabilities.
* Jul 12, 2023: IBM said that they do not credit security researchers.
* Jul 13, 2023: I provided several IBM security bulletins where security researchers were credited, e.g. https://www.ibm.com/support/pages/security-bulletin-vulnerabilities-exist-ibm-data-risk-manager-cve-2020-4427-cve-2020-4428-cve-2020-4429-and-cve-2020-4430.
* Jul 14, 2023: IBM confirmed that they would forward the information to L3 team and asked what I would want to do with this case.
* Jul 14, 2023: I said that (1) I was still waiting for information about CVE-2023-25927, (2) I did not have any information regarding security patches for ibmsecurity and (3) I asked IBM to provide me with the final list of vulnerabilities that would be patched in the 10.0.7. Since the list of confirmed vulnerabilities was quite long, I wanted to confirm that nothing was missed.
* Jul 28, 2023: IBM said that they did not know if CVE-2023-25927 is one of the reported vulnerabilities and in any case, it is impossible to edit the security bulletin and give credits.
* Aug 16, 2023: IBM asked if additional assistance was required [NB: IBM likely wanted to close this ticket while no security patches were published].
* Aug 17, 2023: I asked again information about ibmsecurity and CVE-2023-25927.
* Oct 20, 2023: IBM said they were still analysing the requests (final list of patched vulnerabilties, security patches of ibmsecurity and status of CVE-2023-25927).
* Oct 25, 2023: IBM asked to organize a meeting.
* Oct 25, 2023: I replied that I was still waiting for the final list of vulnerabilities that would be fixed in version 10.0.7. There was also no information regarding security patches for ibmsecurity.
* Oct 25, 2023: IBM replied they wanted to discuss about the vulnerabilities in a meeting.
* Oct 29, 2023: IBM asked to organize a meeting again.
* Oct 30, 2023: I accepted the meeting and I asked IBM to provide the list of vulnerabilities that would be patched with their current status. I also asked the status of ibmsecurity.
* Oct 30, 2023: IBM asked to have a meeting on Nov 7, 2023.
* Nov 2, 2023: I confirmed my presence to the meeting.
* Nov 5, 2023: IBM confirmed the meeting.
* Nov 7, 2023: Meeting with IBM. IBM provided me with a new report containing new feedbacks for several vulnerabilities. Also IBM confirmed that several vulnerabilities would be patched in 2024 and ibmsecurity would be patched in December 2023. IBM asked me to review a specific vulnerability that appears to be invalid (_V-[REDACTED] - Insecure SSLv3 connections to the DSC servers_).
* Nov 21, 2023: IBM asked me to review the new report shared by IBM.
* Nov 28, 2023: IBM asked for updates.
* Dec 4, 2023: I answered that I did not have anymore access to the test infrastructure and IBM had to wait for my analysis until I get again access to the test infrastructure.
* Dec 4, 2023: IBM asked me to check the vulnerabilities as soon as possible.
* Dec 21, 2023: I got access to a test infrastructure and reviewed some vulnerabilities.
* Dec 21, 2023: I sent a new analysis to IBM, containing details of 4 vulnerabilities.
* Dec 27, 2023: IBM confirmed the reception of the new analysis.
* Jan 15, 2024: IBM asked me to update ISVA and recheck all the vulnerabilities.
* Jan 16, 2024: I asked IBM if ibmsecurity was also patched.
* Jan 16, 2024: IBM confirmed that a new case must be opened for ibmsecurity to get security patches(!).
* Jan 22, 2024: IBM wanted to organize a new meeting.
* Jan 22, 2024: I replied that I failed to understand the issue with the ibmsecurity library and that I had a written confirmation by IBM that security patches would be provided. The vulnerabilities found in ibmsecurity were reported in March 2023 (10 months ago).
* Jan 22, 2024: I informed IBM that I discovered(!) a new security bulletin thanks to @CVEnew: https://www.ibm.com/support/pages/node/7106586, but only 15 vulnerabilities were listed instead of the 35 vulnerabilities confirmed by IBM. I asked IBM to clarify the situation as it looked like less than half of vulnerabilities were indeed patched.
* Jan 24, 2024: IBM created a new case for ibmsecurity.
* Jan 29, 2024: IBM confirmed that 5 vulnerabilities had not been patched in the latest version (10.0.7).
* Jan 29, 2024: I reached IBM to get the status of 15 unpatched vulnerabilities. I provided the updated analysis to IBM.
* Feb 7, 2024: IBM confirmed that some of the vulnerabilities were "being processed" and that some of vulnerabilities had been also silently patched and no security bulletins had been published.
* Feb 20, 2024: IBM asked for updates.
* Feb 20, 2024: I asked when would be the release date for ISVA 10.0.8 and the complete list of vulnerabilities that would be patched in this release.
* Feb 20, 2024: IBM confirmed that the 10.0.8 release would be published in mid-2024.
* Feb 23, 2024: I sent a new vulnerability to IBM "Authentication Bypass on IBM Security Verify Runtime".
* Feb 23, 2024: IBM confirmed the reception of the vulnerability and asked to close the ticket.
* Feb 23, 2024: I said that since some vulnerabilities had not been patched, the ticket must stay open.
* Feb 23, 2024: IBM said that they cannot keep the ticket open and they needed to close it.
* Feb 23, 2024: I explained that the vulnerabilities were reported over a year ago and IBM confirmed they had not fully fixed in the latest version and that some vulnerabilities were also still under evaluation. I said that I would agree to close this ticket if IBM could confirm that all vulnerabilities reported in the ticket had been correctly fixed in the latest version. I also asked IBM to provide the corresponding security bulletins.
* Feb 27, 2024: Regarding the authentication bypass, IBM replied that the runtime was supposed to be in the intranet zone.
* Feb 28, 2024: I asked IBM to clarify where in the documentation specified that the runtime should not be exposed. For example, in https://www.ibm.com/docs/en/sva/10.0.7?topic=support-docker-image-verify-access-runtime, it was not explained that exposing this runtime on the network was a high security risk.
* Mar 4, 2024: Regarding the vulnerabilities found in ibmsecurity, IBM said that any security vulnerability found in ibmsecurity must be reported by opening an issue in the Github repository.
* Mar 8, 2024: IBM confirmed they were able to reproduce the authentication bypass vulnerability.
* Mar 12, 2024: IBM confirmed they would add an optional MTLS authentication in the next release (10.0.8) and they would update the ISVA documentation to block any attempt of the authentication bypass vulnerability.
* Mar 29, 2024: IBM published a new security bulletin: https://www.ibm.com/support/pages/node/7145400.
* Mar 29, 2024: IBM confirmed that any security vulnerability found in ibmsecurity must be reported by opening an issue in the Github repository.
* Apr 1, 2024: Creation of https://github.com/IBM-Security/ibmsecurity/issues/416.
* Apr 2, 2024: IBM confirmed the reception of the report https://github.com/IBM-Security/ibmsecurity/issues/416#issuecomment-2032110397.
* Apr 3, 2024: https://github.com/IBM-Security/ibmsecurity/issues/416 was entirely redacted by IBM.
* Apr 5, 2024: I asked if the vulnerabilities would be patched in the #416 issue (https://github.com/IBM-Security/ibmsecurity/issues/416).
* Apr 6, 2024: Issue #416 (https://github.com/IBM-Security/ibmsecurity/issues/416) closed.
* Apr 6, 2024: I added again the content of https://github.com/IBM-Security/ibmsecurity/issues/416 and asked if CVEs would be published.
* Apr 10, 2024: Security bulletin for ibm security published: https://www.ibm.com/support/pages/node/7147932.
* Apr 10, 2024: I reached IBM regarding a new security bulletin, with a potential vulnerability I reported https://www.ibm.com/support/pages/node/7145828.
* Apr 10, 2024: IBM said this security bulletin was unrelated to the vulnerabilities I reported.
* Apr 15, 2024: IBM confirmed that the final vulnerabilities would be fixed in ISVA 10.0.8.
* Apr 15, 2024: I provided a list of unfixed vulnerabilities and asked for more information.
* Apr 16, 2024: IBM confirmed that all the unfixed vulnerabilities would be fixed in ISVA 10.0.8 and asked to close the ticket.
* Apr 16, 2024: I confirmed that this ticket can be closed only when the security patches are available.
* Apr 16, 2024: IBM confirmed they wanted to close the ticket because nothing would be updated before mid-2024.
* Apr 17, 2024: I replied that "It makes no sense to close this ticket until the vulnerabilities have been fixed. The fact that the vulnerabilities are fixed mid-year is a decision made by IBM. IBM was made aware of these vulnerabilities over a year ago, and yet we are still waiting for security patches. If this ticket is closed, I would consider that the vulnerabilities have been fixed and it is perfectly fine to publish the technical analysis."
* May 6, 2024: IBM closed the existing ticket and opened new tickets for the remaining vulnerabilities.
* May 6, 2024: I contacted IBM PSIRT asking if it was fine to publish the vulnerabilities since the ticket was closed by IBM.
* May 7, 2024: I reopened the ticket stating that some of the patched vulnerabilities did not receive a CVE and there were also some unpatched vulnerabilities. I asked IBM to provide me with the CVE assigned to each vulnerability. I also asked IBM to confirm that, since this ticket had been closed by IBM, all the vulnerabilities had been fixed and that I would be able to publish the technical details.
* May 8, 2024: IBM said they would review the list of vulnerabilities.
* May 10, 2024: IBM PSIRT asked me not to publish technical details of unpatched vulnerabilities.
* May 17, 2024: IBM provided me with an incomplete list of CVEs, with different vulnerabilities under the same CVE identifier and asked to close the ticket.
* May 20, 2024: IBM asked for my comments on the list of CVEs.
* May 20, 2024: I confirmed that several CVEs were missing and the list was incomplete.
* May 21, 2024: IBM provided me with an explanation regarding the missing CVEs.
* May 21, 2024: I asked IBM to quote their explanation in the security advisory.
* May 21, 2024: IBM asked to have a meeting.
* May 22, 2024: I replied that I would prefer written communication since it was very difficult to track the status of the vulnerabilities with (1) CVEs obtained only several months after the release of security bulletins, (2) tickets closed by IBM for unpatched vulnerabilities, (3) vulnerabilities in ibmsecurity which could be corrected by IBM and which could then no longer be managed by IBM, and (4) missing CVEs.
* May 22, 2024: IBM asked to have a meeting to remove any confusion.
* May 23, 2024: I replied that there's not much confusion except missing CVEs for silently patched vulnerabilities and lack of communication from IBM when releasing security patches. I asked IBM to share the CVEs with the corresponding vulnerabilities and indicate the security bulletins with the list of corresponding vulnerabilities.
* May 24, 2024: IBM stated they would provide me with additional CVEs.
* May 30, 2024: I confirmed that the creation of additional CVEs is fair.
* Jun 2, 2024: IBM confirmed 3 new CVEs in a new security bulletin: https://www.ibm.com/support/pages/node/7155356.
* Jun 3, 2024: I asked IBM the release date of the 10.0.8 version.
* Jun 3, 2024: IBM confirmed that the exact date was not yet decided.
* Jun 6, 2024: IBM asked if I had comments about the remaining vulnerabilities.
* Jun 8, 2024: I asked IBM the status of a previously patched vulnerability.
* Jun 10, 2024: IBM confirmed that this vulnerability had not been previously patched and would be patched in the 10.0.8 release.
* Jun 11, 2024: IBM asked to create separate cases for the remaining vulnerabilities.
* Jun 19, 2024: IBM asked if I needed assistance.
* Jun 23, 2024: IBM confirmed that the 10.0.8 version was released and that they would close the ticket tracking the vulnerabilities.
* Jun 26, 2024: I asked IBM to provide the corresponding CVEs and the link of the security bulletin.
* Jun 27, 2024: IBM provided me with the link to the security bulletin: https://www.ibm.com/support/pages/node/7158790 and said that the 10.0.8 version was released with all the patched vulnerabilities. IBM closed the ticket.
* Jul 3, 2024: I reopened the ticket and asked IBM to provide me with the list of vulnerabilities with the corresponding CVEs since I was not able to correctly map the CVEs to the vulnerabilities I reported.
* Jul 8, 2024: IBM provided me with the list of CVEs. IBM closed the ticket.
* Sep 7, 2024: I sent an email to IBM PSIRT stating that I was going to publish the security advisory and that some CVEs were still missing. I also stated that CVE-2023-38371 seemed to be an error since it was confirmed not to be a vulnerability according to our previous email exchanges.
* Sep 9, 2024: I asked IBM to provide me with an official link regarding the runtime authentication bypass, to publish it in the security advisory.
* Sep 13, 2024: IBM PSIRT provided me with (1) links regarding the runtime authentication bypass and (2) additional CVEs. They also confirmed that at least one vulnerability was not fixed and asked me not to disclose this finding until it was patched. No information was provided when this vulnerability would be patched.
* Nov 1, 2024: A security advisory is published.
## Credits
These vulnerabilities were found by Pierre Barre aka Pierre Kim (@PierreKimSec).
## References
https://pierrekim.github.io/blog/2024-11-01-ibm-security-verify-access-32-vulnerabilities.html
https://pierrekim.github.io/advisories/2024-ibm-security-verify-access.txt
https://pierrekim.github.io/blog/2024-11-01-ibmsecurity-4-vulnerabilities.html
https://pierrekim.github.io/advisories/2024-ibmsecurity.txt
https://www.ibm.com/support/pages/node/7106586
https://www.ibm.com/support/pages/node/7145400
https://www.ibm.com/support/pages/node/7155356
https://www.ibm.com/support/pages/node/7158790
## Disclaimer
This advisory is licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEoSgI9MSrzxDXWrmCxD4O2n2TLbwFAmckrf4ACgkQxD4O2n2T
LbzphQ//dkcrCH8Q+yNrjdYoxvY/wXwc1JfgXxmLK7Ns3N5qFJVT70Uea6HjIoHz
eJQurricioTP8jG48J2uzIt7l4G4Kgv0zP+aPN/KXjfYghu46N4G29458OgXTHVe
ecOmouy/za1DG6qtST+sbicDhX5oku4VtdQ+NtDXaoLUAkADp/wJ3rLv5Fdw7gxQ
VR0OMUTsy50Vv1bRN2R77ZAs/odAY67pQfTw8QpKLDDLBZveeAwBLgc66rQ+KZjq
mPbLUULFlZp3+EYnR+XyZXu2nNGZDhTVMKAYCGzuqr3/boIz1BF7rifK07tL8+EE
+NQQK3kzauWuQ/Sl5X20kfvdC91g7d/G93Me+Uz9iSfB9cyDfAdCLNf6fyYi/xjE
qz6HNe2capSG7GBeCK6Q8ffb95kojjKrmyL2eKj2Yz5ZCWuDXa0L6pLwHZ9KSyjj
24kykmiHI4bCKBCXazBVYcdguk+6PCcenAGxLIpKdmTcMvaUUbN/c2jUenjV8/As
+akcA48mNjuITE+Qei9kn7R5huTSCZffws9j4r0P86dst0ZkYfNSWgThatk2NRwC
V8D2DOXdxpXThuOAMfN4b9ViLYTeHm2/JGvl0RLQNyNSv2rWeeEch6Z69NsS/Fq7
Y7L55juYeCFtkTrdYA+tkaUHlvX8uQC9GoKkcUOfYV6utGQ4fnU=
=3Ax6
-----END PGP SIGNATURE-----