Lucene search

K
ibmIBM1D6E662FBFEB4794BB624D785DA3C88B345296305978E42DF5B3062A85781261
HistoryJul 24, 2020 - 10:19 p.m.

Security Bulletin: IBM Connect:Direct for UNIX is Vulnerable to a Privilege Escalation Attack via its C/C++ API

2020-07-2422:19:08
www.ibm.com
8

Summary

IBM Sterling Connect:Direct for UNIX could allow a user who is authorized for limited Connect:Direct privileges to attack through a custom application written using the Connect:Direct for UNIX C/C++ API by replacing the system implementation of getuid() with a malicious implementation and gain unauthorized privilege to access to the Connect:Direct for UNIX Server.

Vulnerability Details

CVEID: CVE-2019-4529 DESCRIPTION: IBM Sterling Connect:Direct for UNIX could allow an authenticated attacker to replace the system implementation of getuid() with a malicious implementation allowing the user to gain unauthorized access to the CD UNIX Server through a custom application written using the CD UNIX C/C++ API.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/165585&gt; for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Sterling Connect:Direct for Unix 6.0.0

IBM Sterling Connect:Direct for Unix 4.3.0

IBM Sterling Connect:Direct for Unix 4.2.0

Remediation/Fixes

V.R.M.F

| APAR | Remediation/First Fix
—|—|—
6.0.0 | IT27957 | Apply 6.0.0.1.iFix006, available in cumulative iFix 6.0.0.1.008 on Fix Central
4.3.0 | IT27957 | Apply 4.3.0.1.iFix009, available in cumulative iFix 4.3.0.1.010 on Fix Central
4.2.0 | IT27957 | Apply 4.2.0.4.iFix122, available in cumulative Fix Pack 4.2.0.5 on Fix Central

For versions previous to 4.2.0, IBM recommends upgrading to a fixed, supported version of the product.

Workarounds and Mitigations

None

Related for 1D6E662FBFEB4794BB624D785DA3C88B345296305978E42DF5B3062A85781261