Security Bulletin: IBM Security SiteProtector System is affected by GSKit vulnerabilities

Summary

IBM Security SiteProtector System has addressed the following vulnerabilities in GSKit.

Vulnerability Details

CVEID:CVE-2018-1428
**DESCRIPTION:*IBM GSKit uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
CVSS Base Score: 6.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139073&gt; for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2018-1427
**DESCRIPTION:*IBM GSKit contains several enviornment variables that a local attacker could overflow and cause a denial of service.
CVSS Base Score: 6.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139072&gt; for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2018-1426
**DESCRIPTION:*IBM GSKit duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material.
CVSS Base Score: 7.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139071&gt; for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID: CVE-2018-1447 DESCRIPTION: The GSKit CMS KDB logic fails to salt the hash function resulting in weaker than expected protection of passwords. A weak password may be recovered. Note: After update the customer should change password to ensure the new password is stored more securely. Products should encourage customers to take this step as a high priority action.
CVSS Base Score: 5.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139972&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

Apply the appropriate eXPress Updates (XPUs) as identified in the SiteProtector Console Agent view:

ServicePack3_1_1_16.xpu
AgentManager_WINNT_XXX_ST_3_1_1_52.xpu
RSEvntCol_WINNT_XXX_ST_3_1_1_10.xpu
DB_SP_3_1_1_65.xpu
UpdateServer_3_1_1_11.pkg
MU_3_1_1_8.xpu
ManualUpgrader_3_1_1_8.exe
CertificateManagerTools_3_1_1_6.exe
EventArchiver_3_1_1_7.pkg
EventArchiverImporter_3_1_1_7.exe
Console-Setup.exe

IBM Security SiteProtector System | 3.0.0.19 |

Apply the appropriate eXPress Updates (XPUs) as identified in the SiteProtector Console Agent view:

ServicePack3_0_0_19.xpu
AgentManager_WINNT_XXX_ST_3_0_0_83.xpu
RSEvntCol_WINNT_XXX_ST_3_0_0_16.xpu
DB_SP_3_0_0_82.xpu
UpdateServer_3_1_1_11.pkg
MU_3_1_1_8.xpu
ManualUpgrader_3_1_1_8.exe
CertificateManagerTools_3_1_1_6.exe
EventArchiver_3_1_1_7.pkg
EventArchiverImporter_3_1_1_7.exe
Console-Setup.exe

Alternatively, the packages can be manually obtained from the IBM Security License Key and Download Center using the following URL:

<https://ibmss.flexnetoperations.com/service/ibms/login&gt;

Workarounds and Mitigations

None