Security Bulletin: Vulnerability in GnuTLS affects Power Hardware Management Console (CVE-2018-10845, CVE-2018-10844)

2021-09-22 23:05:38
www.ibm.com

CVSS3: 5.9 Medium

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 4.3 Medium

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

EPSS: 0.014 Low
Percentile: 84.7%

Summary

It was found that GnuTLS's implementation of HMAC-SHA-384 and HMAC-SHA-256 was vulnerable to a Lucky Thirteen-style attack. A remote attacker could use this flaw to conduct distinguishing attacks and plaintext recovery attacks via statistical analysis of timing data using crafted packets.

Vulnerability Details

CVEID: CVE-2018-10845
DESCRIPTION: GnuTLS could allow a remote attacker to obtain sensitive information, caused by a flaw in the implementation of HMAC-SHA-384. By sending a specially-crafted packet, a remote attacker could exploit this vulnerability to obtain information.
CVSS Base Score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148730> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-10844
DESCRIPTION: GnuTLS could allow a remote attacker to obtain sensitive information, caused by a flaw in the implementation of HMAC-SHA-256. By sending a specially-crafted packet, a remote attacker could exploit this vulnerability to obtain information.
CVSS Base Score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148731> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Power HMC V8.7.0.0
Power HMC V9.1.910.0

Remediation/Fixes

The following fixes are available on IBM Fix Central at: <http://www-933.ibm.com/support/fixcentral/>

Product | VRMF | APAR | Remediation/Fix
---|---|---|---
Power HMC | V8.8.7.2 PTF3 ppc | MB04193 | MH01807
Power HMC | V8.8.7.2 PTF3 x86 | MB04192 | MH01806
Power HMC | V9.1.921.0 PTF3 ppc | MB04195 | MH01809
Power HMC | V9.1.920.0 PTF3 x86 | MB04194 | MH01808

Workarounds and Mitigations

None

CPE Name | Operator | Version
---|---|---
hardware management console v9 | eq | any
