History: Feb 09, 2024 - 4:04 p.m.

Security Bulletin: Kubernetes secrets in IBM Storage Defender Connection Manager on-prem environment are not encrypted by default (CVE-2023-50957, CVE-2024-22312, CVE-2024-22313)

2024-02-09 16:04:14
www.ibm.com
kubernetes
ibm storage defender
encryption
base64
root access
vulnerabilities
resiliency service
plain text credentials
hard-coded credentials
defender 2.0.1

CVSS3: 8 High

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

AI Score: 7.3 High (Confidence: Low)

EPSS: 0.0005 Low (Percentile: 19.0%)

Summary

Kubernetes secrets in the IBM Storage Defender Connection Manager on-premises environment (OVA) are obfuscated using base64 encoding instead of being encrypted. An attacker who has gained root access to the environment can read the secrets from the Kubernetes configuration. The vulnerabilities have been addressed.
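The point of the summary is that base64 is an encoding, not encryption: anyone who can read the Kubernetes configuration or the backing store can recover the secret with a single decode. The audit below is an added example, not IBM's code and not part of this bulletin; it assumes the general Kubernetes mechanism for encrypting Secrets at rest (an EncryptionConfiguration handed to kube-apiserver via --encryption-provider-config) and checks a parsed copy of that file for plaintext storage. Whether the Defender 2.0.1 fix uses this mechanism is not stated in the bulletin. The `audit_encryption_config` function, the two constructed configurations and the placeholder key are all assumptions introduced here.

```python
"""Audit a Kubernetes EncryptionConfiguration for base64-only Secret storage.

Added example, not IBM's code. It assumes the standard kube-apiserver
EncryptionConfiguration shape (resources[].providers[] as one-key mappings).
"""
import base64
import binascii
from typing import Dict, List, Optional

# Documented provider names; "identity" stores the resource unencrypted,
# which in etcd means exactly the base64 the bulletin describes.
ENCRYPTING_PROVIDERS = {"aescbc", "aesgcm", "secretbox", "kms"}
PLAINTEXT_PROVIDER = "identity"


def _provider_name(provider: dict) -> Optional[str]:
    """Each providers[] entry is a single-key mapping, e.g. {"aescbc": {...}}."""
    if isinstance(provider, dict) and len(provider) == 1:
        return next(iter(provider))
    return None


def _check_key_lengths(name: str, spec: dict, findings: List[str]) -> None:
    """Local providers need base64 keys of a fixed size (16/24/32 bytes for AES,
    32 bytes for secretbox). The API server rejects other sizes at startup, so
    flag them here instead of discovering the problem during a restart."""
    if name not in {"aescbc", "aesgcm", "secretbox"}:
        return
    allowed = {32} if name == "secretbox" else {16, 24, 32}
    for key in spec.get("keys", []):
        try:
            raw = base64.b64decode(key.get("secret", ""), validate=True)
        except (binascii.Error, ValueError):
            findings.append(f"{name} key {key.get('name')!r}: secret is not valid base64")
            continue
        if len(raw) not in allowed:
            findings.append(f"{name} key {key.get('name')!r}: {len(raw)}-byte key, "
                            f"expected one of {sorted(allowed)}")


def audit_encryption_config(cfg: Optional[dict]) -> Dict[str, object]:
    """Report how 'secrets' are stored at rest.

    cfg is the parsed EncryptionConfiguration as a dict, or None when the API
    server runs without --encryption-provider-config (base64-only storage).
    """
    if cfg is None:
        return {"secrets_encrypted": False, "write_provider": None,
                "findings": ["no EncryptionConfiguration: Secrets are stored base64-only"]}
    findings: List[str] = []
    if cfg.get("kind") != "EncryptionConfiguration":
        findings.append(f"unexpected kind {cfg.get('kind')!r}")
    write_provider = None
    covered = False
    for entry in cfg.get("resources", []):
        if "secrets" not in entry.get("resources", []):
            continue
        covered = True
        providers = entry.get("providers", [])
        names = [_provider_name(p) for p in providers]
        if not names:
            findings.append("secrets entry lists no providers")
            continue
        write_provider = names[0]  # the first provider is the one used for writes
        if write_provider == PLAINTEXT_PROVIDER:
            findings.append("identity is the first provider: new Secrets are written in plaintext")
        elif write_provider not in ENCRYPTING_PROVIDERS:
            findings.append(f"unknown first provider {write_provider!r}")
        if PLAINTEXT_PROVIDER in names[1:]:
            findings.append("identity follows an encrypting provider: Secrets written before the "
                            "change stay plaintext until rewritten and identity is removed")
        for provider, name in zip(providers, names):
            if name:
                _check_key_lengths(name, provider[name] or {}, findings)
    if not covered:
        findings.append("EncryptionConfiguration does not cover 'secrets'")
    encrypted = covered and write_provider in ENCRYPTING_PROVIDERS
    return {"secrets_encrypted": encrypted, "write_provider": write_provider,
            "findings": findings}


# Constructed sample: the weak shape, equivalent to having no encryption at all.
WEAK_CONFIG = {
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "EncryptionConfiguration",
    "resources": [{"resources": ["secrets"], "providers": [{"identity": {}}]}],
}

# Constructed sample: AES-CBC first (used for writes), identity last so Secrets
# written before the change can still be read during migration. The key is a
# placeholder of 32 zero bytes, not a real key.
_PLACEHOLDER_KEY = base64.b64encode(bytes(32)).decode()
HARDENED_CONFIG = {
    "apiVersion": "apiserver.config.k8s.io/v1",
    "kind": "EncryptionConfiguration",
    "resources": [{
        "resources": ["secrets"],
        "providers": [
            {"aescbc": {"keys": [{"name": "key1", "secret": _PLACEHOLDER_KEY}]}},
            {"identity": {}},
        ],
    }],
}

if __name__ == "__main__":
    for label, cfg in [("none", None), ("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)]:
        result = audit_encryption_config(cfg)
        print(f"{label}: encrypted={result['secrets_encrypted']} writes={result['write_provider']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The hardened configuration still produces a finding, because leaving `identity` after the encrypting provider is only correct while old Secrets are being rewritten; once every Secret has been re-saved under the new provider it should be dropped so plaintext entries can no longer be read back.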

Vulnerability Details

CVEID: CVE-2023-50957
**DESCRIPTION:** IBM Storage Defender - Resiliency Service could allow a privileged user to perform unauthorized actions after obtaining encrypted data from clear text key storage.
CVSS Base score: 8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/275783 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2024-22312
**DESCRIPTION:** IBM Storage Defender - Resiliency Service stores user credentials in clear text, which can be read by a local user.
CVSS Base score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/278748 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2024-22313
**DESCRIPTION:** IBM Storage Defender - Resiliency Service contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
CVSS Base score: 6.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/278749 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Storage Defender - Resiliency Service | 2.0.0 |

Remediation/Fixes

The Connection Manager included with Defender 2.0.1 and newer provides the fixes. If using a version of the Connection Manager obtained from Defender 2.0, IBM strongly recommends contacting support for assistance with upgrading.

Workarounds and Mitigations

None

Affected configurations (Vulners)

| Node | Match |
|---|---|
| ibm storage_defender_data_protect | 2.0.1 |

| CPE Name | Operator | Version |
|---|---|---|
| ibm storage defender | eq | 2.0.1 |
