Security Bulletin: TADDM uses weak SSL certificates (CVE-2012-5770)

Abstract

IBM Tivoli Application Dependency Discovery Manager SSL certificate uses weak MD5 hash algorithm

Content

VULNERABILITY DETAILS:

DESCRIPTION:
TADDM uses weak certificates for SSL communication what can lead to man in the middle attack. The attacker must have access to traffic between TADDM server and its client (GUI or API) to be able to hijack and break the certificate. If more powerful hash algorithm is used the certificate is much more difficult to break.

**CVEID:*CVE-2012-5770
CVSS Base Score: 4.3
CVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/80354&gt;_ for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

AFFECTED PRODUCTS AND VERSIONS:
TADDM 7.2.0.0 through 7.2.1.3

REMEDIATION:

Each customer should generate their own security certificates that would uniquely identify the customer. The steps to do that are listed in following section.

Workaround(s):
The certificates can be generated manually issuing following commands:

<taddm_dist_dir>/external/<jdk-for-platform>/bin/keytool -delete -alias collation -keystore <taddm_dist_dir>/etc/serverkeys -storepass <ssl-password>

<taddm_dist_dir>external/<jdk-for-platform>/bin/keytool -genkey -alias collation -keystore <taddm_dist_dir>/etc/serverkeys -validity 3650 -keyAlg RSA -sigalg SHA256WithRSA -keypass <ssl-password> -storepass <ssl-password> -dname “CN=<TADDM_SERVER_FQDN>, OU=Engineering, O=IBM, L=Palo Alto, S=California, C=US”

<taddm_dist_dir>external/<jdk-for-platform>/bin/keytool -export -alias collation -noprompt -keystore <taddm_dist_dir>/etc/serverkeys -keypass <ssl-password> -storepass <ssl-password> -file <taddm_dist_dir>/cert.tmp

<taddm_dist_dir>external/<jdk-for-platform>/bin/keytool -delete -alias collation -noprompt -keystore <taddm_dist_dir>/etc/jssecacerts.cert -storepass <ssl-password>

<taddm_dist_dir>external/<jdk-for-platform>/bin/keytool -import -alias collation -noprompt -keystore <taddm_dist_dir>/etc/jssecacerts.cert -keypass <ssl-password> -storepass <ssl-password> -file <taddm_dist_dir>/cert.tmp

where:

<taddm_dist_dir> - the “dist” dir where taddm is installed
<jdk-for-platform> - jdk dir dedicated for Customer’s platform
<ssl-password> - value of com.collation.sslpassphrase
<TADDM_SERVER_FQDN> - taddm server fqdn

NOTE: please backup the existing files before:

<taddm_dist_dir>/etc/serverkeys
<taddm_dist_dir>/etc/jssecacerts.cert

Mitigation(s):
If possible access to TADDM server should be restricted to certain selected machines by using e.g. by using iptables. This way the potential attacker must hijack machine allowed to access to conduct MiM attack.

REFERENCES:

• Complete CVSS Guide
• On-line Calculator V2_ _
• CVE-2012-5770
• _X-Force Vulnerability Database __<https://exchange.xforce.ibmcloud.com/vulnerabilities/80354&gt;_

RELATED INFORMATION:
_IBM Secure Engineering Web Portal _
IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT
None

CHANGE HISTORY
1 March 2013: Original Copy Published

_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash. _

_Note: _According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

[{“Product”:{“code”:“SSPLFC”,“label”:“Tivoli Application Dependency Discovery Manager”},“Business Unit”:{“code”:“BU059”,“label”:“IBM Software w/o TPS”},“Component”:“–”,“Platform”:[{“code”:“PF002”,“label”:“AIX”},{“code”:“PF016”,“label”:“Linux”},{“code”:“PF027”,“label”:“Solaris”},{“code”:“PF033”,“label”:“Windows”}],“Version”:“7.2;7.2.1”,“Edition”:“”,“Line of Business”:{“code”:“LOB45”,“label”:“Automation”}}]