History: May 22, 2020 - 5:46 p.m.

Security Bulletin: IBM Tivoli Application Dependency Discovery Manager (TADDM) could expose password hashes stored in system memory on target Windows systems that are discovered by TADDM

2020-05-22 17:46:33
www.ibm.com
EPSS: 0.001 (percentile: 44.4%)

Summary

IBM Tivoli Application Dependency Discovery Manager (TADDM) requires a local service account to communicate with Windows servers (targets) via WMI. WMI caches the password hash in memory on each target Windows system when using certain authentication methods. By TADDM design, and according to standard implementation, the service account password is the same for all Windows targets. The cached password can be viewed in memory on any target Windows server using open-source Windows credential tools such as “mimikatz”. A local user can execute this tool and view the password hash from memory on the target systems. This essentially exposes the password for all other Windows targets that are configured to use TADDM. No access to the TADDM server is necessary to view the password. The local TADDM service account on each target system is a privileged account, so a local attacker could potentially gain access and administrative authority to all target Windows systems.

Vulnerability Details

CVEID: CVE-2018-1675
DESCRIPTION: IBM Tivoli Application Dependency Discovery Manager could expose password hashes stored in system memory on target systems that are configured to use TADDM.
CVSS Base Score: 6.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/145110> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

TADDM 7.3.0.0 - 7.3.0.5

Remediation/Fixes

There are eFixes prepared on top of the latest released FixPack for each stream.

| Fix | VRMF | APAR | How to acquire fix |
| --- | --- | --- | --- |
| efix_taddm7305_CVE-2018-1675_FP5180802.zip | 7.3.0.5 | None | Download eFix |
| efix_taddm7304_CVE-2018-1675_FP420171214.zip | 7.3.0.4 | None | Download eFix |
| efix_taddm7303_CVE-2018-1675_FP320160323.zip | 7.3.0.3 | None | Download eFix |

Please read the eFix readme in etc/<efix_name>_readme.txt.

For eFixes on 7.2.2.5, 7.3.0.3 and 7.3.0.4, the following property needs to be added to collation.properties to configure this eFix:

com.collation.WmiProvider.LogonTypeAllowed=NETWORK

This property can be a comma-separated list of any of the following keywords, which stand for the type of Windows logon to be used: NETWORK, BATCH, SERVICE, INTERACTIVE.
When several values are given, their order defines the preference given to each logon type, with the first value being the first preference.
The security issue is resolved by setting the property to “NETWORK”.

For all the above eFixes (7.2.2.5, 7.3.0.3, 7.3.0.4 and 7.3.0.5):

The new TADDM WMI Provider files must be updated on each target Windows system, so the user needs to configure the following properties:

com.collation.platform.os.WindowsOs.AutoDeploy=true

This property enables TADDM to auto-deploy new files to Windows targets. The default value of this property is true.

com.collation.RestartWmiOnAutoDeploy=true

If any WMI error is encountered during auto-deploy, the target WMI service needs to be restarted, which is done by setting this property to true. By default, its value is false. This property needs to be set to true so that the new provider files replace the old files on the target and are then registered.
This property can be set back to false after the TADDM WMI provider has been successfully updated on all Windows targets and discovery succeeds. This property can also be set for a specific IP address, e.g. for the IP address 1.2.3.4, the following property is to be configured:

com.collation.RestartWmiOnAutoDeploy.1.2.3.4=true

Note: The default value for the above WMI restart property is false. Setting these values to true may provide more reliable Windows discovery. This must be weighed against the potential negative impact of a WMI service temporarily being stopped and restarted. If the WMI service is restarted, all WMI-dependent services that were running before the restart are also restarted.
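
The following is an added example, not IBM's or TADDM's own code: a small audit of a collation.properties file for the three properties described above. The sample file contents are constructed, and exact-case keyword matching is an assumption; a missing LogonTypeAllowed is reported because the bulletin says it must be added for the 7.2.2.5, 7.3.0.3 and 7.3.0.4 eFixes.

```python
import re

KEYWORDS = {"NETWORK", "BATCH", "SERVICE", "INTERACTIVE"}  # logon types listed in the bulletin
P = "com.collation."

def parse_properties(text):
    """Parse key=value lines; skip blanks and #/! comments; last duplicate wins."""
    props = {}
    for line in map(str.strip, text.splitlines()):
        key, sep, value = line.partition("=")
        if sep and line[0] not in "#!":
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return findings for the properties the bulletin names (empty list = clean)."""
    props, findings = parse_properties(text), []
    raw = props.get(P + "WmiProvider.LogonTypeAllowed", "")
    types = [t.strip() for t in raw.split(",") if t.strip()]
    unknown = [t for t in types if t not in KEYWORDS]
    if not types:
        findings.append("LogonTypeAllowed: not set")
    elif unknown:
        findings.append("LogonTypeAllowed: unknown keyword " + ",".join(unknown))
    elif types != ["NETWORK"]:  # the bulletin's fix is the single value NETWORK
        findings.append("LogonTypeAllowed: " + ",".join(types) + " is not NETWORK only")
    # AutoDeploy defaults to true per the bulletin, so only an explicit override is flagged.
    if props.get(P + "platform.os.WindowsOs.AutoDeploy", "true").lower() != "true":
        findings.append("AutoDeploy: disabled, updated provider files are not deployed")
    # Global or per-IP WMI restart flags that were left on after the rollout.
    for key in sorted(props):
        m = re.fullmatch(re.escape(P + "RestartWmiOnAutoDeploy") + r"(?:\.(.+))?", key)
        if m and props[key].lower() == "true":
            findings.append("RestartWmiOnAutoDeploy: true for " + (m.group(1) or "all targets"))
    return findings

# Constructed sample files, not taken from a real TADDM installation.
WEAK = """com.collation.WmiProvider.LogonTypeAllowed=INTERACTIVE,NETWORK
com.collation.platform.os.WindowsOs.AutoDeploy=false
com.collation.RestartWmiOnAutoDeploy.1.2.3.4=true
"""
FIXED = """com.collation.WmiProvider.LogonTypeAllowed=NETWORK
com.collation.platform.os.WindowsOs.AutoDeploy=true
com.collation.RestartWmiOnAutoDeploy=false
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("fixed", FIXED)):
        print(name, audit(text) or "no findings")
```

The RestartWmiOnAutoDeploy finding is informational: the flag is needed while the new provider files are being deployed and is reported so it can be turned off afterwards.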

Workarounds and Mitigations

If an eFix is required on any other TADDM version, please contact IBM Support. This fix contains TADDM code. If you have existing eFixes (ls -rlt etc/efix*), open a case for a custom version of this eFix. Include your current eFix level, TADDM version and a link to this bulletin.
The eFix is created to be installed on the above FixPack without any previously applied eFixes.
