History: Jan 30, 2019 - 7:45 a.m.

Security Bulletin: Weak Key Vulnerability in Remote Supervisor Adapter II firmware (CVE-2012-2187) - IBM System x3650, System x3850 M2, System x3950 M2

www.ibm.com

EPSS: 0.001 (Low), Percentile: 46.9%

Summary

Customers using secure network protocols such as HTTPS and SSH with the Remote Supervisor Adapter II are affected by a recently discovered weakness in the generation of the RSA keys used by those protocols. The weakness in the key-generation process may allow the corresponding private key to be compromised remotely by an attacker.

Vulnerability Details

Summary

  • Weak RSA keys were found to be generated by the Remote Supervisor Adapter II firmware.

Vulnerability Details

CVE ID: CVE-2012-2187

Description:
Customers using secure network protocols such as HTTPS and SSH with the Remote Supervisor Adapter II are affected by a recently discovered weakness in the generation of the RSA keys used by those protocols. The weakness in the key-generation process may allow the corresponding private key to be compromised remotely by an attacker.

CVSS:
CVSS Base Score: 7.8
CVSS Temporal Score: Undefined
CVSS Environmental Score*: See <http://xforce.iss.net/xforce/xfdb/75885> for the current score
CVSS String: (AV:N/AC:L/Au:N/C:C/I:N/A:N)

Affected Platforms:


  • The Remote Supervisor Adapter II firmware for System x3850 M2 and System x3950 M2 (version 1.13 or older, Build ID A3EP46A or older)
  • The Remote Supervisor Adapter II firmware for System x3650 (version 1.13 or older, Build ID GGEP41A or older)

Remediation:

The recommended solution is to apply the fix for the Remote Supervisor Adapter II in each named product as soon as practical. After applying the fix, generate new SSH keys and new self-signed certificates (or certificate signing requests) for the SSH and HTTPS services on the Remote Supervisor Adapter II, since keys generated by the old firmware remain weak even after the update. Please see below for information on the firmware fixes available.

Fixes:

Remote Supervisor Adapter II firmware for System x3850 M2 and System x3950 M2:

Remote Supervisor Adapter II firmware for System x3650:

Workaround:

  • None known; apply the fixes

Mitigation:

  • None known

References:

Related Information:

Acknowledgement:

The vulnerability was reported to IBM during a larger security study by researchers at the University of Michigan and UC San Diego. See https://freedom-to-tinker.com/blog/nadiah/new-research-theres-no-need-panic-over-factorable-keys-just-mind-your-ps-and-qs
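The cited study found embedded devices with little entropy at first boot producing RSA moduli that share a prime factor with another device's modulus, which makes both keys factorable. As an added, defender-side audit (not code from IBM or the bulletin), the script below checks a constructed inventory of public moduli pairwise for a common factor and reports which devices must regenerate their keys; device names, the `INVENTORY` mapping and the tiny sample primes are all constructed for illustration.

```python
"""Audit collected RSA public moduli for shared prime factors.

Added example, not from IBM or the bulletin. A modulus that shares a
factor with any other modulus in the set is compromised and the device
must regenerate its SSH host key and HTTPS certificate after the fix.
"""
from itertools import combinations
from math import gcd

# Constructed sample primes (far too small for real keys; illustration only).
P_SHARED = 1000003
Q1 = 1000033
Q2 = 1000037
P3 = 1000039
Q3 = 1000081

# Hypothetical inventory: device name -> RSA modulus n = p*q taken from the
# device's HTTPS certificate or SSH host key (values constructed).
INVENTORY = {
    "rsa2-device-A": P_SHARED * Q1,   # shares P_SHARED with device B
    "rsa2-device-B": P_SHARED * Q2,
    "rsa2-device-C": P3 * Q3,         # independent primes: healthy
}


def find_shared_factor_keys(moduli):
    """Return {device: set of devices it shares a factor with}.

    Pairwise gcd is O(n^2) big-integer operations, which is fine for a
    fleet of management controllers; the cited study used a batch-GCD
    product tree to scale to millions of keys. gcd(n, n) == n, so two
    devices carrying an identical key are flagged as well.
    """
    flagged = {}
    for (name_a, n_a), (name_b, n_b) in combinations(moduli.items(), 2):
        if gcd(n_a, n_b) > 1:
            flagged.setdefault(name_a, set()).add(name_b)
            flagged.setdefault(name_b, set()).add(name_a)
    return flagged


def devices_needing_rekey(moduli):
    """Sorted list of devices whose RSA key must be regenerated."""
    return sorted(find_shared_factor_keys(moduli))


if __name__ == "__main__":
    for dev in devices_needing_rekey(INVENTORY):
        print(f"{dev}: shares an RSA factor with another device; regenerate keys")
```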

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
