Security Bulletin: Multiple vulnerabilities found on IBM Security Secret Server

Summary

Multiple vulnerabilities found on IBM Security Secret Server has been addressed in the release 10.7.000059.

Vulnerability Details

CVEID:CVE-2019-4639
**DESCRIPTION:**IBM Security Secret Server uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170045 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2019-4631
**DESCRIPTION:**IBM Security Secret Server could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170001 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

CVEID:CVE-2019-4635
**DESCRIPTION:**IBM Security Secret Server could allow a privileged user to perform unauthorized command injection due to imporoper input neutralization of special elements.
CVSS Base score: 2.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170011 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2019-4638
**DESCRIPTION:**IBM Security Secret Server does not set the secure attribute on authorization tokens or session cookies. This could allow an attacker to obtain sensitive information using man in the middle techniques.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170044 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2019-4637
**DESCRIPTION:**IBM Security Secret Server uses incomplete blocklisting for input validation which allows attackers to bypass application controls resulting in direct impact to the system and data integrity.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170043 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2019-4640
**DESCRIPTION:**IBM Security Secret Server processes patches, image backups and other updates without sufficiently verifying the origin and integrity of the code which could result in an attacker executing malicious code.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170046 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2019-4632
**DESCRIPTION:**IBM Security Secret Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170004 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2019-4636
**DESCRIPTION:**IBM Security Secret Server could disclose sensitive information to an authenticated user from generated error messages.
CVSS Base score: 2.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170013 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2012-5662
**DESCRIPTION:**x3270 before 3.3.12ga12 does not verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/82984 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:CVE-2014-4861
**DESCRIPTION:**The Remote Desktop Launcher in Thycotic Secret Server before 8.6.000010 does not properly cleanup a temporary file that contains an encrypted password once a session has ended.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/140555 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2017-11725
**DESCRIPTION:**The share function in Thycotic Secret Server before 10.2.000019 mishandles the Back Button, leading to unintended redirections.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/129954 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

Affected Products and Versions

IBM Security Secret Server, All Versions

Remediation/Fixes

Upgrade to the fixpack available here.

Workarounds and Mitigations

None