This security bulletin describes how to plug some potential, minor yet significant, information leaks by the IBM Security Secret Server web server.
IBM Security Secret Server may unintentionally disclose information about its underlying technologies through headers, error messages, version numbers, or other identifying information. An attacker can use that information to research vulnerabilities in those technologies and attack the application to breach the system.
CVEID: CVE-2019-4634
DESCRIPTION:
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170008 for the current score.
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
IBM Security Secret Server, All Versions
I. Hide the IIS version.
The HTTP header “X-Powered-By” reveals the version of IIS used on the server. To stop this, remove the header:
II. Hide the ASP.NET version.
The HTTP header “X-ASPNET-VERSION” reveals the version of ASP.NET being used by the SS application pool. To stop this, remove the header: in the web.config file for SS, which is located in the root directory for the website, inside the <system.web> tag, add the tag <httpRuntime enableVersionHeader="false"/>.
III. Hide the server type.
The HTTP header line Server: Microsoft-HTTPAPI/2.0 is added to the header by the .NET framework. To remove that information, you must update the Windows registry:
> Important: Do not simply remove the Server header variable—it will cause parts of SS to malfunction.
Change the DisableServerHeader (REG_DWORD type) registry key under Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters from 0 to 1.
> Note: There are other ways to hide the server type. However, this is the recommended approach.
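To confirm that steps I to III took effect, the following added example (not part of the IBM bulletin) inspects an HTTP response's headers for the three disclosures described above; the header samples, the version value 4.0.30319 and the function names are constructed for this illustration.

```python
# Added example, not IBM's code: report response headers that disclose
# the IIS/ASP.NET platform, its version, or the server type.
import re

# Header name (lower-case) -> what the bulletin says it reveals
LEAKY_HEADERS = {
    "x-powered-by": "IIS version / platform",
    "x-aspnet-version": "ASP.NET version",
}
# Server header values that still carry a Microsoft product identifier
SERVER_PRODUCT_RE = re.compile(r"microsoft-httpapi|microsoft-iis", re.IGNORECASE)


def find_version_leaks(headers):
    """Return a sorted list of '<name>: <value> (<what it reveals>)' strings.
    `headers` is any iterable of (name, value) pairs, e.g. resp.getheaders()."""
    findings = []
    for name, value in headers:
        key = name.strip().lower()
        if key in LEAKY_HEADERS:
            findings.append(f"{name}: {value} ({LEAKY_HEADERS[key]})")
        elif key == "server" and SERVER_PRODUCT_RE.search(value):
            findings.append(f"{name}: {value} (server type)")
    return sorted(findings)


def parse_raw_headers(raw):
    """Split the header block of a raw HTTP response into (name, value) pairs."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def check_url(url):
    """Live check against your own server (not used in the offline samples)."""
    from urllib.request import urlopen
    with urlopen(url) as resp:
        return find_version_leaks(resp.getheaders())


# Constructed sample: a response before the bulletin's changes are applied
BEFORE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: Microsoft-HTTPAPI/2.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
"""
# Constructed sample: a response carrying none of the three disclosures
AFTER = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
"""

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, find_version_leaks(parse_raw_headers(raw)) or "no leaks")
```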