Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMD81A766C5E444FF35DD4FDC2578307F527EE9E0C0A986647D6ED5CA262EFFCB5
HistoryNov 04, 2019 - 6:11 a.m.

Security Bulletin: Information Exposure vulnerability found on IBM Security Secret Server (CVE-2019-4634)

2019-11-0406:11:48
www.ibm.com
13
JSON

Summary

This security bulletin describes plugging some potential, minor yet significant, information leaks by the IBM Security Secret Server Web server.
IBM Security Secret Server may unintentionally disclose information about their underlying technologies through headers, error messages, version numbers, or other identifying information. An attacker can use that information to research vulnerabilities in those technologies to attack the application to breach the system.

Vulnerability Details

CVEID:CVE-2019-4634
DESCRIPTION:
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170008 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected Products and Versions

IBM Security Secret Server, All Versions

Remediation/Fixes

I. Hide the IIS version.

The HTTP header “X-Powered-By” reveals the version of IIS used on the server. To stop this, remove the header:

  1. Open the IIS Manager.
  2. In the Connections tree, select the website that SS is running under.
  3. Click the HTTP Response Headers button on the right. The HTTP Response Headers panel appears.
  4. Click to select the X-Powered-By HTTP header.
  5. Click the Remove button in theActions panel. The header disappears.

II. Hide the ASP.NET version.

The HTTP header “X-ASPNET-VERSION” reveals the version of ASP.NET being used by the SS application pool. To stop this, remove the header:

  1. Open the web.config file for SS, which is located in the root directory for the website.
  2. Inside the <system.web> tag, add the tag <httpRuntime enableVersionHeader="false"/>.
  3. Save the file.

III. Hide the server type.

The HTTP header line Server: Microsoft-HTTPAPI/2.0 is added to the header by the .NET framework. To remove that information, you must update the Windows registry:

> Important: Do not simply remove the Server header variable—it will cause parts of SS to malfunction.

  1. Open the Windows Registry Editor.
  2. Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters.
  3. Change the DisableServerHeader (REG_DWORD type) registry key from 0 to 1.

> Note: There are other ways to hide the server type. However this is the recommended approach.

Workarounds and Mitigations

None

Related

symantec 1
cve 1
symantec
symantec
IBM Security Secret Server CVE-2019-4634 Multiple Information Disclosure Vulnerabilities
2019-11-04 00:00:00
cve
cve
CVE-2019-4634
2022-02-25 23:32:45
JSON
Related for D81A766C5E444FF35DD4FDC2578307F527EE9E0C0A986647D6ED5CA262EFFCB5
symantec1cve1