Security Bulletin: A vulnerability in Pluggable Authentication Modules (PAM) affects IBM Security Network Protection (CVE-2015-3238)

Summary

Pluggable Authentication Modules (PAM) provide a system whereby administrators can set up authentication policies without having to recompile programs to handle authentication. A security vulnerability has been discovered in PAM used with IBM Security Network Protection.

Vulnerability Details

CVEID: CVE-2015-3238**
DESCRIPTION:** Linux-PAM could allow a local attacker to obtain sensitive information, caused by an error in the _unix_run_helper_binary function in the pam_unix module. An attacker could exploit this vulnerability using an overly large password to enumerate usernames and cause the system to hang.
CVSS Base Score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/106368 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

Affected Products and Versions

IBM Security Network Protection 5.2
IBM Security Network Protection 5.3.1
IBM Security Network Protection 5.3.2

Remediation/Fixes

Product

| VRMF| Remediation/First Fix
—|—|—
IBM Security Network Protection | Firmware version 5.2| Download 5.2.0.0-ISS-XGS-All-Models-Hotfix-FP0013 from IBM Fix Central and upload and install via the Fix Packs page of the Local Management Interface.
IBM Security Network Protection| Firmware version 5.3.1| Download Firmware 5.3.1.6 from IBM Security License Key and Download Center and upload and install via the Available Updates page of the Local Management Interface.
IBM Security Network Protection| Firmware version 5.3.2| Install Firmware 5.3.2.1 from the Available Updates page of the Local Management Interface, or by performing a One Time Scheduled Installation from SiteProtector.

Workarounds and Mitigations

None