Published: Mar 09, 2021, 6:38 p.m.

Security Bulletin: IBM Verify Gateway PAM components default to cleartext storage of client secret (CVE-2020-4369)

www.ibm.com

EPSS: 0.0004 (Low), percentile 12.6%

Summary

The IBM Verify Gateway (IVG) PAM components allow encryption of the client-secret property in the /etc/pam_ibm_auth.json file, but it’s not the default configuration. Instead, customers must remember to add an --obfuscation command-line flag to encrypt the property. As of v1.0.1 of IVG for AIX PAM, and v1.0.2 of IVG for Linux PAM, the client-secret property is encrypted by default.

Vulnerability Details

CVEID: CVE-2020-4369
DESCRIPTION: IBM Verify Gateway (IVG) stores highly sensitive information in cleartext that could be obtained by a user.
CVSS Base score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/179004 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s)             Version(s)
IBM Verify Gateway (IVG) PAM    1.0.0, 1.0.1

Remediation/Fixes

Log in to IBM X-Force Exchange / App Exchange and download and install the latest IBM Security Verify Gateway (renamed from IBM Verify Gateway) PAM components. Specifically:

Workarounds and Mitigations

Add the --obf command-line flag when running /opt/ibm/ibm_auth/ibm_authd in order to generate an encrypted version of the client secret. Then store the encrypted version in /etc/pam_ibm_auth.json using the “obf-client-secret” parameter, and remove the cleartext “client-secret” property. The authenticating component still has to recover the secret at runtime, so keep /etc/pam_ibm_auth.json readable only by the account that needs it. For details, see the IBM Knowledge Center topic at https://www.ibm.com/support/knowledgecenter/en/SSCT62/com.ibm.iamservice.doc/references/r_verify_pam_ibmauthapi.html.
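The following audit script is an added example, not IBM's code and not part of the bulletin. It checks an /etc/pam_ibm_auth.json file for the weak configuration described above (a populated “client-secret” property) versus the corrected one (“obf-client-secret”), and also flags a file that is readable by group or other. Only the two property names and the file path named in this bulletin are taken from the source; the sample configurations below are constructed for illustration, and nothing else about the file's layout is assumed.

```python
"""Audit /etc/pam_ibm_auth.json for a cleartext IVG client secret.

Added example, not IBM's code. Uses only the property names the bulletin
mentions: "client-secret" (cleartext) and "obf-client-secret" (encrypted).
No other structure of the file is assumed.
"""
import json
import os
import stat
import sys

CONFIG_PATH = "/etc/pam_ibm_auth.json"   # path from the bulletin
CLEARTEXT_KEY = "client-secret"          # property the bulletin calls cleartext
OBFUSCATED_KEY = "obf-client-secret"     # property written by ibm_authd --obf


def audit_config(text, mode):
    """Return a list of findings for the given JSON text and st_mode value.

    An empty list means: no cleartext secret present, an encrypted secret is
    present, and the file is not readable by group or other.
    """
    findings = []
    try:
        cfg = json.loads(text)
    except ValueError as exc:
        return ["config is not valid JSON: %s" % exc]
    if not isinstance(cfg, dict):
        return ["config top level is not a JSON object"]

    has_clear = cfg.get(CLEARTEXT_KEY) not in (None, "")
    has_obf = cfg.get(OBFUSCATED_KEY) not in (None, "")

    if has_clear and has_obf:
        findings.append("both %r and %r are set; remove the cleartext property"
                        % (CLEARTEXT_KEY, OBFUSCATED_KEY))
    elif has_clear:
        findings.append("%r is stored in cleartext (CVE-2020-4369); regenerate "
                        "with ibm_authd --obf and store it as %r"
                        % (CLEARTEXT_KEY, OBFUSCATED_KEY))
    elif not has_obf:
        findings.append("no client secret property found")

    # Even an encrypted secret is only as safe as the file's permissions,
    # because the authenticating component must recover it at runtime.
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("file is readable by group/other (mode %o)"
                        % stat.S_IMODE(mode))
    return findings


def audit_file(path=CONFIG_PATH):
    """Read a real config file and audit its contents and permissions."""
    with open(path) as fh:
        text = fh.read()
    return audit_config(text, os.stat(path).st_mode)


# Constructed sample configurations (not real IVG files) for a stand-alone run.
VULNERABLE_SAMPLE = '{"client-secret": "s3cr3t-value"}'
FIXED_SAMPLE = '{"obf-client-secret": "<output of ibm_authd --obf>"}'

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else CONFIG_PATH
    try:
        result = audit_file(path)
    except OSError as exc:
        print("cannot read %s: %s" % (path, exc))
        sys.exit(2)
    for finding in result:
        print("FINDING:", finding)
    sys.exit(1 if result else 0)
```

Run it as root on the PAM host (`python3 audit_pam_ibm_auth.py`); a non-zero exit status means at least one finding. The permission check is deliberately separate from the cleartext check: applying the --obf workaround removes the CVE-2020-4369 condition, but a world-readable file still exposes whatever the daemon needs to recover the secret.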
