8 matches found
CVE-2020-4385
CVE-2020-4385 affects IBM Verify Gateway (IVG) versions 1.0.0 and 1.0.1, where a hard-coded credential (password/cryptographic key) is used for inbound authentication, outbound communication to external components, or internal data encryption. The IBM advisories (Security Bulletin and X-Force ent...
CVE-2020-4371
IBM Verify Gateway (IVG) PAM components have a leftover debug header/file in installation packages that exposes sensitive information. Affected products/versions: IVG PAM 1.0.0 and 1.0.1. Root cause: leftover debugging code/file not meant for delivery in PAM components. Impact: could be used by a...
CVE-2020-4369
CVE-2020-4369 affects IBM Verify Gateway (IVG) 1.0.0 and 1.0.1, where the client-secret stored in cleartext in PAM configurations could be exposed. The IBM Security bulletin notes that IVG PAM components can encrypt the client-secret in /etc/pam_ibm_auth.json, but encryption is not enabled by def...
CVE-2020-4372
Summary: CVE-2020-4372 affects IBM Verify Gateway (IVG) components and enables exposure of client secrets when debug tracing is enabled, resulting in plaintext credentials readable by a local attacker. Affected products/versions (per IBM): IVG RADIUS 1.0.0; IVG PAM 1.0.0, 1.0.1; IVG Windows Login...
CVE-2020-4397
CVE-2020-4397 affects IBM Verify Gateway (IVG) PAM components (AIX PAM 1.0.0/1.0.1; Linux PAM 1.0.0/1.0.1) where the Authd service could expose sensitive data in cleartext over TCP, enabling eavesdropping/mitm. The IBM Security bulletin notes that as of IVG PAM v1.0.1 (AIX) and v1.0.2 (Linux), th...
CVE-2020-4399
Summary of CVE-2020-4399 (IBM Verify Gateway PAM) : The vulnerability affects IBM Verify Gateway (IVG) PAM components (AIX PAM v1.0.1 and Linux PAM v1.0.2 as the fixed versions). The issue stems from the Authd service, which listens on TCP port 12 and could be abused by an authenticated user to s...
CVE-2020-4400
CVE-2020-4400 concerns IBM Verify Gateway (IVG) where the account lockout settings were inadequate, enabling a remote attacker to brute‑force credentials. Affected IVG components include RADIUS 1.0.0, PAM 1.0.0/1.0.1, and WinLogin 1.0.0/1.0.1. The root cause is insufficient throttling of authenti...
CVE-2020-4405
Summary: IBM Verify Gateway (IVG) PAM components are affected in IVG 1.0.0 and 1.0.1, where debug log files can be world-readable and disclose potentially sensitive information to an authenticated user. The issue arises from logs written to /tmp via trace-file parameters, creating exposure of log...