IBM Support

IT21980: INSUFFICIENT SEPARATION OF PRIVILEGE


APAR status

  • Closed as program error.

Error description

  • Users of the Filegateway and EBICS Client applications are able
    to carry out actions or access information that should be
    restricted from them. This includes:
    1) An SFG admin user can reset another SFG admin's or another
    user's password via the Filegateway interface. By replacing the
    userid sent in the body of the request while resetting their own
    account, it is possible to reset another user's password.
    Normally, an SFG admin has to log into the EBICS dashboard to
    reset a password, but here this is done via the Filegateway
    interface. Note that the attacker needs to know the target
    username and supply the victim's current password correctly for
    a successful attack. However, as the application has a weak
    password policy, and this request is not protected against CSRF
    attacks, it is possible to brute-force the target account with
    common weak passwords.
    Please note that it is not clear whether the Filegateway
    interface sends information to the EBICS dashboard on the
    server side. It has not been verified whether this attack can be
    carried out by a low-privileged user, as such an account was not
    provided for Filegateway.
    2) A user is able to view event logs accessible to another
    (non-admin) user. By manipulating the event log ID number sent as
    part of the URI, it is possible to access other users' event
    logs even when they are not visible to the current user.
    Due to the uncertainties around the full extent of the issues,
    this issue has been given a medium risk rating. However, it
    should be treated as a priority and resolved at the earliest
    opportunity.
    IMPACT:
    1) The impact of this issue is currently rated as medium, as the
    information currently being logged did not contain any sensitive
    information. However, the full extent of this issue is unknown,
    as it is not known whether admin-level users can access EBICS
    Client or whether logs may contain sensitive information. This
    technique could be used to enumerate valid usernames.
    2) The impact of this issue is currently rated as medium, as
    initial tests show that the attack does not work on the
    administration panel of the EBICS dashboard. However, it is not
    known whether this information is used in a separate application
    outside the scope of this engagement.
    REMEDIATION:
    All administrative functions should be hidden from low-privilege
    users and should require authentication to perform the actions.
    Only administrators should be able to perform administrative
    functions.
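    The two authorization checks the remediation calls for, shown as an added
    Python example that is not part of the APAR or of the Sterling product
    code: the session, user, password and event-log data are constructed
    stand-ins, and each flawed handler is placed beside its hardened form.

```python
from dataclasses import dataclass
import hmac

class AuthorizationError(Exception):
    """Raised when a request is refused; the caller maps it to a 403/404."""

@dataclass
class Session:
    user: str
    is_admin: bool
    csrf_token: str  # issued at login; state-changing requests must echo it

@dataclass
class EventLog:
    owner: str
    message: str

# Constructed sample state (hypothetical users and logs, not from the APAR)
EVENT_LOGS = {101: EventLog("alice", "file received"),
              102: EventLog("bob", "file sent")}
PASSWORDS = {"alice": "Winter2017", "bob": "Summer2017"}

def get_event_log_vulnerable(session: Session, log_id: int) -> EventLog:
    """Flaw 2: the ID from the URI is the only input; ownership is never checked."""
    return EVENT_LOGS[log_id]

def get_event_log_fixed(session: Session, log_id: int) -> EventLog:
    """Object-level check: non-admins may read only the logs they own.
    Missing and foreign IDs get the same error, so IDs cannot be enumerated."""
    log = EVENT_LOGS.get(log_id)
    if log is None or (log.owner != session.user and not session.is_admin):
        raise AuthorizationError("event log not found")
    return log

def reset_password_vulnerable(session: Session, body: dict) -> None:
    """Flaw 1: the userid in the request body decides whose password changes."""
    target = body["userid"]
    if PASSWORDS[target] != body["current_password"]:
        raise AuthorizationError("current password incorrect")
    PASSWORDS[target] = body["new_password"]

def reset_password_fixed(session: Session, body: dict) -> None:
    """Identity comes from the session, never from the body, and the request
    must carry the session's CSRF token before anything is changed."""
    if not hmac.compare_digest(body.get("csrf_token", ""), session.csrf_token):
        raise AuthorizationError("missing or invalid CSRF token")
    target = session.user  # any body["userid"] is ignored entirely
    if not hmac.compare_digest(PASSWORDS[target], body["current_password"]):
        raise AuthorizationError("current password incorrect")
    PASSWORDS[target] = body["new_password"]
```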
    

Local fix

  • No workaround exists.
    

Problem summary

  • Users Affected:
    All EBICS Users
    
    Problem Description:
    In the EBICS client one user was able to see the event details
    corresponding to another user.
    
    Platforms Affected:
    All
    

Problem conclusion

  • Resolution Summary:
    A code fix is provided.
    
    Delivered In:
    5020603_3
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT21980

  • Reported component name

    STR B2B INTEGRA

  • Reported component ID

    5725D0600

  • Reported release

    525

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-08-11

  • Closed date

    2017-11-20

  • Last modified date

    2017-11-21

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    STR B2B INTEGRA

  • Fixed component ID

    5725D0600

Applicable component levels

  • R526 PSY

       UP


Document Information

Modified date:
21 November 2017