
Security Bulletin: Information Exposure vulnerability found on IBM Security Secret Server (CVE-2019-4634)



Summary

This security bulletin describes how to close several potential information leaks, minor but worth addressing, in the IBM Security Secret Server web server.
IBM Security Secret Server may unintentionally disclose information about its underlying technologies through HTTP headers, error messages, version numbers, or other identifying information. An attacker can use that information to research vulnerabilities in those technologies and then attack the application to breach the system.

Vulnerability Details

CVEID:   CVE-2019-4634
DESCRIPTION:  
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170008 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Security Secret Server, All Versions

Remediation/Fixes

I. Hide the IIS version.

The HTTP header “X-Powered-By” reveals the version of IIS used on the server. To stop this, remove the header:

  1. Open the IIS Manager.
  2. In the Connections tree, select the website that SS is running under.
  3. Click the HTTP Response Headers button on the right. The HTTP Response Headers panel appears.
  4. Click to select the X-Powered-By HTTP header.
  5. Click the Remove button in the Actions panel. The header disappears.

II. Hide the ASP.NET version.

The HTTP header “X-ASPNET-VERSION” reveals the version of ASP.NET being used by the SS application pool. To stop this, remove the header:

  1. Open the web.config file for SS, which is located in the root directory for the website.
  2. Inside the <system.web> tag, add the tag <httpRuntime enableVersionHeader="false"/>.
  3. Save the file.

III. Hide the server type.

The HTTP header line Server: Microsoft-HTTPAPI/2.0 is added to the header by the .NET framework. To remove that information, you must update the Windows registry:

Important: Do not simply remove the Server header variable—it will cause parts of SS to malfunction.

  1. Open the Windows Registry Editor.
  2. Navigate to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters.
  3. Change the DisableServerHeader (REG_DWORD type) registry key from 0 to 1.

Note: There are other ways to hide the server type. However, this is the recommended approach.
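To confirm that the three changes above took effect, the following added check (not part of the IBM bulletin) parses a captured raw HTTP response and reports any header that still discloses the IIS, ASP.NET or server-type details described in steps I to III. The two sample responses are constructed for illustration.

```python
"""Check a captured HTTP response for the disclosure headers named in the bulletin."""
import re

# Headers whose presence alone discloses the platform (steps I and II).
PRESENCE_HEADERS = ("x-powered-by", "x-aspnet-version")
# A Server value that names the Microsoft server type, e.g. "Microsoft-HTTPAPI/2.0" (step III).
SERVER_TYPE = re.compile(r"Microsoft-[A-Za-z]+(?:/[\w.]+)?")


def parse_headers(raw: bytes) -> dict:
    """Return the response headers as a dict keyed by lower-cased header name."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def disclosure_findings(raw: bytes) -> list:
    """List the headers that still disclose IIS, ASP.NET or server-type details."""
    headers = parse_headers(raw)
    findings = []
    for name in PRESENCE_HEADERS:
        if name in headers:
            findings.append(f"{name} present: {headers[name]}")
    match = SERVER_TYPE.search(headers.get("server", ""))
    if match:
        findings.append(f"server discloses server type: {match.group(0)}")
    return findings


# Constructed sample responses (not captured from a real system).
BEFORE_FIX = (b"HTTP/1.1 200 OK\r\n"
              b"Server: Microsoft-HTTPAPI/2.0\r\n"
              b"X-Powered-By: ASP.NET\r\n"
              b"X-AspNet-Version: 4.0.30319\r\n"
              b"Content-Type: text/html\r\n\r\n"
              b"<html></html>")
AFTER_FIX = (b"HTTP/1.1 200 OK\r\n"
             b"Content-Type: text/html\r\n\r\n"
             b"<html></html>")

if __name__ == "__main__":
    for label, sample in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, disclosure_findings(sample) or ["no disclosure headers found"])
```

Feed it the raw bytes of a response captured from the Secret Server site (for example with a HEAD request from an administrative host) before and after applying the fixes; an empty result means none of the three headers is disclosing details.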

Workarounds and Mitigations

None


References


*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide


Document Information

Modified date:
04 November 2019

UID

ibm11099773