IBM Support

Security Bulletin: Vulnerability in OpenSSH affects IBM Integrated Analytics System

Security Bulletin


Summary

Redhat provided OpenSSH is used by IBM Integrated Analytics System. This bulletin provides mitigation for the reported CVE.

Vulnerability Details

CVEID:   CVE-2020-14145
DESCRIPTION:   OpenSSH is vulnerable to a man-in-the-middle attack, caused by an observable discrepancy flaw. An attacker could exploit this vulnerability to launch a man-in-the-middle attack and gain access to the communication channel between endpoints to obtain sensitive information or further compromise the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/184514 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s)Version(s)
IBM Integrated Analytics System1.0.0-1.0.24.0

Remediation/Fixes

None

Workarounds and Mitigations

Mitigation for reported CVE  CVE-2020-14145 is as follows:

  • This is a flaw in OpenSSH, which allows a man in the middle attack to determine, if a client already has prior knowledge of the remote hosts fingerprint. An attacker could use this information to ignore clients, which will show an error message during an man in the middle attack, while new clients can be intercepted without alerting them of the man in the middle attack.

    This essentially means that this flaw can help attacker's identify targets an MITM attack. However such a attack would still require the attacker to either have control over DNS or control over the network traffic.

    If the network is untrusted, we suggests the use ssh certificates for even more confidence and less human factor involved or gssapi key exchange, where kerberos is used to verify identity of the server.

  • Always connect to SSH servers with verified host keys to avoid any possibilities of man-in-the-middle attack.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

13 May 2021: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSHRBY","label":"IBM Integrated Analytics System"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
13 May 2021

Initial Publish date:
13 May 2021

UID

ibm16452607

Page Feedback