Security Bulletin
Summary
Customers using secure network protocols such as https and ssh with the Remote Supervisor Adapter II are impacted by a recently discovered weakness in the generation of RSA keys that are used with those protocols. The weakness in the key generation process may allow the corresponding private key to be remotely compromised by an attacker.
Vulnerability Details
Summary
- Weak RSA keys were found to be generated by the Remote Supervisor Adapter II firmware.
Vulnerability Details
CVE ID: CVE-2012-2187
Description:
Customers using secure network protocols such as https and ssh with
the Remote Supervisor Adapter II are impacted by a recently
discovered weakness in the generation of RSA keys that are used
with those protocols. The weakness in the key generation process
may allow the corresponding private key to be remotely compromised
by an attacker.
CVSS:
CVSS Base Score: 7.8
CVSS Temporal Score: Undefined
CVSS Environmental Score*: See http://xforce.iss.net/xforce/xfdb/75885
for the current score
CVSS String: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Affected Platforms:
List the affected versions/releases/platforms, as best possible.
- The Remote Supervisor Adapter II firmware for System x3850 M2 and System x3950 M2 (version 1.13 or older, Build ID A3EP46A or older)
- The Remote Supervisor Adapter II firmware for System x3650 (version 1.13 or older, Build ID GGEP41A or older)
Remediation:
The recommended solution is to apply the fix for the Remote Supervisor Adapter II in each named product as soon as practical. After applying the fix, generate new ssh keys and self-signed certificates, or certificate signing requests to be used by ssh and https protocols on the Remote Supervisor Adapter II. Please see below for information on the firmware fixes available.Fixes:
Remote Supervisor Adapter II firmware for System x3850 M2 and System x3950 M2:
- Zip Update Package
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5086633 - Linux Update Package
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5086634 - Windows Update Package
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5086635
Remote Supervisor Adapter II firmware for System x3650:
- Zip Update Package
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-64575 - Linux Update Package
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-64576 - Windows Update Package
http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-64577
Workaround:
- None known, apply fixes
Mitigation:
- None known
References:
Related Information:
Acknowledgement:
The vulnerability was reported to IBM during a larger security study by researchers at the University of Michigan and UC San Diego. https://freedom-to-tinker.com/blog/nadiah/new-research-theres-no-need-panic-over-factorable-keys-just-mind-your-ps-and-qs
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Get Notified about Future Security Bulletins
References
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
30 January 2019
UID
ibm1MIGR-5091525