Security Bulletin
Summary
Security vulnerabilities have been discovered in OpenSSL.
Vulnerability Details
CVE-ID: CVE-2014-0160
DESCRIPTION: OpenSSL could allow a remote
attacker to obtain sensitive information, caused by an error in the
TLS/DTLS heartbeat functionality. An attacker could exploit this
vulnerability to expose 64k of private memory and retrieve secret
keys. An attacker can repeatedly expose additional 64k chunks of
memory. This vulnerability can be remotely exploited,
authentication is not required and the exploit is not complex. It
can be exploited on any system (i.e., server, client, agent)
receiving connections using the vulnerable OpenSSL library.
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92322
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:N/A:N)
Warning: We strongly encourage you to take action as soon as possible as potential implications to your environment may be more serious than indicated by the CVSS score.
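The missing length check behind CVE-2014-0160, shown as an added example (not code from this bulletin, from IBM or from OpenSSL): a heartbeat request carries a 16-bit payload length, which is where the 64k figure above comes from, and the flaw is trusting that field instead of the number of bytes actually received. The function names and sample records are constructed for illustration; the record layout and 16-byte minimum padding follow RFC 6520.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3   /* type (1 byte) + payload_length (2 bytes) */
#define HB_PADDING  16  /* minimum padding required by RFC 6520 */

/* Constructed sample records, not captured traffic. Unlisted bytes are zero. */
static const uint8_t HB_GOOD[23] = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t HB_BAD[19]  = {HB_REQUEST, 0x40, 0x00}; /* claims 16384, carries 0 */

/* Payload length as claimed by the sender (big-endian, attacker-controlled). */
static size_t hb_claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Flawed pattern: the echo size comes from the claimed length alone, so a
 * responder would copy that many bytes regardless of what was received. */
size_t hb_echo_len_unchecked(const uint8_t *rec, size_t rec_len) {
    (void)rec_len; /* never consulted: this is the defect */
    return hb_claimed_len(rec);
}

/* Hardened pattern: validate against the received length before copying.
 * Returns the response length, or 0 when the request must be discarded. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t payload = hb_claimed_len(rec);
    if (HB_HEADER + payload + HB_PADDING > rec_len) return 0; /* the fix */
    size_t resp_len = HB_HEADER + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1]; out[2] = rec[2]; /* echo the length field */
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload);
    memset(out + HB_HEADER + payload, 0, HB_PADDING); /* real stacks use random padding */
    return resp_len;
}

int main(void) {
    uint8_t out[64];
    printf("good: %zu bytes\n", hb_build_response(HB_GOOD, sizeof HB_GOOD, out, sizeof out));
    printf("bad:  unchecked=%zu checked=%zu\n", hb_echo_len_unchecked(HB_BAD, sizeof HB_BAD),
           hb_build_response(HB_BAD, sizeof HB_BAD, out, sizeof out));
    return 0;
}
```

Because the leaked bytes come from process memory rather than from the request, patching alone does not undo earlier exposure, which is why the remediation below also replaces certificates, keys and passwords.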
CVE-ID: CVE-2014-0076
DESCRIPTION: OpenSSL could allow a local
attacker to obtain sensitive information, caused by an
implementation error in ECDSA (Elliptic Curve Digital Signature
Algorithm). An attacker could exploit this vulnerability using the
FLUSH+RELOAD cache side-channel attack to recover ECDSA nonces.
This vulnerability can only be exploited locally, authentication is
not required and the exploit is not complex. An exploit can only
partially affect confidentiality, but not integrity or
availability.
CVSS Base Score: 2.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/91990
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)
Affected Products and Versions
FSM
- Flex System Manager 1.2.0
- Flex System Manager 1.2.1
- Flex System Manager 1.3.0
- Flex System Manager 1.3.0.1
- Flex System Manager 1.3.1
Agents
- Agents for FSM 1.2.0 or 1.2.1
  - IBM Systems Director Platform Agent for Windows 6.3.2
  - IBM Systems Director Common Agent for Windows 6.3.2
  - IBM Systems Director Platform Agent for Linux 6.3.2
  - IBM Systems Director Common Agent for Linux 6.3.2
- Agents for FSM 1.3.0, 1.3.0.1,
  - IBM Systems Director Platform Agent for Windows 6.3.4
  - IBM Systems Director Common Agent for Windows 6.3.4
  - IBM Systems Director Platform Agent for Linux 6.3.4
  - IBM Systems Director Common Agent for Linux 6.3.4
- Agents for FSM 1.3.1
  - IBM Flex System Platform Agent for Windows 1.3.1
  - IBM Flex System Common Agent for Windows 1.3.1
  - IBM Flex System Platform Agent for Linux 1.3.1
  - IBM Flex System Common Agent for Linux 1.3.1
Not Affected Products and Versions
- Flex System Manager 1.1.0
- Flex System Manager 1.1.0.1
- Flex System Manager 1.1.1
Remediation/Fixes
IBM recommends:
- Updating the Flex System Manager.
- Updating the affected agents.
- Verifying fixes are installed.
Warning: Your Flex Systems chassis environment
may require additional fixes for other products, including non-IBM
products. Please replace the SSL certificates and reset the user
credentials after applying the necessary fixes to your chassis
environment.
Directions for updating the Flex System Manager are immediately
below. The directions for updating the affected agents are
immediately below the direction for the Flex System Manager (near
the bottom of the bulletin).
UPDATE THE FLEX SYSTEM MANAGER
For FSM 1.2.0, install FSMApplianceFixPackage-1-2-0-1 update package for Flex System Manager Node. The package is available on IBM Fix Central.
For FSM 1.2.1, install FSMApplianceFixPackage-1-2-1-1 update package for Flex System Manager Node. The package is available on IBM Fix Central.
For FSM 1.3.0, or 1.3.0.1, install FSMApplianceFixPackage-1-3-0-2 update package for Flex System Manager Node. The package is available on IBM Fix Central.
For FSM 1.3.1, install FSMApplianceFixPackage-1-3-1-1 update package for Flex System Manager Node. The package is available on IBM Fix Central. Additional steps may be needed to update the vulnerable certificates and password for this release. For the additional steps, see "Additional Steps for v1.3.1" later in this Remediation section.
After applying this fix package, and any additional system chassis fixes to your chassis, two additional steps may be needed for CVE-2014-0160. You need to replace your Transport Layer Security (TLS) certificate and private key, and you should change the passwords for accounts that may have compromised passwords.
- Replace your TLS certificate and private key for the user registry and reset the system password
Before you update the user registry TLS certificate and private key for a management node that is managing one or more chassis in centralized user management mode, make sure that you remove the chassis from centralized management mode.
Note: If you have already changed this user registry TLS certificate, and you did not change the user management mode to decentralized, see the Info Center troubleshooting topic "Centralized user management problems" and follow the instructions for recovering "After you changed the IP address for a management node".
Note: If you have chassis in centralized user management mode and other chassis in decentralized management mode, only the chassis in centralized user management mode need to be changed to decentralized management mode before changing the certificate and key.
To temporarily remove chassis from centralized user management mode, update the user registry TLS certificate, and re-enable centralized user management mode, complete the following steps:
1. From the IBM Flex System Manager management software command-line interface, run the following command to determine which chassis are centrally managed:
   smcli lsCentrallyManagedChassis
   The output from the command shows the universally unique identifier (UUID) for each chassis that is centrally managed. If no centrally managed chassis are found, then skip to step 3.
2. Run the following command for each centrally managed chassis to switch it to decentralized mode:
   smcli rmCentrallyManagedChassis -u chassis_UUID
   where chassis_UUID is the UUID for the chassis that you want to change from centralized to decentralized user management mode. Repeat this step for every chassis that is centrally managed.
   Note: The rmCentrallyManagedChassis command does not unmanage the chassis.
3. Run the following command to create a new user registry TLS certificate:
   smcli resetLdapCerts
4. Change the system password and restart.
   If you believe your IBM Flex System Manager may have been compromised, it is recommended that the system password be changed while no chassis are centrally managed. If you do not change the system password, the IBM Flex System Manager will still need to be restarted after resetting the certificates.
   Changing the system password requires that you know the current system password. The system password was originally set when the IBM Flex System Manager was set up. During the setup process the system password was set to match the password that was entered for the USERID account.
   When the system password has been changed, the IBM Flex System Manager node will need to be restarted.
   To change the system password for the IBM Flex System Manager, use the chFsmSysPwd smcli command or the "Change System password" interface on the web interface.
   In some versions the IBM Flex System Manager will not restart automatically. To restart the IBM Flex System Manager, use this command:
   smshutdown -r -t now
5. If there were centrally managed chassis in step 2, restore each chassis to centralized user management mode by running the following command from the management software CLI:
   smcli manageChassis --Uc -c userid:password@1.1.1.1 --Cu <centralized user ID> --Cp <centralized password> --Rp <RECOVERY_ID password>
   For more information about a command and its options, see the online command help.
- Reset User Passwords
If the IBM Flex System Manager is configured to use the User Registry on the local IBM Flex System Manager you should reset all user passwords because they may have been compromised due to this vulnerability. If you are not using the local registry, you should verify that your registry provider was not vulnerable to this exposure.
To determine if the IBM Flex System Manager is configured to use the local User Registry:
- Sign on to the IBM Flex System Manager web interface.
- Home tab >> Plug-ins >> IBM Flex System Manager >> Flex System Manager Status >> User Registry
- If the Registry location is an address located on this IBM Flex System Manager, then it is recommended that the user passwords be changed.
It is recommended that you are familiar with the information contained in the Best Practices for FSM User Accounts and FSM Locked USERID Account articles before starting to update passwords, if you are using an IBM Flex System Manager release prior to 1.3.1.
To change passwords for the IBM Flex System Manager, use the chuserpwd smcli command or the "Change password" interface on the web interface. For more information on changing a user password, see the online command help or the InfoCenter help.
- Additional Steps for v1.3.1
If you have been using IBM Flex System Manager v1.3.1, there are additional certificates and passwords that may have been exposed.
a) Replace the primary FSM web certificate. Replacing this certificate is always recommended when the FSM is set up. For more information on this process, view the "Planning Secure Sockets Layer configuration on IBM Flex System Manager" topic in the Flex InfoCenter:
http://pic.dhe.ibm.com/infocenter/flexsys/information/topic/com.ibm.acc.8731.doc/com.ibm.director.plan.helps.doc/fqm0_t_planning_ssl_configuration.html
b) Any operating system user ID or application password on a partition managed by the IBM Flex System Manager and accessed remotely using IBM Flex System Manager may have been exposed and should be changed.
UPDATE THE IBM SYSTEMS DIRECTOR AGENTS
Install SysDir6_3_x_0_IT01062_IT01063_IT01199 agent update on each node running the affected agent that will be communicating with FSM 1.2.0, 1.2.1, 1.3.0, or 1.3.0.1.
Install Flex System 1.3.1 Platform Agents IT00284 agent update on each node running the affected agent that will be communicating with FSM 1.3.1.
Installation instructions for each agent distribution can be found
in the Readme file that is available with the agent update.
Verify fixes applied
To ensure that all the required fixes have been successfully
installed on the IBM Flex System Manager, IBM recommends checking
the firmware level of the IBM Flex System
Manager’s Integrated Management Module II.
To verify the firmware level follow these steps:
- Sign on to the IBM Flex System Manager™
Integrated Management Module II™ web interface using
an account with Supervisor access.
- Select the Server Management tab at the top of
the window.
- Select Server Firmware from the drop-down
list.
- Verify that the IMM2(Primary) build level is
at the correct level.
- FSM 1.3.1.1 = IMM2 level 1AOO56G
- FSM 1.3.0.2 = IMM2 level 1AOO44V
If the firmware level is not correct, update the firmware to the correct level.
- Obtain the desired firmware level of IMM2 firmware from IBM Fix Central.
  - FSM 1.3.1.1 = ibm_fw_imm2_1aoo56g-3.79_anyos_noarch
  - FSM 1.3.0.2 = ibm_fw_imm2_1aoo44v-2.61_anyos_noarch
- Sign on to the IMM2 web console from a machine with the desired
firmware download stored on it.
- Click on the “Server Management” tab
- Click on the “Server Firmware” choice in the
drop-down menu
- Click on the “Update Firmware…” button on
the Server Firmware page
- Click “Select File” and browse to the location of
the downloaded firmware
- Select the *.uxz file for the appropriate firmware update
- When the firmware update is complete you will need to restart
the IMM2
- To verify the firmware level follow the verification steps
above.
- If your certificates were used in a production environment where they could have been exploited by the Heartbleed OpenSSL vulnerability before you installed the correct level IMM2 firmware, you should regenerate the certificate authority. Regenerating the certificate authority will automatically distribute the updated certificates to the IMM2. The process for regenerating the certificate authority is described in the Remediation section of this Chassis Management Module security bulletin: http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095143
Workarounds and Mitigations
None known
References
- Complete CVSS Guide
- On-line Calculator V2
- OpenSSL Project vulnerability website
- Heartbleed
- Best Practices for FSM User Accounts
- FSM Locked USERID Account
Acknowledgment
None
Change History
23 April 2014: Original Copy Published
02 May 2014: Updated to include fix packs for additional
releases
03 May 2014: Updates in VERIFY FIXES APPLIED section
07 May 2014: Updates in VERIFY FIXES APPLIED section
* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response". IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Document Information
Modified date:
30 January 2019
UID
ibm1MIGR-5095202