IBM Support

Security Bulletin: Flex System Manager (FSM) and compatible IBM Systems Director agents are affected by vulnerabilities in OpenSSL (CVE-2014-0160 and CVE-2014-0076)

Created by Igets Administrator on
Published URL:
https://www.ibm.com/support/pages/node/864480

Security Bulletin


Summary

Security vulnerabilities have been discovered in OpenSSL.

Vulnerability Details

CVE-ID: CVE-2014-0160

DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the TLS/DTLS heartbeat functionality. An attacker could exploit this vulnerability to expose 64k of private memory and retrieve secret keys. An attacker can repeatedly expose additional 64k chunks of memory. This vulnerability can be remotely exploited, authentication is not required, and the exploit is not complex. It can be exploited on any system (i.e., server, client, agent) receiving connections using the vulnerable OpenSSL library.
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92322
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:N/A:N)

Warning: We strongly encourage you to take action as soon as possible as potential implications to your environment may be more serious than indicated by the CVSS score.

CVE-ID: CVE-2014-0076

DESCRIPTION: OpenSSL could allow a local attacker to obtain sensitive information, caused by an implementation error in ECDSA (Elliptic Curve Digital Signature Algorithm). An attacker could exploit this vulnerability using the FLUSH+RELOAD cache side-channel attack to recover ECDSA nonces. This vulnerability can only be exploited locally, authentication is not required, and the exploit is not complex. An exploit can only partially affect confidentiality, but not integrity or availability.
CVSS Base Score: 2.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/91990
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

FSM

Agents

  • Agents for FSM 1.3.0, 1.3.0.1
  • Agents for FSM 1.3.1

Not Affected Products and Versions

Remediation/Fixes

IBM recommends:

  1. Updating the Flex System Manager.
  2. Updating the affected agents.
  3. Verifying fixes are installed.

Warning: Your Flex Systems chassis environment may require additional fixes for other products, including non-IBM products. Please replace the SSL certificates and reset the user credentials after applying the necessary fixes to your chassis environment.

Directions for updating the Flex System Manager are immediately below. The directions for updating the affected agents follow the directions for the Flex System Manager (near the bottom of the bulletin).


UPDATE THE FLEX SYSTEM MANAGER

For FSM 1.2.0, install FSMApplianceFixPackage-1-2-0-1 update package for Flex System Manager Node. The package is available on IBM Fix Central.

For FSM 1.2.1, install FSMApplianceFixPackage-1-2-1-1 update package for Flex System Manager Node. The package is available on IBM Fix Central.

For FSM 1.3.0 or 1.3.0.1, install FSMApplianceFixPackage-1-3-0-2 update package for Flex System Manager Node. The package is available on IBM Fix Central.

For FSM 1.3.1, install FSMApplianceFixPackage-1-3-1-1 update package for Flex System Manager Node. The package is available on IBM Fix Central. Additional steps may be needed to update the vulnerable certificates and password for this release. For the additional steps, see "Additional Steps for v1.3.1" later in this Remediation section.

After applying this fix package, and any additional system chassis fixes to your chassis, two additional steps may be needed for CVE-2014-0160. You need to replace your Transport Layer Security (TLS) certificate and private key, and you should change the passwords for accounts that may have compromised passwords.

  1. Replace your TLS certificate and private key for the user registry and reset the system password

    Before you update the user registry TLS certificate and private key for a management node that is managing one or more chassis in centralized user management mode, make sure that you remove the chassis from centralized management mode.

    Note: If you have already changed this user registry TLS certificate, and you did not change the user management mode to decentralized, see the Info Center troubleshooting topic "Centralized user management problems" and follow the instructions for recovering "After you changed the IP address for a management node".

    Note: If you have chassis in centralized user management mode and other chassis in decentralized management mode, only the chassis in centralized user management mode need to be changed to decentralized management mode before changing the certificate and key.

    To temporarily remove chassis from centralized user management mode, update the user registry TLS certificate, and re-enable centralized user management mode, complete the following steps:

    1. From the IBM Flex System Manager management software command-line interface, run the following command to determine which chassis are centrally managed:

      smcli lsCentrallyManagedChassis

      The output from the command shows the universally unique identifier (UUID) for each chassis that is centrally managed. If no centrally managed chassis are found, then skip to step 3.

    2. Run the following command for each centrally managed chassis to switch it to decentralized mode:

      smcli rmCentrallyManagedChassis -u chassis_UUID

      where chassis_UUID is the UUID for the chassis that you want to change from centralized to decentralized user management mode. Repeat this step for every chassis that is centrally managed.

      Note: The rmCentrallyManagedChassis command does not unmanage the chassis.

    3. Run the following command to create a new user registry TLS certificate:

      smcli resetLdapCerts

    4. Change the system password and restart.

      If you believe your IBM Flex System Manager may have been compromised it is recommended that the system password be changed while no chassis are centrally managed. If you do not change the system password, the IBM Flex System Manager will still need to be restarted after resetting the certificates.

      Changing the system password requires that you know the current system password. The system password was originally set when the IBM Flex System Manager was set up. During the setup process the system password was set to match the password that was entered for the USERID account.

      When the system password has been changed the IBM Flex System Manager node will need to be restarted.

      To change the system password for the IBM Flex System Manager, use the chFsmSysPwd smcli command or the "Change System password" interface on the web interface.

      In some versions the IBM Flex System Manager will not restart automatically. To restart the IBM Flex System Manager, use this command:

      smshutdown -r -t now

    5. If there were centrally managed chassis in step 2, restore each chassis to centralized user management mode by running the following command from the management software CLI:

      smcli manageChassis --Uc -c userid:password@1.1.1.1 --Cu <centralized user ID> --Cp <centralized password> --Rp <RECOVERY_ID password>

      For more information about a command and its options, see the online command help.

  2. Reset User Passwords

    If the IBM Flex System Manager is configured to use the User Registry on the local IBM Flex System Manager you should reset all user passwords because they may have been compromised due to this vulnerability. If you are not using the local registry, you should verify that your registry provider was not vulnerable to this exposure.

    To determine if the IBM Flex System Manager is configured to use the local User Registry:

    1. Sign on to the IBM Flex System Manager web interface.
    2. Home tab >> Plug-ins >> IBM Flex System Manager >> Flex System Manager Status >> User Registry
    3. If the Registry location is an address located on this IBM Flex System Manager, then it is recommended that the user passwords be changed.

    It is recommended that you are familiar with the information contained in the Best Practices for FSM User Accounts and FSM Locked USERID Account articles before starting to update passwords, if you are using an IBM Flex System Manager release prior to 1.3.1.

    To change passwords for the IBM Flex System Manager use the chuserpwd smcli command or the "Change password" interface on the web interface.

    For more information on changing a user password see the online command help or the InfoCenter help.

  3. Additional Steps for v1.3.1

    If you have been using IBM Flex System Manager v1.3.1, there are additional certificates and passwords that may have been exposed.

    a) Replace the primary FSM web certificate. Replacing this certificate is always recommended when the FSM is set up. For more information on this process, view the "Planning Secure Sockets Layer configuration on IBM Flex System Manager" topic in the Flex InfoCenter:
    http://pic.dhe.ibm.com/infocenter/flexsys/information/topic/com.ibm.acc.8731.doc/com.ibm.director.plan.helps.doc/fqm0_t_planning_ssl_configuration.html

    b) Any operating system user ID or application password on a partition managed by the IBM Flex System Manager and accessed remotely using IBM Flex System Manager may have been exposed and should be changed.

UPDATE THE IBM SYSTEMS DIRECTOR AGENTS

Install SysDir6_3_x_0_IT01062_IT01063_IT01199 agent update on each node running the affected agent that will be communicating with FSM 1.2.0, 1.2.1, 1.3.0, or 1.3.0.1.

Install Flex System 1.3.1 Platform Agents IT00284 agent update on each node running the affected agent that will be communicating with FSM 1.3.1.

Installation instructions for each agent distribution can be found in the Readme file that is available with the agent update.

Verify fixes applied

To ensure that all the required fixes have been successfully installed on the IBM Flex System Manager, IBM recommends checking the firmware level of the IBM Flex System Manager’s Integrated Management Module II.

To verify the firmware level follow these steps:

  1. Sign on to the IBM Flex System Manager™ Integrated Management Module II™ web interface using an account with Supervisor access.

  2. Select the Server Management tab at the top of the window.

  3. Select Server Firmware from the drop-down list.

  4. Verify that the IMM2(Primary) build level is at the correct level.
    1. FSM 1.3.1.1 = IMM2 level 1AOO56G
    2. FSM 1.3.0.2 = IMM2 level 1AOO44V

If the firmware level is not correct, update the firmware to the correct level.

  1. Obtain the desired firmware level of IMM2 firmware from IBM Fix Central.
    1. FSM 1.3.1.1 = ibm_fw_imm2_1aoo56g-3.79_anyos_noarch
    2. FSM 1.3.0.2 = ibm_fw_imm2_1aoo44v-2.61_anyos_noarch

  2. Sign on to the IMM2 web console from a machine with the desired firmware download stored on it.

  3. Click on the “Server Management” tab

  4. Click on the “Server Firmware” choice in the drop-down menu

  5. Click on the “Update Firmware…” button on the Server Firmware page

  6. Click “Select File” and browse to the location of the downloaded firmware

  7. Select the *.uxz file for the appropriate firmware update

  8. When the firmware update is complete you will need to restart the IMM2

  9. To verify the firmware level follow the verification steps above. 

  10. If your certificates were used in a production environment where they could have been exploited by the Heartbleed OpenSSL vulnerability before you installed the correct level IMM2 firmware, you should regenerate the certificate authority. Regenerating the certificate authority will automatically distribute the updated certificates to the IMM2. The process for regenerating the certificate authority is described in the Remediation section of this Chassis Management Module security bulletin: http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095143

Workarounds and Mitigations

None known

References

Related Information

Acknowledgment

None

Change History

23 April 2014: Original Copy Published
02 May 2014: Updated to include fix packs for additional releases
03 May 2014: Updates in VERIFY FIXES APPLIED section
07 May 2014: Updates in VERIFY FIXES APPLIED section

* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response". IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

Operating System

PureFlex System and Flex System:Operating system independent / None

Document Information

Modified date:
30 January 2019

UID

ibm1MIGR-5095202