SB2022092017 - Multiple vulnerabilities in IBM MaaS360 Cloud Extender and Modules

Description

This security bulletin contains information about 11 secuirty vulnerabilities.

1) Man-in-the-Middle (MitM) attack (CVE-ID: CVE-2021-22890)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to an error when handling TLS 1.3 session tickets. When using a HTTPS proxy and TLS 1.3, libcurl can confuse session tickets arriving from the HTTPS proxy but work as if they arrived from the remote server and then wrongly "short-cut" the host handshake. The reason for this confusion is the modified sequence from TLS 1.2 when the session ids would provided only during the TLS handshake, while in TLS 1.3 it happens post hand-shake and the code was not updated to take that changed behavior into account.

When confusing the tickets, a HTTPS proxy can trick libcurl to use the wrong session ticket resume for the host and thereby circumvent the server TLS certificate check and make a MITM attack to be possible to perform unnoticed.

This flaw can allow a malicious HTTPS proxy to MITM the traffic. Such a malicious HTTPS proxy needs to provide a certificate that curl will accept for the MITMed server for an attack to work - unless curl has been told to ignore the server certificate check.

2) Information disclosure (CVE-ID: CVE-2021-22876)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to libcurl does not strip off user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.

3) Cryptographic issues (CVE-ID: CVE-2021-23839)

The vulnerability allows a remote attacker to perform a MitM attack.

The vulnerability exists due to a faulty implementation of the padding check when server is configured to support SSLv2 protocol. A remote attacker can perform a MitM attack and force the server to use less secure protocols.

4) Input validation error (CVE-ID: CVE-2021-23840)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input during EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate calls. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

5) NULL pointer dereference (CVE-ID: CVE-2021-23841)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within the X509_issuer_and_serial_hash() function when parsing the issuer field in the X509 certificate. A remote attacker can supply a specially crafted certificate, trigger a NULL pointer dereference error and perform a denial of service (DoS) attack.

6) NULL pointer dereference (CVE-ID: CVE-2020-1971)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via the API functions TS_RESP_verify_response and TS_RESP_verify_token). If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack.

7) Use-after-free (CVE-ID: CVE-2021-20227)

The vulnerability allows an attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when processing SELECT queries in "src/select.c" if a subquery with both a correlated WHERE clause and a "HAVING 0" clause is used and the parent query is an aggregate. A remote attacker can execute a specially crafted query to trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

8) Improper authentication (CVE-ID: CVE-2020-15078)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in when processing authentication requests. A remote attacker can bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.

Under certain circumstances an attacker can trick the server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup. In combination with "--auth-gen-token" or a user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account.

9) Inadequate encryption strength (CVE-ID: CVE-2021-22897)

The vulnerability allows a remote attacker to force applications use weak cryptographic ciphers.

The vulnerability exists due to a logic error when selecting TLS ciphers during connection via the CURLOPT_SSL_CIPHER_LIST option in libcurl. The selected cipher set was stored in a single "static" variable in the library that is used for multiple concurrent transfers within the specific application, the last one that sets the ciphers will accidentally control the set used by all transfers.

The vulnerability can be triggered when Schannel is used, which is the native TLS library in Microsoft Windows.

10) Use-after-free (CVE-ID: CVE-2021-22901)

The vulnerability allows a remote attacker to crash the application or compromise the vulnerable system.

The vulnerability exists due to a use-after-free error when processing creation of new TLS sessions or during client certificate negotiation. A remote attacker can force the application to connect to a malicious server, trigger a use-after-free error and crash the application.

Remote code execution is also possible if the application can be forced to initiate multiple transfers with a reused HTTP/1.1 connection or multiplexed HTTP/2 connection in order to inject a crafted memory content into the correct place in memory.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system but requires that libcurl is using OpenSSL.

11) Use of uninitialized variable (CVE-ID: CVE-2021-22898)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to usage of uninitialized variable in code, responsible for processing TELNET requests when parsing NEW_ENV variables. A remote attacker can force the affected application to connect to a telnet server under attackers control and read up to 1800 bytes from the uninitialized memory on the libcurl client system.

Proof of concept:

curl telnet://example.com -tNEW_ENV=a,bbbbbb (256 'b's)

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-was-identified-and-remediated-in-the-ibm-maas360-cloud-extender-v2-103-000-051-and-modules/"
• https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-was-identified-and-remediated-in-the-ibm-maas360-cloud-extender-v2-103-000-051-and-modules/</a><br>
• https://www.ibm.com/support/pages/node/6479935<br><br></p>