CVE-2012-0726 - Cryptographic Issues vulnerability in IBM Tivoli Directory Server
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: NONE
Summary
The default configuration of TLS in IBM Tivoli Directory Server (TDS) 6.3 and earlier supports the (1) NULL-MD5 and (2) NULL-SHA ciphers, which allows remote attackers to trigger unencrypted communication via the TLS Handshake Protocol.
Common Attack Pattern Enumeration and Classification (CAPEC)
- Signature Spoofing by Key Recreation: An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Nessus
NASL family: Windows
NASL id: TIVOLI_DIRECTORY_SVR_63011.NASL
description: According to its version, the installation of IBM Tivoli Directory Server on the remote host is prior to 6.1.0.47 / 6.2.0.22 / 6.3.0.11. It is, therefore, affected by one or more of the following vulnerabilities :
  - A custom LDAP client can be created which causes IBM Tivoli Directory Server to crash by sending a malformed paged search request. (IO15707, IO16001, IO16002)
  - In the default Tivoli Directory Server environment, with TLS enabled, the NULL-MD5, and NULL-SHA ciphers are enabled by default. (IO16035, IO16036, IOO15761)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 58814
published: 2012-04-20
reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/58814
title: IBM Tivoli Directory Server < 6.1.0.47 / 6.2.0.22 / 6.3.0.11 Multiple Vulnerabilities (credentialed check)
code:

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(58814);
  script_version("1.7");
  script_cvs_date("Date: 2018/08/01 17:36:15");

  script_cve_id("CVE-2012-0726", "CVE-2012-0743");
  script_bugtraq_id(53043);

  script_name(english:"IBM Tivoli Directory Server < 6.1.0.47 / 6.2.0.22 / 6.3.0.11 Multiple Vulnerabilities (credentialed check)");
  script_summary(english:"Checks the version of Tivoli Directory Server.");

  script_set_attribute(attribute:"synopsis", value:
"The version of IBM Tivoli Directory Server contains multiple security
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its version, the installation of IBM Tivoli Directory
Server on the remote host is prior to 6.1.0.47 / 6.2.0.22 / 6.3.0.11.
It is, therefore, affected by one or more of the following
vulnerabilities :

  - A custom LDAP client can be created which causes IBM
    Tivoli Directory Server to crash by sending a malformed
    paged search request. (IO15707, IO16001, IO16002)

  - In the default Tivoli Directory Server environment, with
    TLS enabled, the NULL-MD5, and NULL-SHA ciphers are
    enabled by default. (IO16035, IO16036, IOO15761)");
  # https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_tivoli_directory_server_use_of_null_ciphers_in_default_transport_layer_security_configuration_would_result_in_unencrypted_communications_cve_2012_07261?lang=en_us
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1609f9e3");
  # https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_tivoli_directory_server_paged_search_may_cause_denial_of_service_may_crash_if_paged_searches_are_enabled_cve_2012_07435?lang=en_us
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b26c4617");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21591267");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21591272");
  script_set_attribute(attribute:"solution", value:
"Install the appropriate fix based on the vendor's advisory :

  - 6.1.0.47-ISS-ITDS-IF0047
  - 6.2.0.22-ISS-ITDS-IF0022
  - 6.3.0.11-ISS-ITDS-IF0011");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/04/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/04/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/04/20");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:tivoli_directory_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");

  script_dependencies("tivoli_directory_svr_installed.nasl");
  script_require_keys("installed_sw/IBM Security Directory Server");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("install_func.inc");
include("misc_func.inc");

app = "IBM Security Directory Server";
install = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);

version = install['version'];
path = install['path'];

fixed = NULL;
patch = NULL;

# Determine the proper fix given the version number.
# 6.1 branch : 6.1.0.47
# 6.2 branch : 6.2.0.22
# 6.3 branch : 6.3.0.11
if (version =~ '^6\\.')
{
  if (version =~ '^6\\.1\\.' && ver_compare(ver:version, fix:'6.1.0.47') == -1)
  {
    fixed = '6.1.0.47';
    patch = '6.1.0.47-ISS-ITDS-IF0047';
  }
  else if (version =~ '^6\\.2\\.' && ver_compare(ver:version, fix:'6.2.0.22') == -1)
  {
    fixed = '6.2.0.22';
    patch = '6.2.0.22-ISS-ITDS-IF0022';
  }
  else if (version =~ '^6\\.3\\.' && ver_compare(ver:version, fix:'6.3.0.11') == -1)
  {
    fixed = '6.3.0.11';
    patch = '6.3.0.11-ISS-ITDS-IF0011';
  }
}

if (isnull(fixed))
  audit(AUDIT_INST_PATH_NOT_VULN, 'IBM Tivoli Directory Server', version, path);

port = get_kb_item("SMB/transport");
if (!port) port = 445;

if (report_verbosity > 0)
{
  report =
    '\n Path : ' + path +
    '\n Installed version : ' + version +
    '\n Fixed version : ' + fixed + '\n' +
    '\n Install ' + patch + ' to update installation.' +
    '\n';
  security_warning(port:port, extra:report);
}
else security_warning(port);

NASL family: General
NASL id: TIVOLI_DIRECTORY_SRV_NULL_CIPHER.NASL
description: The IBM Tivoli Directory Server hosted on the remote host supports TLS NULL-MD5 or NULL_SHA ciphers. This allows remote, unauthenticated attackers to trigger unencrypted communication via the TLS handshake protocol. Note that this version of Directory Server likely has other vulnerabilities (i.e., CVE-2012-0743), but Nessus has not checked for those issues.
last seen: 2019-10-28
modified: 2012-10-17
plugin id: 62574
published: 2012-10-17
reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/62574
title: IBM Tivoli Directory Server TLS NULL Cipher (uncredentialed check)
References
- http://www.ibm.com/support/docview.wss?uid=swg1IO15761
- http://www.ibm.com/support/docview.wss?uid=swg1IO16035
- http://www.ibm.com/support/docview.wss?uid=swg1IO16036
- http://www.securityfocus.com/bid/53043
- http://www.securitytracker.com/id?1026939
- http://www-01.ibm.com/support/docview.wss?uid=swg21591272
- https://exchange.xforce.ibmcloud.com/vulnerabilities/74303