Vulnerabilities > CVE-2012-0726 - Cryptographic Issues vulnerability in IBM Tivoli Directory Server

047910
CVSS 6.4 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
ibm
CWE-310
nessus

Summary

The default configuration of TLS in IBM Tivoli Directory Server (TDS) 6.3 and earlier supports the (1) NULL-MD5 and (2) NULL-SHA ciphers, which allows remote attackers to trigger unencrypted communication via the TLS Handshake Protocol.

Vulnerable Configurations

Part Description Count
Application
Ibm
147

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Nessus

  • NASL familyWindows
    NASL idTIVOLI_DIRECTORY_SVR_63011.NASL
    descriptionAccording to its version, the installation of IBM Tivoli Directory Server on the remote host is prior to 6.1.0.47 / 6.2.0.22 / 6.3.0.11. It is, therefore, affected by one or more of the following vulnerabilities : - A custom LDAP client can be created which causes IBM Tivoli Directory Server to crash by sending a malformed paged search request. (IO15707, IO16001, IO16002) - In the default Tivoli Directory Server environment, with TLS enabled, the NULL-MD5, and NULL-SHA ciphers are enabled by default. (IO16035, IO16036, IOO15761)
    last seen2020-06-01
    modified2020-06-02
    plugin id58814
    published2012-04-20
    reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/58814
    titleIBM Tivoli Directory Server < 6.1.0.47 / 6.2.0.22 / 6.3.0.11 Multiple Vulnerabilities (credentialed check)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(58814);
      script_version("1.7");
      script_cvs_date("Date: 2018/08/01 17:36:15");
    
      script_cve_id("CVE-2012-0726", "CVE-2012-0743");
      script_bugtraq_id(53043);
    
      script_name(english:"IBM Tivoli Directory Server < 6.1.0.47 / 6.2.0.22 / 6.3.0.11 Multiple Vulnerabilities (credentialed check)");
      script_summary(english:"Checks the version of Tivoli Directory Server.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The version of IBM Tivoli Directory Server contains multiple security
    vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its version, the installation of IBM Tivoli Directory
    Server on the remote host is prior to 6.1.0.47 / 6.2.0.22 / 6.3.0.11. 
    It is, therefore, affected by one or more of the following
    vulnerabilities :
    
      - A custom LDAP client can be created which causes IBM 
        Tivoli Directory Server to crash by sending a malformed
        paged search request. (IO15707, IO16001, IO16002)
    
      - In the default Tivoli Directory Server environment, with
        TLS enabled, the NULL-MD5, and NULL-SHA ciphers are
        enabled by default. (IO16035, IO16036, IOO15761)");
      # https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_tivoli_directory_server_use_of_null_ciphers_in_default_transport_layer_security_configuration_would_result_in_unencrypted_communications_cve_2012_07261?lang=en_us
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1609f9e3");
      # https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_tivoli_directory_server_paged_search_may_cause_denial_of_service_may_crash_if_paged_searches_are_enabled_cve_2012_07435?lang=en_us
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b26c4617");
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21591267");
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21591272");
      script_set_attribute(attribute:"solution", value:
    "Install the appropriate fix based on the vendor's advisory :
    
      - 6.1.0.47-ISS-ITDS-IF0047
      - 6.2.0.22-ISS-ITDS-IF0022
      - 6.3.0.11-ISS-ITDS-IF0011");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2012/04/16");
      script_set_attribute(attribute:"patch_publication_date", value:"2012/04/16");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/04/20");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:tivoli_directory_server");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.");
    
      script_dependencies("tivoli_directory_svr_installed.nasl");
      script_require_keys("installed_sw/IBM Security Directory Server");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("install_func.inc");
    include("misc_func.inc");
    
    app = "IBM Security Directory Server";
    install = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);
    
    version = install['version'];
    path    = install['path'];
    
    fixed = NULL;
    patch = NULL;
    
    # Determine the proper fix given the version number.
    #   6.1 branch : 6.1.0.47
    #   6.2 branch : 6.2.0.22
    #   6.3 branch : 6.3.0.11
    if (version =~ '^6\\.')
    {
      if (version =~ '^6\\.1\\.' && ver_compare(ver:version, fix:'6.1.0.47') == -1)
      {
        fixed = '6.1.0.47';
        patch = '6.1.0.47-ISS-ITDS-IF0047';
      }
      else if (version =~ '^6\\.2\\.' && ver_compare(ver:version, fix:'6.2.0.22') == -1)
      {
        fixed = '6.2.0.22';
        patch = '6.2.0.22-ISS-ITDS-IF0022';
      }
      else if (version =~ '^6\\.3\\.' && ver_compare(ver:version, fix:'6.3.0.11') == -1)
      {
        fixed = '6.3.0.11';
        patch = '6.3.0.11-ISS-ITDS-IF0011';
      }
    }
    
    if (isnull(fixed))
      audit(AUDIT_INST_PATH_NOT_VULN, 'IBM Tivoli Directory Server', version, path);
    
    port = get_kb_item("SMB/transport");
    if (!port) port = 445;
    
    if (report_verbosity > 0)
    {
      report =
        '\n  Path              : ' + path +
        '\n  Installed version : ' + version +
        '\n  Fixed version     : ' + fixed +
        '\n' +
        '\n  Install ' + patch  + ' to update installation.' +
        '\n';
      security_warning(port:port, extra:report);
    }
    else security_warning(port);
    
  • NASL familyGeneral
    NASL idTIVOLI_DIRECTORY_SRV_NULL_CIPHER.NASL
    descriptionThe IBM Tivoli Directory Server hosted on the remote host supports TLS NULL-MD5 or NULL_SHA ciphers. This allows remote, unauthenticated attackers to trigger unencrypted communication via the TLS handshake protocol. Note that this version of Directory Server likely has other vulnerabilities (i.e., CVE-2012-0743), but Nessus has not checked for those issues.
    last seen2019-10-28
    modified2012-10-17
    plugin id62574
    published2012-10-17
    reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/62574
    titleIBM Tivoli Directory Server TLS NULL Cipher (uncredentialed check)