Vulnerabilities > CVE-2012-2190 - Cryptographic Issues vulnerability in IBM Websphere Application Server

#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(61459);
  script_version("1.13");
  script_cvs_date("Date: 2019/12/04");

  script_cve_id(
    "CVE-2012-2159",
    "CVE-2012-2161",
    "CVE-2012-2170",
    "CVE-2012-2190",
    "CVE-2012-2191",
    "CVE-2012-3293"
  );
  script_bugtraq_id(
    53755,
    53884,
    54051,
    54743,
    54819,
    55149,
    55185
  );

  script_name(english:"IBM WebSphere Application Server 8.0 < Fix Pack 4 Multiple Vulnerabilities");
  script_summary(english:"Reads the version number from the SOAP port");

  script_set_attribute(attribute:"synopsis", value:
"The remote application server may be affected by multiple 
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"IBM WebSphere Application Server 8.0 before Fix Pack 4 appears to be
running on the remote host and is potentially affected by the
following vulnerabilities :

  - An input validation error exists related to the 'Eclipse
    Help System' that can allow arbitrary redirect responses
    to HTTP requests. (CVE-2012-2159, CVE-2012-2161,
    PM62795)

  - An error exists related to 'Application Snoop Servlet'
    and missing access controls. This error can allow
    sensitive information to be disclosed. Note that
    exploiting this issue requires that the default
    'Application Snoop Servlet' be installed and running.
    (CVE-2012-2170, PM56183)

  - Several errors exist related to SSL/TLS that can allow
    an attacker to carry out denial of service attacks 
    against the application. (CVE-2012-2190, CVE-2012-2191, 
    PM66218)

  - Unspecified cross-site scripting issues exist related to
    the administrative console. (CVE-2012-3293, PM60839)");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21606096");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg27022958#8004");
  script_set_attribute(attribute:"solution", value:
"Apply Fix Pack 4 for version 8.0 (8.0.0.4) or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-2159");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/05/29");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/08/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/09");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:websphere_application_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("websphere_detect.nasl");
  script_require_keys("www/WebSphere");
  script_require_ports("Services/www", 8880, 8881);

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:8880, embedded:0);

version = get_kb_item_or_exit("www/WebSphere/"+port+"/version");
if (version =~ "^[0-9]+(\.[0-9]+)?$")
  exit(1, "Failed to extract a granular version from the IBM WebSphere Application Server instance listening on port " + port + ".");

ver = split(version, sep:'.', keep:FALSE);
for (i=0; i<max_index(ver); i++)
  ver[i] = int(ver[i]);

if (ver[0] == 8 && ver[1] == 0 && ver[2] == 0 && ver[3] < 4)
{
  set_kb_item(name:'www/'+port+'/XSS', value:TRUE);

  if (report_verbosity > 0)
  {
    source = get_kb_item_or_exit("www/WebSphere/"+port+"/source");

    report = 
      '\n  Version source    : ' + source + 
      '\n  Installed version : ' + version +
      '\n  Fixed version     : 8.0.0.4' +
      '\n';
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
  exit(0);
}
else audit(AUDIT_LISTEN_NOT_VULN, "WebSphere", port, version);

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(77116);
  script_version("1.4");
  script_cvs_date("Date: 2019/11/25");

  script_cve_id("CVE-2012-2190", "CVE-2012-2191", "CVE-2013-0169");
  script_bugtraq_id(54743, 55185, 57778);

  script_name(english:"IBM Tivoli Storage Manager Server 5.5.x Multiple Vulnerabilities");
  script_summary(english:"Checks the version of IBM TSM.");

  script_set_attribute(attribute:"synopsis", value:
"The remote backup service is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of IBM Tivoli Storage Manager installed on the remote host
is 5.5 running on Windows or AIX. It is, therefore, potentially
affected by multiple flaws in its bundled SSL library:

  - A flaw that could allow a remote attacker to cause a
    denial of service via a specially crafted 'ClientHello'
    message. (CVE-2012-2190).

  - A flaw that could allow a remote attacker to cause a
    denial of service via a specially crafted value in
    the TLS Record Layer. (CVE-2012-2191).

  - A flaw that could allow a remote attacker to perform a
    statistical timing attack known as 'Lucky Thirteen'.
    (CVE-2013-0169).");
  # http://www-01.ibm.com/support/docview.wss?uid=swg21672360
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7d4a4639");
  # http://www-01.ibm.com/support/docview.wss?uid=swg21672362
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?004af981");
  # http://www-01.ibm.com/support/docview.wss?uid=swg21672363
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9986de60");
  # https://www.ibm.com/blogs/psirt/ibm-security-bulletin-tivoli-storage-manager-server-gskit-session-id-vulnerability-cve-2012-2190/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c6ba80ec");
  # https://www.ibm.com/blogs/psirt/ibm-security-bulletin-tivoli-storage-manager-server-gskit-encrypted-record-length-vulnerability-cve-2012-2191/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8e222bc8");
  # https://www.ibm.com/blogs/psirt/ibm-security-bulletin-tivoli-storage-manager-server-gskit-lucky-13-vulnerability-cve-2013-0169/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?002f4534");
  script_set_attribute(attribute:"solution", value:
"Upgrade to IBM Tivoli Storage Manager 6.2.6.0, 6.3.4.200 or later or
disable SSL.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-0169");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/08/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/03/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/08/11");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:tivoli_storage_manager");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"General");

  script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ibm_tsm_detect.nasl");
  script_require_keys("installed_sw/IBM Tivoli Storage Manager");
  script_require_ports("Services/tsm-agent");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("audit.inc");
include("install_func.inc");

port = get_service(svc:"tsm-agent",exit_on_fail:TRUE);
prod = "IBM Tivoli Storage Manager";
get_install_count(app_name:prod, exit_if_zero:TRUE);
install = get_single_install(app_name:prod, port:port);

# Install data
os      = install["ReportedOS"]; # In very old versions this can be null
version = install["version"];

# We only care about 5.5 specifically
if(version !~ "^5\.5(\.|$)") audit(AUDIT_NOT_LISTEN, prod+" 5.5", port);

# See if SSL is on for the port we're checking
sslon = get_kb_item("Transports/TCP/"+port);
sslon = (sslon && sslon > ENCAPS_IP);

# If we cant determine the OS and we don't have paranoia on we don't continue
# this is probably a version so old it doesn't matter for these checks anyway
if(isnull(os) && report_paranoia < 2) exit(1,"Cannot determine operating system type");

# Work around is to turn SSL off
if(!sslon && report_paranoia < 2) audit(AUDIT_LISTEN_NOT_VULN, prod, port);

# Only Windows and AIX are affected.
if("Windows" >!< os  && "AIX" >!< os) audit(AUDIT_LISTEN_NOT_VULN, prod, port);

if(report_verbosity > 0)
{
  report =
    '\n  Port              : ' + port +
    '\n  Product           : ' + prod +
    '\n  Installed version : ' + version +
    '\n  Fixed version     : 6.2.6.0 / 6.3.4.200' +
    '\n';
    security_note(port:port,extra:report);
} else security_note(port);