Vulnerabilities > CVE-2014-0890 - Credentials Management vulnerability in IBM Sametime

CVSS 1.9 - LOW
Attack vector
LOCAL
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
local
ibm
CWE-255
nessus

Summary

The Connect client in IBM Sametime 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.2, 8.5.2.1, 9.0, and 9.0.0.1, when a certain com.ibm.collaboration.realtime.telephony.*.level setting is used, logs cleartext passwords during Audio/Video chat sessions, which allows local users to obtain sensitive information by reading a log file.

Common Weakness Enumeration (CWE)

Nessus

NASL family: Windows
NASL id: LOTUS_SAMETIME_CONNECT_SWG21665658.NASL
description: The version of IBM Lotus Sametime Connect installed on the remote Windows host is potentially affected by an information disclosure vulnerability. If a user sets a certain log flag to high and uses Audio/Video chat, the user's password is stored in plaintext (unencrypted).
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 72880
published: 2014-03-07
reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/72880
title: IBM Lotus Sametime Connect Audio / Video Chat Information Disclosure
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


# Plugin registration pass: metadata, references, CVSS scoring and the KB
# items this check depends on. Nothing below this block runs in this pass.
if (description)
{
  script_id(72880);
  script_version("1.6");
  script_cvs_date("Date: 2019/11/26");

  # External identifiers for the issue.
  script_cve_id("CVE-2014-0890");
  script_bugtraq_id(65937);

  script_name(english:"IBM Lotus Sametime Connect Audio / Video Chat Information Disclosure");
  script_summary(english:"Checks version of IBM Lotus Sametime Connect Client");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has a chat client that is affected by an
information disclosure vulnerability.");
  # "potentially": the password only reaches the log when the telephony
  # logging level is raised; the detection below checks for that flag
  # unless the scan is paranoid.
  script_set_attribute(attribute:"description", value:
"The version of IBM Lotus Sametime Connect installed on the remote
Windows host is potentially affected by an information disclosure
vulnerability.  If a user sets a certain log flag to high and uses
Audio/Video chat, the user's password is stored in plaintext
(unencrypted).");
  # IBM technote for the Fix Packs, the IBM PSIRT bulletin and the
  # public disclosure (the latter two via Tenable short links).
  script_set_attribute(attribute:"see_also", value:"https://www-304.ibm.com/support/docview.wss?uid=swg21665658");
  # https://www.ibm.com/blogs/psirt/ibm-security-bulletin-passwords-may-be-logged-when-some-high-logging-level-flag-is-used-cve-2014-0890/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?122c1e05");
  # https://packetstormsecurity.com/files/125326/Lotus-Sametime-8.5.1-Password-Disclosure.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?74a641a5");
  script_set_attribute(attribute:"solution", value:
"Apply the patch referenced in the advisory.");
  # CVSSv2: local access, medium complexity, no authentication, partial
  # confidentiality impact only (score 1.9); temporal: unproven exploit,
  # official fix available, confirmed.
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-0890");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/02/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/02/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/03/07");

  # Local (credentialed) check; results are tied to the Sametime CPE.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:sametime");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The Sametime client KB items (Path/Version/fixpackdate) are presumably
  # populated by lotus_sametime_connect_installed.nasl; the Windows
  # version and registry enumeration by smb_hotfixes.nasl. The check needs
  # SMB to read the registry and per-user properties files.
  script_dependencies("lotus_sametime_connect_installed.nasl", "smb_hotfixes.nasl");
  script_require_keys("SMB/IBM Lotus Sametime Client/Path", "SMB/IBM Lotus Sametime Client/Version", "SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_reg_query.inc");
include("misc_func.inc");

# Detection data gathered by the dependency plugins. Version and Path are
# mandatory (the plugin exits if either is missing); the Fix Pack date is
# optional because a client with no Fix Pack applied has none.
app_name = "IBM Lotus Sametime Connect Client";
version = get_kb_item_or_exit('SMB/IBM Lotus Sametime Client/Version');
path    = get_kb_item_or_exit('SMB/IBM Lotus Sametime Client/Path');
fixpackdate = get_kb_item('SMB/IBM Lotus Sametime Client/fixpackdate');
# Windows NT version; decides which per-user application data folder holds
# the Sametime workspace (see the base_workspace selection below).
winver = get_kb_item_or_exit("SMB/WindowsVersion");

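# Looks for Sametime preference files with vulnerable log flags.
#
# Walks every profile listed under HKLM ProfileList, builds the path of that
# profile's ".config\rcpinstall.properties" under the Sametime workspace and
# reads it over SMB. A file is collected when it contains a
# com.ibm.collaboration.realtime.telephony[.<sub>].level property set to
# FINE (the pattern is unanchored on the right, so FINER and FINEST match
# as well); these are the "high" logging levels under which the advisory
# says the password is written to the log.
#
# dir : Sametime workspace directory relative to the profile root, e.g.
#       "\AppData\Roaming\Lotus\Sametime".
#
# Returns a list (possibly empty) of full paths of matching files. Exits the
# plugin if the system root cannot be determined.
function check_sametime_logging(dir)
{
  local_var hklm, subkeys, profile_key, sid, system_root;
  local_var profile_path, prefs_path, prefs_pattern, contents;
  local_var vulnerable_files;

  vulnerable_files = make_list();
  prefs_pattern = "com\.ibm\.collaboration\.realtime\.telephony(\..*)?\.level=FINE";
  profile_key = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList";

  # A single registry session serves the profile list and every
  # ProfileImagePath lookup; the handle is closed exactly once per exit path.
  registry_init();
  hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
  subkeys = get_registry_subkeys(handle:hklm, key:profile_key);

  system_root = hotfix_get_systemroot();
  if (isnull(system_root))
  {
    RegCloseKey(handle:hklm);
    close_registry();
    exit(1, "Unable to get system root directory.");
  }

  if (!isnull(subkeys))
  {
    foreach sid (subkeys)
    {
      profile_path = get_registry_value(handle:hklm, item:strcat(profile_key, "\", sid, "\ProfileImagePath"));
      if (isnull(profile_path)) continue;

      prefs_path = hotfix_append_path(path:profile_path, value:strcat(dir, "\.config\rcpinstall.properties"));
      # ProfileImagePath may be stored with a %systemroot% prefix (service
      # account profiles, presumably); only that variable is expanded here,
      # and str_replace is a literal, case-sensitive substitution.
      prefs_path = str_replace(string:prefs_path, find:"%systemroot%", replace:system_root);

      if (!hotfix_file_exists(path:prefs_path)) continue;

      contents = hotfix_get_file_contents(prefs_path);
      if (contents['error'] == HCF_OK &&
          ereg(string:contents['data'], pattern:prefs_pattern, multiline:TRUE))
      {
        vulnerable_files = make_list(vulnerable_files, prefs_path);
      }
    }
  }

  RegCloseKey(handle:hklm);
  close_registry();

  return vulnerable_files;
}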

# Appends the list of properties files in which a high telephony log level
# was found to the report text and returns the extended report.
#
# report : report text built so far.
# logs   : list of file paths as returned by check_sametime_logging().
function report_high_logging(report, logs)
{
  local_var i, count;

  report += '\n  High level log flags were detected in the following files:';

  count = max_index(logs);
  for (i = 0; i < count; i++)
    report += '\n    - ' + logs[i];

  return report + '\n';
}

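# Main flow: decide whether the installed client is unpatched, then (unless
# the scan is paranoid) whether any profile has the verbose telephony
# logging flag that makes the password end up in the log.
vuln = FALSE;
fixdate = NULL;
workspace_dir = NULL;
logs = NULL;

# The per-user Sametime workspace lives under the roaming application data
# folder, whose name changed with Windows Vista (NT 6.0).
if (winver < 6) base_workspace = "\Application Data";
else base_workspace = "\AppData\Roaming";

# Only 8.5.1, 8.5.2 and 9.0.0 are affected. The patterns match the release
# train prefix; the Fix Pack level is taken from the separate fixpackdate
# KB item, not from the version string. fixdate is the date of the Fix
# Pack that closes the issue for that train (YYYYMMDD).
if (version =~ "^8\.5\.1( .*)?$")
{
  fixdate = "20140224";
  workspace_dir = hotfix_append_path(path:base_workspace, value:"\Lotus\Sametime");
}
else if (version =~ "^8\.5\.2( .*)?$")
{
  fixdate = "20140225";
  workspace_dir = hotfix_append_path(path:base_workspace, value:"\Lotus\Sametime");
}
else if (version =~ "^9\.0\.0( .*)?$")
{
  fixdate = "20140225";
  workspace_dir = hotfix_append_path(path:base_workspace, value:"\IBM\Sametime");
}

# Fix Pack level check, shared by every affected train: no Fix Pack at all,
# or one older than the fixed date, means unpatched.
if (!isnull(fixdate))
{
  if (isnull(fixpackdate)) vuln = TRUE;
  else
  {
    # The KB item is expected to look like YYYYMMDD-NNNN; keep only the
    # date part for the comparison and the report.
    fixpackdate = ereg_replace(pattern:'^([0-9]+)-[0-9]+$', replace:"\1", string:fixpackdate);
    if (int(fixpackdate) < int(fixdate)) vuln = TRUE;
  }
}

# The password is only logged when the telephony log level is raised, so a
# normal scan reports an unpatched client only if some profile has that
# flag set. A paranoid scan (report_paranoia >= 2) reports every unpatched
# client regardless of its logging configuration.
if (vuln && report_paranoia < 2)
{
  logs = check_sametime_logging(dir:workspace_dir);
  vuln = (max_index(logs) > 0);
}

if (!vuln) audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, path);

port = kb_smb_transport();

if (report_verbosity > 0)
{
  report =
    '\n  Path                    : ' + path +
    '\n  Installed version       : ' + version;

  if (isnull(fixpackdate)) report += '\n  No Fix Packs have been applied.\n';
  else
  {
    report +=
      '\n  Installed Fix Pack date : ' + fixpackdate +
      '\n  Fixed Fix Pack date     : ' + fixdate + '\n';
  }

  # Only present when the logging-level check ran and found something.
  if (!isnull(logs) && max_index(logs) > 0)
    report = report_high_logging(report:report, logs:logs);

  security_note(port:port, extra:report);
}
else security_note(port);
exit(0);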

Seebug

  • bulletinFamily: exploit
    description: BUGTRAQ ID: 65937 CVE(CAN) ID: CVE-2014-0890 IBM Sametime 产品将实时社交通信功能集成到业务环境中,通过即时消息传递、在线会议、语音、视频和数据,实现统一的用户体验。 IBM Sametime Connect 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.2, 8.5.2.1, 9.0, 9.0.0.1版本在实现上存在信息泄露漏洞,如果用户将特殊的日志标记设置为高级并使用音频、视频聊天,则该用户的密码将以明文或编码(未加密)形式记录。攻击者可利用此漏洞获取敏感信息。 0 IBM Sametime Connect 9.0.0.1 IBM Sametime Connect 9.0 IBM Sametime Connect 8.5.2.1 IBM Sametime Connect 8.5.2 IBM Sametime Connect 8.5.1.2 IBM Sametime Connect 8.5.1.1 IBM Sametime Connect 8.5.1 厂商补丁: IBM --- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.ibm.com/support/docview.wss?uid=swg21665652
    id: SSV:61659
    last seen: 2017-11-19
    modified: 2014-03-05
    published: 2014-03-05
    reporter: Root
    title: IBM Sametime Connect信息泄露漏洞(CVE-2014-0890)
  • bulletinFamily: exploit
    description: Bugtraq ID:65937 CVE ID:CVE-2014-0890 IBM Sametime提供了一套整合的企业级即时通讯软件,能够更轻松地查找和联系同事、客户和业务合作伙伴,并展开协作,极大地提高员工实时沟通的能力。 如果用户设置日志标记至高级别,使用Audio/Video聊天时,应用会把用户密码以明文方式或编码的方式存储,允许攻击者利用漏洞获取敏感信息。 0 IBM Sametime Connect 8.5.1 IBM Sametime Connect 8.5.1.1 IBM Sametime Connect 8.5.1.2 IBM Sametime Connect 8.5.2 IBM Sametime Connect 8.5.2.1 IBM Sametime Connect 9.0 IBM Sametime Connect 9.0.0.1 厂商补丁: IBM ----- 用户可参考如下厂商提供的安全公告获取补丁以修复该漏洞: http://www-01.ibm.com/support/docview.wss?uid=swg21665658
    id: SSV:61694
    last seen: 2017-11-19
    modified: 2014-03-07
    published: 2014-03-07
    reporter: Root
    title: IBM Sametime Connect日志信息泄漏漏洞