IBM Rational ClearQuest 7.1.x < 7.1.2.8 / 8.0.0.x < 8.0.0.4 GSKit Spoofing (credentialed check)

This script is Copyright (C) 2012-2015 Tenable Network Security, Inc.
Synopsis :

The remote host has software installed that is affected by a spoofing
vulnerability.

Description :

The remote host has a version of IBM Rational ClearQuest 7.1.x prior
to 7.1.2.8 / 8.0.0.x prior to 8.0.0.4 installed. It is, therefore,
affected by a spoofing vulnerability related to the included Global
Security Kit (GSKit) and certificate objects.

GSKit does not enforce the file integrity of the PKCS #12 key store
files it uses. Because arbitrary CA certificates can therefore be
inserted into those files, the product is vulnerable to SSL server
spoofing.

Note that deployments not using LDAP are not affected, and that PKCS
#12 is not the default key store format used by ClearQuest.

See also :

http://www-01.ibm.com/support/docview.wss?uid=swg21612036
http://www-01.ibm.com/support/docview.wss?uid=swg21612033

Solution :

Upgrade to IBM Rational ClearQuest 7.1.2.8 / 8.0.0.4 or later.
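The version ranges above are branch-specific (7.1.x is fixed at 7.1.2.8, 8.0.0.x at 8.0.0.4, and other branches are not listed as affected), which is exactly the kind of comparison a credentialed check has to get right. The following is an added example written for this page, not Tenable's plugin code; it assumes the installed version has already been collected as a dotted string by some credentialed means, and it takes an optional flag for whether the deployment uses LDAP, since the advisory states that non-LDAP deployments are not affected.

```python
"""Version-range check for the ClearQuest GSKit advisory (added example).

Assumptions, not taken from the plugin: the installed version arrives as a
dotted string such as "7.1.2.7", and `uses_ldap` is supplied by the caller
(None means unknown, which is treated conservatively as affected).
"""
from typing import Optional, Tuple

# Affected branch prefix -> first fixed version, per the advisory text.
FIXED_BY_BRANCH = {
    (7, 1): (7, 1, 2, 8),
    (8, 0, 0): (8, 0, 0, 4),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "7.1.2.7" into (7, 1, 2, 7); reject non-numeric components."""
    parts = []
    for component in text.strip().split("."):
        if not component.isdigit():
            raise ValueError(f"non-numeric version component in {text!r}")
        parts.append(int(component))
    return tuple(parts)


def pad(version: Tuple[int, ...], length: int) -> Tuple[int, ...]:
    """Right-pad with zeros so "7.1" compares as 7.1.0.0."""
    return version + (0,) * (length - len(version))


def check_clearquest(version: str, uses_ldap: Optional[bool] = None) -> Tuple[bool, str]:
    """Return (affected, reason) for an installed ClearQuest version."""
    installed = parse_version(version)
    for prefix, fixed in FIXED_BY_BRANCH.items():
        if installed[: len(prefix)] != prefix:
            continue  # not this branch
        fixed_text = ".".join(map(str, fixed))
        # Tuple comparison handles a longer installed version (7.1.2.8.1 >= 7.1.2.8).
        if pad(installed, len(fixed)) >= fixed:
            return False, f"{version} is at or after fixed version {fixed_text}"
        if uses_ldap is False:
            return False, f"{version} is in an affected range but the deployment does not use LDAP"
        return True, f"{version} is before fixed version {fixed_text}"
    return False, f"{version} is not on an affected branch (7.1.x or 8.0.0.x)"


if __name__ == "__main__":
    # Constructed sample inventory lines, not real hosts.
    samples = [("7.1.2.7", None), ("7.1.2.8", None), ("8.0.0.3", True),
               ("8.0.0.3", False), ("8.0.1.0", None), ("7.1", None)]
    for ver, ldap in samples:
        affected, why = check_clearquest(ver, ldap)
        print(f"{'AFFECTED' if affected else 'ok      '} {why}")
```

The check deliberately keys on the branch prefix rather than a single global threshold, so that 8.0.1.0 (not listed as affected) is not reported merely because it is numerically below 8.0.0.4's neighbours, and an unknown LDAP state is reported as affected rather than silently suppressed.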

Risk factor :

Medium / CVSS Base Score : 5.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N)
CVSS Temporal Score : 5.0
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: Windows

Nessus Plugin ID: 62786

Bugtraq ID: 54743

CVE ID: CVE-2012-2203
