Detections
Analytics

IBM BigFix Compliance 1.9.70 Multiple Vulnerabilities

critical Nessus Plugin ID 100720

Language:

Synopsis

An infrastructure management application running on the remote web server is affected by multiple vulnerabilities.

Description

According to its self-reported version, the instance of IBM BigFix Compliance running on the remote web server is 1.9.70. It is, therefore, affected by multiple vulnerabilities :

 - A stored cross-site scripting (XSS) vulnerability exists in the Analytics component in the Web UI due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2017-1178)

 - An information disclosure vulnerability exists in the Analytics component due to the use of outdated encryption algorithms. A man-in-the-middle (MitM) attacker can exploit this to disclose sensitive information. (CVE-2017-1179)

 - An information disclosure vulnerability exists in the Analytics component due to a weak default password policy. An unauthenticated, remote attacker can exploit this, via a brute-force attack, to disclose user account credentials. (CVE-2017-1196)

 - A security weakness exists in the Analytics component due to a failure to securely lockout accounts after multiple failed authentication attempts. An unauthenticated, remote attacker can exploit this to perform brute-force attacks. (CVE-2017-1197)

Solution

Upgrade to IBM BigFix Compliance version 1.9.79 or later.

See Also

https://www-01.ibm.com/support/docview.wss?uid=swg22004161

https://www-01.ibm.com/support/docview.wss?uid=swg22004164

https://www-01.ibm.com/support/docview.wss?uid=swg22004168

https://www-01.ibm.com/support/docview.wss?uid=swg22004170

Plugin Details

Severity: Critical

ID: 100720

File Name: ibm_bigfix_compliance_1_9_70.nasl

Version: 1.5

Type: remote

Family: Misc.

Published: 6/9/2017

Updated: 11/13/2019

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2017-1197

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: x-cpe:/a:ibm:bigfix_compliance

Required KB Items: installed_sw/IBM BigFix Compliance

Exploit Ease: No known exploits are available

Patch Publication Date: 5/24/2017

Vulnerability Publication Date: 6/6/2017

Reference Information

CVE: CVE-2017-1178, CVE-2017-1179, CVE-2017-1196, CVE-2017-1197

BID: 98909, 98910, 98911

IAVB: 2017-B-0063