IBM BigFix Platform 9.2.x < 9.2.12 / 9.5.x < 9.5.7 Multiple Vulnerabilities

Medium Nessus Plugin ID 104357

Synopsis

An infrastructure management application running on the remote host is affected by multiple vulnerabilities.

Description

According to its self-reported version, the IBM BigFix Platform application running on the remote host is 9.2.x prior to 9.2.12, or 9.5.x prior to 9.5.7. It is, therefore, affected by multiple vulnerabilities :

- An unspecified cross-site request forgery (XSRF) vulnerability allows an attacker to have malicious and unauthorized actions executed as if they had been transmitted by a user the website trusts. (CVE-2017-1218)

- An unspecified flaw allows the disclosure of sensitive information to unauthorized users. (CVE-2017-1220)

- A failure to perform an authentication check for a critical resource or function allows anonymous users to access protected areas. (CVE-2017-1222)

- An information disclosure vulnerability exists because sensitive information is placed in URL parameters, which end up in server logs, Referer headers and browser history. (CVE-2017-1225, CVE-2017-1226)

- An information disclosure vulnerability exists because the Secure cookie attribute is not properly enabled, so the browser will also send the affected cookie over unencrypted HTTP. An attacker positioned as a man-in-the-middle could exploit this to obtain the cookie contents. (CVE-2017-1228)

- An information disclosure vulnerability exists because insufficiently random numbers are used in a security context that depends on unpredictable values. This weakness allows attackers to expose sensitive information by guessing tokens or identifiers. (CVE-2017-1230)

- An information disclosure vulnerability exists because sensitive data is transmitted in cleartext. (CVE-2017-1232)

- A cross-site scripting vulnerability allows an attacker to embed arbitrary JavaScript code in WebReports leading to credentials disclosure within a trusted session. (CVE-2017-1521)
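A check for the cookie weakness described under CVE-2017-1228, added here as an example and not taken from this page, from IBM or from the Nessus plugin: it parses Set-Cookie header values the way a client would and reports cookies that lack the Secure attribute (and, while there, HttpOnly). The sample header values are constructed and the cookie names are hypothetical; feed it the raw Set-Cookie values returned by the server you are verifying.

```python
def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, attributes).

    Attribute names are lower-cased so that 'Secure', 'secure' and 'SECURE'
    compare equal; flag attributes without a value (Secure, HttpOnly) map to
    True, valued attributes (Path, SameSite) keep their value."""
    pieces = [p.strip() for p in header_value.split(";") if p.strip()]
    name = pieces[0].split("=", 1)[0].strip()
    attrs = {}
    for piece in pieces[1:]:
        key, sep, value = piece.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else True
    return name, attrs


def weak_cookies(set_cookie_headers):
    """Return {cookie_name: [missing attributes]} for cookies that can leak.

    A cookie without Secure is also sent over plain HTTP, so an attacker on the
    path who can provoke one http:// request to the host obtains it; that is
    the class of flaw CVE-2017-1228 describes. HttpOnly is reported as well
    because without it a script injected into the page can read the cookie."""
    findings = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        missing = []
        if "secure" not in attrs:
            missing.append("Secure")
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        if missing:
            findings[name] = missing
    return findings


# Constructed sample: three Set-Cookie values as a server might return them.
# Cookie names are hypothetical, not the names BigFix actually uses.
SAMPLE_HEADERS = [
    "SessionID=abc123; Path=/; HttpOnly",
    "prefs=dark; Path=/; Secure",
    "auth_token=xyz; Path=/; Secure; HttpOnly; SameSite=Strict",
]

if __name__ == "__main__":
    for cookie, missing in weak_cookies(SAMPLE_HEADERS).items():
        print("%s: missing %s" % (cookie, ", ".join(missing)))
```

On the constructed sample only `auth_token` passes; `SessionID` is flagged for a missing Secure attribute and `prefs` for a missing HttpOnly. Run it against the console or WebReports listener after upgrading to confirm the fix is actually in effect on your deployment rather than relying on the version string alone.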

IBM BigFix Platform was formerly known as Tivoli Endpoint Manager, IBM Endpoint Manager, and IBM BigFix Endpoint Manager.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
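The affected-range test that the description above relies on, written out as an added example; this is not the plugin's own NASL code, only a Python rendering of the stated ranges (9.2.x before 9.2.12, 9.5.x before 9.5.7). Like the plugin it trusts the self-reported version string, so it can only be as accurate as that string. The host names and version strings in the sample inventory are constructed.

```python
import re

# Affected ranges taken from the description above: 9.2.x before 9.2.12 and
# 9.5.x before 9.5.7, keyed by (major, minor) branch. Any other branch is
# outside this check's scope, exactly as it is outside the plugin's.
FIXED_BY_BRANCH = {
    (9, 2): (9, 2, 12),
    (9, 5): (9, 5, 7),
}


def parse_version(text):
    """Turn a dotted self-reported version such as '9.5.6.63' into a tuple of
    ints, padded to four components so that '9.2.12' and '9.2.12.0' compare
    equal. Raises ValueError on anything that is not two to four numbers."""
    m = re.fullmatch(r"\d+(?:\.\d+){1,3}", text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(text):
    """True if the version falls inside one of the vulnerable ranges, False if
    it is at or past the fix level or on a branch this check does not cover."""
    version = parse_version(text)
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return False
    # Pad the fix level to four components before the tuple comparison.
    return version < fixed + (0,)


def assess(text):
    """Return 'affected', 'not affected' or 'unknown'. A version that does not
    parse is reported as unknown rather than silently treated as safe, which
    matters when sweeping an inventory where some hosts report nothing."""
    try:
        return "affected" if is_affected(text) else "not affected"
    except ValueError:
        return "unknown"


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are illustrative.
    inventory = [
        ("bes-root-1", "9.2.11.24"),
        ("bes-root-2", "9.5.6.63"),
        ("bes-root-3", "9.5.7.90"),
        ("bes-root-4", ""),
    ]
    for host, version in inventory:
        print("%-12s %-10s %s" % (host, version or "(none)", assess(version)))
```

The one design choice worth noting is the separate `unknown` outcome: a blank or malformed version must not collapse into "not affected", or the hosts most likely to be misconfigured drop out of the report.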

Solution

Upgrade to IBM BigFix Platform version 9.2.12 / 9.5.7 or later.

See Also

http://www-01.ibm.com/support/docview.wss?uid=swg22009673

Plugin Details

Severity: Medium

ID: 104357

File Name: ibm_tem_9_5_7.nasl

Version: 1.6

Type: remote

Family: Web Servers

Published: 2017/11/02

Updated: 2019/02/26

Dependencies: 66269

Risk Information

Risk Factor: Medium

CVSS Score Source: CVE-2017-1218

CVSS v2.0

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:ibm:tivoli_endpoint_manager, cpe:/a:ibm:bigfix_platform

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2017/10/23

Vulnerability Publication Date: 2017/10/23

Reference Information

CVE: CVE-2017-1218, CVE-2017-1220, CVE-2017-1222, CVE-2017-1225, CVE-2017-1226, CVE-2017-1228, CVE-2017-1230, CVE-2017-1232, CVE-2017-1521

BID: 99916, 101571