IBM has patched a vulnerability in Verify Gateway (IVG) that allows attackers to brute-force their way into systems remotely.
IVG is software designed to protect enterprise systems through multi-factor authentication features and pre-built credential provider services. IVG supports a range of operating systems and platforms including Windows, RedHat, Centos, Ubuntu, Debian, AIX, and SuSE.
This week, the tech giant issued a set of security advisories relating to versions 1.0.0 and 1.0.1 of the software, the most serious being the disclosure of CVE-2020-4400.
Issued a CVSS severity score of 7.5, the vulnerability has been caused by an account lockout mechanism deemed "inadequate" which does not prevent multiple access attempts. In automated brute-force attacks, threat actors will hammer a system with usernames and passwords until they come across the right combinations, and to prevent these forms of attacks from being successful, software will often include login attempt restrictions.
However, IVG's settings did not reach this standard when it comes to time-based one-time passwords (TOTPs), and so the bug "could allow a remote attacker to brute-force account credentials," according to IBM.
The patched version of the software -- v1.0.1 IVG for RADIUS and AIX PAM -- as well as v1.0.2 of IVG for Linux PAM and IVG for Windows Login, has now added a throttling mechanism.
This vulnerability is based on how IVG (AIX PAM and Linux PAM) manages the encryption of client-side property. While PAM allows encryption through the pam_ibm_auth.json file, this is not enabled by default, and so users have to remember to add obfuscation commands manually.
As this relies on customers to implement encryption, this may be considered a potential security risk that does not need to exist, and one that could lead to the "storage [of] highly sensitive information in cleartext that could be obtained by a user," the company says.
Now, IBM has now added client-side encryption by default in AIX PAM and Linux PAM.
In addition, IBM has also tackled CVE-2020-4372, another information disclosure issue present in IVG for RADIUS, AIX PAM, Linux PAM, and Windows Login.
The vulnerability occurs when IVG components are running with debug tracing. When active, client secrets are exposed in cleartext via the debug log, including client usernames, passwords, and client IDs.
IBM has patched the issue by suppressing client secrets when debug tracing is active.
The company recommends that users install the latest updates of IVG, now renamed as IBM Security Verify Gateway.
Previous and related coverage
- IBM beats Q2 expectations on 30% cloud revenue growth
- IBM, Red Hat, Adobe team up to help regulated industries with data-driven marketing
- IBM, Verizon partner to develop 5G enabled IoT technologies for industrial sector
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0