IBM Verify Gateway vulnerability allowed remote attackers to brute-force their way in

The severe bug could be harnessed for brute-force attacks.

How MIT and IBM are fighting COVID-19 with AI

IBM has patched a vulnerability in Verify Gateway (IVG) that allows attackers to brute-force their way into systems remotely.

IVG is software designed to protect enterprise systems through multi-factor authentication features and pre-built credential provider services. IVG supports a range of operating systems and platforms including Windows, RedHat, Centos, Ubuntu, Debian, AIX, and SuSE.

This week, the tech giant issued a set of security advisories relating to versions 1.0.0 and 1.0.1 of the software, the most serious being the disclosure of CVE-2020-4400

Issued a CVSS severity score of 7.5, the vulnerability has been caused by an account lockout mechanism deemed "inadequate" which does not prevent multiple access attempts. In automated brute-force attacks, threat actors will hammer a system with usernames and passwords until they come across the right combinations, and to prevent these forms of attacks from being successful, software will often include login attempt restrictions.

See also: IBM intros new security dashboard for its financial services cloud

However, IVG's settings did not reach this standard when it comes to time-based one-time passwords (TOTPs), and so the bug "could allow a remote attacker to brute-force account credentials," according to IBM. 

The patched version of the software -- v1.0.1 IVG for RADIUS and AIX PAM -- as well as v1.0.2 of IVG for Linux PAM and IVG for Windows Login, has now added a throttling mechanism.  

IBM has also released a security advisory for CVE-2020-4369, a vulnerability in the privileged access management (PAM) components of the authentication gateway. 

This vulnerability is based on how IVG (AIX PAM and Linux PAM) manages the encryption of client-side property. While PAM allows encryption through the pam_ibm_auth.json file, this is not enabled by default, and so users have to remember to add obfuscation commands manually. 

CNET: Apple's new security program gives special iPhone hardware, with restrictions attached

As this relies on customers to implement encryption, this may be considered a potential security risk that does not need to exist, and one that could lead to the "storage [of] highly sensitive information in cleartext that could be obtained by a user," the company says. 

Now, IBM has now added client-side encryption by default in AIX PAM and Linux PAM. 

In addition, IBM has also tackled CVE-2020-4372, another information disclosure issue present in IVG for RADIUS, AIX PAM, Linux PAM, and Windows Login. 

TechRepublic: Phishing attacks and ransomware are the most challenging threats for many organizations

The vulnerability occurs when IVG components are running with debug tracing. When active, client secrets are exposed in cleartext via the debug log, including client usernames, passwords, and client IDs. 

IBM has patched the issue by suppressing client secrets when debug tracing is active. 

The company recommends that users install the latest updates of IVG, now renamed as IBM Security Verify Gateway.

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0