Security Bulletin: AIX is vulnerable to information disclosure due to openCryptoki (CVE-2024-0914)

Published: 2024-06-03 16:12:13
Source: www.ibm.com

CVSS3 base score: 5.9 Medium
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network | Attack Complexity: High | Privileges Required: None | User Interaction: None
Scope: Unchanged | Confidentiality Impact: High | Integrity Impact: None | Availability Impact: None

AI Score: 6 Medium (confidence: Low)
EPSS: 0.001 Low (percentile: 40.7%)

Summary

Vulnerability in openCryptoki could allow a remote attacker to obtain sensitive information (CVE-2024-0914).

Vulnerability Details

CVEID: CVE-2024-0914
**DESCRIPTION:** openCryptoki could allow a remote attacker to obtain sensitive information, caused by a flaw when processing RSA PKCS#1 v1.5 padded ciphertexts. By using timing side-channel attack techniques, an attacker could exploit this vulnerability to obtain RSA ciphertext information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/281283 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
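
The description above attributes the leak to a timing side channel in the processing of RSA PKCS#1 v1.5 padded ciphertexts. The following is an added illustration of that class of flaw, not openCryptoki's code and not IBM's fix: a textbook unpadding routine whose early exits make the time taken depend on where the padding check fails (the oracle a Bleichenbacher-style attack measures), beside a variant structured the way constant-time implementations are, which examines every byte and always returns a fixed-length result. It works on the encoded message EM that raw RSA decryption yields, so no RSA key is involved; the modulus size k, the output length out_len and all function names are assumptions for the example.

```python
# Added example (not openCryptoki's code): a leaky PKCS#1 v1.5 unpadding
# check beside a constant-time-structured one. Operates on the encoded
# message EM = 0x00 || 0x02 || PS || 0x00 || M produced by raw RSA decryption.
import secrets


def pkcs1_v15_pad(message: bytes, k: int) -> bytes:
    """Encode M for a k-byte modulus; PS is at least 8 random non-zero bytes
    (RFC 8017 section 7.2.1)."""
    ps_len = k - len(message) - 3
    if ps_len < 8:
        raise ValueError("message too long for the modulus size")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + message


def unpad_leaky(em: bytes, k: int):
    """Textbook check with early returns; returns M or None.

    Each `return None` leaves at a different point, so the time taken (and
    any distinct error reported) depends on *where* the attacker's chosen
    ciphertext fails. Measured over many queries, that is a padding oracle.
    """
    if len(em) != k or em[0] != 0x00:
        return None                      # stage 1: bad length or leading byte
    if em[1] != 0x02:
        return None                      # stage 2: wrong block type
    sep = em.find(b"\x00", 2)
    if sep < 0:
        return None                      # stage 3: no separator byte
    if sep - 2 < 8:
        return None                      # stage 4: padding string too short
    return em[sep + 1:]                  # success: the longest path


def _ct_eq(a: int, b: int) -> int:
    """1 if a == b else 0, for 0 <= a, b <= 255, without a data-dependent branch."""
    return (((a ^ b) - 1) >> 8) & 1


def _ct_ge(a: int, b: int) -> int:
    """1 if a >= b else 0 for small integers, taken from the sign of a - b."""
    return (((a - b) >> 31) & 1) ^ 1


def _ct_select(cond: int, x: int, y: int) -> int:
    """x when cond == 1, y when cond == 0, by masking instead of branching."""
    mask = -cond                         # 0 -> 0, 1 -> all bits set
    return (x & mask) | (y & ~mask)


def unpad_constant_time(em: bytes, k: int, out_len: int):
    """The same check, structured so the work done is independent of EM.

    Every byte is examined, there is no early exit, and the result is always
    (ok, buf) with buf exactly out_len bytes (left-padded with zeros), so the
    caller cannot be steered by the padding either. out_len is a public
    parameter (e.g. 48 for a TLS RSA premaster secret). Python cannot promise
    constant time; this shows the shape constant-time C code takes.
    """
    if len(em) != k or not 0 < out_len <= k - 11:
        raise ValueError("EM length and out_len are public parameters")
    good = _ct_eq(em[0], 0x00) & _ct_eq(em[1], 0x02)
    sep, found = 0, 0
    for i in range(2, k):                # always scan the whole block
        is_zero = _ct_eq(em[i], 0x00)
        first = is_zero & (found ^ 1)    # first zero seen so far?
        sep = _ct_select(first, i, sep)
        found |= is_zero
    good &= found                        # a separator must exist
    good &= _ct_ge(sep - 2, 8)           # at least 8 bytes of PS
    good &= _ct_ge(out_len, k - sep - 1) # the message must fit the buffer
    out = bytearray(out_len)
    for j in range(out_len):             # fixed-length copy, masked per byte
        src = k - out_len + j
        keep = _ct_ge(src, sep + 1)      # only bytes after the separator
        out[j] = em[src] & (-keep & 0xFF)
    return good == 1, bytes(out)
```

The fix for this class of bug is not to "add more checks" but to remove every data-dependent branch and error distinction on the decryption path, so that a malformed ciphertext costs the same time and produces the same observable result as a well-formed one.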

Affected Products and Versions

Affected Product(s)   Version(s)
AIX                   7.2
AIX                   7.3

The vulnerabilities in the following filesets are being addressed:

Fileset         Lower Level   Upper Level
opencki.base    3.21.0.0      3.21.0.1000

To find out whether the affected filesets are installed on your systems, refer to the lslpp command in the AIX user's guide.

Example: lslpp -L | grep -i opencki.base
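
The grep above only shows whether the fileset is present; deciding whether the installed level falls inside the affected range still has to be done by hand. The script below is an added example, not part of IBM's bulletin, that parses lslpp -L style output and flags opencki.base levels between 3.21.0.0 and 3.21.0.1000 inclusive, using numeric rather than string comparison. The sample outputs are constructed for illustration (the 3.23.0.0 level is assumed, by analogy with the fix tar name, to be a fixed level); on a real host, feed it the stdout of subprocess.run(["lslpp", "-L", "opencki.base"], capture_output=True, text=True) instead.

```python
# Added example, not from IBM's bulletin: flag opencki.base levels inside the
# affected range from lslpp -L output. Sample outputs below are constructed.

# fileset -> (lowest affected level, highest affected level), per the bulletin
AFFECTED_RANGES = {"opencki.base": ("3.21.0.0", "3.21.0.1000")}


def parse_level(level: str) -> tuple:
    """Turn "3.21.0.1000" into (3, 21, 0, 1000) so comparison is numeric.
    Plain string comparison gets this wrong: "3.21.0.1000" < "3.21.0.2"."""
    return tuple(int(part) for part in level.split("."))


def parse_lslpp(text: str) -> dict:
    """Map fileset name -> installed level from lslpp -L style output.

    Columns are Fileset, Level, State, Type, Description. Header, rule and
    blank lines are skipped because their second field is not a dotted level.
    """
    levels = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        name, level = fields[0], fields[1]
        if all(part.isdigit() for part in level.split(".")):
            levels[name] = level
    return levels


def is_affected(fileset: str, level: str) -> bool:
    """True when the level lies inside the bulletin's affected range."""
    bounds = AFFECTED_RANGES.get(fileset)
    if bounds is None:
        return False
    low, high = (parse_level(b) for b in bounds)
    return low <= parse_level(level) <= high


def affected_filesets(lslpp_output: str) -> list:
    """Return [(fileset, level), ...] for installed filesets that need the fix."""
    return [(name, level) for name, level in parse_lslpp(lslpp_output).items()
            if is_affected(name, level)]


# Constructed sample outputs in the lslpp -L layout (not captured from a host).
SAMPLE_VULNERABLE = """\
  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  opencki.base              3.21.0.0    C     F    openCryptoki base fileset
"""
SAMPLE_FIXED = """\
  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  opencki.base              3.23.0.0    C     F    openCryptoki base fileset
"""

if __name__ == "__main__":
    for label, sample in (("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED)):
        print(label, "->", affected_filesets(sample) or "no affected fileset")
```

The upper bound 3.21.0.1000 is the reason to compare level components as integers: sorting the levels as strings would place 3.21.0.1000 below 3.21.0.2 and misclassify hosts.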

Remediation/Fixes

FIXES

IBM strongly recommends addressing the vulnerability now.

A fix is available, and it can be downloaded from:

https://www.ibm.com/resources/mrs/assets?source=aixbp&S_PKG=opencryptoki

To extract the fixes from the tar file:

zcat opencki-3.23.0.tar.Z | tar xvf -

IMPORTANT: If possible, it is recommended that a mksysb backup of the system be created. Verify it is both bootable and readable before proceeding.

Note that all previously reported security vulnerability fixes are also included in the above-mentioned fileset level.

To preview the fix installation:

installp -apYd . opencki

To install the fix package:

installp -aXYd . opencki

To verify the detached OpenSSL signatures on the published advisory and on the downloaded ifix files (substitute the public key, signature and file names):

openssl dgst -sha256 -verify [pubkey_file] -signature [advisory_file].sig [advisory_file]

openssl dgst -sha256 -verify [pubkey_file] -signature [ifix_file].sig [ifix_file]

openssl prints "Verified OK" and exits with status 0 on success; treat any other result as a failed download and do not install the file.

Published advisory OpenSSL signature file location:

https://aix.software.ibm.com/aix/efixes/security/opencryptoki_advisory.asc.sig

Workarounds and Mitigations

None

Affected configurations (Vulners)

ibm aix 7.2 OR ibm aix 7.3

CPE Name   Operator   Version
aix        eq         7.2
aix        eq         7.3