Mar 23, 2020 - 8:41 p.m.

Security Bulletin: IBM WebSphere Installer used by WebSphere Message Broker, IBM Integration Bus, IBM Integration Bus Healthcare Pack, Manufacturing Pack, and Retail Pack is susceptible to DLL-planting vulnerability (CVE-2016-4560)

2020-03-23 20:41:52
www.ibm.com

EPSS: 0 (percentile: 5.1%)

Summary

The Windows graphical user interface installer (setup.exe) used by WebSphere Message Broker, IBM Integration Bus, IBM Integration Bus Healthcare Pack, IBM Integration Bus Manufacturing Pack, and IBM Integration Bus Retail Pack, is susceptible to a DLL-planting vulnerability, where a malicious DLL that is present in the Windows search path could be loaded by the operating system in place of the genuine file.

Vulnerability Details

CVEID: CVE-2016-4560
DESCRIPTION: Flexera InstallAnywhere could allow a local attacker to gain elevated privileges on the system, caused by an untrusted search path. An attacker could exploit this vulnerability, by using a Trojan horse DLL in the current working directory of a setup-launcher executable file, to gain elevated privileges on the system.
CVSS Base Score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113016 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

The vulnerability affects the executable (.exe file extension) installers and fix packs:

IBM Integration Bus V9 for Windows (V9.0.0.0 -> V9.0.0.5)

WebSphere Message Broker V8 for Windows (V8.0.0.0 -> V8.0.0.7)

IBM Integration Bus Healthcare Pack V3 for Windows (V3.0.0.0 -> V3.0.0.1)

WebSphere Message Broker Connectivity Pack for Healthcare V8 for Windows (V8.0.0.0)

WebSphere Message Broker Connectivity Pack for Healthcare V7 for Windows (V7.0.0.0 -> V7.0.0.2)

IBM Integration Bus Manufacturing Pack V1 for Windows (V1.0.0.0 -> V1.0.0.1)

IBM Integration Bus Retail Pack V1 for Windows (V1.0.0.0)

Remediation/Fixes

Product | VRMF | APAR | Remediation/Fix
---|---|---|---
IBM Integration Bus Manufacturing Pack | V1 | IT15616 | The APAR is available in Fix Pack 1.0.0.2 <http://www-01.ibm.com/support/docview.wss?uid=swg21987596>
IBM Integration Bus | V9 | IT15601 | The APAR is available in Fix Pack 9.0.0.6 <https://www-304.ibm.com/support/docview.wss?uid=swg24042598>
WebSphere Message Broker | V8 | IT15601 | The APAR is available in Fix Pack 8.0.0.8 <https://www-304.ibm.com/support/docview.wss?uid=swg24042925>
IBM Integration Bus Retail Pack | V1 | IT15611 | IBM Integration Bus Retail Pack 1.0.0.0 has been repackaged to no longer be susceptible to the described vulnerability. The updated package is available via IBM Passport Advantage.

The following link directs you to the Passport Advantage Online web site. Passport Advantage is a secure web site that requires an account ID and password.

http://www.ibm.com/software/how-to-buy/passportadvantage/pao_customers.htm

For unsupported versions of the product, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

The planned maintenance release dates for WebSphere Message Broker and IBM Integration Bus are available at:
http://www.ibm.com/support/docview.wss?uid=swg27006308

Workarounds and Mitigations

Complete these steps to work around the InstallAnywhere vulnerability.

To avoid the untrusted search path vulnerability, where users could gain increased privileges, complete the following steps:

  1. Create a new, empty, secure directory in a temporary location.
    The directory must not exist previously and only the administrator should have write access to it.
  2. Either copy or move the installer executable, or unpack the installation zip file into the new, empty folder created in Step 1.
  3. Ensure that there are no DLL files in this directory.
  4. Launch the installer executable from its new location.
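
The four steps above as a PowerShell script, added here as an example (not IBM's code). It covers the copy-the-executable case of Step 2; the `$InstallerPath` parameter and the `installer-stage-` directory name are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: automates workaround steps 1-4 for a single installer executable.
param(
    # Assumption: path to the downloaded installer executable.
    [Parameter(Mandatory)] [string] $InstallerPath
)
$ErrorActionPreference = 'Stop'

# Step 1: a directory that did not exist before (random GUID in the name).
$stage = Join-Path $env:TEMP ("installer-stage-" + [guid]::NewGuid())
if (Test-Path -LiteralPath $stage) { throw "Staging directory already exists: $stage" }
New-Item -ItemType Directory -Path $stage | Out-Null

# Drop inherited ACEs and grant access to the local Administrators group only
# (well-known SID S-1-5-32-544), so no other account can write a DLL here.
icacls $stage /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# The directory briefly carried inherited permissions; confirm nothing was
# written into it before the ACL was tightened.
if (Get-ChildItem -LiteralPath $stage -Force) { throw "Staging directory is not empty: $stage" }

# Step 2: copy the installer into the staging directory.
$name   = Split-Path -Leaf $InstallerPath
$staged = Join-Path $stage $name
Copy-Item -LiteralPath $InstallerPath -Destination $staged

# Step 3: the installer must be the only file present (so no DLLs, hidden or not).
$extra = Get-ChildItem -LiteralPath $stage -Force | Where-Object { $_.Name -ne $name }
if ($extra) { throw "Unexpected files next to the installer: $($extra.Name -join ', ')" }

# Step 4: launch from the new location. The working directory is set to the
# staging folder so the application directory and the current directory in the
# DLL search are both the locked-down folder.
Start-Process -FilePath $staged -WorkingDirectory $stage -Wait
```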
