The IBM Verify Gateway (IVG) PAM components allow encryption of the client-secret property in the /etc/pam_ibm_auth.json file, but it's not the default configuration. Instead, customers must remember to add an --obfuscation command-line flag to encrypt the property. As of v1.0.1 of IVG for AIX PAM, and v1.0.2 of IVG for Linux PAM, the client-secret property is encrypted by default.
CVEID: CVE-2020-4369
**DESCRIPTION:** IBM Verify Gateway (IVG) stores highly sensitive information in cleartext that could be obtained by a user.
CVSS Base score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/179004 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
| Affected Product(s) | Version(s) |
|---|---|
| IBM Verify Gateway (IVG) | PAM 1.0.0, 1.0.1 |
Log in to IBM X-Force Exchange / App Exchange and download and install the latest IBM Security Verify Gateway (renamed from IBM Verify Gateway) PAM components. Specifically:
Add the --obf command-line flag when running /opt/ibm/ibm_auth/ibm_authd in order to generate an encrypted version of the client secret. Then, store the encrypted version in /etc/pam_ibm_auth.json by using the "obf-client-secret" parameter. For details, see the IBM Knowledge Center topic at <https://www.ibm.com/support/knowledgecenter/en/SSCT62/com.ibm.iamservice.doc/references/r_verify_pam_ibmauthapi.html>.
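The following is an added audit check for the remediation described above; it is example code written for this advisory, not IBM's tooling. It assumes /etc/pam_ibm_auth.json is a flat JSON object in which the cleartext secret appears under the "client-secret" key and the encrypted form under "obf-client-secret" (the exact file schema is an assumption here), and it also flags a file mode that lets non-owner users read the file, since the vulnerability is a local cleartext-disclosure issue.

```python
"""Audit an IVG PAM config for a cleartext client secret (CVE-2020-4369).

Example code added for this advisory, not IBM's own tooling. Assumed schema:
a flat JSON object with "client-secret" (cleartext) or "obf-client-secret"
(value produced with the --obf flag).
"""
import json
import os
import stat
from typing import List

CONFIG_PATH = "/etc/pam_ibm_auth.json"

# Constructed sample configs (no real secrets) so the check runs offline.
SAMPLE_CLEARTEXT = '{"client-id": "ivg-pam", "client-secret": "example-plaintext-secret"}'
SAMPLE_OBFUSCATED = '{"client-id": "ivg-pam", "obf-client-secret": "EXAMPLE_OBF_BLOB"}'


def audit_config(text: str, mode: int) -> List[str]:
    """Return findings for the given config text and st_mode bits.

    An empty list means the secret is stored only in its encrypted form and
    the file is not readable by group or other users.
    """
    findings: List[str] = []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"config is not valid JSON: {exc}"]
    if not isinstance(cfg, dict):
        return ["config root is not a JSON object"]

    has_clear = bool(cfg.get("client-secret"))
    has_obf = bool(cfg.get("obf-client-secret"))

    if has_clear:
        findings.append("client-secret is stored in cleartext; regenerate it with --obf "
                        "and store the result under obf-client-secret")
    if has_clear and has_obf:
        findings.append("both client-secret and obf-client-secret are present; "
                        "remove the cleartext value")
    if not has_clear and not has_obf:
        findings.append("no client secret configured")

    # Group/world readability widens who can obtain the secret locally (AV:L, PR:N).
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"file mode {oct(mode & 0o777)} lets non-owner users read the file")
    return findings


def audit_file(path: str = CONFIG_PATH) -> List[str]:
    """Audit a real file on disk (defaults to the advisory's config path)."""
    with open(path, "r", encoding="utf-8") as fh:
        text = fh.read()
    return audit_config(text, os.stat(path).st_mode)


if __name__ == "__main__":
    for label, sample, mode in (("cleartext, 0644", SAMPLE_CLEARTEXT, 0o644),
                                ("obfuscated, 0600", SAMPLE_OBFUSCATED, 0o600)):
        print(f"[{label}]", audit_config(sample, mode) or ["OK"])
```

Run audit_file() on a host after applying the fix; an empty result means the cleartext "client-secret" value is gone and the file is owner-only readable. The file schema and key names beyond those named in the advisory are assumptions, so adjust the two key names if your deployed configuration differs.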