IBM SECURITY ADVISORY

First Issued: Wed Jan 31 13:51:19 CST 2024

The most recent version of this document is available here:

    https://aix.software.ibm.com/aix/efixes/powersc/security/powersc_advisory.asc

Security Bulletin: Multiple vulnerabilities affect PowerSC and PowerSC MFA

===============================================================================

SUMMARY:

    There are multiple vulnerabilities in PowerSC and PowerSC MFA.

===============================================================================

VULNERABILITY DETAILS:

    CVEID: CVE-2023-50939
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50939
    DESCRIPTION: IBM PowerSC uses weaker than expected cryptographic
        algorithms that could allow an attacker to decrypt highly sensitive
        information.
    CVSS Base score: 5.9
    CVSS Temporal Score: See:
        https://exchange.xforce.ibmcloud.com/vulnerabilities/275129 for the
        current score.
    CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

    CVEID: CVE-2023-50326
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50326
    DESCRIPTION: IBM PowerSC uses an inadequate account lockout setting that
        could allow a remote attacker to brute force account credentials.
    CVSS Base score: 7.5
    CVSS Temporal Score: See:
        https://exchange.xforce.ibmcloud.com/vulnerabilities/275107 for the
        current score.
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

    CVEID: CVE-2023-50325
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50325
    DESCRIPTION: IBM PowerSC uses Cross-Origin Resource Sharing (CORS) which
        could allow an attacker to carry out privileged actions and retrieve
        sensitive information as the domain name is not being limited to only
        trusted domains.
    CVSS Base score: 5.3
    CVSS Temporal Score: See:
        https://exchange.xforce.ibmcloud.com/vulnerabilities/275106 for the
        current score.
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

    CVEID: CVE-2023-50933
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50933
    DESCRIPTION: IBM PowerSC is vulnerable to HTML injection. A remote
        attacker could inject malicious HTML code, which when viewed, would be
        executed in the victim's Web browser within the security context of
        the hosting site.
    CVSS Base score: 6.1
    CVSS Temporal Score: See:
        https://exchange.xforce.ibmcloud.com/vulnerabilities/275113 for the
        current score.
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

    CVEID: CVE-2023-50937
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50937
    DESCRIPTION: IBM PowerSC uses weaker than expected cryptographic
        algorithms that could allow an attacker to decrypt highly sensitive
        information.
    CVSS Base score: 5.9
    CVSS Temporal Score: See:
        https://exchange.xforce.ibmcloud.com/vulnerabilities/275117 for the
        current score.
    CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

    CVEID: CVE-2023-50327
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50327
    DESCRIPTION: IBM PowerSC uses insecure HTTP methods which could allow a
        remote attacker to perform unauthorized file request modification.
    CVSS Base score: 5.3
    CVSS Temporal Score: See:
        https://exchange.xforce.ibmcloud.com/vulnerabilities/275109 for the
        current score.
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

    CVEID: CVE-2023-50936
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50936
    DESCRIPTION: IBM PowerSC does not invalidate session after logout which
        could allow an authenticated user to impersonate another user on the
        system.
    CVSS Base score: 6.3
    CVSS Temporal Score: See:
        https://exchange.xforce.ibmcloud.com/vulnerabilities/275116 for the
        current score.
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2023-50934
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50934
    DESCRIPTION: IBM PowerSC uses single-factor authentication which can lead
        to unnecessary risk of compromise when compared with the benefits of a
        dual-factor authentication scheme.
    CVSS Base score: 5.3
    CVSS Temporal Score: See:
        https://exchange.xforce.ibmcloud.com/vulnerabilities/275114 for the
        current score.
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

    CVEID: CVE-2023-50941
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50941
    DESCRIPTION: PowerSC does not provide logout functionality, which could
        allow an authenticated user to gain access to an unauthorized user
        using session fixation.
    CVSS Base score: 6.3
    CVSS Temporal Score: See:
        https://exchange.xforce.ibmcloud.com/vulnerabilities/275131 for the
        current score.
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

    CVEID: CVE-2023-50935
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50935
    DESCRIPTION: IBM PowerSC fails to properly restrict access to a URL or
        resource, which may allow a remote attacker to obtain unauthorized
        access to application functionality and/or resources.
    CVSS Base score: 6.5
    CVSS Temporal Score: See:
        https://exchange.xforce.ibmcloud.com/vulnerabilities/275115 for the
        current score.
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

    CVEID: CVE-2023-50938
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50938
    DESCRIPTION: IBM PowerSC could allow a remote attacker to hijack the
        clicking action of the victim. By persuading a victim to visit a
        malicious Web site, a remote attacker could exploit this vulnerability
        to hijack the victim's click actions and possibly launch further
        attacks against the victim.
    CVSS Base score: 6.1
    CVSS Temporal Score: See:
        https://exchange.xforce.ibmcloud.com/vulnerabilities/275128 for the
        current score.
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

    CVEID: CVE-2023-50328
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50328
    DESCRIPTION: IBM PowerSC may allow a remote attacker to view session
        identifiers passed via URL query strings.
    CVSS Base score: 3.7
    CVSS Temporal Score: See:
        https://exchange.xforce.ibmcloud.com/vulnerabilities/275110 for the
        current score.
    CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

    CVEID: CVE-2023-50962
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50962
    DESCRIPTION: IBM PowerSC MFA does not implement the "HTTP Strict
        Transport Security" (HSTS) web security policy mechanism.
    CVSS Base score: 5.9
    CVSS Temporal Score: See:
        https://exchange.xforce.ibmcloud.com/vulnerabilities/276004 for the
        current score.
    CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

    CVEID: CVE-2023-50940
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50940
    DESCRIPTION: IBM PowerSC uses Cross-Origin Resource Sharing (CORS) which
        could allow an attacker to carry out privileged actions and retrieve
        sensitive information as the domain name is not being limited to only
        trusted domains.
    CVSS Base score: 5.3
    CVSS Temporal Score: See:
        https://exchange.xforce.ibmcloud.com/vulnerabilities/275130 for the
        current score.
    CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

AFFECTED PRODUCTS AND VERSIONS:

    PowerSC 1.3, 2.0, 2.1

    The vulnerabilities in the following filesets are being addressed:

    key_fileset = powerscStd.tnc_pm

    Fileset                 Lower Level  Upper Level  KEY
    ---------------------------------------------------------------
    powerscStd.uiServer     1.3.0.4      2.1.0.6      key_w_fs
    powerscStd.uiAgent      1.3.0.4      2.1.0.6      key_w_fs
    powerscMFA.server       1.3.0.4      2.1.0.6      key_w_fs

    Note: To find out whether the affected PowerSC filesets are installed
    on your systems, refer to the lslpp command found in AIX user's guide.
    To find out whether the affected curl filesets are installed on your
    systems, refer to the rpm command found in AIX user's guide.

    Example:  lslpp -l | grep powerscStd

REMEDIATION:

    IBM strongly recommends addressing the vulnerabilities now.

    Recommended remediation is to update to PowerSC 2.2:

    https://www.ibm.com/support/fixcentral/swg/selectFixes?fixids=PowerSC-2.2.0.0&product=ibm%2Fpower%2FIBM%20PowerSC&source=dbluesearch&mhsrc=ibmsearch_a&mhq=PowerSC&function=fixId&parent=ibm/Other%20software

WORKAROUNDS AND MITIGATIONS:

    None.

===============================================================================

CONTACT US:

    Note: Keywords labeled as KEY in this document are used for parsing
    purposes.

    If you would like to receive PowerSC Security Advisories via email,
    please visit "My Notifications":

        https://www.ibm.com/support/mynotifications

    Contact IBM Support for questions related to this announcement:

        https://ibm.com/support/

    To obtain the OpenSSL public key that can be used to verify the signed
    advisories and ifixes:

        Download the key from our web page:

        ftp://ftp.software.ibm.com/systems/power/AIX/systems_p_os_aix_security_pubkey.txt

    Please contact your local IBM AIX support center for any assistance.

REFERENCES:

    Complete CVSS v3 Guide: https://www.first.org/cvss/user-guide
    On-line Calculator v3: https://www.first.org/cvss/calculator/3.0

ACKNOWLEDGEMENTS:

    None.

CHANGE HISTORY:

    First Issued: Wed Jan 31 13:51:19 CST 2024

===============================================================================

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
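The lslpp check in the AFFECTED PRODUCTS section only greps for the fileset names; deciding whether an installed level is actually inside the advisory's range still has to be done by hand. The POSIX shell script below is an added example, not part of the IBM advisory: it parses lslpp -l output, compares each level numerically component by component, and prints one line per fileset whose level lies between 1.3.0.4 and 2.1.0.6 inclusive, which is the range the fileset table states. The function names (ver_cmp, in_affected_range, check_lslpp) and the assumption that the fileset name and its level are the first two whitespace-separated columns of lslpp -l output are mine; the sample output embedded in the script is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the IBM advisory): flag installed PowerSC filesets
# whose level falls inside the advisory's affected range. Assumes `lslpp -l`
# output with the fileset name in column 1 and its level in column 2.
set -f   # no globbing, so "set -- $line" below never expands wildcards

# Affected filesets and inclusive level range, copied from the advisory table.
AFFECTED_FILESETS="powerscStd.uiServer powerscStd.uiAgent powerscMFA.server"
LOWER=1.3.0.4
UPPER=2.1.0.6

# ver_cmp A B: prints lt, eq or gt, comparing dotted numeric levels one
# component at a time (so 2.1.0.10 > 2.1.0.6, which a string compare gets wrong;
# missing trailing components count as 0, so 2.1 == 2.1.0.0).
ver_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        [ -n "$ah" ] || ah=0
        [ -n "$bh" ] || bh=0
        if [ "$ah" -lt "$bh" ]; then echo lt; return 0; fi
        if [ "$ah" -gt "$bh" ]; then echo gt; return 0; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    echo eq
}

# in_affected_range LEVEL: true when LOWER <= LEVEL <= UPPER.
in_affected_range() {
    [ "$(ver_cmp "$1" "$LOWER")" != lt ] && [ "$(ver_cmp "$1" "$UPPER")" != gt ]
}

# check_lslpp: reads lslpp -l output on stdin and prints one AFFECTED line per
# hit. Header, separator and "Path:" lines never equal a fileset name, so they
# fall through; anything without a purely numeric dotted level is skipped too.
check_lslpp() {
    while IFS= read -r line; do
        # shellcheck disable=SC2086  # word-splitting the columns is intended
        set -- $line
        [ $# -ge 2 ] || continue
        name=$1; level=$2
        case $level in *[!0-9.]*) continue ;; esac
        for fs in $AFFECTED_FILESETS; do
            if [ "$fs" = "$name" ] && in_affected_range "$level"; then
                echo "AFFECTED $name $level (advisory range $LOWER to $UPPER)"
            fi
        done
    done
}

# Constructed sample of lslpp -l output (not captured from a real system).
SAMPLE_LSLPP='  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  powerscStd.uiServer        2.1.0.5  COMMITTED  constructed sample
  powerscStd.uiAgent         1.3.0.2  COMMITTED  constructed sample
  powerscMFA.server          2.1.0.6  COMMITTED  constructed sample
  powerscStd.tnc_pm          2.2.0.0  COMMITTED  constructed sample'

# On a live AIX host pipe the real command instead:
#   lslpp -l | check_lslpp
printf '%s\n' "$SAMPLE_LSLPP" | check_lslpp
```

Against the constructed sample the script flags powerscStd.uiServer at 2.1.0.5 and powerscMFA.server at 2.1.0.6 (the upper bound is inclusive), and stays silent for powerscStd.uiAgent at 1.3.0.2 because that level sits below the table's lower bound, and for powerscStd.tnc_pm because it is the key fileset rather than one of the three listed as affected. The script reports only what the fileset table states; the remediation above, updating to PowerSC 2.2, is the authoritative guidance for any of the affected releases.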
Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.