
Update Protection against Directory Traversal Vulnerability in IBM Tivoli Access Manager


Check Point Reference: CPAI-2006-031
Date Published:
Severity:
Last Updated:
Source: SecurityTracker ID: 1015582  
Industry Reference(s): CVE-2006-0513
Protection Provided by: VPN-1
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55W
  • NG with Application Intelligence R55
  • NG with Application Intelligence R54
InterSpect
  • NGX
  • 2.0 and 1.x
Who is Vulnerable?
Tivoli Access Manager versions 5.1.0.10 and 6.0.0. Other versions may also be affected.
Vulnerability Description
A vulnerability was reported in IBM Tivoli Access Manager, which provides access control security solutions. The vulnerability can be exploited via a specially crafted filename containing '../..' sequences. An attacker may attempt to exploit this vulnerability to place files in folders that the user is not otherwise permitted to access.
Update/Patch Available
IBM has issued patches for versions 5.1 and 6.0:

Fixpack 5.1.0-TIV-WPI-FP0017 is available at: http://www-1.ibm.com/support/docview.wss?uid=swg24011562
Fixpack 6.0.0-TIV-WPI-FP0001 is available at: http://www-1.ibm.com/support/docview.wss?uid=swg24011561
Vulnerability Details
The vulnerability specifically exists in the Tivoli Web Server Plug-in component. The 'pkmslogout' script does not properly validate user-supplied input in the 'filename' parameter.
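
A log-side check for the request shape described above, added here as an example; it is not Check Point's signature or IBM's fix. The combined-log line format, the sample lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined-log style (not taken from the advisory).
SAMPLE_LOG = [
    '192.0.2.10 - alice [01/Feb/2006:10:00:00 +0000] "GET /pkmslogout?filename=logout.html HTTP/1.1" 200 512',
    '192.0.2.44 - bob [01/Feb/2006:10:00:05 +0000] "GET /pkmslogout?filename=../../placeholder.txt HTTP/1.1" 200 1024',
    '192.0.2.44 - bob [01/Feb/2006:10:00:09 +0000] "GET /pkmslogout?filename=%2e%2e%2fplaceholder.txt HTTP/1.1" 200 1024',
    '192.0.2.10 - alice [01/Feb/2006:10:01:00 +0000] "GET /pkmslogout?filename=notes..v2.html HTTP/1.1" 200 300',
    '192.0.2.10 - alice [01/Feb/2006:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

# Pulls the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(value, rounds=3):
    """Percent-decode up to `rounds` times; logs keep the raw, encoded target."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_dotdot_segment(value):
    """True when a path segment is exactly '..' (so 'notes..v2.html' is fine)."""
    return ".." in re.split(r"[\\/]", decode_fully(value))


def flag_pkmslogout_traversal(log_lines):
    """Return (line_number, filename_value) for suspicious pkmslogout requests."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if not parts.path.lower().endswith("/pkmslogout"):
            continue
        # parse_qs percent-decodes each value once before we inspect it.
        for value in parse_qs(parts.query).get("filename", []):
            if has_dotdot_segment(value):
                hits.append((line_no, value))
    return hits


if __name__ == "__main__":
    for line_no, value in flag_pkmslogout_traversal(SAMPLE_LOG):
        print(f"line {line_no}: suspicious filename={value!r}")
```

Matching on whole path segments rather than the substring `..` keeps ordinary filenames that contain consecutive dots from raising alerts.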

Protection Overview
The Update enables the HTTP Worm Catcher to detect and block the vulnerability based on pre-defined worm signatures.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
The update also includes the following protections:

  • Enhancement to the Microsoft Windows Media Player Vulnerability (CPAI-2006-016)
  • Trojan Spy Goldun.de Protection (CPAI-2006-025)
  • ezDatabase Remote File Inclusion Protection (CPAI-2006-026)
  • TFTPD32 Request Error Message Format String Protection (CPAI-2006-027) - InterSpect NGX only
  • Cisco IOS CDP Status Page Code Injection Protection (CPAI-2006-028)
  • SHOUTcast Filename Request Format String Protection (CPAI-2006-029)
  • Oracle Report File Overwrite/Oracle Report Directory Traversal Protection (CPAI-2006-030)
  • Google Talk via Gmail Web Interface Protection (CPSA-2006-02)
  • Protection Against NFS Vulnerabilities (CPAI-2006-032)
  • Protection against PmWiki multiple vulnerabilities

VPN-1 NGX R61

How Can I Protect My Network?
1. Users of VPN-1 NGX R61 should update their SmartDefense: click the SmartDefense Services tab, then in the left pane, from the drop-down list, click Download Updates, and then click the Online Update button.
2. On the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
3. Enable the following pattern:

IBM Tivoli Access Manager Directory Traversal

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: IBM Tivoli Access Manager Directory Traversal

VPN-1 NGX R60 / VPN-1 NG with Application Intelligence R55W

How Can I Protect My Network?
1. Update your SmartDefense by clicking Online Update in the SmartDashboard General window.
2. On the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
3. Enable the following pattern:

IBM Tivoli Access Manager Directory Traversal

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: IBM Tivoli Access Manager Directory Traversal

VPN-1 NG with Application Intelligence R55/R54

How Can I Protect My Network?
1. Update your SmartDefense by clicking Update Now in the SmartDashboard General window.
2. On the SmartDefense tree, click Application Intelligence > Web and enable General HTTP Worm Catcher.
3. Enable the following pattern:

IBM Tivoli Access Manager Directory Traversal

4. Install security policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: IBM Tivoli Access Manager Directory Traversal

InterSpect NGX

How Can I Protect My Network?
1. Update your SmartDefense: In the left pane from the drop-down list, select Profiles > SmartDefense Service and click the Online Update button.
2. In the left pane, select Profiles > Default Protection and select the Web Intelligence page of the profile.  
3. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.
4. Enable the following pattern:

IBM Tivoli Access Manager Directory Traversal

5. Install policy on all modules. 

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: IBM Tivoli Access Manager Directory Traversal

InterSpect 2.0

How Can I Protect My Network?
1. Update your SmartDefense by clicking Online Update in the SmartDashboard General window.
2. On the SmartDefense tree, click Malicious Code > General HTTP Worm Defender.
3. Enable the following pattern:

IBM Tivoli Access Manager Directory Traversal

4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: IBM Tivoli Access Manager Directory Traversal