ID

VAR-202007-1371


CVE

CVE-2020-4385


TITLE

Use of hard-coded credentials vulnerability in IBM Verify Gateway

Trust: 0.8

sources: JVNDB: JVNDB-2020-008196

DESCRIPTION

IBM Verify Gateway (IVG) 1.0.0 and 1.0.1 contain hard-coded credentials, such as a password or cryptographic key, which the product uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 179266. The vendor has published this vulnerability as IBM X-Force ID: 179266. Information may be obtained or tampered with, and service operation may be interrupted (DoS). IBM Verify Gateway (IVG) is a set of cloud-based identity verification solutions from IBM Corporation in the United States. Currently there is no information about this vulnerability; please keep an eye on CNNVD or vendor announcements. The following products and versions are affected: IBM IVG RADIUS version 1.0.0, PAM version 1.0.0, PAM version 1.0.1, WinLogin version 1.0.0, WinLogin version 1.0.1.

Trust: 1.71

sources: NVD: CVE-2020-4385 // JVNDB: JVNDB-2020-008196 // VULHUB: VHN-182510

AFFECTED PRODUCTS

vendor: ibm, model: verify gateway, scope: eq, version: 1.0.0

Trust: 1.8

vendor: ibm, model: verify gateway, scope: eq, version: 1.0.1

Trust: 1.8

sources: JVNDB: JVNDB-2020-008196 // NVD: CVE-2020-4385

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-4385
value: CRITICAL

Trust: 1.0

psirt@us.ibm.com: CVE-2020-4385
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-008196
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202007-1350
value: CRITICAL

Trust: 0.6

VULHUB: VHN-182510
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2020-4385
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-008196
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-182510
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-4385
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

psirt@us.ibm.com: CVE-2020-4385
baseSeverity: MEDIUM
baseScore: 6.8
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 4.0
version: 3.0

Trust: 1.0

NVD: JVNDB-2020-008196
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-182510 // JVNDB: JVNDB-2020-008196 // CNNVD: CNNVD-202007-1350 // NVD: CVE-2020-4385 // NVD: CVE-2020-4385

PROBLEMTYPE DATA

problemtype: CWE-798

Trust: 1.9

sources: VULHUB: VHN-182510 // JVNDB: JVNDB-2020-008196 // NVD: CVE-2020-4385

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202007-1350

TYPE

trust management problem

Trust: 0.6

sources: CNNVD: CNNVD-202007-1350

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-008196

PATCH

title: 6251291, url: https://www.ibm.com/support/pages/node/6251291

Trust: 0.8

title: ibm-ivg-cve20204385-info-disc (179266), url: https://exchange.xforce.ibmcloud.com/vulnerabilities/179266

Trust: 0.8

title: IBM Verify Gateway Repair measures for trust management problem vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=125002

Trust: 0.6

sources: JVNDB: JVNDB-2020-008196 // CNNVD: CNNVD-202007-1350

EXTERNAL IDS

db: NVD, id: CVE-2020-4385

Trust: 2.5

db: JVNDB, id: JVNDB-2020-008196

Trust: 0.8

db: CNNVD, id: CNNVD-202007-1350

Trust: 0.7

db: CNVD, id: CNVD-2020-44076

Trust: 0.1

db: VULHUB, id: VHN-182510

Trust: 0.1

sources: VULHUB: VHN-182510 // JVNDB: JVNDB-2020-008196 // CNNVD: CNNVD-202007-1350 // NVD: CVE-2020-4385

REFERENCES

url: https://www.ibm.com/support/pages/node/6251291

Trust: 1.7

url: https://exchange.xforce.ibmcloud.com/vulnerabilities/179266

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2020-4385

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-4385

Trust: 0.8

url: https://www.ibm.com/blogs/psirt/security-bulletin-ibm-verify-gateway-does-not-hide-a-cryptographic-key-in-one-of-its-binary-files-cve-2020-4385/

Trust: 0.6

sources: VULHUB: VHN-182510 // JVNDB: JVNDB-2020-008196 // CNNVD: CNNVD-202007-1350 // NVD: CVE-2020-4385

SOURCES

db: VULHUB, id: VHN-182510
db: JVNDB, id: JVNDB-2020-008196
db: CNNVD, id: CNNVD-202007-1350
db: NVD, id: CVE-2020-4385

LAST UPDATE DATE

2024-11-23T22:21:04.598000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-182510, date: 2020-07-24T00:00:00
db: JVNDB, id: JVNDB-2020-008196, date: 2020-09-04T00:00:00
db: CNNVD, id: CNNVD-202007-1350, date: 2020-07-27T00:00:00
db: NVD, id: CVE-2020-4385, date: 2024-11-21T05:32:40.937

SOURCES RELEASE DATE

db: VULHUB, id: VHN-182510, date: 2020-07-22T00:00:00
db: JVNDB, id: JVNDB-2020-008196, date: 2020-09-04T00:00:00
db: CNNVD, id: CNNVD-202007-1350, date: 2020-07-21T00:00:00
db: NVD, id: CVE-2020-4385, date: 2020-07-22T21:15:12.373