CVE-2016-4560 DLL planting vulnerability

The CVE-2016-4560 DLL planting vulnerability information below is as posted on the IBM Integration Bus v9 support link. The text below is taken from the IBM Support portal, and the link is posted for reference. Please check the security bulletin posted in the IBM Integration Bus v9 section.

I recently upgraded the IIB v9 product from v9.0.0.2 to v9.0.0.6 for my customer due to concerns raised by the security team about this vulnerability in the IIB product.

Issue details: The Windows graphical user interface installer (setup.exe) used by WebSphere Message Broker, IBM Integration Bus, IBM Integration Bus Healthcare Pack, IBM Integration Bus Manufacturing Pack, and IBM Integration Bus Retail Pack, is susceptible to a DLL-planting vulnerability, where a malicious DLL that is present in the Windows search path could be loaded by the operating system in place of the genuine file.

Security Bulletin: IBM WebSphere Installer used by WebSphere Message Broker, IBM Integration Bus, IBM Integration Bus Healthcare Pack, Manufacturing Pack and Retail Pack is susceptible to DLL-planting vulnerability (CVE-2016-4560)

Link: https://www-01.ibm.com/support/docview.wss?uid=swg21979292

As mentioned in the IBM Technote, the following steps work around the InstallAnywhere untrusted search path vulnerability, in which a local user could gain elevated privileges by planting a DLL in a directory the installer loads from:
1) Create a new, empty, secure directory in a temporary location.
The directory must not exist previously and only the administrator should have write access to it.
2) Either copy or move the installer executable, or unpack the installation zip file into the new, empty folder created in Step 1.
3) Ensure that there are no DLL files in this directory.
4) Launch the installer executable from its new location.
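The four steps above can be scripted so that the staging directory is created with an admin-only ACL, checked for stray DLLs, and used as the working directory of the installer process (the CVE description names the current working directory of the setup launcher as the plant location). The script below is an added example, not part of the IBM Technote or the IIB product; the `$Installer` parameter, the staging path under `%TEMP%` and the identities granted write access are assumptions, and the script must be run from an elevated (Administrator) PowerShell session.

```powershell
# Added example (not IBM's code): stage an installer in a fresh, admin-only
# directory and launch it from there, following the Technote workaround.
# Assumption: $Installer points at the downloaded setup.exe or fix pack .exe.
param(
    [Parameter(Mandatory = $true)][string]$Installer
)

# Step 1: a new directory that did not exist before, in a temporary location.
$stage = Join-Path $env:TEMP ("iib-install-" + [guid]::NewGuid().ToString("N"))
if (Test-Path $stage) { throw "Staging directory already exists: $stage" }
New-Item -ItemType Directory -Path $stage | Out-Null

# Replace the inherited ACL: only Administrators and SYSTEM may write here.
$acl = Get-Acl -Path $stage
$acl.SetAccessRuleProtection($true, $false)   # stop inheritance, drop inherited ACEs
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
}
# Ordinary users get read/execute only, so they cannot drop a DLL into the folder.
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Users', 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
Set-Acl -Path $stage -AclObject $acl

# Verify the ACL took effect: no Allow ACE outside the two admin identities carries a write right.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write
foreach ($ace in (Get-Acl -Path $stage).Access) {
    $isWrite = (([int]$ace.FileSystemRights) -band $writeMask) -ne 0
    if ($ace.AccessControlType -eq 'Allow' -and $isWrite -and
        $ace.IdentityReference.Value -notin 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        throw "Unexpected write access for $($ace.IdentityReference) on $stage"
    }
}

# Step 2: copy the installer executable into the staging directory.
Copy-Item -Path $Installer -Destination $stage

# Step 3: refuse to continue if any DLL is present alongside the installer.
$dlls = Get-ChildItem -Path $stage -Filter *.dll -Recurse -File
if ($dlls) {
    throw "Refusing to launch: DLL files present in staging directory: $($dlls.FullName -join ', ')"
}

# Step 4: launch from the new location, with the staging directory as the process CWD,
# so the launcher's DLL search does not start in the folder the file was downloaded to.
$exe = Join-Path $stage (Split-Path -Path $Installer -Leaf)
Start-Process -FilePath $exe -WorkingDirectory $stage -Wait
```

The ACL check is the part a reviewer would insist on: creating a folder under `%TEMP%` alone inherits the user profile's permissions, which give the logged-on user write access, so a lower-privileged process running as that user could still plant a DLL there before the installer starts. Disabling inheritance and re-reading the ACL confirms that only the admin identities can write.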

The vulnerability affects the executable (.exe file extension) installers and fix packs for the following products:

  • IBM Integration Bus V9 for Windows (V9.0.0.0 -> V9.0.0.5)
  • WebSphere Message Broker V8 for Windows (V8.0.0.0 -> V8.0.0.7)
  • IBM Integration Bus Healthcare Pack V3 for Windows (V3.0.0.0 -> V3.0.0.1)
  • WebSphere Message Broker Connectivity Pack for Healthcare V8 for Windows (V8.0.0.0)
  • WebSphere Message Broker Connectivity Pack for Healthcare V7 for Windows (V7.0.0.0 -> V7.0.0.2)
  • IBM Integration Bus Manufacturing Pack V1 for Windows (V1.0.0.0 -> V1.0.0.1)
  • IBM Integration Bus Retail Pack V1 for Windows (V1.0.0.0)

CVE Details

CVEID: CVE-2016-4560
DESCRIPTION: Flexera InstallAnywhere could allow a local attacker to gain elevated privileges on the system, caused by an untrusted search path. An attacker could exploit this vulnerability, by using a Trojan horse DLL in the current working directory of a setup-launcher executable file, to gain elevated privileges on the system.