CVE-2022-40234 IBM Spectrum Protect Plus prior to version 10.1.12 included private key information for a certificate in the generated .crt file.

The private key information can be used to decrypt and impersonate the legitimate user. For example, an attacker may maliciously send an email with the .crt file attached to the IBM Spectrum Protect Plus server. An unsuspecting user then opens the email and automatically downloads the .crt file to the computer. An attacker may then use the private key information to decrypt the email and impersonate the user. This issue was fixed in version 10.1.12. Older versions of IBM Spectrum Protect Plus do not have a way to remove the private key information from generated .crt files. Therefore, it is best to not share these generated .crt files.

IBM Spectrum Protect Plus - Asset Management

IBM Spectrum Protect Plus is a cloud-based endpoint management solution that helps enterprises secure their endpoints from advanced attacks by providing event monitoring, detection, and response. IBM Spectrum Protect Plus provides protection for desktops, laptops, servers, and mobile devices. IBM Spectrum Protect Plus includes the ability to help enterprises with asset management. The issue that needs to be addressed is how to delete private key information from generated .crt files in older versions of IBM Spectrum Protect Plus.

Deployment Recommendations

It is best to disable the email encryption feature and not to share .crt files generated by IBM Spectrum Protect Plus.
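A pre-sharing check for the recommendation above, as an added example (not IBM's code and not part of the original advisory). It assumes the generated .crt file is PEM-encoded, which the advisory does not state; the function names and the sample data are constructed for illustration.

```python
import re

# Matches one PEM block (RFC 7468 textual encoding) and captures its label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r".*?"
    r"-----END (?P=label)-----",
    re.DOTALL,
)


def pem_labels(text):
    """Return the label of every PEM block found in text, in order."""
    return [m.group("label") for m in PEM_BLOCK.finditer(text)]


def private_key_labels(text):
    """Return labels of blocks that carry private key material
    (PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY, ...)."""
    return [label for label in pem_labels(text) if label.endswith("PRIVATE KEY")]


def certificate_only(text):
    """Return only the CERTIFICATE blocks, dropping every other block."""
    blocks = [m.group(0) for m in PEM_BLOCK.finditer(text)
              if m.group("label") == "CERTIFICATE"]
    return "\n".join(blocks) + "\n" if blocks else ""


# Constructed sample: placeholder bodies, not real certificate or key data.
SAMPLE_CRT = """-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0VSVC1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZLVBMQUNFSE9MREVS
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    found = private_key_labels(SAMPLE_CRT)
    print("private key blocks:", found or "none")
    print(certificate_only(SAMPLE_CRT), end="")
```

Dropping the key block from a copy does not help for a file that has already been shared; a key that has left the server should be treated as exposed.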

CVE-2023-40235

An attacker may use a malicious .crt file to impersonate the legitimate user's computer. For example, an attacker may send an email with a malicious .crt file attached and make the user download it. The legitimate user then installs the .crt file on their machine and uses their private key information to decrypt the email. However, the .crt file contains a malicious payload that then attacks the legitimate user's computer remotely. This issue was fixed in IBM Spectrum Protect Plus version 10.1.12 and later releases. Older versions of IBM Spectrum Protect Plus do not have a way to remove the private key information from generated .crt files, which makes it best not to share these generated .crt files if you are concerned about this issue.

Public Key Information Disclosure

A man-in-the-middle attack occurs when an attacker intercepts a communication between two users and changes the data passing between the devices. This can happen in ordinary email conversations, as well as in SSL communications.

IBM Spectrum Protect System Vulnerability

IBM Spectrum Protect System 10.1.12 was released on November 8th, 2016 and includes a fix for CVE-2022-40234. This vulnerability in IBM Spectrum Protect Plus could allow an attacker to impersonate the user and decrypt emails that are sent to the server. The vulnerability is located in the way IBM Spectrum Protect Plus generates .crt files on the system that have private key information associated with them. This vulnerability was discovered by researchers from Vulnerability Lab and Microsoft BlueHat security experts.

Timeline

Published on: 09/19/2022 18:15:00 UTC
Last modified on: 09/21/2022 17:42:00 UTC
