CVE-2020-4699 - Observable Discrepancy

Severity

53%

Complexity

16%

Confidentiality

60%

IBM Security Access Manager 9.0.7 and IBM Security Verify Access 10.0.0 could allow an attacker to obtain sensitive using timing side channel attacks which could aid in further attacks against the system. IBM X-Force ID: 186947.

CVSS 3.1 Base Score 5.3. CVSS Attack Vector: adjacent_network. CVSS Attack Complexity: high. CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

CVSS 2.0 Base Score 2.9. CVSS Attack Vector: adjacent_network. CVSS Attack Complexity: medium. CVSS Vector: (AV:A/AC:M/Au:N/C:P/I:N/A:N).

Demo Examples

Observable Discrepancy

CWE-203

The following code checks validity of the supplied username and password and notifies the user of a successful or failed login.


               
}
}
print "Login Successful";
print "Login Failed - incorrect password";
print "Login Failed - unknown username";

In the above code, there are different messages for when an incorrect username is supplied, versus when the username is correct but the password is wrong. This difference enables a potential attacker to understand the state of the login function, and could allow an attacker to discover a valid username by trying different values until the incorrect password message is returned. In essence, this makes it easier for an attacker to obtain half of the necessary authentication credentials.

While this type of information may be helpful to a user, it is also useful to a potential attacker. In the above example, the message for both failed cases should be the same, such as:


               
"Login Failed - incorrect username or password"

Observable Discrepancy

CWE-203

Non-uniform processing time causes timing channel.

Suppose a hardware IP for implementing an encryption routine works fine per se, but the time taken to output the result of the encryption routine depends on a certain relationship between the input plaintext and the key (e.g., suppose, if the plaintext is similar to the key, it would run very fast).

In the example above, an attacker can vary the inputs and, depending on the seen differences between processing times (different plaintexts take different time), can infer certain information about the key.

If the actual processing time was different for different plaintexts, artificial delays can be introduced to ensured all plaintexts take equal time to execute, even though the timing was internally different.

Overview

First reported 4 years ago

2020-10-12 13:15:00

Last updated 4 years ago

2020-10-19 15:05:00

Affected Software

IBM Security Access Manager 9.0.7.0

9.0.7.0

References

ibm-sam-cve20204699-info-disc (186947)

https://www.ibm.com/support/pages/node/6346619

ibm-sam-cve20204699-info-disc (186947)

VDB Entry, Vendor Advisory

https://www.ibm.com/support/pages/node/6346619

Vendor Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.