Vigil@nce - IBM GSKit: denial of service via CBC/AEAD
October 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can inject a malicious packet into a TLS session, in
order to stop applications linked to IBM GSKit.
– Impacted products: Tivoli Directory Server, WebSphere AS
– Severity: 2/4
– Creation date: 08/10/2012
DESCRIPTION OF THE VULNERABILITY
The IBM Global Security Kit product implements SSL/TLS for several
IBM products.
However, a TLS message using a CBC or AEAD (Authenticated
Encryption with Associated Data) algorithm generates an error in
GSKit. Technical details are unknown.
An attacker can therefore inject a malicious packet into a TLS
session, in order to stop applications linked to IBM GSKit.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/IBM-GSKit-denial-of-service-via-CBC-AEAD-12037