IBM Verify Gateway (IVG) vulnerability allowed remote attackers to brute-force their way in

guest · Jul 23, 2020

IBM Verify Gateway vulnerability allowed remote attackers to brute-force their way in
July 23, 2020
https://www.zdnet.com/article/ibm-v...lowed-remote-attackers-to-force-their-way-in/

IBM has patched a vulnerability in Verify Gateway (IVG) that allows attackers to brute-force their way into systems remotely.
IVG is software designed to protect enterprise systems through multi-factor authentication features and pre-built credential provider services.

This week, the tech giant issued a set of security advisories relating to versions 1.0.0 and 1.0.1 of the software, the most serious being the disclosure of CVE-2020-4400.
Issued a CVSS severity score of 7.5, the vulnerability has been caused by an account lockout mechanism deemed "inadequate" which does not prevent multiple access attempts.
Click to expand...

IBM has also released a security advisory for CVE-2020-4369, a vulnerability in the privileged access management (PAM) components of the authentication gateway.

In addition, IBM has also tackled CVE-2020-4372, another information disclosure issue present in IVG for RADIUS, AIX PAM, Linux PAM, and Windows Login.
The vulnerability occurs when IVG components are running with debug tracing. When active, client secrets are exposed in cleartext via the debug log, including client usernames, passwords, and client IDs.
Click to expand...

Log in or Sign up

IBM Verify Gateway (IVG) vulnerability allowed remote attackers to brute-force their way in

guest Guest

Log in or Sign up

IBM Verify Gateway (IVG) vulnerability allowed remote attackers to brute-force their way in

guest Guest

Useful Searches