A vulnerability has been found in IBM Security Guardium Data Encryption 3.0.0.2 (Policy Management Software) and classified as problematic. Affected by this vulnerability is an unknown function of the component Password Policy. The manipulation with an unknown input leads to a missing encryption vulnerability. The CWE definition for the vulnerability is CWE-311. The product does not encrypt sensitive or critical information before storage or transmission. As an impact it is known to affect confidentiality. The summary by CVE is:

IBM Security Guardium Data Encryption (GDE) 3.0.0.2 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 171929.

The weakness was released 08/26/2020 (Website). The advisory is shared at ibm.com. This vulnerability is known as CVE-2019-4698 since 01/03/2019. The exploitation appears to be difficult. The attack can be launched remotely. The exploitation doesn't need any form of authentication. It demands that the victim is doing some kind of user interaction. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 08/27/2020). It is expected to see the exploit prices for this product increasing in the near future.MITRE ATT&CK project uses the attack technique T1600 for this issue.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Entries connected to this vulnerability are available at 160316, 160317, 160319 and 160323.

Productinfo

Type

• Policy Management Software

Vendor

• IBM

Name

• Security Guardium Data Encryption

Version

• 3.0.0.2

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion