A vulnerability was found in IBM Algorithmics (version unknown). It has been rated as problematic. Affected by this issue is the function this. The manipulation of the argument string with an unknown input leads to a cryptographic issues vulnerability. Using CWE to declare the problem leads to CWE-310. Impacted is confidentiality. CVE summarizes:

The decrypt function in RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics does not require a key, which makes it easier for remote attackers to obtain cleartext passwords by sniffing the network and then providing a string argument to this function.

The weakness was published 07/07/2014 (Website). The advisory is shared for download at sec-consult.com. This vulnerability is handled as CVE-2014-0869 since 01/06/2014. The attack may be launched remotely. No form of authentication is required for exploitation. Technical details as well as a public exploit are known. The MITRE ATT&CK project declares the attack technique as T1600.

The exploit is available at exploit-db.com. It is declared as proof-of-concept.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the databases at X-Force (90943) and Exploit-DB (33942). Similar entries are available at 70284, 70282, 70281 and 70279.

Productinfo

Vendor

• IBM

Name

• Algorithmics

License

• commercial

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion