CVE-2021-29704

7.5 HIGH

📋 TL;DR

IBM Security SOAR uses weak cryptographic algorithms that could allow attackers to decrypt sensitive information stored or transmitted by the system. This affects organizations using vulnerable versions of IBM Security SOAR, potentially exposing incident response data, credentials, and other confidential information.

💻 Affected Systems

Products:
  • IBM Security SOAR
Versions: prior to 43.1.59
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using default cryptographic settings are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of all encrypted sensitive data, including credentials, incident details, and forensic evidence, leading to a data breach and operational disruption.

🟠 Likely Case: Targeted decryption of specific sensitive information, such as credentials or incident data, enabling further attacks within the environment.

🟢 If Mitigated: Limited impact if strong network segmentation and access controls prevent attackers from reaching encrypted data streams.

🌐 Internet-Facing: MEDIUM - Exploitation requires access to encrypted data, which may be exposed through APIs or web interfaces.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts could exploit this to access sensitive incident response data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to encrypted data and cryptographic analysis capabilities.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 43.1.59 and later

Vendor Advisory: https://www.ibm.com/support/pages/node/6482585

Restart Required: Yes

Instructions:

1. Back up the SOAR configuration and data.
2. Download and install IBM Security SOAR version 43.1.59 or later from IBM Fix Central.
3. Restart all SOAR services.
4. Verify that the cryptographic settings use strong algorithms.

🔧 Temporary Workarounds

Enable Strong Cryptographic Algorithms

Configure SOAR to use only strong cryptographic algorithms (AES-256, SHA-256 or stronger) if the currently installed version supports this setting.

Refer to the IBM Security SOAR administration guide for cryptographic configuration.

🧯 If You Can't Patch

  • Isolate SOAR system from untrusted networks and implement strict access controls
  • Monitor for unusual access patterns to encrypted data and implement data encryption at rest using external strong encryption

🔍 How to Verify

Check if Vulnerable:

Check the IBM Security SOAR version via the admin console or from the command line:

soar --version

Verify Fix Applied:

Verify that the version is 43.1.59 or later and that the cryptographic configuration uses strong algorithms.

📡 Detection & Monitoring

Log Indicators:

  • Unusual cryptographic operations
  • Multiple failed decryption attempts
  • Configuration changes to cryptographic settings

Network Indicators:

  • Unusual patterns in encrypted traffic analysis
  • Traffic to/from SOAR system showing cryptographic anomalies

SIEM Query:

source="soar" AND (event_type="crypto_error" OR config_change="cryptographic")
