CVE-2021-38979

7.5 HIGH

📋 TL;DR

IBM Tivoli Key Lifecycle Manager versions 3.0 through 4.1 store user passwords as unsalted cryptographic hashes. Without a per-user salt, one precomputed (rainbow) table or a single wordlist pass applies to every stored hash at once, and any two accounts that share a password are immediately visible as identical hashes. An attacker who obtains the credential store (from the host, a backup, or an export) can therefore recover passwords far more cheaply than against a properly salted, iterated scheme. This affects every organization running these versions for cryptographic key management.

💻 Affected Systems

Products:
  • IBM Tivoli Key Lifecycle Manager
Versions: 3.0, 3.0.1, 4.0, 4.1
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable regardless of configuration.

📦 What is this software?

IBM Tivoli Key Lifecycle Manager (sold in these releases as IBM Security Key Lifecycle Manager) is a centralized key management server that generates, stores and serves encryption keys and certificates to encrypting storage devices, tape libraries and KMIP clients. Because it holds the keys that protect data at rest elsewhere in the estate, its administrative credentials are high-value targets.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers recover administrative passwords, gain full control of the key management system, and compromise all managed cryptographic keys, leading to data decryption and system compromise.

🟠

Likely Case

Attackers with access to password hashes recover weaker passwords, gaining unauthorized access to the key management interface and potentially extracting some cryptographic keys.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to the specific Tivoli Key Lifecycle Manager instance, though password recovery remains possible.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ❌ No (none is needed; any obtained hashes are cracked offline with commodity tools such as hashcat or John the Ripper)
Weaponized: N/A (this is a credential-storage weakness, not a remotely triggerable bug)
Unauthenticated Exploit: ❌ No
Complexity: LOW (once the hashes are in hand)

Exploitation first requires the stored hashes, which means read access to the host, the credential store, or a backup or export of it; in practice that is post-compromise or insider access. Once obtained, the hashes are cracked offline, so no further interaction with the product is needed and rate limiting on the login interface does not help. Because the hashes are unsalted, one precomputed table or wordlist run covers every account at once, and identical hashes reveal shared passwords without any cracking.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply interim fix or upgrade to version 4.1.0.2 or later

Vendor Advisory: https://www.ibm.com/support/pages/node/6516034

Restart Required: Yes

Instructions:

1. Download the interim fix or fix pack from IBM Fix Central.
2. Stop all Tivoli Key Lifecycle Manager services.
3. Apply the fix according to IBM's instructions in the advisory.
4. Restart all services.
5. Force password resets for all accounts.

Step 5 is not optional: a fix that changes the hashing scheme normally applies only to passwords set after it is installed, so existing accounts keep their unsalted hashes until each password is changed. Rotate any credentials that may already have been captured from the host or its backups.

🔧 Temporary Workarounds

Enforce strong password policies

Applies to: all affected versions

Require long, complex passwords so that wordlist and rainbow-table attacks against the unsalted hashes are less likely to succeed; unsalting is not mitigated, only the cost of each guess that happens to be in the attacker's list.

Restrict access to hash storage

Applies to: all affected versions

Apply strict file and database permissions to the credential store, and protect backups and exports of it to the same standard, since a copy of the store is as good as the original for offline cracking.

🧯 If You Can't Patch

  • Implement network segmentation to isolate Tivoli Key Lifecycle Manager from untrusted networks
  • Enable multi-factor authentication if supported and monitor for unauthorized access attempts
  • Encrypt and access-control backups of the server, and treat any exposure of a backup as exposure of every stored hash

🔍 How to Verify

Check if Vulnerable:

Check the installed version in the administrative console or the product's release information. Versions 3.0, 3.0.1, 4.0 and 4.1 are vulnerable unless the interim fix from the advisory has been applied.

Check Version:

Consult the product documentation for the version query appropriate to your installation method; the page does not give a single command that covers all platforms.

Verify Fix Applied:

Verify that the version is 4.1.0.2 or later, or confirm through your patch management system that the interim fix is installed. Then confirm that every account's password has been reset since the fix, because hashes created before it remain unsalted.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts against one account, or across many accounts from one source (password spraying with cracked or guessed credentials)
  • Reads or copies of the credential store, its configuration files or its backups by unexpected accounts or processes
  • Administrative password changes or new administrative accounts that no change record explains

Network Indicators:

  • Unusual connections to Tivoli Key Lifecycle Manager administrative or KMIP ports from hosts that do not normally use them
  • Large or unscheduled transfers of backup or export data off the server

SIEM Query (illustrative pseudo-syntax; the source name and field names are placeholders that must be mapped to how your SIEM ingests this product's audit and OS logs):

source="tivoli_klm" AND (event_type="authentication_failure" OR file_access="*password*")

🔗 References

  • IBM Security Bulletin: https://www.ibm.com/support/pages/node/6516034
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-38979