CVE-2024-49823
📋 TL;DR
This vulnerability in IBM Common Cryptographic Architecture allows authenticated users to send specially crafted valid requests that can cause a denial of service in the Hardware Security Module (HSM). Organizations using IBM CCA versions 7.0.0 through 7.5.51 for cryptographic operations are affected.
💻 Affected Systems
- IBM Common Cryptographic Architecture
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete HSM unavailability, disrupting all cryptographic operations including encryption, decryption, key management, and digital signatures across dependent systems.
Likely Case
Temporary HSM service disruption requiring manual intervention to restore functionality, impacting cryptographic operations until service is restored.
If Mitigated
Limited impact with proper authentication controls and request monitoring, potentially causing only brief service interruptions.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of the specific request sequence that triggers the DoS condition.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.5.52 and later
Vendor Advisory: https://www.ibm.com/support/pages/node/7185282
Restart Required: Yes
Instructions:
1. Download IBM CCA version 7.5.52 or later from IBM Fix Central.
2. Stop all cryptographic services using CCA.
3. Apply the update following IBM's installation guide.
4. Restart cryptographic services and verify functionality.
🔧 Temporary Workarounds
Restrict authenticated access
Limit which users and applications have authenticated access to the CCA cryptographic services to reduce attack surface.
Implement request rate limiting
Configure rate limiting on cryptographic service requests to prevent rapid sequence attacks.
🧯 If You Can't Patch
- Implement strict access controls to limit which users can access cryptographic services
- Monitor HSM performance metrics and set alerts for unusual request patterns or service degradation
🔍 How to Verify
Check if Vulnerable:
Check the installed IBM CCA version with the 'cca_version' command or by examining installed packages. Versions 7.0.0 through 7.5.51 are vulnerable.
Check Version:
cca_version
Verify Fix Applied:
After patching, verify that the version reported by the 'cca_version' command is 7.5.52 or later, then test cryptographic operations.
📡 Detection & Monitoring
Log Indicators:
- Unusual sequence of cryptographic requests from single user
- HSM service restart events
- Cryptographic operation failures
Network Indicators:
- Abnormal pattern of cryptographic API calls
- Increased request rate to cryptographic services
SIEM Query:
source="cca_logs" AND (event="service_restart" OR event="request_error") | stats count by user, src_ip
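The SIEM query above, re-implemented over constructed log lines as an added example (not from the page or from IBM): it reproduces the count by user and source IP of restart and error events, and adds a sliding-window check for the "increased request rate" indicator. The key=value log format, field names and sample values are assumptions made for the example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Assumed key=value log format, constructed for this example; adapt the regex to your collector's fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\S+) user=(?P<user>\S+) src_ip=(?P<src_ip>\S+)")

SAMPLE_LOGS = """\
2024-10-01T10:00:00Z event=request user=app1 src_ip=10.0.0.5
2024-10-01T10:00:01Z event=request user=app1 src_ip=10.0.0.5
2024-10-01T10:00:02Z event=request_error user=app1 src_ip=10.0.0.5
2024-10-01T10:00:03Z event=request_error user=app1 src_ip=10.0.0.5
2024-10-01T10:00:04Z event=request user=app1 src_ip=10.0.0.5
2024-10-01T10:00:05Z event=request user=app1 src_ip=10.0.0.5
2024-10-01T10:00:06Z event=service_restart user=system src_ip=127.0.0.1
2024-10-01T10:05:00Z event=request user=app2 src_ip=10.0.0.9
2024-10-01T10:05:30Z event=request user=app2 src_ip=10.0.0.9
"""

def parse_line(line):
    """Return the parsed fields, or None if the line is not in the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def failure_counts(log_text):
    """Same aggregation as the SIEM query: restart/error events by (user, src_ip)."""
    counts = Counter()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["event"] in ("service_restart", "request_error"):
            counts[(rec["user"], rec["src_ip"])] += 1
    return counts

def rate_alerts(log_text, window_seconds=60, threshold=5):
    """Flag (user, src_ip) pairs exceeding `threshold` events in any sliding
    window of `window_seconds` (lines are assumed to be in time order)."""
    recent, flagged = defaultdict(deque), set()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        key = (rec["user"], rec["src_ip"])
        q = recent[key]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop events that fell out of the window
        if len(q) > threshold:
            flagged.add(key)
    return flagged
```

Tune the window and threshold to the normal request volume of each application before alerting on the flagged pairs.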