Vulnerability Report - Key Material Inadvertently Logged

 
Unisys ID: UIS-2019-2
Status: Published
CVE-ID: CVE-2019-18193
Affected Product: Stealth Solution
Affected Version: 3.4.108.0, 3.4.209.x, 4.0.027.x and 4.0.114
Impact: HIGH
CVSS v3.1 Base Score: 7.5
CVSS v3.1 Vector: AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C
CVSS v2.0 Base Score: 6.6
CVSS v2.0 Vector: (AV:L/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C)
CVSS Temporal Score: 6.5
Common Weakness Enumeration (CWE):  532
Common Platform Enumeration (CPE): 
Source: Internal Reported
Keyword(s): Logging
Vulnerability Description:
Key Material Inadvertently Logged
System Configuration:
Issue is present in Stealth(core) levels 3.4.108.0, 3.4.209.x, 4.0.027.x and 4.0.114 under certain conditions. 
 
Impact of Exploiting Vulnerability:
Key material is visible, allowing potential misuse.
Remediation Description:
Fix included in Stealth levels 4.0.131 and 5.0.024.2 (and higher)
Workaround Information:
References:
PLEs 19269086 and 19269094
Additional Vendor Comment:

CVSS base score increased from 5.3 to 7.5 due to reanalysis of the security impact if an attacker were to gain access to protected resources. See the explanation below for details:

"Exploitability:

Attack vector would be Local since local access to specialized logs is required.

Attack complexity would be High since the attacker would need to work backwards to create their own version of the Unisys negotiation protocol.

Privileges Required would be High since the attacker would need administrator privileges to access internal log files.

User Interaction would be None since no user interaction (other than an attacker) is required.

Scope would be Changed since the exploited vulnerability can affect resources beyond the privileges intended by the vulnerable component.

Impact metrics:

Confidentiality loss would be High since resources normally inaccessible would be exposed to the attacker.

Integrity Impact would be High because there’d be a loss of integrity via illegitimate access.

Availability Impact would be High since a successful attack could result in loss of access to resources."


 
 
 

Disclaimer:

Unisys Corporation provides the information in this Security Vulnerability Report “AS IS.” No warranties of any nature are extended by or for the information. Unisys disclaims any financial or other responsibility that may result from your use of the information, including direct, indirect, special, or consequential damages.


Paper copies are not controlled and may be out of date; reference the Product Support Web site for current data.