BREAKING IBM WEBSPHERE AUTHENTICATION BY ABUSING CRYPTO FLAWS IN LTPA TOKENS
Secura's Tom Tervoort discovered two common vulnerabilities and exposures (CVE's) in IBMs WebSphere Authentication. The vulnerabilities are related to the LTPA2 token, a popular type of token in use in IBM Websphere Liberty. He recommends to install IBM's patches right away, and if possible, avoid LTPA tokens for new applications. Download the whitepaper here:
Download the whitepaper here >
Tokens are a modern way of sharing authentication credentials between web services. Cryptographic protocols are meant to protect such tokens, but as we know, cryptography is hard. During his research Tom discovered two CVE's regarding authentication bypasses and privilege escalations.
INSTALL THE PATCHES RIGHT AWAY
The vulnerabilities have been responsibly disclosed to IBM, which have resulted in patches. If you have an application that uses WebSphere Liberty or Open Liberty and (might) use LTPA authentication, we recommend you install these patches right away.
In general, Tom would recommend against using LTPA tokens for new applications: the underlying cryptography does not follow best practices and these attacks have shown that the complexity of the protocol is sensitive to implementation errors. In this white paper, he presents the technical details.
Download Whitepaper
Download whitepaper with technical details two common vulnerabilities and exposures (CVE's) in IBMs WebSphere Authentication.
DownloadABOUT THE AUTHOR
Tom Tervoort, Principal Security Specialist at Secura
Tom Tervoort, Principal Security Specialist at Secura, has been working at the company since 2016. He is experienced in a variety of types of technical security assesments, and performs vulnerability research with a focus on cryptographic systems. He has won the 2020 Pwnie Award for best cryptographic attack for his discovery of the Zerologon vulnerability.
Discover VULNERABILITIES IN YOUR SYSTEMS
To discover vulnerabilities in your systems, Secura offers a range of services. To learn more, fill out the form below, and an expert will contact you within one business day.