BREAKING IBM WEBSPHERE AUTHENTICATION BY ABUSING CRYPTO FLAWS IN LTPA TOKENS

Secura's Tom Tervoort discovered two common vulnerabilities and exposures (CVE's) in IBMs WebSphere Authentication. The vulnerabilities are related to the LTPA2 token, a popular type of token in use in IBM Websphere Liberty. He recommends to install IBM's patches right away, and if possible, avoid LTPA tokens for new applications. Download the whitepaper here:

Download the whitepaper here >

Tokens are a modern way of sharing authentication credentials between web services. Cryptographic protocols are meant to protect such tokens, but as we know, cryptography is hard. During his research Tom discovered two CVE's regarding authentication bypasses and privilege escalations.

INSTALL THE PATCHES RIGHT AWAY

The vulnerabilities have been responsibly disclosed to IBM, which have resulted in patches. If you have an application that uses WebSphere Liberty or Open Liberty and (might) use LTPA authentication, we recommend you install these patches right away.

In general, Tom would recommend against using LTPA tokens for new applications: the underlying cryptography does not follow best practices and these attacks have shown that the complexity of the protocol is sensitive to implementation errors. In this white paper, he presents the technical details.