VYPR
Unrated severity · NVD Advisory · Published Aug 26, 2020 · Updated Sep 16, 2024

CVE-2019-4688

Description

IBM Security Guardium Data Encryption (GDE) 3.0.0.2 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 171825.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Guardium Data Encryption (GDE) 3.0.0.2 lacks the secure flag on cookies, enabling session hijacking via insecure links.

Vulnerability

IBM Security Guardium Data Encryption (GDE) version 3.0.0.2 does not set the secure attribute on authorization tokens or session cookies [1]. This misconfiguration means that cookies are transmitted over unencrypted HTTP connections when the application is accessed via http:// links, rather than being restricted to HTTPS. The affected component is the web session management of GDE [1].

Exploitation

An attacker can exploit this vulnerability by crafting an http:// link pointing to the GDE application or by planting such a link on a site the victim visits. When the victim follows that link, the browser sends the session cookie in plaintext over the network to the insecure HTTP endpoint. An attacker positioned to sniff network traffic (e.g., on the same LAN or an untrusted network) can intercept and obtain the cookie value [1]. No authentication or prior access is required beyond the ability to deliver the link and eavesdrop on the traffic.

Impact

Successful exploitation allows the attacker to capture the victim's session cookie. With this cookie, the attacker can impersonate the authenticated user and gain unauthorized access to the GDE web interface and its data at the same privilege level as the victim. The CIA impact is primarily confidentiality, as the attacker can view sensitive information, and potentially integrity/availability if additional actions are performed while impersonating the user [1].

Mitigation

IBM has not released a dedicated patch for this specific cookie configuration issue in the available references [1]. The recommended mitigation is to ensure that the GDE web interface is accessed only over HTTPS and that administrators explicitly set the Secure attribute on session and authorization cookies, or verify that their web server settings already do so. As of the last reference, no fixed version is explicitly stated; organizations should monitor IBM's advisory for updates [1].
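To verify that the mitigation above is actually in place, here is an added example (not code from IBM or from this advisory) that parses the Set-Cookie headers of an HTTP response and flags session or authorization cookies issued without the Secure attribute; the sample response and the SESSION_HINTS name list are constructed assumptions.

```python
"""Audit Set-Cookie headers for the weakness in CVE-2019-4688: session or
authorization cookies issued without the Secure attribute. The sample
response below is constructed for illustration, not captured from GDE."""
from dataclasses import dataclass, field
from typing import Optional

# Name fragments that usually mark session/authorization cookies (assumption).
SESSION_HINTS = ("sess", "auth", "token", "sid")

@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]
    findings: list = field(default_factory=list)

def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie value; attribute names are case-insensitive (RFC 6265)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return CookieAudit(name=name, secure="secure" in attrs,
                       httponly="httponly" in attrs, samesite=attrs.get("samesite"))

def audit_cookie(header_value: str) -> CookieAudit:
    """Record findings only for cookies that look like session/auth material."""
    c = parse_set_cookie(header_value)
    looks_like_session = any(h in c.name.lower() for h in SESSION_HINTS)
    if looks_like_session and not c.secure:
        c.findings.append("missing Secure: browser will send it over plaintext http://")
    if looks_like_session and not c.httponly:
        c.findings.append("missing HttpOnly: readable by page scripts")
    return c

def audit_response(raw_headers: str) -> dict:
    """Map cookie name -> findings for every Set-Cookie line in a raw header block."""
    report = {}
    for line in raw_headers.splitlines():
        if line.lower().startswith("set-cookie:"):
            c = audit_cookie(line.split(":", 1)[1])
            if c.findings:
                report[c.name] = c.findings
    return report

SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly
Set-Cookie: auth_token=xyz; Path=/; Secure; HttpOnly; SameSite=Strict
Set-Cookie: theme=dark; Path=/
"""
```

Running audit_response on the sample flags only JSESSIONID, the one session cookie issued without Secure.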

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
