CVE-2021-20414
Description
IBM Guardium Data Encryption (GDE) 3.0.0.2 could allow a user to brute force sensitive information due to not properly limiting the number of interactions. IBM X-Force ID: 196216.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Guardium Data Encryption (GDE) 3.0.0.2 allows brute-force attacks on sensitive information due to insufficient rate limiting.
Vulnerability
IBM Guardium Data Encryption (GDE) version 3.0.0.2 fails to enforce a limit on the number of authentication attempts, enabling an attacker to brute-force sensitive information such as passwords or encryption keys [1]. The vulnerability resides in the authentication mechanism and is reachable over the network without user interaction.
Exploitation
An attacker with network access and high-privilege credentials (CVSS:PR:H) can exploit this flaw by repeatedly sending authentication requests to the GDE service [1]. The attack complexity is high (AC:H), but no user interaction is required. The lack of rate limiting allows the attacker to perform a brute-force attack until successful.
Impact
Successful exploitation results in the disclosure of sensitive information (confidentiality impact: high) [1]. An attacker with existing high privileges can obtain additional protected data, such as encryption keys or other secrets, compromising the confidentiality of the system.
Mitigation
IBM has fixed this vulnerability in Guardium Tokenization Server version 2.6.0.205 [1]. Users should upgrade to this version or later. No workarounds are provided, and the vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =3.0.0.2
- IBM/Guardium Data Encryption (v5), Range: 3.0.0.2
Patches
No patches discovered yet.
References
- exchange.xforce.ibmcloud.com/vulnerabilities/196216 (mitre: vdb-entry, x_refsource_XF)
- www.ibm.com/support/pages/node/6470849 (mitre: x_refsource_CONFIRM)