CVE-2024-39745 Overview
CVE-2024-39745 affects IBM Sterling Connect:Direct Web Services versions 6.0, 6.1, 6.2, and 6.3. The product uses weaker than expected cryptographic algorithms, which could allow a network-positioned attacker who captures traffic to decrypt sensitive information transiting the service. The weakness is classified under CWE-327 (Use of a Broken or Risky Cryptographic Algorithm).
IBM Sterling Connect:Direct Web Services brokers managed file transfers across IBM AIX, Linux, and Microsoft Windows environments. Compromise of its cryptographic protections undermines the confidentiality of every payload, credential, and metadata flow handled by the service.
Critical Impact
An unauthenticated attacker who can capture traffic to or from the Web Services interface could decrypt highly sensitive data exchanged through IBM Sterling Connect:Direct, exposing managed file transfer content and associated credentials. Integrity and availability are not affected; the exposure is to confidentiality only.
Affected Products
- IBM Sterling Connect:Direct Web Services 6.0, 6.1, 6.2, and 6.3
- Any supported host platform for those releases: IBM AIX, Linux, and Microsoft Windows. The operating system itself is not the affected component; the Sterling Web Services instance running on it is.
Discovery Timeline
- 2024-08-22 - CVE-2024-39745 published to NVD
- 2024-08-23 - Last updated in NVD database
Technical Details for CVE-2024-39745
Vulnerability Analysis
The vulnerability stems from IBM Sterling Connect:Direct Web Services negotiating or relying on cryptographic algorithms that no longer meet modern strength requirements. Algorithms with insufficient key length, deprecated cipher modes, or known mathematical weaknesses can be broken offline or through targeted cryptanalysis. The result is loss of confidentiality for data secured by these algorithms.
Managed file transfer products such as Sterling Connect:Direct routinely move regulated data including financial transactions, healthcare records, and authentication artifacts. Because Web Services exposes this functionality over the network, the cryptographic posture of the interface directly determines the strength of protection applied to that data in transit.
The issue is network-reachable and requires no authentication or user interaction. An attacker capable of capturing ciphertext, whether through a man-in-the-middle position or passive collection on a shared segment, can attempt offline decryption against the weak algorithm.
Root Cause
The product accepts or defaults to cryptographic primitives that do not provide the confidentiality strength expected for sensitive data. Examples of weaknesses in this category include short symmetric keys, deprecated hash functions used for key derivation, and cipher modes vulnerable to known plaintext or padding-based attacks. IBM has not published the specific algorithm at fault, but the CWE-327 classification identifies the root cause as algorithm selection rather than implementation error.
Attack Vector
Exploitation is performed remotely over the network. The attacker captures encrypted traffic between Connect:Direct Web Services and a client, then performs cryptanalysis against the weak algorithm to recover plaintext. Because integrity and availability are not impacted, this vulnerability is purely a confidentiality exposure. No code execution or service disruption occurs. Refer to the IBM Support Document #7166195 and IBM X-Force Vulnerability #297312 for vendor technical detail.
Detection Methods for CVE-2024-39745
Indicators of Compromise
- Successful TLS or application-layer sessions to Connect:Direct Web Services negotiated with deprecated ciphers, short keys, or legacy hash algorithms.
- Unexpected packet capture activity on network segments carrying Sterling Connect:Direct traffic, including SPAN port use or ARP anomalies indicating man-in-the-middle positioning.
- Exposure rather than evidence of compromise: Sterling Connect:Direct Web Services instances still on 6.0, 6.1, 6.2, or 6.3 without the IBM-published fix applied. Treat these as at-risk hosts whose sessions warrant the cipher checks above.
Detection Strategies
- Inventory all Connect:Direct Web Services hosts and compare versions against the IBM advisory to identify unpatched instances.
- Use network protocol analyzers (for example, Zeek ssl.log or a TLS scanner run against the listener) to enumerate the protocol versions, cipher suites, and key sizes the endpoints actually negotiate, not only what the configuration claims.
- Correlate authentication and file transfer logs with network capture metadata to identify sessions that fell back to weak algorithms.
Monitoring Recommendations
- Continuously monitor the Connect:Direct Web Services listener for client connections that negotiate non-approved cipher suites.
- Alert on configuration drift in cryptographic policy files on AIX, Linux, and Windows hosts running the product.
- Track outbound flows from Connect:Direct servers to validate that downstream peers also enforce strong algorithms end-to-end.
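The detection bullet on enumerating negotiated cipher suites and the monitoring bullet on alerting for non-approved suites can be implemented as one log check. The script below is an added example written for this page, not IBM tooling or code from the advisory. It assumes Zeek-style ssl.log fields (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, version, cipher, server_name), assumes the Web Services listener is TCP 1363, and runs over a constructed log excerpt embedded in the script; adjust the field layout and port to match the real deployment.

```python
"""Flag Connect:Direct Web Services TLS sessions negotiated with weak parameters.

Added example for this page, not IBM code. Assumptions: Zeek-style ssl.log
columns, listener port 1363, and a constructed (not captured) log excerpt.
"""
from __future__ import annotations

import re

# Constructed sample in Zeek's ssl.log layout (tab-separated); not real capture data.
SAMPLE_SSL_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tcipher\tserver_name\n"
    "1724300000.1\tC1\t10.10.0.5\t51234\t10.10.0.20\t1363\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384\tcdws.example.internal\n"
    "1724300001.2\tC2\t10.10.0.6\t51235\t10.10.0.20\t1363\tTLSv10\tTLS_RSA_WITH_3DES_EDE_CBC_SHA\tcdws.example.internal\n"
    "1724300002.3\tC3\t10.10.0.7\t51236\t10.10.0.20\t1363\tTLSv12\tTLS_RSA_WITH_RC4_128_MD5\tcdws.example.internal\n"
    "1724300003.4\tC4\t10.10.0.8\t51237\t10.10.0.20\t1363\tTLSv13\tTLS_AES_256_GCM_SHA384\tcdws.example.internal\n"
    "1724300004.5\tC5\t10.10.0.9\t51238\t10.10.0.20\t1363\tTLSv12\tTLS_RSA_WITH_AES_128_CBC_SHA\tcdws.example.internal\n"
    "1724300005.6\tC6\t192.168.1.4\t40000\t192.168.1.9\t443\tTLSv10\tTLS_RSA_WITH_RC4_128_SHA\tother.example.internal\n"
)

# Assumed Connect:Direct Web Services listener port(s); confirm against the deployment.
CDWS_PORTS = {1363}

# Protocol versions that should never be negotiated (Zeek's version strings).
WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv10", "TLSv11"}

# Cipher-suite name patterns that indicate a CWE-327 style weak or legacy choice.
WEAK_CIPHER_RULES = {
    "null or export-grade cipher": re.compile(r"_NULL_|_EXPORT"),
    "DES/3DES/RC2/RC4/IDEA cipher": re.compile(r"_DES_|_3DES_|_RC2_|_RC4_|_IDEA_"),
    "MD5 MAC": re.compile(r"_MD5$"),
    "CBC mode with SHA-1 MAC (legacy)": re.compile(r"_CBC_SHA$"),
    "static RSA key exchange (no forward secrecy)": re.compile(r"^TLS_RSA_WITH_"),
    "anonymous key exchange": re.compile(r"_anon_|_ANON_"),
}


def parse_zeek_tsv(text: str) -> list[dict[str, str]]:
    """Parse a Zeek TSV log: '#fields' names the columns, other '#' lines are metadata."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row seen before the #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def weak_reasons(version: str, cipher: str) -> list[str]:
    """Return every reason a negotiated (version, cipher) pair fails policy; empty means acceptable."""
    reasons = []
    if version in WEAK_VERSIONS:
        reasons.append(f"deprecated protocol {version}")
    for reason, pattern in WEAK_CIPHER_RULES.items():
        if pattern.search(cipher):
            reasons.append(f"{reason}: {cipher}")
    return reasons


def find_weak_cdws_sessions(log_text: str, ports: set[int] = CDWS_PORTS) -> list[dict]:
    """Return sessions to the assumed Web Services ports that negotiated weak parameters."""
    findings = []
    for row in parse_zeek_tsv(log_text):
        if int(row["id.resp_p"]) not in ports:
            continue  # traffic to some other service; out of scope for this check
        reasons = weak_reasons(row["version"], row["cipher"])
        if reasons:
            findings.append({
                "uid": row["uid"],
                "client": row["id.orig_h"],
                "server": f'{row["id.resp_h"]}:{row["id.resp_p"]}',
                "version": row["version"],
                "cipher": row["cipher"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_weak_cdws_sessions(SAMPLE_SSL_LOG):
        print(f'{f["uid"]} {f["client"]} -> {f["server"]} {f["version"]} {f["cipher"]}')
        for r in f["reasons"]:
            print(f"    {r}")
```

Running it against the embedded sample flags sessions C2, C3 and C5 and ignores C6 because it is not on the assumed listener port. Pointing find_weak_cdws_sessions at a real ssl.log (or at scanner output mapped onto the same columns) gives the per-session list the monitoring bullet asks for. The static-RSA rule goes slightly beyond CWE-327 on purpose: a passively captured session without forward secrecy stays decryptable if the server key is later obtained, which is exactly the capture-then-decrypt scenario this advisory describes. Tune WEAK_CIPHER_RULES to the organisation's approved suite list.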
How to Mitigate CVE-2024-39745
Immediate Actions Required
- Apply the IBM-issued fix referenced in IBM Support Document #7166195 to every Connect:Direct Web Services 6.0, 6.1, 6.2, and 6.3 host.
- Restrict network exposure of the Web Services interface to known administrative and integration hosts using firewall rules.
- Rotate any credentials, API tokens, or keys that may have transited the service while weak algorithms were in use.
Patch Information
IBM has published the remediation through the Sterling Connect:Direct security bulletin. Administrators should consult the IBM Support Document #7166195 for fix pack numbers corresponding to each affected 6.x release and apply the update across AIX, Linux, and Windows installations. The IBM X-Force entry #297312 provides additional vendor context.
Workarounds
- Configure the underlying TLS stack and Connect:Direct cryptographic policy to disable deprecated ciphers, short keys, and legacy hash algorithms until patching is complete.
- Enforce strict client allow-listing on the Web Services endpoint so only trusted partners can negotiate sessions.
- Tunnel Connect:Direct Web Services traffic through an IPsec tunnel or a modern TLS-terminating reverse proxy that enforces approved cipher suites, so that a weak negotiation on the inner hop is never exposed on the network.
# Configuration example: tighten the host cipher policy and restrict reachability (Linux, RHEL-family).
# Caveat: if the product bundles its own TLS stack (for example a Java runtime), the OS policy may not
# apply to it; apply the same restrictions in the product's own TLS configuration as well.
sudo update-crypto-policies --set FUTURE   # stricter than DEFAULT: TLS 1.2+, legacy ciphers and SHA-1 signatures off, larger minimum key sizes
sudo update-crypto-policies --show         # confirm the active policy; services pick it up on restart
# Restrict inbound access to the Web Services listener to trusted networks.
# Port 1363 is assumed here; substitute the port the deployment actually listens on.
# firewalld evaluates rich-rule accepts before drops, so the allow-list entry takes precedence.
sudo firewall-cmd --permanent --add-rich-rule=\
'rule family="ipv4" source address="10.10.0.0/24" port port="1363" protocol="tcp" accept'
sudo firewall-cmd --permanent --add-rich-rule=\
'rule family="ipv4" port port="1363" protocol="tcp" drop'
sudo firewall-cmd --reload
sudo firewall-cmd --list-rich-rules        # verify both rules are active
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


