CVE-2024-38320

CVE-2024-38320 is a cryptographic weakness (CWE-327) in IBM Storage Protect for Virtual Environments: Data Protection for VMware and Storage Protect Backup-Archive Client, affecting versions 8.1.0.0 through 8.1.23.0. These components use weaker than expected cryptographic algorithms, potentially enabling an attacker to decrypt highly sensitive information. The vulnerability carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating medium severity primarily due to high confidentiality impact.

An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) without user interaction (UI:N), though it requires high attack complexity (AC:H). Exploitation yields high confidentiality impact (C:H), allowing decryption of sensitive data, with no effects on integrity, availability, or scope change.

IBM has published security bulletins detailing mitigations and patches at https://www.ibm.com/support/pages/node/7173462 and https://www.ibm.com/support/pages/node/7173465. Security practitioners should review these for upgrade instructions to address the weak algorithms.