Flaw in IBM Asset Management Product Facilitates Attacks on Corporate Networks
A high-severity vulnerability patched recently by IBM in its Maximo asset management solution makes it easier for hackers to move around in enterprise networks, cybersecurity firm Positive Technologies warned on Thursday.
The security hole, tracked as CVE-2020-4529, has been described as a server-side request forgery (SSRF) issue that allows an authenticated attacker to make the affected system send unauthorized requests on their behalf, which IBM says can facilitate other attacks.
The flaw impacts Maximo Asset Management 7.6.0 and 7.6.1 and possibly older versions. IBM has released an update that should patch the vulnerability, and the company has also shared workarounds and mitigations.
Maximo Asset Management is designed to help organizations in asset-intensive industries manage physical assets. The solution is used in various sectors, including oil and gas, aerospace, car manufacturing, railway, pharmaceutical, utilities, and nuclear power plants.
IBM has pointed out that the vulnerability also affects industry-specific solutions if they use an impacted core version. This includes Maximo for Aviation, for Life Sciences, for Oil and Gas, for Nuclear Power, for Transportation, and for Utilities.
While exploitation of the vulnerability requires access to a system within the targeted organization, an attack can be launched from a warehouse worker’s workstation, which may be easier for a threat actor to hack.
“IBM Maximo web interfaces are usually accessible from all of a company’s warehouses, which could be located in multiple regions or countries. So if our ‘warehouse worker’ or equivalent connects through a properly configured VPN, that person’s access within the corporate network is restricted to what they need — from that particular system and email, for example,” explained Positive Technologies researcher Arseny Sharoglazov.
“But the vulnerability we found allows bypassing this restriction and interacting with other systems, on which an attacker could try for remote code execution (RCE) and potentially access all systems, blueprints, documents, accounting information, and ICS process networks. Sometimes employees connect to IBM Maximo directly over the Internet with weak passwords and no VPN, making an attack easier to perform,” Sharoglazov added.
Sharoglazov told SecurityWeek that they have seen some Maximo instances that are accessible from the internet and which can be discovered using the Shodan search engine.
In an attack scenario described by the expert, an attacker brute-forces the password of the targeted system to gain access, and then exploits the vulnerability to compromise another host that could be affected by a different vulnerability.
“For example, if a major bank’s network is compromised, there are risks of customer payment information leakage and unauthorized access to ATM management or money transfer systems,” Sharoglazov said via email.
“If a production or transportation company’s network is compromised, then cybercriminals can get into the technology segment and even stop the facility or provoke a system malfunction. Assuming that the discussed system is used by energy companies and airports, the consequences of a successful attack may be very serious,” he added.