IBM has just released a host of fixes for vulnerabilities in its Spectrum Protect Plus. The vulnerabilities CVE-2020-4703 and CVE-2020-4711 affect versions 10.1.0 through 10.1.6 of IBM Spectrum Protect Plus.
The first one, CVE-2020-4703 is related to IBM’s Spectrum Protect Plus’ Administrative Console and is a full blown RCE vulnerability. If exploited could allow an authenticated attacker to upload arbitrary files, and then use them to execute arbitrary code on the vulnerable server.
The researchers at Tenable, who discovered the flaws, have promptly notified IBM and released a blog post on Monday.
The CVE has been ranked 8 out of 10 on the CVSS scale, making it high-severity.
This vulnerability is due to an incomplete fix for CVE-2020-4470, a high-severity flaw that was previously disclosed in June.
The exploit for CVE-2020-4470 involves two operations.
As Tenable researchers put it “The first operation is to upload a malicious RPM package to a directory writable by the administrator account by sending an HTTP POST message to URL endpoint https://<spp_host>:8090/api/plugin. The second operation is to install the malicious RPM by sending an HTTP POST message to URL endpoint http://<spp_host>:8090/emi/api/hotfix.”
But, as discussed on the blog post, The fix for CVE-2020-4470 only addressed the second operation by enforcing authentication for the /emi/api/hotfix endpoint; it still allows unauthenticated arbitrary file upload to a directory writable by the administrator account, under which the endpoint handlers run.
“The attacker can put malicious content (i.e., scriptlets) in the RPM and and issue a ‘sudo /bin/rpm -ivh /tmp/<uploaded_malicious_rpm>’ command to the webshell, achieving unauthenticated RCE as root,” said researchers.
The second flaw, CVE-2020-4711, exists in a script (/opt/ECX/tools/scripts/restore_wrapper.sh) within Spectrum Protect Plus. A directory path check within this function can be bypassed via path traversal. An unauthenticated, remote attacker can exploit this issue by sending a specially crafted HTTP request to a specially-crafted URL endpoint (https://<spp_host>:8090/catalogmanager/api/catalog), Tenable researchers said.
That endpoint doesn’t require any authentication (when the cmode parameter is the restorefromjob method). When the request has been sent, the endpoint handler instead calls a method (com.catalogic.ecx.catalogmanager.domain.CatalogManagerServiceImpl.restoreFromJob) without checking for user credentials. The restoreFromJob method then executes the /opt/ECX/tools/scripts/restore_wrapper.sh script as root – allowing the attacker to view arbitrary files on the system.
Tenable researchers discovered the flaws on July 31 and reported them to IBM on Aug. 18. IBM released the patches and an advisory disclosing the flaws on Monday.
Disclosure Timeline
07/31/2020 – Vulnerabilities discovered
8/18/2020 – Tenable discloses to IBM PSIRT. 90 days expires November 16. 7 days for prior incomplete patch expires August
25.8/18/2020 – IBM acknowledges, but disputes Tenable findings
8/18/2020 – Tenable marks issue for managerial review.
8/19/2020 – Tenable clarifies policy.
8/20/2020 – IBM reiterates dispute.
8/20/2020 – Tenable rejects dispute.
9/8/2020 – Tenable requests status update.
9/8/2020 – IBM states that fixes are in progress.
9/14/2020 – IBM releases patches and advisory