A high-severity flaw recently fixed by IBM in its Maximo asset management system makes it easier for hackers to move around in corporate networks, cybersecurity company Positive Technologies warned on Thursday.
The security hole, tracked as CVE-2020-4529, has been described as a server-side request forgery (SSRF) issue that allows an authenticated attacker to send out unauthorized requests from a system, which IBM says may facilitate other attacks.
The bug affects Maximo Asset Management versions 7.6.0 and 7.6.1, and probably earlier. IBM released an update to fix the bug, and the company provided workarounds and mitigations as well.
Maximo Asset Management is designed to help companies handle physical assets in asset-intensive industries. The solution is used in different sectors including oil and gas, aerospace, automotive, rail, pharmaceutical, utilities and nuclear power plants.
IBM has pointed out that the bug often affects industry-specific solutions when they use a key product that has been affected. That includes Maximo for Aviation, Life Sciences, Oil and Gas, Nuclear Power, Transport, and Utilities.
Although exploitation of the vulnerability requires access to a system within the targeted organization, an attack may be conducted from the workstation of a warehouse worker, which may make hacking easier for a threat actor.
“In general, IBM Maximo web interfaces are accessible from all the warehouses of an organization that may be located in different regions or countries. So if our ‘warehouse worker’ or equivalent connects with a properly configured VPN, that person’s access to the corporate network is limited to what they need, such as that specific device and email,” explained Positive Technologies re.
“But the vulnerability we found allows us to bypass this restriction and interact with other systems that could be tried by an attacker for remote code execution (RCE) and potentially access all systems, blueprints, documents, accounting information and ICS process networks. Sometimes employees connect to IBM Maximo directly over the Internet with weak passwords and no VPN, making it easier to attack.”
Sharoglazov told SecurityWeek that they saw several Maximo instances accessible from the internet, which can be found using the Shodan search engine.
In an attack scenario described by the expert, an attacker brute-forces the password for the targeted network to gain access, and then exploits the vulnerability to compromise another host that could be affected by another vulnerability.
“For example, if the network of a major bank is compromised, there are risks of leakage of information about customer payments and unauthorized access to ATM management or money transfer systems,” Sharoglazov said via email.
“If the network of a manufacturing or transport company is compromised, then cyber criminals can enter the technology segment and even stop the facility or cause system malfunction. Assuming energy companies and airports use the system discussed, the consequences of a successful assault can be very serious,” he added.