SecurityWeek

Network Security

Flaw in IBM Asset Management Product Facilitates Attacks on Corporate Networks

A high-severity vulnerability patched recently by IBM in its Maximo asset management solution makes it easier for hackers to move around in enterprise networks, cybersecurity firm Positive Technologies warned on Thursday.

The security hole, tracked as CVE-2020-4529, has been described as a server-side request forgery (SSRF) issue that allows an authenticated attacker to make the affected system send unauthorized requests on their behalf, which IBM says can facilitate other attacks.

The flaw impacts Maximo Asset Management 7.6.0 and 7.6.1 and possibly older versions. IBM has released an update that should patch the vulnerability, and the company has also shared workarounds and mitigations.

Maximo Asset Management is designed to help organizations in asset-intensive industries manage physical assets. The solution is used in various sectors, including oil and gas, aerospace, car manufacturing, railway, pharmaceutical, utilities, and nuclear power plants.

IBM has pointed out that the vulnerability also affects industry-specific solutions if they use an impacted core version. This includes Maximo for Aviation, for Life Sciences, for Oil and Gas, for Nuclear Power, for Transportation, and for Utilities.

While exploitation of the vulnerability requires access to a system within the targeted organization, an attack can be launched from a warehouse worker’s workstation, which may be easier for a threat actor to hack.

“IBM Maximo web interfaces are usually accessible from all of a company’s warehouses, which could be located in multiple regions or countries. So if our ‘warehouse worker’ or equivalent connects through a properly configured VPN, that person’s access within the corporate network is restricted to what they need, from that particular system and email, for example,” explained Positive Technologies researcher Arseny Sharoglazov.

“But the vulnerability we found allows bypassing this restriction and interacting with other systems, on which an attacker could try for remote code execution (RCE) and potentially access all systems, blueprints, documents, accounting information, and ICS process networks. Sometimes employees connect to IBM Maximo directly over the Internet with weak passwords and no VPN, making an attack easier to perform,” Sharoglazov added.

Sharoglazov told SecurityWeek that they have seen some Maximo instances that are accessible from the internet and which can be discovered using the Shodan search engine.

In an attack scenario described by the expert, an attacker brute-forces the password of the targeted system to gain access, then exploits the SSRF vulnerability to reach another host that may be affected by a different vulnerability.

“For example, if a major bank’s network is compromised, there are risks of customer payment information leakage and unauthorized access to ATM management or money transfer systems,” Sharoglazov said via email.

“If a production or transportation company’s network is compromised, then cybercriminals can get into the technology segment and even stop the facility or provoke a system malfunction. Assuming that the discussed system is used by energy companies and airports, the consequences of a successful attack may be very serious,” he added.
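The pivot described above works because the application fetches whatever destination an authenticated user supplies. The following is an added example, not IBM's code, not Positive Technologies' code and not the actual Maximo fix: a destination guard of the kind that stops a server-side fetch from being pointed at internal hosts. Function names, the injectable `resolve` hook and the sample URLs are all constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """Return every address string `host` maps to; IP literals pass through."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
        return sorted({info[4][0] for info in infos})


def is_safe_destination(url, allowed_hosts=None, resolve=resolve_host):
    """True only if every address behind `url` is publicly routable.

    `allowed_hosts`, when given, is a strict hostname allowlist and replaces
    the address check (the safer option when the set of legitimate targets
    is known). `resolve` is injectable so the rule can be tested offline and
    so the validated address can be pinned for the real fetch.
    """
    parts = urlsplit(url)
    host = parts.hostname  # lowercased, IPv6 brackets already stripped
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return False  # file://, gopher://, missing host, etc.
    if parts.username is not None or parts.password is not None:
        return False  # reject http://trusted.example@10.0.0.1/ confusion
    if allowed_hosts is not None:
        return host in {h.lower() for h in allowed_hosts}
    try:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    except (socket.gaierror, ValueError):
        return False  # unresolvable or odd address text: fail closed
    if not addrs:
        return False
    for addr in addrs:
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
        if not addr.is_global:
            return False  # private, loopback, link-local, reserved ranges
    return True
```

Checking every resolved address (not just the first) matters because a name may map to one public and one internal address; to close the remaining check-then-fetch window (DNS rebinding), connect to the address that passed validation rather than re-resolving the name.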

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
