Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

IBM Fixes Remote Code Execution Vulnerability in Endpoint Manager

IBM has released a software update for the company’s Endpoint Manager solution to address a vulnerability that can be leveraged by a remote, unauthenticated attacker to execute arbitrary code.

IBM has released a software update for the company’s Endpoint Manager solution to address a vulnerability that can be leveraged by a remote, unauthenticated attacker to execute arbitrary code.

According to IBM, the vulnerability (CVE-2014-6140) affects the Self-Service Portal, Trusted Service Provider, iOS Management Extender, and Admin Portal components of IBM Endpoint Manager for Mobile Devices.

“IBM Tivoli Endpoint Manager Mobile Device Management (MDM) is vulnerable to cross-site scripting, caused by improper validation of user-supplied input,” IBM said in its advisory. “A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s web browser within the security context of the hosting web site, after the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials and execute arbitrary code.”

CVE-2014-6140The security hole has been addressed with the release of version 9.0.60100. All previous versions are affected.

The flaw was reported to IBM by researchers of the Germany-based company RedTeam Pentesting in mid-August. IBM initially planned on releasing a fix in the last week of November, but the update was delayed due to some issues uncovered during quality control testing.

“During a penetration test, RedTeam Pentesting discovered that several IBM Endpoint Manager Components are based on Ruby on Rails and use static secret_token values. With these values, attackers can create valid session cookies containing marshalled objects of their choosing. This can be leveraged to execute arbitrary code when the Ruby on Rails application unmarshals the cookie,” RedTeam Pentesting said in its own advisory, which contains technical details and a proof-of-concept.

“The vulnerability allows unauthenticated remote attackers to execute arbitrary code with administrative privileges on the affected systems. It is highly likely that a successful attack on the application server can also be leveraged into a full compromise of all devices managed through the product. This constitutes a high risk,” the penetration testing firm noted.

IBM says there are no known workarounds or mitigations for this vulnerability. The researchers believe there might be a workaround, but they haven’t tested it.

IBM Endpoint Manager is not affected by the recently disclosed GNU Bash vulnerability known as ShellShock, but many other IBM products are. The company has published tens of advisories for the impacted solutions since September 27.

Advertisement. Scroll to continue reading.

 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.