IBM has released a software update for the company’s Endpoint Manager solution to address a vulnerability that can be leveraged by a remote, unauthenticated attacker to execute arbitrary code.
According to IBM, the vulnerability (CVE-2014-6140) affects the Self-Service Portal, Trusted Service Provider, iOS Management Extender, and Admin Portal components of IBM Endpoint Manager for Mobile Devices.
“IBM Tivoli Endpoint Manager Mobile Device Management (MDM) is vulnerable to cross-site scripting, caused by improper validation of user-supplied input,” IBM said in its advisory. “A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s web browser within the security context of the hosting web site, after the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials and execute arbitrary code.”
The security hole has been addressed with the release of version 9.0.60100. All previous versions are affected.
The flaw was reported to IBM by researchers of the Germany-based company RedTeam Pentesting in mid-August. IBM initially planned on releasing a fix in the last week of November, but the update was delayed due to some issues uncovered during quality control testing.
“During a penetration test, RedTeam Pentesting discovered that several IBM Endpoint Manager Components are based on Ruby on Rails and use static secret_token values. With these values, attackers can create valid session cookies containing marshalled objects of their choosing. This can be leveraged to execute arbitrary code when the Ruby on Rails application unmarshals the cookie,” RedTeam Pentesting said in its own advisory, which contains technical details and a proof-of-concept.
“The vulnerability allows unauthenticated remote attackers to execute arbitrary code with administrative privileges on the affected systems. It is highly likely that a successful attack on the application server can also be leveraged into a full compromise of all devices managed through the product. This constitutes a high risk,” the penetration testing firm noted.
IBM says there are no known workarounds or mitigations for this vulnerability. The researchers believe there might be a workaround, but they haven’t tested it.
IBM Endpoint Manager is not affected by the recently disclosed GNU Bash vulnerability known as ShellShock, but many other IBM products are. The company has published tens of advisories for the impacted solutions since September 27.