IBM has fixed a serious vulnerability in its Endpoint Manager product that could allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
The vulnerability lies in the Endpoint Manager for Mobile Devices component of the product and the researchers who discovered it said the bug could be used to compromise not just a target system, but also all of the devices that are managed by the product. The system is designed to help manage and secure a variety of devices, including laptops, phones and point-of-sale devices. Researchers at RedTeam Pentesting in Germany discovered the vulnerability while doing an assessment on a customer’s network.
“During a penetration test, RedTeam Pentesting discovered that several IBM Endpoint Manager Components are based on Ruby on Rails and use static secret_token values. With these values, attackers can create valid session cookies containing marshalled objects of their choosing. This can be leveraged to execute arbitrary code when the Ruby on Rails application unmarshals the cookie,” the advisory says.
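The mechanism the advisory describes, as an added illustration that is not IBM's, RedTeam's or Rails' own code: a minimal re-creation of the legacy Rails cookie store (a Marshal-serialized session, Base64-encoded and signed with HMAC-SHA1 under secret_token), next to a hardened version that uses a per-deployment random secret and a JSON payload. STATIC_SECRET_TOKEN, the Gadget class and all function names are constructed for the example; Gadget is a benign stand-in for the kind of class an attacker would actually chain, and its marshal_load hook just records that it ran.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# Constructed stand-in for a secret_token shipped unchanged in every install.
# Anyone who has read the application's source, or one copy of it, knows it.
STATIC_SECRET_TOKEN = 'c0ffee' * 20

# Constructed stand-in for a class that already exists on the server and whose
# marshal_load hook runs with attacker-chosen data as soon as the cookie is
# unmarshalled. Real attacks chain classes shipped with Rails/the app instead.
class Gadget
  @executed = []
  class << self
    attr_reader :executed
  end

  def initialize(payload = nil)
    @payload = payload
  end

  def marshal_dump
    @payload
  end

  def marshal_load(payload)
    @payload = payload
    Gadget.executed << payload # in a real gadget this is where code runs
  end
end

# Legacy CookieStore layout: Base64(Marshal.dump(session)) + "--" + HMAC-SHA1.
def generate_digest(secret, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
end

# Constant-time comparison so the digest check itself is not a timing oracle.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Attacker side: with the secret known, any object graph gets a valid signature.
def forge_cookie(secret, obj)
  data = Base64.strict_encode64(Marshal.dump(obj))
  "#{data}--#{generate_digest(secret, data)}"
end

# Vulnerable server side: the signature check passes, then Marshal.load
# instantiates whatever classes the attacker named in the payload.
def load_session_unsafe(secret, cookie)
  data, digest = cookie.split('--', 2)
  return nil unless data && digest && secure_compare(generate_digest(secret, data), digest)
  Marshal.load(Base64.strict_decode64(data))
end

# Hardened server side: a secret generated per deployment, and a JSON payload,
# so even a validly signed cookie can only yield hashes, strings and numbers.
def fresh_secret
  SecureRandom.hex(64)
end

def sign_json_cookie(secret, hash)
  data = Base64.strict_encode64(JSON.generate(hash))
  "#{data}--#{generate_digest(secret, data)}"
end

def load_session_json(secret, cookie)
  data, digest = cookie.split('--', 2)
  return nil unless data && digest && secure_compare(generate_digest(secret, data), digest)
  JSON.parse(Base64.strict_decode64(data))
rescue StandardError
  nil # anything that is not well-formed JSON is treated as no session at all
end

if __FILE__ == $PROGRAM_NAME
  forged = forge_cookie(STATIC_SECRET_TOKEN, Gadget.new('id > /tmp/pwned'))
  load_session_unsafe(STATIC_SECRET_TOKEN, forged)
  puts "gadget ran with: #{Gadget.executed.inspect}"
  puts "same cookie against a fresh secret: #{load_session_unsafe(fresh_secret, forged).inspect}"
end
```

Two things worth noticing when running it: the forged cookie is rejected as soon as the secret is unique to the deployment, which is why a static, shipped secret_token is the root cause rather than Marshal alone; and feeding a validly signed Marshal payload to the JSON loader returns nil, because the serializer, not the signature, decides what the server will instantiate.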
An attacker who exploits the vulnerability gets full control of the vulnerable system. The bug affects all versions of IBM Endpoint Manager for Mobile Devices prior to 9.0.60100.
“The vulnerability allows unauthenticated remote attackers to execute arbitrary code with administrative privileges on the affected systems. It is highly likely that a successful attack on the application server can also be leveraged into a full compromise of all devices managed through the product. This constitutes a high risk,” the advisory warns.
IBM released a patched version of the software on Monday, and the RedTeam researchers said there may also be a workaround, though they haven’t tested it.
“It might be possible to binary patch the Java class files to use a different secret_token value and redeploy the application. This is untested, however,” they say in the advisory.
IBM said in its own advisory to customers that it didn’t know of any workarounds or mitigations.
“IBM Tivoli Endpoint Manager Mobile Device Management (MDM) is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s web browser within the security context of the hosting web site, after the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials and execute arbitrary code,” IBM’s advisory says.