IBM has issued fixes for vulnerabilities in Spectrum Protect Plus, Big Blue’s security tool found under the umbrella of its Spectrum data storage software branding. The flaws can be exploited by remote attackers to execute code on vulnerable systems.
IBM Spectrum Protect Plus is a data-protection solution that provides near-instant recovery, replication, reuse and self-service for virtual machines. The vulnerabilities (CVE-2020-4703 and CVE-2020-4711) affect versions 10.1.0 through 10.1.6 of IBM Spectrum Protect Plus.
The more serious of the two flaws (CVE-2020-4703) exists in IBM Spectrum Protect Plus’ Administrative Console and could allow an authenticated attacker to upload arbitrary files – which could then be used to execute arbitrary code on the vulnerable server, according to researchers with Tenable, who discovered the flaws, in a Monday advisory. The bug ranks 8 out of 10 on the CVSS scale, making it high-severity.
This vulnerability is due to an incomplete fix for CVE-2020-4470, a high-severity flaw that was previously disclosed in June. An exploit for CVE-2020-4470 involves two operations, Tenable researchers said: “The first operation is to upload a malicious RPM package to a directory writable by the administrator account by sending an HTTP POST message to URL endpoint https://<spp_host>:8090/api/plugin,” they said. “The second operation is to install the malicious RPM by sending an HTTP POST message to URL endpoint http://<spp_host>:8090/emi/api/hotfix.”
But IBM’s ensuing fix for CVE-2020-4470 only addressed the second operation by enforcing authentication for the /emi/api/hotfix endpoint. Researchers found, it was still possible to upload unauthenticated arbitrary files to a directory writable by the administrator account, under which the endpoint handlers run – paving the way for code execution on vulnerable systems.
“The attacker can put malicious content (i.e., scriptlets) in the RPM and and issue a ‘sudo /bin/rpm -ivh /tmp/<uploaded_malicious_rpm>’ command to the webshell, achieving unauthenticated RCE as root,” said researchers.
The second flaw, CVE-2020-4711, exists in a script (/opt/ECX/tools/scripts/restore_wrapper.sh) within Spectrum Protect Plus. A directory path check within this function can be bypassed via path traversal. An unauthenticated, remote attacker can exploit this issue by sending a specially crafted HTTP request to a specially-crafted URL endpoint (https://<spp_host>:8090/catalogmanager/api/catalog), Tenable researchers said.
That endpoint doesn’t require any authentication (when the cmode parameter is the restorefromjob method). When the request has been sent, the endpoint handler instead calls a method (com.catalogic.ecx.catalogmanager.domain.CatalogManagerServiceImpl.restoreFromJob) without checking for user credentials. The restoreFromJob method then executes the /opt/ECX/tools/scripts/restore_wrapper.sh script as root – allowing the attacker to view arbitrary files on the system.
Tenable researchers discovered the flaws on July 31 and reported them to IBM on Aug. 18. IBM released the patches and an advisory disclosing the flaws on Monday. Threatpost has reached out to IBM for further comment.
In recent months, various IBM products have been found to have security vulnerabilities. In August, a shared-memory flaw was discovered in IBM’s next-gen data-management software that researchers said could lead to other threats — as demonstrated by a new proof-of-concept exploit for the bug.
And in April, four serious security vulnerabilities in the IBM Data Risk Manager (IDRM) were identified that can lead to unauthenticated remote code execution (RCE) as root in vulnerable versions, according to analysis – and a proof-of-concept exploit is available.
On Wed Sept. 16 @ 2 PM ET: Learn the secrets to running a successful Bug Bounty Program. Register today for this FREE Threatpost webinar “Five Essentials for Running a Successful Bug Bounty Program“. Hear from top Bug Bounty Program experts how to juggle public versus private programs and how to navigate the tricky terrain of managing Bug Hunters, disclosure policies and budgets. Join us Wednesday Sept. 16, 2-3 PM ET for this LIVE webinar.