IBM recently addressed a high-severity issue, tracked as CVE-2020-4529, in its Maximo asset management solution that could facilitate attacks on making lateral movements within corporate networks.
Maximo is designed to assist an organisation in managing its assets
The vulnerability is a server side request forgery (SSRF) issue that has been reported to IBM by Andrey Medov and Arseniy Sharoglazov of Positive Technologies.
The CVE-2020-4529 could allow an authenticated attacker to send unauthorized requests from a system, potentially leading to other attacks, such as network enumeration,
“IBM Maximo Asset Management is vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.” reads the security advisory.
The vulnerability impacts Maximo Asset Management 7.6.0 and 7.6.1., the IT giant already released an update to address the issue along with workarounds and mitigations.
The flaw also affects solutions developed for specific industries, including Aviation, Life Sciences, Oil and Gas, Nuclear Power, Transportation, and for Utilities.
Researchers who discovered the issue explained that an attack can be launched from a warehouse worker’s workstation, which may easy tohack for a threat actor.
“IBM Maximo Asset Management software is used at major critical facilities. Any vulnerabilities in it could attract APT groups interested in access to the internal network. One example of a low-privileged attacker is a warehouse worker, who remotely connects to the system and enters items into a database. A threat could also come from the warehouse worker’s workstation itself, if infected by a virus.” Arseny Sharoglazov explained.
“IBM Maximo web interfaces are usually accessible from all of a company’s warehouses, which could be located in multiple regions or countries. So if our ‘warehouse worker’ or equivalent connects through a properly configured VPN, that person’s access within the corporate network is restricted to what they need— from that particular system and email, for example. But the vulnerability we found allows bypassing this restriction and interacting with other systems, on which an attacker could try for remote code execution (RCE) and potentially access all systems, blueprints, documents, accounting information, and ICS process networks. Sometimes employees connect to IBM Maximo directly over the Internet with weak passwords and no VPN, making an attack easier to perform.”
(SecurityAffairs – hacking, Maximo)