Security researchers Arseny Sharoglazov and Andrey Medov of Positive Technologies discovered a critical vulnerability in IBM Maximo software. The vulnerability, tracked as CVE-2020-4529, allows threat actors to compromise internal enterprise networks. It is rated high severity, with a CVSS (Common Vulnerability Scoring System) score of 7.3, and is a server-side request forgery (SSRF) flaw.
“IBM Maximo Asset Management vulnerability may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks,” IBM said in a statement.
The vulnerability affects two versions of the IBM Maximo Asset Management core products:
| Product | Version |
|---|---|
| IBM Maximo Asset Management | 7.6.0 |
| IBM Maximo Asset Management | 7.6.1 |
IBM has fixed the vulnerability in a patched release and has asked users to update their Maximo software immediately. IBM Maximo is enterprise asset management software used by large businesses to manage maintenance and repairs in asset-intensive industries such as pharmaceuticals, auto manufacturing, oil and gas, utilities, aerospace, railways, airports, and nuclear power plants.
Explaining how an attacker could abuse the vulnerability, security expert Arseny Sharoglazov said, “IBM Maximo Asset Management software is used at major critical facilities. Any vulnerabilities in it could attract APT groups interested in access to the internal network. One example of a low-privileged attacker is a warehouse worker, who remotely connects to the system and enters items into a database. A threat could also come from the warehouse worker’s workstation itself, if infected by a virus.”
“IBM Maximo web interfaces are usually accessible from all of a company’s warehouses, which could be located in multiple regions or countries. So, if our warehouse worker or equivalent connects through a properly configured VPN, that person’s access within the corporate network is restricted to what they need — from that particular system and email, for example. But the vulnerability we found allows bypassing this restriction and interacting with other systems, on which an attacker could try for remote code execution (RCE) and potentially access all systems, blueprints, documents, accounting information, and ICS process networks. Sometimes employees connect to IBM Maximo directly over the Internet with weak passwords and no VPN, making an attack easier to perform,” Sharoglazov added.
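As an added example (not code from the article, Positive Technologies or IBM), the Python below shows one way a defender could spot the network enumeration IBM's advisory warns about: it scans egress log lines for an application server that contacts many unexpected internal hosts within a short window, which is what SSRF-driven probing of a segmented network looks like from the server's side. The log format, host names and allow-list are constructed assumptions.

```python
# Added example: detect SSRF-style internal enumeration in egress logs.
import ipaddress
from datetime import datetime, timedelta

# Constructed sample egress log: "<ISO time> <src_host> -> <dst_ip>:<port>"
SAMPLE_LOG = """\
2020-06-01T10:00:01 maximo-app -> 1.1.1.1:443
2020-06-01T10:00:02 maximo-app -> 10.0.5.1:80
2020-06-01T10:00:03 maximo-app -> 10.0.5.2:80
2020-06-01T10:00:04 maximo-app -> 10.0.5.3:80
2020-06-01T10:00:05 maximo-app -> 10.0.5.4:22
2020-06-01T10:00:06 maximo-app -> 169.254.169.254:80
2020-06-01T10:30:00 backup-srv -> 10.0.5.9:22
"""

# Internal hosts the app server legitimately talks to (assumed, e.g. its DB).
ALLOWED_INTERNAL = {"10.0.5.1"}

def is_internal(ip: str) -> bool:
    """True for private, loopback and link-local (incl. cloud metadata) IPs."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local

def parse_line(line: str):
    ts, src, _arrow, dst = line.split()
    ip, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, ip, int(port)

def find_enumeration(log_text: str, app_host: str,
                     window=timedelta(minutes=5), threshold=3):
    """Return the sorted set of unexpected internal IPs contacted by app_host
    whenever more than `threshold` distinct ones appear inside `window`."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    suspect = sorted((ts, ip) for ts, src, ip, _ in events
                     if src == app_host and is_internal(ip)
                     and ip not in ALLOWED_INTERNAL)
    alerts = set()
    for i, (start, _) in enumerate(suspect):
        hosts = {ip for ts, ip in suspect[i:] if ts - start <= window}
        if len(hosts) > threshold:
            alerts |= hosts
    return sorted(alerts)

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG, "maximo-app"))
```

Tuning `window` and `threshold` to the server's normal east-west traffic keeps the rule from firing on legitimate integrations.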