February 17, 2025
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Rewterz Threat Alert – APT41 (PIGFISH) Global Campaign Continues
April 21, 2020Rewterz Threat Advisory – CVE-2020-10641 – ICS: Inductive Automation Ignition Denial of Service Vulnerability
April 22, 2020Rewterz Threat Alert – APT41 (PIGFISH) Global Campaign Continues
April 21, 2020Rewterz Threat Advisory – CVE-2020-10641 – ICS: Inductive Automation Ignition Denial of Service Vulnerability
April 22, 2020
Severity
High
Analysis Summary
#1 Authentication Bypass
Details:
IDRM has an API endpoint at /albatross/saml/idpSelection that associates an ID provided by the attacker with a valid user on the system. The method that handles this endpoint is shown below:
This method accepts an arbitrary sessionId and username parameters from the HTTP request, and if username exists on the application’s user database, it then associates that sessionId to the username.
#2 Command Injection
Details:
IDRM exposes an API at /albatross/restAPI/v2/nmap/run/scan that allows an authenticated user to perform nmap scans. The call stack and relevant code is pasted below:
Having access to nmap allows running arbitrary commands if we upload a script file and then pass that as an argument to nmap with “–script=<FILE>”. However, to achieve code execution in this way it still need to upload a file. Luckily, there is a method that processes patch files and accepts arbitrary file data, saving it to “/home/a3user/agile3/patches/<FILE>”.
#3 Arbitrary File Download
Details:
IDRM exposes an API at /albatross/eurekaservice/fetchLogFiles that allows an authenticated user to download log files from the system. However, the logFileNameList parameter contains a basic directory traversal flaw that allows an attacker to download any file off the system.
#4 Insecure Default Password
Details:
The administrative user in the IDRM virtual appliance is “a3user”. This user is allowed to login via SSH and run sudo commands, and it is set up with a default password of “idrm”.
When combined with vulnerabilities #1 and #2, this allows an unauthenticated attacker to achieve remote code execution as root on the IDRM virtual appliance, leading to complete system compromise.
While IDRM forces the administrative user of the web interface (“admin”) to change its password upon first login, it does not require the same of “a3user”.
Impact
- Authentication Bypass
- Command Injection
- Insecure Default Password
- Arbitrary File Download
Affected Vendors
IBM
Affected Products
IBM Data Risk Manager 2.0.2 and 2.0.3
Remediation
Vendor has not fixed the issue yet.