Written by: Venu Vissamsetty, VP Security Research, Founding Engineer Attivo Networks – Security Researcher Pedro Ribeiro from the Agile Information Security firm revealed that IBM Data Risk Manager contains four critical severity vulnerabilities, which an unauthenticated attacker can exploit over the network. Attackers can chain these vulnerabilities together to compromise an entire system.
The four vulnerabilities listed are:
- Authentication Bypass
- Command Injection
- Insecure Default Password
- Arbitrary File Download
This GitHub post contains details of the vulnerabilities that exist in the IBM Data Risk Manager.
Depending on where the organization deploys the IBM Data Risk Manager systems, an attacker can carry out attacks from the public Internet or a compromised workstation in the enterprise. The attacker can chain the vulnerabilities, extract credentials, and move laterally within the enterprise network.
The IBM Data Risk Manager exposes the API /albatross/restAPI/v2/nmap/run/scan that allows an authenticated user to perform Nmap scans.
According to the security researcher, “Having access to Nmap allows running arbitrary commands, if we can upload a script file and then pass that as an argument to Nmap with –script=<FILE>. Since we cannot inject commands in a parameter, our best chance is to write the commands to a file and pass that in the –script argument to Nmap.
However, to achieve code execution in this way, we still need to upload a file. Luckily, there is a method that processes patch files and accepts arbitrary file data, saving it to /home/a3user/agile3/patches/<FILE>.”
However, Ribeiro demonstrated that an attacker using a combination of chained exploits could bypass authentication and execute arbitrary commands or compromise the system.
Key takeaways from the attack demonstrate that knowledgeable attackers can mimic security researches and chain a series of vulnerabilities to compromise systems. Attackers can modify Web Shells to avoid detection by network and host-based intrusion detection systems.
Web server compromise is often the first stage of an attack cycle as specified in a Threat research paper from FireEye. Attackers perform additional phases of the attack cycle to establish a foothold and move inside the network.
Organizations should deploy solutions such as deception technology to cover this tactic. Deception detects intruders trying to exploit 0-days, known vulnerabilities, or misconfigurations in enterprise network applications and moving laterally in the network.
Deploying deception provides early visibility and detection of threats inside the network.
Organizations using the Attivo ThreatDefend® deception platform will see various types of alerts depending on the network activity performed by attackers from a compromised system.
Example of reconnaissance events detected
Example of lateral movement for various services
Attackers trying to move laterally to target SMB network shares
The attack demonstrates how attackers can chain a series of exploits to compromise web-based systems and execute arbitrary commands or deploy Web Shells. By using web shells, cyber attackers can gain persistent access to compromised networks without detection. Organizations can deploy the ThreatDefend deception platform to detect attackers performing lateral movement activities from successful code injection and web shell attacks, increasing their resilience, and enhancing their security.