Software: IBM SAN Volume Controller, IBM Storwize, IBM FlashSystem and IBM Storage Virtualize products
Affected versions: 8.3
Vendor page: https://www.ibm.com/support/pages/node/7064976
CVE Reference: CVE-2023-43042
Published: 08/12/2023
CVSS 3.0 Score: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Credit: Max Corbridge
Summary
JUMPSEC’s Head of Adversarial Simulation (@CorbridgeMax) discovered that an unauthenticated user can determine whether the default superuser password has been changed on IBM SAN Volume Controller, IBM Storwize, IBM FlashSystem and IBM Storage Virtualize products. These products were found to be a single point of failure for backup and disaster recovery processes within client environments, and as such are highly critical systems.
In practice only the 8.3.1 release is affected, because the default password cannot remain configured on an active system running a later release: the user must change it either during first-time setup or before upgrading from 8.3.1 or earlier. IBM has nevertheless removed the ability to query this status from all releases listed in the Mitigation section of this advisory.
Technical details
IBM web servers on the affected backup/storage products respond to unauthenticated GET requests to the /login page with the name of the superuser account and with a flag stating whether the default password has been changed. An unauthenticated attacker on the network therefore learns exactly which appliances can still be accessed with the default credentials, and so can compromise what is often a business-critical asset with superuser permissions.
HTTP/1.1 200
Cache-Control: no-cache, no-store, must-revalidate
Strict-Transport-Security: max-age=778000; includeSubDomains
X-FRAME-OPTIONS: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
Pragma: no-cache
X-Content-Type-Options: nosniff
SET-COOKIE: JSESSIONID=[REDACTED];Path=/;Secure;SameSite=Lax
SET-COOKIE: _sync=[REDACTED];Path=/;Secure;SameSite=Strict
SET-COOKIE: _redirect=[REDACTED];Path=/;Secure;SameSite=Strict
SET-COOKIE: _sync=[REDACTED]; HttpOnly; Secure
X-FRAME-OPTIONS: DENY
Cache-Control: post-check=0, pre-check=0
vary: accept-encoding
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Date: Fri, 08 Sep 2023 12:28:27 GMT
Connection: close
Content-Length: 70858

<!DOCTYPE html>
<html>
[SNIPPED_FOR_BREVITY]
"superuserPasswordChanged":true,"hasEnvironmentals":true,
[SNIPPED_FOR_BREVITY]
</body>
</html>
Figure 1: HTTP Response from IBM FlashSystem Webserver
Mitigation
As a priority, change the superuser password if it is still set to the default.
IBM also recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, IBM Storwize V5000 and V5100, IBM Storwize V5000E, IBM Spectrum Virtualize Software, IBM Spectrum Virtualize for Public Cloud, IBM FlashSystem V9000, IBM FlashSystem 9500, IBM FlashSystem 9100 Family, IBM FlashSystem 9200, IBM FlashSystem 7300, IBM FlashSystem 7200, IBM FlashSystem 5200 and IBM FlashSystem 5000 to the following code levels or higher:
8.6.2.0
8.6.0.2
8.5.0.10
8.4.0.12
8.3.1.10
Please note that it is necessary to change the superuser password before upgrading from 8.3.1 to 8.4.0 or later, which is the reason why this upgrade remediates the vulnerability.
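The following script is an added triage helper, not part of this advisory or of any IBM tooling. It covers the two checks a storage administrator needs from the Technical details and Mitigation sections above: it parses a saved copy of an appliance's /login response (a constructed sample modelled on Figure 1 is embedded inline) to see whether the page still discloses the superuserPasswordChanged flag and what it says, and it compares a running code level against the fixed levels listed above, matching on the 8.x.y branch. Any code level on a branch the advisory does not list is reported as unknown rather than assumed fixed. Function names, the sample bodies and the triage result strings are this example's own assumptions.

```python
"""Offline triage helper for CVE-2023-43042 (added example, not IBM code)."""
import re
from typing import Optional, Tuple

# Fixed code levels from the advisory's Mitigation section. The first three
# components identify the release branch; the fourth is the minimum fixed level.
FIXED_LEVELS = ("8.6.2.0", "8.6.0.2", "8.5.0.10", "8.4.0.12", "8.3.1.10")

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '8.5.0.10' into (8, 5, 0, 10); reject anything not four integers."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected code level format: {text!r}")
    return tuple(int(p) for p in parts)


def is_fixed(level: str) -> Optional[bool]:
    """True if `level` is at or above the fixed level on its branch, False if
    below it, None if the advisory lists no level for that branch (the caller
    must then confirm with the vendor rather than assume it is fixed)."""
    running = parse_version(level)
    for fixed_text in FIXED_LEVELS:
        fixed = parse_version(fixed_text)
        if running[:3] == fixed[:3]:
            return running >= fixed
    return None


# Matches the JSON fragment embedded in the login page HTML shown in Figure 1.
_FLAG_RE = re.compile(r'"superuserPasswordChanged"\s*:\s*(true|false)')


def login_page_disclosure(body: str) -> Optional[bool]:
    """Return the disclosed flag (True = password changed, False = still the
    default) or None when the page does not expose the flag at all, which is
    what a remediated release looks like."""
    match = _FLAG_RE.search(body)
    if match is None:
        return None
    return match.group(1) == "true"


def triage(level: str, body: str) -> str:
    """Combine both checks into one action for the administrator."""
    flag = login_page_disclosure(body)
    fixed = is_fixed(level)
    if flag is False:
        # Default password still set: this is the priority fix regardless of level.
        return "change-default-password"
    if flag is True:
        # Password changed, but the page still leaks the flag: patch is missing.
        return "upgrade" if fixed is not True else "verify-code-level"
    # No disclosure observed in the saved response.
    if fixed is True:
        return "fixed"
    if fixed is False:
        return "upgrade"  # below the fixed level; do not rely on one saved page
    return "unknown-branch"


# Constructed sample responses (not real appliance output). SAMPLE_BODY mirrors
# the structure of Figure 1; PATCHED_BODY is a login page without the flag.
SAMPLE_BODY = (
    "<!DOCTYPE html>\n<html>\n<head></head>\n<body>\n"
    '<script>var cfg = {"superuserPasswordChanged":true,"hasEnvironmentals":true};</script>\n'
    "</body>\n</html>\n"
)
PATCHED_BODY = "<!DOCTYPE html>\n<html><body>login</body></html>\n"


if __name__ == "__main__":
    for level, body in (("8.3.1.9", SAMPLE_BODY),
                        ("8.3.1.10", PATCHED_BODY),
                        ("8.7.0.0", PATCHED_BODY)):
        print(f"{level}: {triage(level, body)}")
```

Feed `triage()` the code level reported by the appliance and the body of a /login response you have saved from your own system; the result strings map directly onto the two mitigation steps above (change the password first, then upgrade), with "unknown-branch" flagging a release train the advisory does not cover.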
Timeline
08/09/2023: Vulnerability submitted through IBM’s Vulnerability Disclosure Program
13/12/2023: Vulnerability remediated and public notice created by IBM.