Advisory CVE-2023-43042 – IBM Backup Products Superuser Information Disclosure

Dec 21, 2023 | Exploitation, Jumpsec, Research, Security Bug, Vulnerability

Software: IBM SAN Volume Controller, IBM Storwize, IBM FlashSystem and IBM Storage Virtualize products

Affected versions: 8.3

Vendor page: https://www.ibm.com/support/pages/node/7064976

CVE Reference: CVE-2023-43042

Published: 08/12/2023

CVSS 3.0 Score: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network

Credit: Max Corbridge

Summary

JUMPSEC’s Head of Adversarial Simulation (@CorbridgeMax) discovered that an unauthenticated user can determine whether the default superuser password has been changed on IBM SAN Volume Controller, IBM Storwize, IBM FlashSystem and IBM Storage Virtualize products. These products were found to be a single point of failure for backup and disaster recovery processes within client environments, and as such are highly critical systems. 

This only affects the 8.3.1 release, as it is impossible for the default password to still be configured on an active system running later releases: the user must change it either as part of first-time setup or prior to upgrading from 8.3.1 or earlier. However, IBM has removed the ability to query this status from all releases listed in the Mitigation section of this advisory.

Technical details

IBM web servers related to backup/storage products respond to unauthenticated GET requests to the /login page with the name of the superuser account and whether or not the default password has been changed. This could give unauthenticated attackers on the network the information necessary to compromise what is often a business-critical asset, with superuser permissions.

HTTP/1.1 200 
Cache-Control: no-cache, no-store, must-revalidate
Strict-Transport-Security: max-age=778000; includeSubDomains
X-FRAME-OPTIONS: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Referrer-Policy: no-referrer-when-downgrade
Pragma: no-cache
X-Content-Type-Options: nosniff
SET-COOKIE: JSESSIONID=[REDACTED];Path=/;Secure;SameSite=Lax
SET-COOKIE: _sync=[REDACTED];Path=/;Secure;SameSite=Strict
SET-COOKIE: _redirect=[REDACTED];Path=/;Secure;SameSite=Strict
SET-COOKIE: _sync=[REDACTED]; HttpOnly; Secure
X-FRAME-OPTIONS: DENY
Cache-Control: post-check=0, pre-check=0
vary: accept-encoding
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Date: Fri, 08 Sep 2023 12:28:27 GMT
Connection: close
Content-Length: 70858



<!DOCTYPE html>

<html>
[SNIPPED_FOR_BREVITY]
"superuserPasswordChanged":true,"hasEnvironmentals":true,
[SNIPPED_FOR_BREVITY]
</body>
</html>

Figure 1: HTTP Response from IBM FlashSystem Webserver

Mitigation

As a priority, change the superuser password if it is still set to the default.

IBM also recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, IBM Storwize V5000 and V5100, IBM Storwize V5000E, IBM Spectrum Virtualize Software, IBM Spectrum Virtualize for Public Cloud, IBM FlashSystem V9000, IBM FlashSystem 9500, IBM FlashSystem 9100 Family, IBM FlashSystem 9200, IBM FlashSystem 7300, IBM FlashSystem 7200, IBM FlashSystem 5200 and IBM FlashSystem 5000 to the following code levels or higher:

8.6.2.0

8.6.0.2

8.5.0.10

8.4.0.12

8.3.1.10

Please note that it is necessary to change the superuser password before upgrading from 8.3.1 to 8.4.0 or later, which is the reason why this upgrade remediates the vulnerability.
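To check which of your own appliances still need the steps above, the following added example (not part of the original advisory or any IBM tooling) classifies saved /login response bodies by whether the superuserPasswordChanged field from Figure 1 is present and what it reports. The function names, hostnames and sample bodies are constructed for illustration, and the value false for an unchanged password is an assumption inferred from the field name.

```python
import re

# Matches the flag as shown in Figure 1: "superuserPasswordChanged":true
# Tolerating whitespace around the colon is an assumption.
FLAG_RE = re.compile(r'"superuserPasswordChanged"\s*:\s*(true|false)')

# Lower rank = more urgent.
RANK = {"disclosed-default": 0, "disclosed-changed": 1, "not-disclosed": 2}


def classify_login_body(body: str) -> str:
    """Classify a saved /login response body from an appliance you administer.

    "not-disclosed"     - flag absent (expected on the fixed code levels)
    "disclosed-changed" - flag exposed, superuser password has been changed
    "disclosed-default" - flag exposed, default password still set (assumed
                          to be reported as false)
    """
    match = FLAG_RE.search(body)
    if match is None:
        return "not-disclosed"
    if match.group(1) == "true":
        return "disclosed-changed"
    return "disclosed-default"


def triage(captures: dict) -> list:
    """Return (host, status) pairs, most urgent first, then by hostname."""
    results = [(host, classify_login_body(body)) for host, body in captures.items()]
    return sorted(results, key=lambda item: (RANK[item[1]], item[0]))


# Constructed sample captures; hostnames and surrounding markup are made up.
SAMPLE_CAPTURES = {
    "storage-a.example.internal":
        '<html>{"superuserPasswordChanged":true,"hasEnvironmentals":true}</html>',
    "storage-b.example.internal":
        '<html>{"superuserPasswordChanged": false,"hasEnvironmentals":true}</html>',
    "storage-c.example.internal":
        '<html>{"hasEnvironmentals":true}</html>',
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_CAPTURES):
        print(f"{host}: {status}")
```

Hosts reported as disclosed-default need the superuser password changed first; any disclosed-* result means the appliance is still running a code level that exposes the field.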

Timeline

08/09/2023: Vulnerability submitted through IBM’s Vulnerability Disclosure Program

13/12/2023: Vulnerability remediated and public notice created by IBM.

Disclaimer

The information provided on this website is to be used for educational purposes only. The author is in no way responsible for any misuse of the information provided. Any actions and/or activities related to the material contained within this website are solely your responsibility.
