Flaw in IBM Asset Management Product Facilitates Attacks on Corporate Networks

A high-severity vulnerability patched recently by IBM in its Maximo asset management solution makes it easier for hackers to move around in enterprise networks, cybersecurity firm Positive Technologies warned on Thursday.


The security hole, tracked as CVE-2020-4529, has been described as a server-side request forgery (SSRF) issue that allows an authenticated attacker to send unauthorized requests from a system, which IBM says can facilitate other attacks.


The flaw impacts Maximo Asset Management 7.6.0 and 7.6.1 and possibly older versions. IBM has released an update that should patch the vulnerability, and the company has also shared workarounds and mitigations.


Maximo Asset Management is designed to help organizations in asset-intensive industries manage physical assets. The solution is used in various sectors, including oil and gas, aerospace, car manufacturing, railway, pharmaceutical, utilities, and nuclear power plants.


IBM has pointed out that the vulnerability also affects industry-specific solutions if they use an impacted core version. This includes Maximo for Aviation, for Life Sciences, for Oil and Gas, for Nuclear Power, for Transportation, and for Utilities.


While exploitation of the vulnerability requires access to a system within the targeted organization, an attack can be launched from a warehouse worker’s workstation, which may be easier for a threat actor to hack.


"IBM Maximo web interfaces are usually accessible from all of a company's warehouses, which could be located in multiple regions or countries. So if our 'warehouse worker' or equivalent connects through a properly configured VPN, that person's access within the corporate network is restricted to what they need, from that particular system and email, for example," explained Positive Technologies researcher Arseny Sharoglazov.


"But the vulnerability we found allows bypassin ..