Details are sketchy, but the overall story is clear: if you're using IBM's Maximo Asset Management, make sure you're patched.
As you can imagine, an asset management tool called Maximo is not aimed at small businesses such as your local bike shop, or at community organisations such as a church council.
Those organisations certainly have assets such as tools and spare parts, but Maximo is aimed at a much bigger scale.
As IBM's website proudly proclaims, the Maximo product is used by 10 of the 13 largest pharmaceutical companies, 16 of the 24 largest automotive companies and 14 of the 20 largest energy generation companies.
Researchers at Positive Technologies, the cybersecurity and penetration testing company, found and responsibly disclosed the bug, which was fixed two weeks ago but only announced by Positive Technologies yesterday.
Server-side request forgery
The vulnerability was a type of SSRF, short for Server-Side Request Forgery, a piece of jargon that only tells you much if you already know what it means.
Put simply, SSRF is a way for someone who may have very limited access to your network to send a legitimate-looking request to one of your servers...
... but a request crafted so that the server is tricked into making a follow-up request of its own, one that it shouldn't be making on your behalf.
As an analogy, imagine that you want to trick an employee into revealing their company's sales figures for the previous quarter.
You can't just call them and say, "Hi, it's Cecilia from the tax department, can you tell me the sales figures?", because they're wise to your social engineering trickery and tell you to get lost.
But what if you call and say, "The tax team needs the sales figures. I know you can't give them to me, but could you send them to Cecilia? If you don't have her email address, you can get it from her on [REDACTED TELEPHONE NUMBER]."
Now the person you just left that message with dutifully calls the number you specified, hears a bogus recorded message that says "Sorry, I'm out, try emailing me ..." and blindly sends the very data you want.
But even if they don't fall for the fake recorded message, you still learn something if they call your bogus number: you can conclude that they probably have access to the sales figures, and that Cecilia is probably the right person to target in the tax department.
At the very least, you know that their work phone isn't blocked from calling the area code or network you used for the fake number, and with a bit of luck you may pick up their direct-dial number from caller ID.
In other words, if you find an internal company resource that you can instruct to access servers or data you can't reach yourself, you can still learn a lot about the network from the answers you get back, even if you never get the data you actually wanted.
For example, something as simple as the error message you get back from a server prone to SSRF can help you build a list of valid internal network names and IP numbers.
Imagine asking the vulnerable server to fetch an inventory page from each of 10,000 internal server names that you've guessed. Now imagine that you get back 403 Forbidden for names that exist and sit on the same part of the network as the vulnerable server, 503 Service Unavailable for names that don't exist anywhere on the network, and 502 Bad Gateway for names that do exist but sit on another part of the internal network. The three different errors are an oracle: each one tells you something the server was never meant to reveal.
If you can trick the vulnerable server into calling out of its own network by sending it an otherwise legitimate request, you may also be able to collect server data such as secret authentication tokens or special HTTP headers that are normally only visible from inside the network.
Leaked headers of that sort can help you compromise other servers on the network simply because they give away internal network secrets.
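To make the oracle concrete, here is an added example (it is not IBM's code, nor the Positive Technologies proof of concept, and the hostnames, addresses and status mapping are constructed for illustration). It models a server-side "fetch this URL for me" feature with no target validation, the host-enumeration the distinct error codes hand to an attacker, and a hardened version that pins the target to an allow-list and returns one uniform error so the same probing learns nothing:

```python
"""SSRF oracle demo: vulnerable fetcher, attacker-side enumeration,
and a hardened fetcher that closes the oracle. All names, addresses
and status codes below are constructed for the example."""
import ipaddress
from typing import Callable, Dict, Iterable, Optional
from urllib.parse import urlsplit

# Constructed picture of an internal network; nothing here is real.
INTERNAL_DNS = {
    "inventory.corp.example": "10.1.0.5",        # same segment as the app server
    "payroll.corp.example": "10.2.0.9",          # a different internal segment
    "metadata.corp.example": "169.254.169.254",  # link-local, metadata-service style
}
APP_SEGMENT = ipaddress.ip_network("10.1.0.0/16")


def resolve(host: str) -> Optional[str]:
    """Stand-in for DNS: look the name up in the constructed table."""
    return INTERNAL_DNS.get(host)


def vulnerable_fetch(url: str) -> int:
    """Server-side fetch with no target validation (the SSRF).

    Returns the HTTP status the caller sees. The three distinct failure
    codes are the oracle: they tell the caller whether a guessed name
    exists and roughly where it sits, without any data being returned."""
    addr = resolve(urlsplit(url).hostname or "")
    if addr is None:
        return 503  # simulated: the name does not resolve anywhere
    if ipaddress.ip_address(addr) in APP_SEGMENT:
        return 403  # simulated: host reached, but it refused the request
    return 502      # simulated: host exists, but the gateway to it failed


ALLOWED_HOSTS = {"inventory.corp.example"}  # assumed: the only legitimate target


def hardened_fetch(url: str) -> int:
    """Same feature, target pinned to an allow-list.

    Every rejection is the same 400 and happens before any connection is
    attempted, so the status no longer depends on whether a guessed name
    exists. The address check is defence in depth in case an allow-listed
    name is later rebound to loopback or link-local space."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https" or host not in ALLOWED_HOSTS:
        return 400
    addr = resolve(host)
    if addr is None:
        return 400
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback or ip.is_link_local or ip.is_multicast:
        return 400
    return 200  # simulated: request permitted and answered


def enumerate_hosts(fetch: Callable[[str], int], guesses: Iterable[str]) -> Dict[str, str]:
    """Attacker's view: push guessed names through the fetcher and bucket
    each one by the status it leaks back."""
    meaning = {403: "exists, same segment", 502: "exists, other segment", 503: "no such host"}
    return {g: meaning.get(fetch(f"http://{g}/"), "no information") for g in guesses}


if __name__ == "__main__":
    guesses = ["inventory.corp.example", "payroll.corp.example", "nosuch.corp.example"]
    print("vulnerable:", enumerate_hosts(vulnerable_fetch, guesses))
    print("hardened:  ", enumerate_hosts(hardened_fetch, guesses))
```

Run against `vulnerable_fetch`, the three guesses come back in three different buckets, which is exactly the network map the text describes; against `hardened_fetch` every guess lands in "no information". The allow-list is the real fix; the uniform error code matters because a fix that still returns different errors for different targets leaves the enumeration oracle in place.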
IBM's own security bulletin states:
This can allow an authenticated attacker to send unauthorized requests from the system, which may result in a network enumeration or facilitate other attacks.
As you can imagine, in a huge company with a huge asset database, most users on the network are likely to have some asset-related queries they are permitted to make, such as looking up inventory, delivery times or service plans, and will therefore be authenticated users, albeit ones who can legitimately see very little data.
An information disclosure bug like this almost certainly won't let crooks implant malware or steal trophy data directly, but it could be just what a determined attacker needs to get there.
What should I do?
If you're running a vulnerable version, patch as soon as possible.
Maximo versions starting with 7.6.0 and 7.6.1 are affected.
If you have an affected version but don't currently have a change window in which to apply the update, IBM has a server configuration workaround that prevents the bug from being triggered, although it turns off some of the printing options the system provides.