Multiple vulnerabilities in IBM Cloud Automation Manager
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2018-15664 CVE-2019-5736 |
| CWE-ID | CWE-22 CWE-264 |
| Exploitation vector | Local |
| Public exploit | Public exploit code for vulnerability #2 is available. |
| Vulnerable software Subscribe |
IBM Cloud Automation Manager Server applications / Other server solutions |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Path traversal
EUVDB-ID: #VU20501
Risk: Low
CVSSv3.1: 6.2 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-15664
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a local attacker to perform directory traversal attacks.
The vulnerability exists due to the API endpoints behind the 'docker cp' command are vulnerable to a symlink-exchange attack. A local authenticated attacker can gain read-write access to the host filesystem with root privileges, because "daemon/archive.go" does not do archive operations on a frozen filesystem (or from within a chroot).
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Cloud Automation Manager: All versions
External linkshttp://www.ibm.com/support/pages/node/960227
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Privilege escalation
EUVDB-ID: #VU17474
Risk: Medium
CVSSv3.1: 7.6 [CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C]
CVE-ID: CVE-2019-5736
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to gain elevated privileges.
The weakness exists in the runc container runtime due to file-descriptor mishandling, related to /proc/self/exe. A remote attacker can leverage the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec, overwrite the host runc binary with minimal user interaction and execute arbitrary code with root privileges.
Successful exploitation of the vulnerability may result in system compromise.
Install update from vendor's website.
Vulnerable software versionsIBM Cloud Automation Manager: All versions
External linkshttp://www.ibm.com/support/pages/node/960227
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.
