OS Command Injection in IBM Spectrum Scale and IBM Spectrum Protect Plus

#VU26556 OS Command Injection in IBM Spectrum Scale and IBM Spectrum Protect Plus

Published: 2020-04-03

Vulnerability identifier: #VU26556

Vulnerability risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-4242

CWE-ID: CWE-78

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
IBM Spectrum Scale
Client/Desktop applications / File managers, FTP clients
IBM Spectrum Protect Plus
Server applications / Other server solutions

Vendor: IBM Corporation

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The vulnerability exists within the Administrative Console Framework service due to the "uploadLdapCertificate" method does not properly validate a user-supplied string before using it to execute a system call when parsing the "filename" parameter. A remote authenticated attacker can send a specially crafted request and execute arbitrary commands on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

IBM Spectrum Scale: All versions

IBM Spectrum Protect Plus: 10.1.0.0 - 10.1.5.0

External links
http://exchange.xforce.ibmcloud.com/vulnerabilities/175419
http://www.ibm.com/support/pages/node/6114130
http://www.zerodayinitiative.com/advisories/ZDI-20-347/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Spectrum Protect Plus and IBM Spectrum Scale