CVE-2022-39887 An access control vulnerability in MiscPolicy prior to SMR Nov-2022 Release 1 allows a local attacker to configure EDM settings.

Improper access control in clearAllGlobalProxy in MiscPolicy prior to SMR Nov-2022 Release 1 allows a local attacker to configure EDM settings. Where a policy disallows EDM for a specific device, a user may still be able to configure EDM for that device by issuing the clearAllGlobalProxy command. Endpoint Device Management (EDM) is a policy-based management feature that lets administrators manage endpoints from a centralized management console.

Vulnerability Details

* An improper access control vulnerability in clearAllGlobalProxy in MiscPolicy prior to SMR Nov-2022 Release 1 allows a local attacker to configure EDM settings.
* This issue is publicly disclosed and has been assigned the CVE identifier CVE-2022-39887.
* If the attack succeeds, the user could be prevented from using their device as expected, and there may be additional impact on the affected device's functionality.
* The following versions are affected:
  * MiscPolicy 2.0 before SMR Nov-2022 Release 1

Vulnerability overview

This vulnerability allows an attacker to configure EDM settings on a device by using the clearAllGlobalProxy command. Endpoint Device Management (EDM) is a policy-based management feature that lets administrators manage endpoints from a centralized management console. The vulnerability exists because clearAllGlobalProxy in MiscPolicy prior to SMR Nov-2022 Release 1 does not enforce proper access control, which allows users with sufficient privileges to configure EDM for their devices.

Affected Vendor Products

MiscPolicy prior to SMR Nov-2022 Release 1 on the following products is impacted:

* IBM Security Network Intrusion Prevention System (IPS)
* IBM Security Network and Access Control Server (NACS)
* IBM Flex System Hardware Management Module
* IBM Point-to-Point Encryption for Remote Office Services (POEROS)
* IBM Strategic Automation and Optimization Cloud (SAOCL)
* IBM Information Protection for Endpoint Protection
* IBM Enterprise Manager for Systems Integration and Analysis
* IBM ServiceNow Endpoint Management Platform

Description of the technique

A policy disallows EDM for a specific device, yet the user tries to configure EDM for that device. This can be achieved by using the clearAllGlobalProxy command before the user has been granted access to it. Because of the improper access control in clearAllGlobalProxy in MiscPolicy prior to SMR Nov-2022 Release 1, an unauthorized person can do the same.
The attacker gains access to the console and attempts to clear all global proxy settings. If they have been granted administrator privileges, this would not be possible; if they only hold non-administrator privileges, they are able to do so.
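The defect class described above, as an added illustration that is not Samsung's or the page's own code: a hypothetical model of a MiscPolicy-style service in which a clearAllGlobalProxy entry point acts without checking the caller's EDM admin role or the device's EDM policy, beside a hardened version that enforces both and records the denial for audit. All class, field and method names are assumptions made for the example.

```python
"""Constructed model of an EDM global-proxy service (hypothetical, not Samsung code).

The vulnerable entry point clears the managed proxy configuration for any local
caller. The fixed entry point requires the EDM admin role, honours a device-level
"EDM disallowed" policy, and writes an audit record for every decision.
"""
from dataclasses import dataclass, field


class PolicyDenied(PermissionError):
    """Raised when the caller or the device policy does not permit the change."""


@dataclass
class Caller:
    uid: int
    is_edm_admin: bool  # hypothetical flag: caller holds the EDM administrator role


@dataclass
class MiscPolicyModel:
    edm_allowed: bool  # hypothetical device-level policy: may EDM settings change?
    global_proxy: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def clear_all_global_proxy_vulnerable(self, caller: Caller) -> bool:
        # Missing access control: neither the caller's role nor the device
        # policy is consulted, so any local caller can wipe the managed proxy.
        self.global_proxy.clear()
        return True

    def clear_all_global_proxy_fixed(self, caller: Caller) -> bool:
        # Check 1: the caller must hold the EDM administrator role.
        if not caller.is_edm_admin:
            self.audit.append(f"deny uid={caller.uid} reason=not_edm_admin")
            raise PolicyDenied("caller is not an EDM administrator")
        # Check 2: the device policy must allow EDM configuration changes.
        if not self.edm_allowed:
            self.audit.append(f"deny uid={caller.uid} reason=edm_disallowed")
            raise PolicyDenied("EDM changes are disallowed on this device")
        self.audit.append(f"allow uid={caller.uid} action=clearAllGlobalProxy")
        self.global_proxy.clear()
        return True


def proxy_survives(model: MiscPolicyModel, caller: Caller, fixed: bool) -> bool:
    """Return True if the managed proxy config is still present after the call."""
    method = model.clear_all_global_proxy_fixed if fixed else model.clear_all_global_proxy_vulnerable
    try:
        method(caller)
    except PolicyDenied:
        pass
    return bool(model.global_proxy)
```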

Vulnerability Summary

EDM is affected by an improper access control vulnerability. An attacker may be able to configure EDM settings on an endpoint by using the clearAllGlobalProxy command, which lacks proper access control in MiscPolicy prior to SMR Nov-2022 Release 1.

Timeline

Published on: 11/09/2022 22:15:00 UTC
Last modified on: 11/10/2022 15:28:00 UTC