This can lead to the disclosure of sensitive information such as a user’s personal data, or the takeover of the device with elevated privileges. End users are encouraged to enable the anti-CSRF protection and enable strict origin checking when interacting with the device via its web interface. An attacker can leverage this vulnerability to execute arbitrary Axon queries on an affected device: the attacker sends a specially crafted Axon query to the “Operation” web application of an affected device and launches it by convincing a victim to click on a malicious link or visit a specially crafted webpage. Successful exploitation can give the attacker access to potentially sensitive data stored on the device, or elevated privileges on the device.

End users are encouraged to update to the latest version of the PXM endpoints as soon as possible.

CVE has assigned this advisory the identifier CVE-2019-1802.


Affected PXM Product Versions

Axon Controller Software 2.1
Axon Processor 2.0
Axon Processor 2.1
Axon Processors 3.x and later

Affected PXM Endpoints

PXM endpoints with Web Interface enabled are vulnerable.

Technical Details

Axon is a RESTful web service that allows for low-level control of the PXM. Axon allows access to all of the PXM’s capabilities and can be used to programmatically invoke actions, such as querying device values or running commands. These services are implemented as RESTful JSON Web Services (JWS) over HTTP.

The vulnerability is triggered when an attacker sends a specially crafted Axon command to an affected device. The command can be delivered in a number of ways; the most likely scenario is that the attacker convinces a user who is interacting with the device through its web interface to visit a specially crafted webpage or click on a link containing malicious content. The vulnerable code path is reached when the application processes a client request and calls a function that checks whether any input data matches the request data for that particular JWS operation, specifically in the “Operation” web application. If that check finds that no input data was provided, processing continues anyway and another function is invoked to handle the client request, for example by routing it to another JWS operation. An attacker can leverage this to execute arbitrary Axon queries on an affected device by convincing a victim to click on a malicious link or visit a specially crafted webpage.
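The two mitigations the advisory recommends, an anti-CSRF token and strict origin checking, can be illustrated in a request handler that is independent of the Axon "Operation" service. The following Python is an added example written for this page; it is not PXM or Axon code, and the handler names, the allow-listed origin and the in-memory session store are all constructed for the illustration. The first handler reproduces the behaviour described above (a request with no input data is routed onward without being checked); the second shows the hardened form, in which a missing token or an unexpected Origin is a rejection.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed values for the example: the device's own web UI origin and a
# per-session CSRF token store. Real deployments would use their session layer.
ALLOWED_ORIGINS = {"https://pxm.example.internal"}
SESSION_TOKENS: dict[str, str] = {}


def issue_csrf_token(session_id: str) -> str:
    """Bind a fresh random token to a session; the legitimate UI echoes it back
    with every state-changing request."""
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token


def origin_allowed(headers: dict) -> bool:
    """Strict origin check: the Origin header (or, failing that, the Referer's
    scheme://host[:port]) must match the allow-list exactly. A request that
    carries neither header is refused rather than assumed to be same-site."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlparse(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def weak_operation_handler(headers: dict, body: dict, session_id: str) -> str:
    """'Before' case mirroring the advisory: when no input data is supplied the
    validation step is skipped and the request is routed to the next handler.
    A cross-site request with an empty body is therefore accepted."""
    if not body:
        return "ROUTED"
    if body.get("csrf_token") != SESSION_TOKENS.get(session_id):
        return "REJECTED"
    return "ROUTED"


def hardened_operation_handler(headers: dict, body: dict, session_id: str) -> str:
    """Hardened form: origin must be allow-listed, the session must have a token,
    the request must supply one, and the comparison is constant-time. Only then
    is the Axon query dispatched."""
    if not origin_allowed(headers):
        return "REJECTED"
    expected = SESSION_TOKENS.get(session_id)
    supplied = (body or {}).get("csrf_token")
    if expected is None or not isinstance(supplied, str):
        return "REJECTED"
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return "REJECTED"
    return "ROUTED"


if __name__ == "__main__":
    tok = issue_csrf_token("session-1")
    cross_site = {"Origin": "https://attacker.example"}
    same_site = {"Origin": "https://pxm.example.internal"}
    print("weak, cross-site, empty body:", weak_operation_handler(cross_site, {}, "session-1"))
    print("hardened, cross-site, empty body:", hardened_operation_handler(cross_site, {}, "session-1"))
    print("hardened, same-site, valid token:", hardened_operation_handler(same_site, {"csrf_token": tok}, "session-1"))
```

The point of the hardened handler is that "no input data" is never a reason to continue: the token check fails closed, and the origin check runs before the body is looked at, so a browser-initiated cross-site request is rejected regardless of what it carries.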

Vulnerability Details

X2.PXM-3.3.1.x86_64-aix-5.3: Remote Code Execution
A vulnerability in the PXM endpoints of the IBM Security Access Manager (PMG) could, if exploited successfully, allow an attacker to execute arbitrary code on a vulnerable machine. This vulnerability affects both AIX and Linux operating systems running as a service. The vulnerability is due to insufficient validation of input from an untrusted source by the affected application, which may lead to remote code execution on the machine of the attacker who exploited it. An attacker could exploit this vulnerability by sending a specially crafted authentication request that causes an authenticated user on an affected system to send back data intended for another authenticated user on the same system, potentially leading to information disclosure or unauthorized access.

Vulnerability overview

A vulnerability was found in the Axon web application of the PXM platform (CVE-2019-1802). The vulnerability can lead to the disclosure of sensitive information such as a user’s personal data or the takeover of the device with elevated privileges. An attacker can leverage this vulnerability to execute arbitrary Axon queries on an affected device: the attacker sends a specially crafted Axon query to the “Operation” web application of an affected device and launches it by convincing a victim to click on a malicious link or visit a specially crafted webpage. The attacker could also exploit this vulnerability to obtain access to potentially sensitive data stored on the device.
CVE has assigned this advisory the identifier CVE-2019-1802.

Timeline

Published on: 10/11/2022 11:15:00 UTC
Last modified on: 10/12/2022 17:16:00 UTC
