CVE-2022-47986 - IBM Aspera Faspex 4.4.2 Patch Level 1 YAML Deserialization Exploit Revealed

Today, we're going to dive into the details behind the recently disclosed vulnerability, CVE-2022-47986. This security issue affects IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier versions, and it could allow a remote attacker to execute arbitrary code on the targeted system. The root of the problem lies in a YAML deserialization flaw, and the vulnerability can be exploited by sending a specially crafted obsolete API call. The IBM X-Force ID for this vulnerability is 243512.

Before we proceed, please note that this API call was removed in Faspex 4.4.2 PL2; thus, updating to the latest version of the software is highly recommended to address this security risk. Let's take a closer look at the vulnerability and how an attacker could exploit it.

Understanding the YAML Deserialization Flaw

Serialization is the process of converting an object's state to a byte stream, while deserialization is the opposite process of turning that byte stream back into an object. YAML (short for YAML Ain't Markup Language) is a human-readable data serialization format used, in this case, by IBM Aspera Faspex.

A deserialization flaw occurs when the process of converting the byte stream back into an object is insecure, thereby creating an opportunity for an attacker to inject malicious code or exploit the system. This is the case with IBM Aspera Faspex 4.4.2 PL1 and earlier versions.
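To make the difference between insecure and secure deserialization concrete, here is an added example (not code from IBM Aspera Faspex or from the advisory) that uses Ruby's standard Psych YAML library as a stand-in parser. The `ReportJob` class, the helper names and both sample documents are hypothetical and constructed for illustration.

```ruby
require "yaml"

# Hypothetical application class, constructed for this example.
class ReportJob
  attr_accessor :command
end

# Constructed input: a document whose tag asks the parser to build a ReportJob.
TAGGED_DOC = <<~DOC
  --- !ruby/object:ReportJob
  command: "constructed-marker"
DOC

# Constructed input: plain data only (strings, a list, a mapping).
PLAIN_DOC = <<~DOC
  name: package-1
  recipients:
    - alice@example.com
DOC

# Insecure pattern: the parser instantiates any class the document names.
# YAML.load behaved this way before Psych 4; unsafe_load is its explicit name.
def load_unsafely(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened pattern: allow only basic types, no custom classes, no aliases.
def load_safely(doc)
  YAML.safe_load(doc, permitted_classes: [], aliases: false)
rescue Psych::DisallowedClass, Psych::BadAlias => e
  raise ArgumentError, "rejected YAML input (#{e.class})"
end

# Detection aid: walk the parse tree without building objects and report
# any Ruby-specific type tags, e.g. for logging rejected requests.
def ruby_object_tags(doc)
  Psych.parse_stream(doc).each
       .map { |node| node.tag if node.respond_to?(:tag) }
       .compact.uniq.select { |tag| tag.start_with?("!ruby/") }
end

if __FILE__ == $PROGRAM_NAME
  p load_unsafely(TAGGED_DOC).class   # object chosen by the input
  p ruby_object_tags(TAGGED_DOC)      # tags worth alerting on
  p load_safely(PLAIN_DOC)            # plain data still loads
end
```

The unsafe loader lets the document decide which class gets instantiated, while the safe loader rejects the same input and still accepts ordinary data.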

Exploiting the Vulnerability

An attacker can exploit this vulnerability by sending a specially crafted API call to the affected system. This API call is obsolete and has been removed in later versions, but it was still present in earlier versions of IBM Aspera Faspex.

Here's a simple example of how an attacker could craft such an API call:

POST /faspex_versioned_api_call HTTP/1.1
Host: TARGET_IP
Content-Type: application/x-www-form-urlencoded
Content-Length: XX

yaml_data=<<MALICIOUS_YAML_PAYLOAD>>

In this example, the attacker would replace TARGET_IP with the target system's IP address and <<MALICIOUS_YAML_PAYLOAD>> with a malicious YAML payload that has been crafted to execute arbitrary code on the target system.

Mitigating the Risk

To protect your system against this vulnerability, it's crucial to update IBM Aspera Faspex to version 4.4.2 PL2 or later. This update removes the obsolete API call that is responsible for the vulnerability, thus eliminating the risk of exploitation.

You can find the latest version of the software and the accompanying release notes by visiting the IBM Aspera Faspex product page:

IBM Aspera Faspex Download and Release Notes

Additionally, IBM has provided an official security advisory detailing this vulnerability, which can be found at the following link:

IBM Security Vulnerability Report - CVE-2022-47986

In summary, if you are running IBM Aspera Faspex 4.4.2 PL1 or earlier, it's crucial to update to the latest version to protect your system against potential exploitation via CVE-2022-47986. Additionally, always apply security best practices such as keeping all software up to date and monitoring for new vulnerabilities affecting the technology stack in your environment.

Timeline

Published on: 02/17/2023 16:15:00 UTC
Last modified on: 02/28/2023 14:37:00 UTC