A new vulnerability, identified as CVE-2024-35114, has been discovered which affects IBM Control Center versions 6.2.1 and 6.3.1. This vulnerability could allow a remote attacker to enumerate usernames due to an observable discrepancy between login attempts. In this post, we'll take a deeper look at this vulnerability, provide a code snippet to demonstrate the issue, and discuss the potential impact and suggested remediations.

Code Snippet

import requests

# Placeholder host; substitute the instance being assessed
url = 'https://TARGET-IBM-CONTROL-CENTER/login-page'
username_list = ['admin', 'user1', 'user2', 'user_not_exists']
password = 'dummy_password'  # deliberately wrong: only the response difference matters

for username in username_list:
    data = {'username': username, 'password': password}
    response = requests.post(url, data=data)
    # The snippet treats an HTTP 200 as the "username exists" signal; the
    # discrepancy may instead appear in the error message body
    if response.status_code == 200:
        print(f"The username {username} exists.")
    else:
        print(f"The username {username} does not exist.")

This snippet uses the Python requests module to send login attempts to IBM Control Center for a list of candidate usernames with a single dummy password. Because the application responds differently for a valid and an invalid username even when the password is wrong, an attacker can observe that difference and enumerate the usernames that exist on the system.

Original References

1. IBM Security Bulletin: https://www.ibm.com/support/pages/node/6354418
2. NVD - CVE-2024-35114: https://nvd.nist.gov/vuln/detail/CVE-2024-35114
3. CVE Details: https://www.cvedetails.com/cve/CVE-2024-35114/

Exploit Details

The vulnerability exists because the application returns different responses when a user attempts to log in with an existing username and an incorrect password than it does for a non-existent username and an incorrect password. An attacker can use this observable discrepancy to enumerate valid usernames.

For example, when an attacker submits login credentials with a non-existent username and an incorrect password, the application may return a specific error message or status code which indicates the username doesn't exist. Conversely, if the username exists, the error message or status code indicates that it's the password which is incorrect. By observing these differences, the attacker can create a list of valid usernames for further attacks.
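The following is an added illustration of the weakness class described above, not code from IBM Control Center or from the bulletin. It models a minimal login check with an in-memory user store, PBKDF2 password hashing and made-up response messages (all assumptions) and shows the leaky pattern next to a hardened version that returns the same status, the same message and does the same hashing work whether or not the username exists. The `responses_distinguishable` helper is a self-check a defender can run against their own login handler.

```python
import hashlib
import hmac
import os
import secrets

# Constructed user store: username -> (salt, PBKDF2-SHA256 hash).
# Iteration count kept modest so the demo runs quickly; production would use more.
_ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def make_user_store(credentials: dict) -> dict:
    """Build the (assumed) user store from plaintext credentials for the demo."""
    store = {}
    for name, pw in credentials.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash_password(pw, salt))
    return store


# A dummy salt/hash pair so that an unknown username still costs one PBKDF2
# evaluation; otherwise the "user not found" path would be measurably faster.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


def login_vulnerable(store, username, password):
    """Leaky pattern: distinct messages reveal whether the account exists."""
    if username not in store:
        return (401, "Unknown username")
    salt, expected = store[username]
    if _hash_password(password, salt) != expected:
        return (401, "Incorrect password")
    return (200, "Login successful")


def login_hardened(store, username, password):
    """Hardened pattern: same status/message and same work for both failure causes."""
    known = username in store
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # Constant-time comparison; the 'known' guard only matters if the dummy
    # hash were ever matched, which the random dummy password rules out.
    ok = hmac.compare_digest(candidate, expected) and known
    if not ok:
        return (401, "Invalid username or password")
    return (200, "Login successful")


def responses_distinguishable(login_fn, store, known_user="admin"):
    """Defender's self-check: does 'known user, wrong password' produce a
    different (status, message) pair than 'unknown user, wrong password'?"""
    wrong = secrets.token_hex(8)
    return login_fn(store, known_user, wrong) != login_fn(store, "no_such_user_" + wrong, wrong)


if __name__ == "__main__":
    users = make_user_store({"admin": "correct horse", "alice": "hunter2"})
    for fn in (login_vulnerable, login_hardened):
        print(fn.__name__, "leaks account existence:", responses_distinguishable(fn, users))
```

Unifying the message and status code removes the signal the advisory describes; equalising the hashing work on both paths closes the related timing channel, which a uniform message alone does not address.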

Potential Impact

Username enumeration creates a security risk for companies using IBM Control Center, as it allows attackers to identify valid usernames. With this information, attackers can perform targeted attacks, such as spear-phishing or brute-force password attacks, on those specific usernames, increasing the odds of a successful security breach.

Remediation

IBM has released a patch to address this vulnerability, and affected users should apply the patch as soon as possible. The patch can be found in the IBM Security Bulletin: https://www.ibm.com/support/pages/node/6354418

In addition to applying the patch, organizations can take further precautionary measures, such as implementing a strong password policy and employing multi-factor authentication, to protect their users.
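Until the patch is deployed, the pattern is also visible in authentication logs: one source producing many failed logins spread across many distinct usernames in a short window, which is what separates enumeration from a typo or from password guessing against a single account. The detection below is an added example, not part of this post or of IBM's product; the log format and the sample lines are constructed for the demo and do not reflect IBM Control Center's actual audit format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format.
# 203.0.113.7 cycles through many usernames with one password: the enumeration pattern.
# 198.51.100.4 mistypes one user's password twice, then succeeds: normal behaviour.
# 192.0.2.9 hammers a single account: password guessing, not enumeration.
SAMPLE_LOG = """\
2025-01-25T14:00:01Z LOGIN_FAILED src=203.0.113.7 user=admin
2025-01-25T14:00:02Z LOGIN_FAILED src=203.0.113.7 user=user1
2025-01-25T14:00:03Z LOGIN_FAILED src=203.0.113.7 user=user2
2025-01-25T14:00:04Z LOGIN_FAILED src=203.0.113.7 user=user_not_exists
2025-01-25T14:00:05Z LOGIN_FAILED src=203.0.113.7 user=operator
2025-01-25T14:00:06Z LOGIN_FAILED src=203.0.113.7 user=svc_transfer
2025-01-25T14:01:10Z LOGIN_FAILED src=198.51.100.4 user=bob
2025-01-25T14:01:20Z LOGIN_FAILED src=198.51.100.4 user=bob
2025-01-25T14:01:30Z LOGIN_OK src=198.51.100.4 user=bob
2025-01-25T14:02:00Z LOGIN_FAILED src=192.0.2.9 user=svc_backup
2025-01-25T14:02:01Z LOGIN_FAILED src=192.0.2.9 user=svc_backup
2025-01-25T14:02:02Z LOGIN_FAILED src=192.0.2.9 user=svc_backup
2025-01-25T14:02:03Z LOGIN_FAILED src=192.0.2.9 user=svc_backup
2025-01-25T14:02:04Z LOGIN_FAILED src=192.0.2.9 user=svc_backup
2025-01-25T14:02:05Z LOGIN_FAILED src=192.0.2.9 user=svc_backup
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_\w+) src=(?P<src>\S+) user=(?P<user>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, event, src, user) tuples; non-matching lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["event"], m["src"], m["user"]


def find_enumeration_sources(text, window=timedelta(minutes=5),
                             min_failures=5, min_distinct_users=4):
    """Return {src: sorted usernames} for sources whose failed logins inside any
    sliding window of length `window` meet both thresholds. The distinct-user
    threshold is what keeps single-account brute force out of the result."""
    failures = defaultdict(list)
    for ts, event, src, user in parse_log(text):
        if event == "LOGIN_FAILED":
            failures[src].append((ts, user))

    flagged = {}
    for src, events in failures.items():
        events.sort()
        for i in range(len(events)):
            users = set()
            count = 0
            for ts, user in events[i:]:
                if ts - events[i][0] > window:
                    break
                count += 1
                users.add(user)
            if count >= min_failures and len(users) >= min_distinct_users:
                flagged[src] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    for src, users in find_enumeration_sources(SAMPLE_LOG).items():
        print(f"{src}: {len(users)} distinct usernames tried: {', '.join(users)}")
```

Thresholds are deliberately parameters: the window and counts that fit a small administrative console differ from those of a large user population, and lowering `min_distinct_users` to 1 turns the same rule into a generic failed-login alert that would also catch the single-account guessing source.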

Conclusion

CVE-2024-35114 is an important vulnerability that should be taken seriously by companies running IBM Control Center 6.2.1 and 6.3.1. Attackers can take advantage of this vulnerability to enumerate usernames, increasing the likelihood of a successful security breach. We strongly advise administrators to update their systems with the released patch and implement additional security best practices, such as strong password policies and multi-factor authentication.

Timeline

Published on: 01/25/2025 14:15:29 UTC