IBM patches "highly dangerous" Maximo Asset Management flaw

Companies in aerospace, nuclear power and pharmaceutics are vulnerable to server-side request forgery attacks

IBM has patched a dangerous flaw found in its Maximo Asset Management software that could allow hackers to send unauthorised requests from corporate systems to scan networks and launch other attacks.

Dubbed vulnerability CVE-2020-4529, the flaw also affects industry-specific versions of IBM Maximo, for sectors including pharmaceuticals, oil and gas, auto manufacturing, aerospace, railways, airports, utilities, and nuclear power plants. It also affects SmartCloud Control Desk, IBM Control Desk and Tivoli Integration Composer.

Found in versions 7.6.0 and 7.6.1 of IBM Maximum Asset Management, the attack involves server-side request forgery (SSRF), according to Positive Technologies experts Arseny Sharoglazov and Andrey Medov, who discovered the flaw. With a CSS score of 7.3, it’s deemed “highly dangerous”.

Advertisement - Article continues below

SSRF is a web security flaw that allows an attacker to induce a server-side application to make HTTP requests to an arbitrary domain the attacker chooses. A typical attack may cause the server to make a connection back to itself, or to external third-party systems.

IBM Maximo is usually accessible from all of a company’s warehouses, located in multiple regions and countries, with users’ access restricted to only what they need. Large companies use IBM’s computerised maintenance management system (CMMS) to run maintenance and repairs in industries that rely heavily on assets.

Advertisement - Article continues below

The vulnerability, however, allows bypassing of this restriction and could, therefore, be exploited by hackers to potentially access all systems, blueprints, documents and accounting information.

“IBM Maximo Asset Management software is used at major critical facilities,” said Sharoglazov. “Any vulnerabilities in it could attract APT groups interested in access to the internal network.

“One example of a low-privileged attacker is a warehouse worker, who remotely connects to the system and enters items into a database. A threat could also come from the warehouse worker's workstation itself, if infected by a virus.”

Advertisement - Article continues below

Employees may sometimes connect to IBM Maximo directly over the internet with weak passwords and no VPN, Sharoglazov added, making an attack easier to perform.

This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network reconnaissance or facilitating other attacks.

Customers are urged to immediately update IBM Maximo Asset Management, as well as associated solutions and products, to the latest versions.

The researchers who discovered the flaw have also urged users to deploy a web application firewall to prevent exploitation of web vulnerabilities in general. This is alongside regular penetration testing, and the mandatory use of certificates or a VPN for access to internal systems.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now

Most Popular

Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020

How to find RAM speed, size and type

24 Jun 2020

Is it time to put Intel Outside?

10 Jul 2020