IBM Security Verify Access Appliance 10.0.0 through 10.0.8 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request.
An attacker sends a specially crafted network request to the IBM Security Verify Access Appliance device. The application does not properly sanitize input data passed to the system command interpreter (CWE-78), which allows injection and execution of arbitrary commands in the context of the device's operating system. The attack does not require user interaction or special privileges beyond having a valid account.
An attacker can gain full control over the device, including stealing sensitive data, modifying identity system configuration, or completely disabling the authentication service, which may affect access to all resources protected by IBM Security Verify Access.
Patches available from the vendor should be applied according to the references (https://www.ibm.com/support/pages/node/7177447). Until the update is applied, it is recommended to restrict network access to the device management interface to trusted hosts only and monitor logs for unexpected requests.
IBM Security Verify Access Appliance in versions 10.0.0 through 10.0.8 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HIBM Security Verify Access
APPIbm10.0.0 – 10.0.8
Related vulnerabilities
Privilege escalation do root w IBM Security Verify Access i Verify Identity Access
IBM Security Verify Access — privilege escalation do root przez nadmiarowe uprawnienia
IBM Security Verify Access — zakodowane na stałe poświadczenia (hard-coded credentials)
IBM Security Verify Access — zakodowane na stałe poświadczenia (hard-coded credentials)
IBM Security Verify Access 10.0.0.0, 10.0.1.0 and 10.0.2.0 with the advanced access control authentication ser...