F-Secure consultant discovers serious software flaws in IBM API Connect
An F-Secure security consultant has found a pair of severe zero-day exploits in software used by banks. Attackers able to successfully exploit the two vulnerabilities can gain root-level privileges to their targets and execute unauthorized commands, making it important for organizations to install the updates as soon as possible.
F-Secure Security Consultant William Söderberg discovered the vulnerabilities. Both flaws are in IBM API Connect, a product used by many financial institutions to support Open Banking Services mandated by PSD2 (a European law governing payment systems) regulations.
“It’s hard to describe the impact because the product can be used and implemented in many different ways. But the flaws could allow an attacker to gain unauthorized access to API credentials, which in turn are used to access the APIs. An attacker could also possibly cause service disruptions and establish an initial foothold on client’s internal networks,” explains William.
The first vulnerability (CVE-2019-4203) is classified as a Server-Side Request Forgery (SSRF) attack. If exploited successfully, an attacker could “trick” the portal to issue requests on their behalf. Attackers then receive the responses. Using this, an attacker can read sensitive files from the Developer Portal or attempt to move from the portal server to other systems in the same network.
The second vulnerability (CVE-2019-4202) is classified as a remote code execution (RCE) vulnerability. It’s located in the Developer Portal’s REST API. Organizations typically block the REST API from the open internet (for example, by using a firewall). But by exploiting the SSRF vulnerability mentioned earlier, an attacker can reach the vulnerable REST API from the internet. By successfully exploiting both vulnerabilities, an attacker could remotely execute commands with root privileges on the affected system.
Fortunately, there is one thing that can help mitigate the potential damage.
“However, there is one caveat for an attacker,” explains William. “Clients can configure their Development Portal to not permit insecure TLS connections. This would mitigate that the RCE would be exploitable from the Internet.”
IBM was quick to address the issues, and have already made a fix available. F-Secure recommends updating the software immediately due to the severity of the vulnerabilities, as well as the fact that an attacker can exploit the vulnerabilities.
IBM has published security bulletins for both vulnerabilities (CVE-2019-4202 and CVE-2019-4203) on their website.
Categories