CVE-2020-4917: IBM Cloud Pak (CSRF)
Virsec Security Research Lab Vulnerability Analysis
The Virsec Security Research Lab provides timely, relevant analysis about recent and notable security vulnerabilities.
1.1 Vulnerability Summary
IBM Cloud Pak System is vulnerable to cross-site request forgery (CSRF), which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. The forged request rides on the victim's existing authenticated session, so the attacker never needs the victim's credentials.
1.2 CVSS Score
The CVSS v3.1 base score of this vulnerability is 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. No privileges are required (PR:N), but user interaction is required (UI:R): the victim must be induced to load attacker-controlled content while holding an authenticated session.
1.3 Affected Version
IBM Cloud Pak System 2.3
1.4 Vulnerability Attribution
This vulnerability has not been publicly attributed to a researcher or reporter. Lack of attribution alone does not indicate whether it is being exploited in the wild.
1.5 Risk Impact
IBM Cloud® Paks are AI-powered software for hybrid cloud that can help you fully implement intelligent workflows in your business to accelerate digital transformation. IBM Cloud Paks tap into the power of IBM Watson® to apply AI to your business to predict and shape future outcomes, automate complex processes, optimize your employees' time, and create more meaningful and secure customer experiences. Because they are built on Red Hat® OpenShift®, you can develop applications once and deploy them anywhere on any cloud. In addition, you can integrate security across the breadth of your IT estate and automate your operations with management visibility. IBM Cloud Paks have a common foundation of enterprise components that accelerate development, deliver seamless integration, and help enhance collaboration and efficiency.
In a successful CSRF attack, the attacker causes the victim user to carry out an action unintentionally. For example, this might be to change the email address on their account, to change their password, or to make a funds transfer. Depending on the nature of the action, the attacker might be able to gain full control over the user's account. If the compromised user has a privileged role within the application, then the attacker might be able to take full control of all the application's data and functionality.
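The following is an added illustration, not code from the original report or from IBM: a minimal model of how the cross-site request described above is accepted by a handler that authenticates on the session cookie alone, and how the same request is rejected once the handler checks the request's Origin header and a per-session synchronizer token. The host names (cloudpak.example, evil.example), the endpoint path /admin/users, the cookie name and the form fields are constructed for the example and do not describe the actual vulnerable endpoint in IBM Cloud Pak System.

```python
"""Model of a CSRF attack and the server-side checks that stop it (added example)."""
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import urlparse

APP_ORIGIN = "https://cloudpak.example"  # constructed, not IBM's real host

# Constructed sample of the attacker's lure page, hosted on evil.example. It auto-submits
# a cross-site POST; the victim's browser attaches the session cookie automatically.
ATTACKER_PAGE = """
<form id="f" action="https://cloudpak.example/admin/users" method="POST">
  <input type="hidden" name="action" value="add">
  <input type="hidden" name="user" value="attacker">
  <input type="hidden" name="role" value="administrator">
</form>
<script>document.getElementById('f').submit();</script>
"""


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    cookies: dict
    form: dict


SESSIONS = {}  # session id -> {"user": ..., "csrf": per-session token}


def login(user):
    """Create a session and mint a random synchronizer token bound to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def vulnerable_handler(req):
    """Authenticates on the session cookie alone: a forged cross-site POST that
    carries the victim's cookie is indistinguishable from a legitimate one."""
    sess = SESSIONS.get(req.cookies.get("JSESSIONID"))
    if req.method != "POST" or sess is None:
        return 401
    return 200  # state-changing action performed


def hardened_handler(req):
    """Same endpoint with two independent CSRF checks."""
    sess = SESSIONS.get(req.cookies.get("JSESSIONID"))
    if req.method != "POST" or sess is None:
        return 401
    # Check 1: Origin (Referer as fallback) must be the application's own origin.
    # Browsers set Origin on cross-site POSTs and scripts cannot override it.
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if source is None:
        return 403
    parsed = urlparse(source)
    if f"{parsed.scheme}://{parsed.netloc}" != APP_ORIGIN:
        return 403
    # Check 2: the form must carry the per-session token, compared in constant time.
    # The attacker's page cannot read this token across origins.
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403
    return 200


def simulate():
    """Run the forged request and a legitimate one through both handlers."""
    sid = login("admin")
    cookies = {"JSESSIONID": sid}
    forged = Request("POST", "/admin/users",
                     headers={"Origin": "https://evil.example"},
                     cookies=cookies,
                     form={"action": "add", "user": "attacker", "role": "administrator"})
    # Forged request that spoofs nothing but happens to omit Origin (e.g. stripped by a proxy):
    forged_no_origin = Request("POST", "/admin/users", headers={}, cookies=cookies,
                               form={"action": "add", "user": "attacker"})
    legit = Request("POST", "/admin/users",
                    headers={"Origin": APP_ORIGIN},
                    cookies=cookies,
                    form={"action": "add", "user": "alice", "role": "user",
                          "csrf_token": SESSIONS[sid]["csrf"]})
    return {
        "vulnerable_forged": vulnerable_handler(forged),   # 200: attack succeeds
        "hardened_forged": hardened_handler(forged),       # 403: wrong Origin
        "hardened_no_origin": hardened_handler(forged_no_origin),  # 403: no token
        "hardened_legit": hardened_handler(legit),         # 200: same-origin with token
    }


if __name__ == "__main__":
    print(simulate())
```

Either check alone defeats the lure page above; using both covers the case where a proxy strips Origin and Referer. Setting the session cookie with the SameSite=Lax or Strict attribute is a complementary browser-side defence, since the cookie would then not be attached to the cross-site POST at all.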
No public exploit or proof of concept for this vulnerability is currently available.
1.6 Virsec Security Platform (VSP) Support:
VSP-Web can protect against CSRF attacks. VSP-Host monitors spawned processes that are not part of the set of whitelisted processes; any attempt to execute a new command or an unknown binary would be denied by VSP-Host's Process Monitoring capability.
1.7 Reference Links: