Issue 80: API vulnerabilities IBM DRM and Cisco USC ☎️

Pedro Ribeiro found a bunch of security vulnerabilities in IBM Data Risk Manager (IDRM). This is a control center that helps to locate, analyze, and visualize data-related business risks, so something you would like to be risk-free in itself.

For some internal process reason, IBM refused to accept Ribeiro’s report so the information got published online and the exploit details are now publicly available. To IBM’s credit, they did release a patch within hours. of this happening.

Ribeiro found several critical vulnerabilities in IDRM:

• Authentication bypass:
  • Lack of input validation and a logic flaw allowed  GET /albatross/saml/idpSelection?id=SOMETHING&userName=admin to associate arbitrary session ID with any existing user without any authentication checks.
  • POST /albatross/user/login accepted username and session ID as parameters, and if the user existed and the session ID was associated with the record, the API returned a newly generated random password for that username.
  • Combined, these flaws allowed attackers to take over any existing account, including administrator accounts.
• Command Injection:
  • /albatross/restAPI/v2/nmap/run/scan allowed to execute nmap scans, including executing script files.
  • POST /albatross/upload/patch allowed arbitrary file uploads.
  • Both of these required authentication as an administrator, but combined with the authentication bypass vulnerability, that was not a problem.
• Insecure default password:
  • This one is not REST API-related, but the virtual appliance had hardcoded SSH credentials. However, combined with the two previous API vulnerabilities, this allowed remote code execution as root.
• Arbitrary file download:
  • POST /albatross/eurekaservice/fetchLogFiles did not properly validate the parameter logFileNameList, so by moving up the directory with ..\ attackers could download any file from the server.

All in all, pretty serious stuff.

Cisco has patched a lot of REST API vulnerabilities in their Unified Computing System (UCS) products UCS Director and UCS Director Express for Big Data.

Most issues were caused by insufficient validation of user-supplied input. As result, the patched vulnerabilities included, to list but a few:

• Unauthorized administrative access
• Directory traversal
• Remote code execution
• Authentication bypass
• Denial-of-service (DoS) attacks

To make matters worse, Cisco UCS architecture is integrated in the Epic EHR. There might be potential breaches lurking in the healthcare sector if the institutions don’t patch their systems quickly enough.

APIs need to be designed with zero trust approach in mind. All inputs need to be thoroughly defined and validated.

We have covered previous API security issues in Cisco products in our newsletters 30, 42, 43, 46, 47, 51, 55, 65, and 69.

Learning from others’ mistakes is the best way to learn about security.

On April 30, Isabelle Mauny is hosting a webinar that covers four recent high-profile API security breaches in detail. She will dissect each vulnerability, how and why it happened, and what you can do to prevent similar exploits on your APIs.

If you ever wanted real-life examples on API security dos and don’ts, now is your chance.

Conferences are all going virtual (at least the ones not getting indefinitely rescheduled or canceled).

Industrial IoT World 2020 will be taking place online June 30—July 1, and includes a variety of IoT topics, including security.

You can find the conference agenda here. Registration is free until June 8.