IBM Maximo is an enterprise asset management software solution. The software offers services including purchasing, inventory, management of locations, service desk, and work planning. The solution allows users to create, modify, print and track work orders, and build work order hierarchies.
The vulnerability is tracked as CVE-2020-4529 and affects versions 7.6.0 and 7.6.1 of IBM Maximo Asset Management. Positive Technologies rates it as highly dangerous, with a CVSS score of 7.3. CVSS, the Common Vulnerability Scoring System, is the industry framework for rating the severity of software vulnerabilities; under CVSS v3 a base score of 7.0 to 8.9 is classed as "High" (9.0 and above is "Critical"). The base score is not a single judgement but is computed from eight metrics: four that describe how exploitable the flaw is (Attack Vector, Attack Complexity, Privileges Required, User Interaction), one that records whether the exploited component can affect resources outside its own security scope (Scope), and three that describe the impact on Confidentiality, Integrity and Availability.
The vulnerability is a server-side request forgery (SSRF). A logged-in attacker with low privileges could make the Maximo server issue requests of the attacker's choosing; because those requests originate from the server, inside the corporate network, they reach hosts and services that the attacker could not address directly, and can be used to enumerate the internal network (port and service scanning) or as a stepping stone for further attacks.
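The pattern behind an SSRF bug, and the checks that close it, are easier to see in code than in prose. The following is an added example written for this article; it is not Maximo code and says nothing about where the flaw sat in Maximo. The allow-listed host names, the resolver table and the probe URLs are all constructed so that the demo runs offline.

```python
"""Server-side request forgery: the vulnerable fetch pattern and a hardened
replacement.  Added illustrative example for this article; not IBM Maximo
code.  Host names, DNS answers and probe URLs below are constructed."""
import ipaddress
import socket
from urllib.parse import urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener, urlopen

# Constructed allow-list: the only hosts this server is meant to fetch from.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}


def fetch_unsafe(url: str, timeout: float = 5.0) -> bytes:
    """The vulnerable pattern: a user-controlled URL becomes a server-side request.

    An authenticated, low-privileged user can supply http://10.0.0.5:8080/ and
    read the body (or time the error), turning the server into a scanner and
    proxy into the internal network."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read()


def resolve_all(host: str) -> set:
    """Every address the host resolves to (A and AAAA).  Resolving first means
    odd literals such as 0x7f000001 or 2130706433 are judged by the address
    they actually denote, not by their spelling."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos}


def is_public_address(ip) -> bool:
    """Reject loopback, RFC 1918, link-local (incl. 169.254.169.254 cloud
    metadata), carrier NAT, reserved, unspecified and multicast addresses."""
    return ip.is_global and not ip.is_multicast


def validate_outbound_url(url: str, allowed_hosts=ALLOWED_HOSTS, resolver=resolve_all) -> set:
    """Raise ValueError unless the URL is safe for the server to fetch.
    Returns the resolved addresses so a caller can pin the connection to them."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    if parsed.username is not None or parsed.password is not None:
        # Blocks https://api.example.com@10.0.0.5/ where the real host is 10.0.0.5.
        raise ValueError("userinfo in URL not allowed")
    host = parsed.hostname
    if not host:
        raise ValueError("missing host")
    if host not in allowed_hosts:
        raise ValueError(f"host not in allow-list: {host!r}")
    addrs = resolver(host)
    if not addrs:
        raise ValueError(f"host did not resolve: {host!r}")
    internal = sorted(str(ip) for ip in addrs if not is_public_address(ip))
    if internal:
        raise ValueError(f"{host!r} resolves to non-public address(es): {internal}")
    return addrs


class _NoRedirect(HTTPRedirectHandler):
    """Refuse 3xx responses: an allowed host redirecting to http://127.0.0.1/
    would otherwise bypass every check in validate_outbound_url."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx instead of following it


def fetch_safe(url: str, timeout: float = 5.0, resolver=resolve_all) -> bytes:
    """Hardened fetch: validate, then request without following redirects."""
    validate_outbound_url(url, resolver=resolver)
    opener = build_opener(_NoRedirect())
    with opener.open(Request(url), timeout=timeout) as resp:
        return resp.read()


def check_url(url: str, resolver=resolve_all) -> str:
    """'allowed' or 'blocked: <reason>' for a candidate URL; makes no request."""
    try:
        validate_outbound_url(url, resolver=resolver)
        return "allowed"
    except ValueError as exc:
        return f"blocked: {exc}"


# Constructed DNS table so the demo runs offline.  cdn.example.com models a
# DNS-rebinding style answer that mixes a public address with loopback.
FAKE_DNS = {
    "api.example.com": {ipaddress.ip_address("93.184.216.34")},
    "cdn.example.com": {ipaddress.ip_address("93.184.216.34"), ipaddress.ip_address("127.0.0.1")},
}


def fake_resolver(host: str) -> set:
    return FAKE_DNS.get(host, set())


# Constructed URLs of the kind an SSRF probe feeds to a server-side fetch.
PROBES = [
    "https://api.example.com/assets?id=42",
    "http://10.0.0.5:8080/",
    "http://169.254.169.254/latest/meta-data/",
    "https://api.example.com@10.0.0.5/",
    "file:///etc/passwd",
    "https://cdn.example.com/x.js",
]

if __name__ == "__main__":
    for probe in PROBES:
        print(f"{probe:45} -> {check_url(probe, resolver=fake_resolver)}")
```

Two points matter beyond the obvious allow-list. First, the check resolves the name and inspects every returned address, so a name that points at an internal address, or at a mix of public and internal addresses, is rejected rather than trusted on its spelling; in production the connection should also be pinned to the address that was checked, since a second lookup at connect time is a classic time-of-check/time-of-use gap. Second, redirects are refused, because an SSRF filter that follows a 302 from an allowed host has not filtered anything.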
The industries exposed include pharmaceuticals, oil and gas, automotive manufacturing, aerospace, railways, airports, utilities, and nuclear power plants. Maximo is used by 10 of the top 13 pharmaceutical companies, 16 of the top 24 automotive companies and 14 of the top 20 power generation companies.
On the impact, Arseny Sharoglazov of Positive Technologies, who co-discovered the vulnerability, explains: “IBM Maximo Asset Management software is used at major critical facilities. Any vulnerabilities in it could attract APT groups interested in access to the internal network. One example of a low-privileged attacker is a warehouse worker, who remotely connects to the system and enters items into a database. A threat could also come from the warehouse worker’s workstation itself, if infected by a virus.”
IBM has fixed the flaw and issued a patch to all users. Once applied, the patch prevents attackers from using Maximo to send unauthorized requests from corporate systems to scan networks and launch other attacks.