Email
Password
Remember meForgot password?
    Log in with Twitter

article imageVulnerability discovered in IBM Maximo software

By Tim Sandle     Jun 24, 2020 in Technology
Positive Technologies experts have discovered a vulnerability in IBM’s Maximo Asset Management software. The weakness could have had serious implications for a range of different businesses, including major corporations.
IBM Maximo is an enterprise asset management software solution. The software offers services including purchasing, inventory, management of locations, service desk, and work planning. The solution allows users to create, modify, print and track work orders, and build work order hierarchies.
The vulnerability is termed CVE-2020-4529 and it has been found in versions 7.6.0 and 7.6.1 of IBM Maximo Asset Management software. According to Positive Technologies, the vulnerability is highly dangerous, gaining a CVSS score of 7.3. A CVSS score refers to the Common Vulnerability Scoring System, which is a framework for rating the severity of security vulnerabilities in software. A base score of 7.0-10.0 is classed as a "High" severity. There are four vulnerabilities upon which the score is based: Physical, Social, Economic, and Attitudinal.
The key vulnerability involved server-side request forgery (SSRF). With it, a logged-in attacker with low privileges could have sent an illegitimate request from the system in order to scan the network or develop other attacks.
The types of industries that were threatened included pharmaceuticals, oil and gas, auto manufacturing, aerospace, railways, airports, utilities, and nuclear power plants. Maximo product is used by 10 of the top 13 pharmaceutical companies, 16 of the top 24 automotive companies and 14 of the top 20 power generation companies.
In terms of the impact, co-discoverer of the vulnerability Arseny Sharoglazov Of Positive Technologies) explains: "IBM Maximo Asset Management software is used at major critical facilities. Any vulnerabilities in it could attract APT groups interested in access to the internal network. One example of a low-privileged attacker is a warehouse worker, who remotely connects to the system and enters items into a database. A threat could also come from the warehouse worker's workstation itself, if infected by a virus."
IBM has corrected the error and has issued a patch to all users. The patch will prevent hackers from sending unauthorized requests from corporate systems to scan networks and launch other attacks.
More about IBM Maximo, Software, Ibm, Cybersecurity, Positive Technologies
 
Latest News
Top News