A vulnerability in IBM Maximo asset management system, discovered by Positive Technologies, was fixed

FRAMINGHAM, MA, UNITED STATES - Oct 1, 2020 - Framingham, MA (October 1, 2020) -- A vulnerability in IBM Maximo Asset Management software was discovered by Positive Technologies experts Andrey Medov and Arseny Sharoglazov. The system is used to run maintenance and repairs in asset-intensive industries including pharmaceuticals, oil and gas, auto manufacturing, aerospace, railways, airports, sea ports, nuclear power plants, and other areas.

The vulnerability CVE-2020-4521, found in versions 7.6.0 and 7.6.1 of the software, is highly dangerous (CVSS score 8.8) and involves insecure deserialization in Java[1]. Remote attackers can use the flaw to execute arbitrary code on the system. To exploit the vulnerability, an authenticated attacker with minimum privileges needs to send a specially crafted illegitimate request.

Co-discoverer Andrey Medov at Positive Technologies explained: “Just like CVE-2020-4529, another fixed IBM Maximo vulnerability, exploitation of CVE-2020-4521 requires low privileges and the access level of a regular operator, such as a warehouse worker who remotely connects to the system and enters items into a database. An attacker sends a specially prepared serialized Java object to the server and because of insecure deserialization mechanism, this object can be recreated on the server from the byte stream and used in an attack. If successful, an attacker can remotely execute code and obtain full control over IBM Maximo and then access corporate and technological networks of the company. Further attack development depends on a specific system configuration and presence of other vulnerabilities.”

The vulnerability also affects industry-specific solutions based on versions 7.6.0 and 7.6.1: Maximo for Aviation, Maximo for Life Sciences, Maximo for Nuclear Power, Maximo for Oil and Gas, Maximo for Transportation, Maximo for Utilities, and products: SmartCloud Control Desk, IBM Control Desk, and Tivoli Integration Composer.

Eliminating the vulnerability requires an update of IBM Maximo Asset Management software as well as related solutions and products to the latest versions, in accordance with the manufacturer's recommendations.

ENDS

About Positive Technologies

For 18 years, Positive Technologies has created innovative solutions for information security. We develop products and services to detect, verify, and neutralize the real-world business risks associated with corporate IT infrastructure. Our technologies are backed by years of research experience and the expertise of world-class cybersecurity experts. Over 2,000 companies in 30 countries trust us to keep them safe. Follow us on social media (LinkedIn, Twitter) and the News section at ptsecurity.com.

[1]Deserialization is the process of restoring the byte stream to the original object.