The vulnerability in IBM Maximo Asset Management software was discovered by Positive Technologies experts Andrey Medov and Arseny Sharoglazov. The system is used to run maintenance and repairs in asset-intensive industries including pharmaceuticals, oil and gas, auto manufacturing, aerospace, railways, airports, sea ports, nuclear power plants, and other areas.
The vulnerability CVE-2020-4521, found in versions 7.6.0 and 7.6.1 of the software, is rated high severity (CVSS score 8.8) and involves insecure deserialization¹ in Java. Remote attackers can use the flaw to execute arbitrary code on the system. To exploit the vulnerability, an authenticated attacker with minimal privileges only needs to send a specially crafted request.
Co-discoverer Andrey Medov at Positive Technologies explained: "Just like CVE-2020-4529, another fixed IBM Maximo vulnerability, exploitation of CVE-2020-4521 requires low privileges and the access level of a regular operator, such as a warehouse worker who remotely connects to the system and enters items into a database. An attacker sends a specially prepared serialized Java object to the server and, because of the insecure deserialization mechanism, this object can be recreated on the server from the byte stream and used in an attack. If successful, an attacker can remotely execute code and obtain full control over IBM Maximo and then access the corporate and technological networks of the company. Further attack development depends on the specific system configuration and the presence of other vulnerabilities."
The vulnerability also affects industry-specific solutions based on versions 7.6.0 and 7.6.1: Maximo for Aviation, Maximo for Life Sciences, Maximo for Nuclear Power, Maximo for Oil and Gas, Maximo for Transportation, Maximo for Utilities, and products: SmartCloud Control Desk, IBM Control Desk, and Tivoli Integration Composer.
Eliminating the vulnerability requires an update of IBM Maximo Asset Management software as well as related solutions and products to the latest versions, in accordance with the manufacturer's recommendations.
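The mechanism quoted above (a serialized Java object is sent to the server and recreated from the byte stream) is easiest to see next to the control that blocks it. The following is an added illustration, not IBM Maximo code and not part of the Positive Technologies research: it contrasts an unfiltered `ObjectInputStream.readObject()` with one that carries an allowlist `ObjectInputFilter` (JEP 290, available in the Java 9+ API shown). The classes `Order` and `Note` are hypothetical stand-ins constructed for the demo; `Note` simply represents any type the endpoint never asked to receive.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example (not IBM's code): allowlist-based deserialization filtering.
public class DeserializationFilterDemo {

    // Hypothetical: the one type this endpoint legitimately expects from a client.
    public static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String item;
        final int qty;
        Order(String item, int qty) { this.item = item; this.qty = qty; }
    }

    // Hypothetical: any other Serializable type the endpoint did not ask for.
    public static final class Note implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Note(String text) { this.text = text; }
    }

    // Produces the byte stream a client would send (constructed locally for the demo).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: whatever class the byte stream names is instantiated,
    // so the sender, not the server, decides which code runs during readObject().
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: only Order (plus String) may be reconstructed, nesting is
    // bounded by maxdepth, and the trailing "!*" rejects every other class before
    // its field data is processed. Rejection surfaces as InvalidClassException.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        String pattern = Order.class.getName() + ";java.lang.String;maxdepth=5;!*";
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Order("bearing", 4));
        byte[] unexpected = serialize(new Note("not an Order"));

        // Without a filter the unexpected type is happily instantiated.
        System.out.println("unfiltered, unexpected type: "
                + readUnfiltered(unexpected).getClass().getName());

        // With the filter the expected type still works...
        Order o = (Order) readFiltered(expected);
        System.out.println("filtered, expected type: " + o.item + " x" + o.qty);

        // ...and anything else is refused before it is built.
        try {
            readFiltered(unexpected);
            System.out.println("filtered, unexpected type: accepted (filter misconfigured)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected type: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The per-stream filter shown here is the narrowest control; the same pattern syntax can be applied process-wide with the `jdk.serialFilter` system property, which is the practical option when the deserializing code lives inside a vendor product you cannot modify. Neither replaces the vendor update the article recommends, since a filter only limits which classes a crafted stream can name and does nothing for an endpoint whose allowlisted types are themselves exploitable.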
¹ Deserialization is the process of restoring a byte stream to the original object.