A vulnerability in IBM Maximo discovered by Positive Technologies was fixed

A vulnerability in IBM Maximo Asset Management software¹ discovered by Positive Technologies experts Arseny Sharoglazov and Andrey Medov enables attackers to breach internal enterprise networks more easily. Large companies use IBM's computerized maintenance management system (CMMS) to run maintenance and repairs in asset-intensive industries including pharmaceuticals, oil and gas, auto manufacturing, aerospace, railways, airports, utilities, and nuclear power plants.

The vulnerability CVE-2020-4529, found in versions 7.6.0 and 7.6.1 of IBM Maximo Asset Management software, is highly dangerous (CVSS score 7.3) and involves server-side request forgery (SSRF). With it, a logged-in attacker with low privileges can send an illegitimate request from the system in order to scan the network or develop other attacks.

Co-discoverer Arseny Sharoglazov explained: "IBM Maximo Asset Management software is used at major critical facilities. Any vulnerabilities in it could attract APT groups interested in access to the internal network. One example of a low-privileged attacker is a warehouse worker, who remotely connects to the system and enters items into a database. A threat could also come from the warehouse worker's workstation itself, if infected by a virus.

"IBM Maximo web interfaces are usually accessible from all of a company's warehouses, which could be located in multiple regions or countries. So if our 'warehouse worker' or equivalent connects through a properly configured VPN, that person's access within the corporate network is restricted to what they need, from that particular system and email, for example. But the vulnerability we found allows bypassing this restriction and interacting with other systems, on which an attacker could try for remote code execution (RCE) and potentially access all systems, blueprints, documents, accounting information, and ICS process networks. Sometimes employees connect to IBM Maximo directly over the Internet with weak passwords and no VPN, making an attack easier to perform."

The vulnerability also affects industry-specific solutions: Maximo for Aviation, Maximo for Life Sciences, Maximo for Nuclear Power, Maximo for Oil and Gas, Maximo for Transportation, and Maximo for Utilities, plus SmartCloud Control Desk, IBM Control Desk, and Tivoli Integration Composer.

Eliminating the vulnerability requires updating IBM Maximo Asset Management software, as well as the related solutions and products listed above, to the latest versions. Positive Technologies experts urge deployment of a web application firewall (such as PT Application Firewall) to prevent exploitation of web vulnerabilities, combined with regular penetration testing and mandatory use of certificates or a VPN for access to internal systems. Automated vulnerability and compliance management solutions such as MaxPatrol 8 can find web vulnerabilities across the infrastructure.
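The SSRF described above works because the application server fetches a URL chosen by a low-privileged user and can therefore reach internal hosts that user's VPN policy would block. The egress check below is an added example written for this page, not code from IBM Maximo or Positive Technologies; it assumes an application that fetches user-supplied URLs server-side, and the hostnames and DNS records in it are constructed for offline use.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Destinations a user-supplied URL must never reach from the application server:
# loopback, RFC 1918 and CGNAT ranges, link-local (incl. cloud metadata), IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]
# Constructed DNS records for the offline demonstration; a real deployment
# uses system_resolver below.
CONSTRUCTED_DNS = {
    "vendor.example.com": ["203.0.113.10"],
    "cmms-db.example.internal": ["10.20.30.40"],
    "rebind.example.com": ["203.0.113.11", "192.168.1.5"],
}

def constructed_resolver(host):
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"no constructed record for {host}")
    return CONSTRUCTED_DNS[host]

def system_resolver(host):
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def check_egress_url(url, resolver=system_resolver):
    """Return (allowed, reason); every resolved address must be outside the blocked ranges."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    try:
        addrs = [ipaddress.ip_address(host)]      # literal IP, no DNS needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"resolution failed: {exc}"
    for addr in addrs:
        if addr.is_multicast or any(addr in net for net in BLOCKED_NETWORKS):
            return False, f"{host} resolves to blocked address {addr}"
    # Connect to one of `addrs`, not to a re-resolved name, to avoid DNS rebinding.
    return True, "ok"
```

A name that resolves to both a public and a private address is rejected outright, since an attacker-controlled record can otherwise swap the answer between the check and the connection.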

  1. Enterprise Asset Management (EAM) enables companies in diverse industries to view, manage, and analyze their physical assets. The main purpose of this class of software is to monitor and measure asset productivity for optimization of processes and maintenance expenses. IDC MarketScape and Gartner Magic Quadrant rate IBM as the world leader on the EAM market.