CVE-2019-4061
Published 2019-02-27
Priority P1 · 79 · medium · 5.3 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 22.55% (97.4th percentile)
IBM BigFix Platform 9.2 and 9.5 could allow an attacker to query the relay remotely and gather information about the updates and fixlets deployed to the associated sites due to not enabling authenticated access. IBM X-Force ID: 156869.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ibm | bigfix_platform | — | — |
| ibm | bigfix_platform | — | — |
| ibm | bigfix_platform | 9.2 – 9.2.16 | — |
| ibm | bigfix_platform | 9.5 – 9.5.11 | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated GET requests to the IBM BigFix relay masthead endpoint; a 200 response containing both 'Organization: ' and '-URL: ' in the body indicates a vulnerable, unauthenticated relay.
- Detect unauthenticated GET requests to the BigFix clientregister.exe FetchCommands endpoint; a 200 response containing 'x-bes-command-hasiteversion:' in the body confirms exploitation of the information disclosure vulnerability.
- Use the Shodan query 'port:52311 "BigFixHTTPServer"' to identify exposed IBM BigFix relay servers on the internet that may be vulnerable to unauthenticated enumeration.
- The vulnerability requires no authentication; the exploit targets IBM BigFix Platform versions 9.2 and 9.5 where authenticated access is not enabled on the relay.
- The module retrieves masthead, site, and available package information; detection should account for both the /masthead/masthead.axfm and /cgi-bin/bfenterprise/clientregister.exe endpoints being queried in sequence.
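The two body indicators listed above, applied offline to captured HTTP responses, as an added example that is not code from this page, the Metasploit module or the Nuclei template. It assumes the query string `RequestType=FetchCommands`, the header name `ActionSite-URL` and the line layout `x-bes-command-hasiteversion: <site> <version>`; the sample captures are constructed and a real relay's output will differ in detail.

```python
"""Offline triage of captured HTTP responses for CVE-2019-4061.

Added example; it is not the page's own code nor the Metasploit or Nuclei
check. It applies the two body indicators listed under Detection & IOCs to
responses you already hold (proxy log, scanner export), so nothing here
talks to a relay. The sample bodies are constructed; the FetchCommands
query string, the ActionSite-URL header name and the exact layout of the
site-version lines are assumptions about the real formats.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

MASTHEAD_PATH = "/masthead/masthead.axfm"
FETCH_PATH = "/cgi-bin/bfenterprise/clientregister.exe"
DEFAULT_PORT = 52311  # relay port used by the Shodan query on this page


@dataclass
class Response:
    path: str      # request path, query string included
    status: int
    body: str


def masthead_exposed(r: Response) -> bool:
    """Indicator 1: the masthead was served unauthenticated with both fields present."""
    return r.status == 200 and "Organization: " in r.body and "-URL: " in r.body


def fetchcommands_exposed(r: Response) -> bool:
    """Indicator 2: FetchCommands answered with site-version commands."""
    return r.status == 200 and "x-bes-command-hasiteversion:" in r.body


# Assumed line layout: "x-bes-command-hasiteversion: <site> <version>".
SITE_LINE = re.compile(r"^x-bes-command-hasiteversion:\s*(\S+)\s+(\d+)\s*$", re.I | re.M)


def enumerate_sites(r: Response) -> List[Tuple[str, int]]:
    """Pull (site, version) pairs out of an exposed FetchCommands body."""
    return [(site, int(ver)) for site, ver in SITE_LINE.findall(r.body)]


def assess(responses: List[Response]) -> dict:
    """Summarise a capture: which endpoints leaked and which sites were listed."""
    result = {"masthead": False, "fetchcommands": False, "sites": []}
    for r in responses:
        if r.path.startswith(MASTHEAD_PATH) and masthead_exposed(r):
            result["masthead"] = True
        elif r.path.startswith(FETCH_PATH) and fetchcommands_exposed(r):
            result["fetchcommands"] = True
            result["sites"].extend(enumerate_sites(r))
    # Either endpoint answering unauthenticated is enough to call the relay exposed.
    result["vulnerable"] = result["masthead"] or result["fetchcommands"]
    return result


# Constructed sample capture: a relay without authenticated access enabled.
EXPOSED_RELAY = [
    Response(MASTHEAD_PATH, 200,
             "Organization: Example Corp\r\n"
             "ActionSite-URL: http://bes-root.example.internal:52311/cgi-bin/bfgather.exe/actionsite\r\n"),
    Response(FETCH_PATH + "?RequestType=FetchCommands", 200,
             "x-bes-command-hasiteversion: actionsite 1234\r\n"
             "x-bes-command-hasiteversion: BES_Support 1701\r\n"),
]

# Constructed sample capture: a relay that rejects unauthenticated requests.
LOCKED_RELAY = [
    Response(MASTHEAD_PATH, 401, "Unauthorized"),
    Response(FETCH_PATH + "?RequestType=FetchCommands", 403, "Forbidden"),
]

if __name__ == "__main__":
    for label, capture in (("exposed", EXPOSED_RELAY), ("locked", LOCKED_RELAY)):
        print(label, assess(capture))
```

The status check matters: an error page that happens to echo the request can contain the marker strings, so only a 200 with the markers counts. Treat a hit as a lead to verify against the relay's authenticated-access setting, not as proof of compromise by itself.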
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | v3.0 | 5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | — | 5.3 | MEDIUM | — |
GHSA
GHSA-wr9c-mhm3-3p93: IBM BigFix Platform 9
ghsa_unreviewed · 2022-05-13 · CWE-200 · MEDIUM
VulnCheck
IBM bigfix_platform Exposure of Sensitive Information to an Unauthorized Actor
vulncheck · 2019 · CVSS 5.3 · MEDIUM
Affected: IBM bigfix_platform
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-04-08&host_type=src&vulnerability=cve-2019-4061; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-04-15&host_type=src&vulnerability=cve-2019-4061; https:
No detection rules found.
Metasploit
IBM BigFix Relay Server Sites and Package Enum (auxiliary/gather/ibm_bigfix_sites_packages_enum)
This module retrieves masthead, site, and available package information from IBM BigFix Relay Servers.
Nuclei
IBM BigFix Platform - Information Disclosure
nuclei · CVSS 5.3 · MEDIUM
IBM BigFix Platform 9.2 and 9.5 contain an information disclosure vulnerability caused by authenticated access not being enabled on the relay, letting remote attackers query the relay and gather update and fixlet information; exploitation requires no authentication.
Template:
```yaml
id: CVE-2019-4061

info:
  name: IBM BigFix Platform - Information Disclosure
  author: daffainfo
  severity: medium
  description: |
    IBM BigFix Platform 9.2 and 9.5 contains an information disclosure vulnerability caused by not enabling authenticated access in relay, letting remote attackers query and gather update and fixlet information, exploit requires no authentication.
  impact: |
    Attackers can remotely gather sensitive update and fixlet deployment information, potentially aiding targeted attacks.
```
No writeups or analysis indexed.
References
- http://www.ibm.com/support/docview.wss?uid=ibm10870242
- http://www.rapid7.com/db/modules/auxiliary/gather/ibm_bigfix_sites_packages_enum
- http://www.securityfocus.com/bid/107189
- https://exchange.xforce.ibmcloud.com/vulnerabilities/156869