cbcvebase.
CVE-2019-4061
published 2019-02-27

Priority: P179 · CVSS 3.1: 5.3 (medium)
Vector components: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 22.55% (97.4th percentile)
IBM BigFix Platform 9.2 and 9.5 could allow an attacker to query the relay remotely and gather information about the updates and fixlets deployed to the associated sites due to not enabling authenticated access. IBM X-Force ID: 156869.

Affected (4 ranges)

Vendor   Product           Version range    Fixed in
ibm      bigfix_platform   (not stated)     (not stated)
ibm      bigfix_platform   (not stated)     (not stated)
ibm      bigfix_platform   9.2 – 9.2.16     (not stated)
ibm      bigfix_platform   9.5 – 9.5.11     (not stated)

Detection & IOCs (extracted from sources)

url: /masthead/masthead.axfm
url: /cgi-bin/bfenterprise/clientregister.exe?RequestType=FetchCommands
port: 52311
  • Detect unauthenticated GET requests to the IBM BigFix relay masthead endpoint; a 200 response containing both 'Organization: ' and '-URL: ' in the body indicates a vulnerable, unauthenticated relay.
  • Detect unauthenticated GET requests to the BigFix clientregister.exe FetchCommands endpoint; a 200 response containing 'x-bes-command-hasiteversion:' in the body confirms exploitation of the information disclosure vulnerability.
  • Use Shodan query 'port:52311 "BigFixHTTPServer"' to identify exposed IBM BigFix Relay Servers on the internet that may be vulnerable to unauthenticated enumeration.
  • The vulnerability requires no authentication; the exploit targets IBM BigFix Platform versions 9.2 and 9.5 where authenticated access is not enabled on the relay.
  • The module retrieves masthead, site, and available package information; detection should account for both the /masthead/masthead.axfm and /cgi-bin/bfenterprise/clientregister.exe endpoints being queried in sequence.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      5.3     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd         v3.0      5.3     MEDIUM     CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd         v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck   (n/a)     5.3     MEDIUM     (not stated)