CVE-2019-4716
published 2019-12-18

CVE-2019-4716: IBM Planning Analytics 2.0.0 through 2.0.8 is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute…

Priority: P1 · 95 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 86.44% (99.7th percentile)
IBM Planning Analytics 2.0.0 through 2.0.8 is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting. IBM X-Force ID: 172094.

Affected (3 ranges)

Vendor  Product             Version range  Fixed in
ibm     planning_analytics
ibm     planning_analytics
ibm     planning_analytics  2.0 – 2.0.8

Detection & IOCs (extracted from sources)

port: 5498
port: 5495
filename: tm1s_delta.cfg
other: IntegratedSecurityMode=CAM
  • Detect exploitation attempts by monitoring for unauthenticated writes to 'tm1s_delta.cfg' on TM1/Planning Analytics servers, which is the configuration file overwritten to change the authentication method to CAM.
  • Monitor TM1 admin server ports 5498 (SSL) and 5495 (non-SSL) for unauthenticated connections querying available applications, which is the first step of the exploit chain.
  • Detect fake CAM authentication by monitoring for inbound SOAP requests containing the SOAPAction header value 'http://developer.cognos.com/schemas/contentManagerService/1' originating from the TM1 server itself (callback to attacker-controlled CAM endpoint).
  • Use the Shodan query 'title:"Arc for TM1"' to identify exposed IBM Planning Analytics instances potentially vulnerable to CVE-2019-4716.
  • Detect vulnerable versions by extracting the version string from the web UI body using the pattern 'var appVersion = "([0-9.]+)";' and flagging versions >= 2.0.0 and <= 2.0.8.
  • Alert on TM1 binary protocol messages of type 0x01AE (upd_central / MSG_TYPES[:upd_central]) sent unauthenticated, as this is the packet type used to overwrite the server configuration.
  • The exploit requires SRVHOST to be a routable IP reachable by the target TM1 server, as the server must call back to the attacker's fake CAM HTTP endpoint. Exploitation will fail if SRVHOST is 0.0.0.0.
  • The exploit disables CAM SSL (CAMUseSSL=F) in the injected configuration to avoid needing to import a certificate, meaning the fake CAM server communicates over plain HTTP.
  • The module sets WfsDelay to 30 seconds to give the target sufficient time to download the payload; shorter delays may cause the exploit to fail.
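The version check from the detection notes above, as an added example written for this page (it is not code from the CVE record's sources, IBM, or any scanner); the host names and page bodies are constructed, and the decision to flag 2.0.8.x builds is this example's own conservative choice:

```python
import re
from typing import Dict, Optional, Tuple

# Pattern quoted in the detection notes above, applied to the web UI body.
APP_VERSION_RE = re.compile(r'var appVersion = "([0-9.]+)";')
# Affected range stated on this page: 2.0.0 through 2.0.8 (inclusive).
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 0, 8)


def parse_version(body: str) -> Optional[Tuple[int, ...]]:
    """Extract appVersion from a page body as an int tuple; None if absent or malformed."""
    m = APP_VERSION_RE.search(body)
    if m is None:
        return None
    parts = m.group(1).strip(".").split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_affected(version: Tuple[int, ...]) -> bool:
    """True when major.minor.patch falls within 2.0.0..2.0.8.

    Compares numerically (2.0.10 is newer than 2.0.8, unlike a string compare),
    treats missing components as 0, and ignores any fourth component, so a
    2.0.8.x build is still flagged for review (this example's choice, not the advisory's).
    """
    v = (version + (0, 0, 0))[:3]
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def scan(bodies: Dict[str, str]) -> Dict[str, str]:
    """Classify each host's UI body as 'affected', 'not affected' or 'unknown'."""
    verdicts = {}
    for host, body in bodies.items():
        v = parse_version(body)
        if v is None:
            verdicts[host] = "unknown"
        else:
            verdicts[host] = "affected" if is_affected(v) else "not affected"
    return verdicts


# Constructed sample bodies for the demo (not captured from real servers).
SAMPLE_BODIES = {
    "pa-host-a": '<script>var appVersion = "2.0.8";</script>',
    "pa-host-b": '<script>var appVersion = "2.0.10";</script>',
    "pa-host-c": '<script>var appVersion = "2.0";</script>',
    "pa-host-d": "<html>no version string here</html>",
}
```

Run `scan(SAMPLE_BODIES)` against bodies fetched from your own inventory; a host reporting "unknown" needs a manual check rather than being treated as clean.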

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v3.0     10.0   CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd        v2.0     10.0   CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck           9.8    CRITICAL
cisa                9.8    CRITICAL