CVE-2019-4716
Published 2019-12-18
Priority: P1 (95) · critical · CVSS 3.1 score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 86.44% (99.7th percentile)
IBM Planning Analytics 2.0.0 through 2.0.8 is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting. IBM X-Force ID: 172094.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ibm | planning_analytics | — | — |
| ibm | planning_analytics | — | — |
| ibm | planning_analytics | 2.0 – 2.0.8 | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring for unauthenticated writes to 'tm1s_delta.cfg' on TM1/Planning Analytics servers, which is the configuration file overwritten to change the authentication method to CAM.
- Monitor TM1 admin server ports 5498 (SSL) and 5495 (non-SSL) for unauthenticated connections querying available applications, which is the first step of the exploit chain.
- Detect fake CAM authentication by monitoring for inbound SOAP requests containing the SOAPAction header value 'http://developer.cognos.com/schemas/contentManagerService/1' originating from the TM1 server itself (callback to attacker-controlled CAM endpoint).
- Use the Shodan query 'title:"Arc for TM1"' to identify exposed IBM Planning Analytics instances potentially vulnerable to CVE-2019-4716.
- Detect vulnerable versions by extracting the version string from the web UI body using the pattern 'var appVersion = "([0-9.]+)";' and flagging versions >= 2.0.0 and <= 2.0.8.
- Alert on TM1 binary protocol messages of type 0x01AE (upd_central / MSG_TYPES[:upd_central]) sent unauthenticated, as this is the packet type used to overwrite the server configuration.
- The exploit requires SRVHOST to be a routable IP reachable by the target TM1 server, as the server must call back to the attacker's fake CAM HTTP endpoint. Exploitation will fail if SRVHOST is 0.0.0.0.
- The exploit disables CAM SSL (CAMUseSSL=F) in the injected configuration to avoid needing to import a certificate, meaning the fake CAM server communicates over plain HTTP.
- The module sets WfsDelay to 30 seconds to give the target sufficient time to download the payload; shorter delays may cause the exploit to fail.
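The version check from the detection note above, written out as an added example (not code from any of the indexed sources or from the Nuclei template). It assumes the caller has already fetched the web UI body; the regex is the one quoted on the page and the affected range is the advisory's 2.0.0 through 2.0.8, compared component-wise so that 2.0.10 is not mistaken for an affected build.

```python
import re
from typing import Optional, Tuple

# Regex quoted in the detection note: the web UI body exposes the product version.
VERSION_RE = re.compile(r'var appVersion = "([0-9.]+)";')

# Inclusive affected range from the advisory: 2.0.0 through 2.0.8.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 0, 8)


def parse_version(body: str) -> Optional[Tuple[int, ...]]:
    """Extract appVersion from a response body as an integer tuple, or None if absent."""
    match = VERSION_RE.search(body)
    if not match:
        return None
    parts = [p for p in match.group(1).split(".") if p]  # tolerate stray dots
    if not parts:
        return None
    version = tuple(int(p) for p in parts)
    # Pad short strings so "2.0" is treated as 2.0.0.
    return version + (0,) * max(0, 3 - len(version))


def is_affected(version: Tuple[int, ...]) -> bool:
    """Component-wise comparison; a plain string compare would rank 2.0.10 below 2.0.8."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(body: str) -> str:
    """Classify a fetched web UI body as affected, not-affected or unknown."""
    version = parse_version(body)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not-affected"


# Constructed sample bodies (not captured from any real server).
SAMPLE_BODIES = {
    "old":   '<script>var appVersion = "2.0.6";</script>',
    "newer": '<script>var appVersion = "2.0.10";</script>',
    "short": '<script>var appVersion = "2.0";</script>',
    "none":  '<html><body>login</body></html>',
}

if __name__ == "__main__":
    for label, body in SAMPLE_BODIES.items():
        print(f"{label:6s} {parse_version(body)} -> {assess(body)}")
```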
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 3.0 | 10.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
CISA
IBM Planning Analytics Remote Code Execution Vulnerability
cisa · 2021-11-03 · CVSS 9.8 · CRITICAL · CWE-94
Affected: IBM Planning Analytics
IBM Planning Analytics is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-4716
Remediation Due Date: 2022-05-03
GHSA
GHSA-qrpq-c83f-75r2: IBM Planning Analytics 2
ghsa_unreviewed · 2022-05-24 · HIGH · CWE-94
IBM Planning Analytics 2.0.0 through 2.0.8 is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting. IBM X-Force ID: 172094.
VulnCheck
IBM Planning Analytics Remote Code Execution Vulnerability
vulncheck · 2019 · CVSS 9.8 · CRITICAL · CWE-94
IBM Planning Analytics is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting.
Affected: IBM Planning Analytics
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-05-03
No detection rules found.
Exploit-DB
IBM TM1 / Planning Analytics - Unauthenticated Remote Code Execution (Metasploit)
exploitdb · 2020-03-31

Module header as indexed (the listing is truncated mid-description):

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'openssl'

class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name' => "IBM TM1 / Planning Analytics Unauthenticated Remote Code Execution",
      'Description' => %q{
        This module exploits a vulnerability in IBM TM1 / Planning Analytics that allows
        an unauthenticated attacker to perform a configuration overwrite.
        It starts by querying the Admin server for the available applications, picks one,
        and then exploits it. You can also provide an application name to bypass this step,
        and exploit the application directly.
        The configuration overwrite is used to change an application server authentication
        method
```
Metasploit
IBM TM1 / Planning Analytics Unauthenticated Remote Code Execution
metasploit
This module exploits a vulnerability in IBM TM1 / Planning Analytics that allows an unauthenticated attacker to perform a configuration overwrite. It starts by querying the Admin server for the available applications, picks one, and then exploits it. You can also provide an application name to bypass this step, and exploit the application directly. The configuration overwrite is used to change an application server authentication method to "CAM", a proprietary IBM auth method, which is simulated by the exploit. The exploit then performs a fake authentication as admin, and finally abuses TM1 scripting to perform a command injection as root or SYSTEM. Testing was done on IBM PA 2.0.6 and IBM TM1 10.2.2 on Windows and Linux.
Nuclei
IBM Planning Analytics - Authentication Bypass & Remote Code Execution Version Detection
nuclei · CVSS 9.8 · CRITICAL
IBM Planning Analytics versions 2.0.0 through 2.0.8 are vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting.
Template (truncated as indexed):

```yaml
id: CVE-2019-4716
info:
  name: IBM Planning Analytics - Authentication Bypass & Remote Code Execution Version Detection
  author: 0x_Akoko
  severity: critical
  description: |
    IBM Planning Analytics versions 2.0.0 through 2.0.8 are vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting.
  impact: |
    Attackers can gain admin access and execute arbitrary code with SYSTEM privileges, leading to
```
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/156953/IBM-Cognos-TM1-IBM-Planning-Analytics-Server-Configuration-Overwrite-Code-Execution.html
- http://seclists.org/fulldisclosure/2020/Mar/44
- https://exchange.xforce.ibmcloud.com/vulnerabilities/172094
- https://www.ibm.com/support/pages/node/1127781
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-4716
Timeline:
- 2019-12-18: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild