CVE-2020-4430
Published 2020-05-07
Priority P278 · medium · 4.3 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 68.54% (99.2nd percentile)
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, and 2.0.4 could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to download arbitrary files from the system. IBM X-Force ID: 180535.
Affected
7 ranges (six CPE entries carry no version information and are shown once)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ibm | data_risk_manager | — | — |
| ibm | data_risk_manager | 2.0.1 – 2.0.4 | — |
Detection & IOCs (extracted from sources)
bytes: |2e 2e|
snort rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT IBM Data Risk Manager Arbitrary File Download (CVE-2020-4430)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/albatross/eurekaservice/fetchLogFiles"; endswith; fast_pattern; http.request_body; content:"instanceId"; nocase; content:"logLevel"; nocase; content:"logFileNameList"; nocase; content:"|2e 2e|"; reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; reference:cve,2020-4430; classtype:attempted-admin; sid:2034312; rev:1;)
- Exploit traffic uses an HTTP POST to the endpoint /albatross/eurekaservice/fetchLogFiles with directory traversal sequences (|2e 2e| = '..') in the request body alongside the fields 'instanceId', 'logLevel' and 'logFileNameList'.
- The attacker must be a remote authenticated user; monitor for authenticated sessions issuing POST requests to the fetchLogFiles endpoint with path traversal patterns.
- The Snort/ET rule targets both $HOME_NET and $HTTP_SERVERS on any port, so an IBM Data Risk Manager instance may be deployed on a non-standard port; ensure coverage is not limited to ports 80/443.
- CVE-2020-4430 (directory traversal) is distinct from CVE-2020-4429 (hardcoded credentials: SSH default password 'idrm' for user 'a3user'); the template and sources conflate both, so ensure detections are scoped to the correct CVE.
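To test the rule's logic offline against captured requests, the following Python re-implements the content matches of ET SID 2034312 (POST method, URI ending in the fetchLogFiles endpoint, the three body field names matched case-insensitively, and the raw `..` byte sequence in the body) and adds the "authenticated session" scoping the second note asks for. This is an added example, not code from the original page or from Emerging Threats; the sample requests are constructed, and treating a Cookie or Authorization header as the session indicator is an assumption, since the page does not describe how IBM Data Risk Manager tracks sessions.

```python
"""Offline re-implementation of the match conditions in ET SID 2034312 for
triaging captured HTTP requests. Added example, not code from the original
page or from Emerging Threats; the sample requests below are constructed."""
from dataclasses import dataclass, field
from typing import Dict

# Conditions taken from the rule text on the page.
ENDPOINT = b"/albatross/eurekaservice/fetchLogFiles"           # http.uri ...; endswith
BODY_TOKENS = (b"instanceid", b"loglevel", b"logfilenamelist")  # content ...; nocase
TRAVERSAL = b".."                                               # content:"|2e 2e|"


@dataclass
class HttpRequest:
    method: bytes
    uri: bytes
    headers: Dict[bytes, bytes] = field(default_factory=dict)
    body: bytes = b""


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.x request into method, URI, lower-cased header
    names and body. The port is deliberately ignored: the rule fires on any port."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, headers, body)


def matches_et_rule(req: HttpRequest) -> bool:
    """True when the request satisfies every content match of SID 2034312."""
    if req.method != b"POST":
        return False
    if not req.uri.endswith(ENDPOINT):
        return False
    body_lc = req.body.lower()                  # emulate the nocase matches
    if not all(token in body_lc for token in BODY_TOKENS):
        return False
    return TRAVERSAL in req.body                # raw, case-sensitive byte match


def looks_authenticated(req: HttpRequest) -> bool:
    """Assumption (not from the page): a Cookie or Authorization header marks
    an authenticated session, which the second IOC note asks us to scope to."""
    return b"cookie" in req.headers or b"authorization" in req.headers


def triage(raw: bytes) -> str:
    """Classify a captured request as 'alert', 'alert-no-session' or 'benign'."""
    req = parse_request(raw)
    if not matches_et_rule(req):
        return "benign"
    return "alert" if looks_authenticated(req) else "alert-no-session"


# Constructed samples; host, port, cookie value and file name are placeholders.
SAMPLE_TRAVERSAL = (
    b"POST /albatross/eurekaservice/fetchLogFiles HTTP/1.1\r\n"
    b"Host: idrm.example.internal:8443\r\n"
    b"Cookie: JSESSIONID=CONSTRUCTED\r\n"
    b"Content-Type: application/json\r\n\r\n"
    b'{"instanceId":"1","logLevel":"DEBUG","logFileNameList":"../../CONSTRUCTED"}'
)
SAMPLE_NORMAL = (
    b"POST /albatross/eurekaservice/fetchLogFiles HTTP/1.1\r\n"
    b"Host: idrm.example.internal:8443\r\n"
    b"Cookie: JSESSIONID=CONSTRUCTED\r\n"
    b"Content-Type: application/json\r\n\r\n"
    b'{"instanceId":"1","logLevel":"DEBUG","logFileNameList":"idrm.log"}'
)

if __name__ == "__main__":
    for label, sample in (("traversal", SAMPLE_TRAVERSAL), ("normal", SAMPLE_NORMAL)):
        print(label, "->", triage(sample))
```

Because the matcher never looks at the destination port, it behaves like the rule's `any` port specification; the third note's point about non-standard ports is therefore handled by construction. A request that matches the content conditions but carries no session indicator is still reported, just with a separate verdict, so a tuning mistake in the session heuristic cannot silently suppress an alert.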
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| nvd | 3.0 | 4.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| vulncheck | — | 4.3 | MEDIUM | — |
| cisa | — | 4.3 | MEDIUM | — |
CISA
IBM Data Risk Manager Directory Traversal Vulnerability
cisa·2021-11-03·CVSS 4.3
CVE-2020-4430 [MEDIUM] CWE-22 IBM Data Risk Manager Directory Traversal Vulnerability
Vulnerability: IBM Data Risk Manager Directory Traversal Vulnerability
Affected: IBM Data Risk Manager
IBM Data Risk Manager contains a directory traversal vulnerability that could allow a remote authenticated attacker to traverse directories and send a specially crafted URL request to download arbitrary files from the system.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-4430
Remediation Due Date: 2022-05-03
GHSA
GHSA-86cc-wh6w-cw2h: IBM Data Risk Manager 2
ghsa_unreviewed·2022-05-24
CVE-2020-4430 [MEDIUM] CWE-22 GHSA-86cc-wh6w-cw2h: IBM Data Risk Manager 2
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to download arbitrary files from the system. IBM X-Force ID: 180535.
VulnCheck
IBM Data Risk Manager Directory Traversal Vulnerability
vulncheck·2020·CVSS 4.3
CVE-2020-4430 [MEDIUM] CWE-22 IBM Data Risk Manager Directory Traversal Vulnerability
IBM Data Risk Manager Directory Traversal Vulnerability
IBM Data Risk Manager contains a directory traversal vulnerability that could allow a remote authenticated attacker to traverse directories and send a specially crafted URL request to download arbitrary files from the system.
Affected: IBM Data Risk Manager
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-05-03
Suricata
ET EXPLOIT IBM Data Risk Manager Arbitrary File Download (CVE-2020-4430)
suricata·2021-11-01·CVSS 4.3
CVE-2020-4430 [MEDIUM] ET EXPLOIT IBM Data Risk Manager Arbitrary File Download (CVE-2020-4430)
ET EXPLOIT IBM Data Risk Manager Arbitrary File Download (CVE-2020-4430)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT IBM Data Risk Manager Arbitrary File Download (CVE-2020-4430)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/albatross/eurekaservice/fetchLogFiles"; endswith; fast_pattern; http.request_body; content:"instanceId"; nocase; content:"logLevel"; nocase; content:"logFileNameList"; nocase; content:"|2e 2e|"; reference:url,github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md; reference:cve,2020-4430; classtype:attempted-admin; sid:2034312; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2020_4430, deployment Perimeter, deployment Internal, confidence High, signature_severity Majo
Nuclei
IBM Data Risk Manager - Hardcoded Credentials
nuclei·CVSS 9.8
CVE-2020-4429 [CRITICAL] IBM Data Risk Manager - Hardcoded Credentials
IBM Data Risk Manager - Hardcoded Credentials
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 contains a default password for an IDRM administrative account. A remote attacker could exploit this vulnerability to login and execute arbitrary code on the system with root privileges. IBM X-Force ID- 180534.
Template:
id: CVE-2020-4429
info:
  name: IBM Data Risk Manager - Hardcoded Credentials
  author: Kazgangap
  severity: critical
  description: |
    IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 contains a default password for an IDRM administrative account. A remote attacker could exploit this vulnerability to login and execute arbitrary code on the system with root privileges. IBM X-Force ID- 180534.
  impact: |
    Remote attackers can gain root access and exec
No writeups or analysis indexed.
References:
- https://exchange.xforce.ibmcloud.com/vulnerabilities/180535
- https://www.ibm.com/support/pages/node/6206875
- http://seclists.org/fulldisclosure/2024/Nov/0
- http://seclists.org/fulldisclosure/2024/Nov/1
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-4430
Timeline:
- 2020-05-07: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild