cbcvebase.
CVE-2020-4469
published 2020-06-15


Priority: P2 (64)
CVSS 3.1: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 13.39% (95.9th percentile)
IBM Spectrum Protect Plus 10.1.0 through 10.1.5 could allow a remote attacker to execute arbitrary code on the system. By using a specially crafted HTTP command, an attacker could exploit this vulnerability to execute arbitrary command on the system. This vulnerability is due to an incomplete fix for CVE-2020-4211. IBM X-Force ID: 181724.

Affected (1 range)

Vendor: ibm
Product: spectrum_protect_plus
Version range: 10.1.0 – 10.1.5
Fixed in: (not given)

Detection & IOCs (extracted from sources)

url: https://<target>:8090/emi/api/hostname
port: 8090
path: /emi/api/hostname
path: /emi/api/netconfig
filename: attacker-rpm-1.0-0.noarch.rpm
path: /tmp/attacker-rpm-1.0-0.noarch.rpm
filename: ibm_spp_file_upload_rce_CVE-2020-4470.py
port: 8080
cookie: x-ac-sessionid: abcd
command: curl -ki --tlsv1.2 -H 'x-ac-sessionid: abcd' -d "hostname=';id >/tmp/cmd_injection;echo '" 'https://<target>:8090/emi/api/hostname'
  • Alert on any HTTP request to /emi/api/hostname or /emi/api/netconfig on port 8090 that does not carry a valid authenticated session — the endpoints lack authentication and accept arbitrary input.
  • Monitor for the static fake session header 'x-ac-sessionid: abcd' in HTTP requests to the SPP appliance, used in PoC exploitation to bypass session checks.
  • Detect creation of files /tmp/cmd_injection or /tmp/hacked on the SPP appliance filesystem, which are written by the published PoC exploits.
  • Watch for inbound HTTP GET requests from the SPP appliance to external hosts on port 8080 fetching .rpm files, indicating the CVE-2020-4470 RPM-download attack chain is in progress.
  • Flag installation of RPM packages named attacker-rpm-1.0-0.noarch.rpm or sourced from /tmp on the SPP appliance, as this is the PoC malicious package used for RCE via scriptlets.
  • CVE-2020-4469 is an incomplete fix for CVE-2020-4211. IBM SPP 10.1.5-2181 and later attempted to mitigate the original injection by single-quoting the hostname parameter, but this is insufficient — the injection payload wraps around the single-quote sanitization.
  • The exploit requires no authentication; any arbitrary value for the x-ac-sessionid header (e.g., 'abcd') is accepted by the vulnerable endpoints, so session-based controls are not an effective mitigation.
  • Successful exploitation results in command execution with root privileges, meaning any detection or response must assume full system compromise.
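The first two detection bullets above, turned into a small request classifier. This is an added example, not code from the source or from IBM: it assumes a reverse proxy or WAF in front of the appliance exports each request as a dict with destination port, path, headers and raw body, that the operator can supply the set of currently valid x-ac-sessionid values, and that the hostname value is sent as a form field as in the PoC command. The sample requests are constructed, not captured traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample requests (not captured traffic), shaped like what a
# reverse proxy or WAF in front of the SPP appliance might export.
SAMPLE_REQUESTS = [
    {"dst_port": 8090, "path": "/emi/api/hostname",
     "headers": {"x-ac-sessionid": "abcd"},
     "body": "hostname=';id >/tmp/cmd_injection;echo '"},
    {"dst_port": 8090, "path": "/emi/api/netconfig", "headers": {},
     "body": "hostname=spp01"},
    {"dst_port": 8090, "path": "/emi/api/hostname",
     "headers": {"x-ac-sessionid": "sess-valid-1"}, "body": "hostname=spp01"},
    {"dst_port": 8090, "path": "/api/other",            # not a vulnerable path
     "headers": {"x-ac-sessionid": "sess-valid-1"}, "body": "hostname=';id'"},
]

VULNERABLE_PATHS = {"/emi/api/hostname", "/emi/api/netconfig"}
STATIC_POC_SESSIONS = {"abcd"}   # placeholder session value used by the PoC
# Any of these lets a value escape the single quotes the 10.1.5-2181 fix added.
SHELL_META = re.compile(r"[';`$|&<>\n]")

def form_fields(body):
    """Minimal form-body parser: split on '&' only, so a ';' inside a value
    (as in the PoC payload) stays part of that value."""
    fields = {}
    for pair in body.split("&"):
        if "=" in pair:
            k, v = pair.split("=", 1)
            fields[unquote_plus(k)] = unquote_plus(v)
    return fields

def analyze(req, valid_sessions):
    """Return the detection tags for one request (empty list = no finding)."""
    tags = []
    if req["dst_port"] != 8090 or req["path"] not in VULNERABLE_PATHS:
        return tags
    sid = req["headers"].get("x-ac-sessionid")
    if sid is None:
        tags.append("unauthenticated-emi-request")
    elif sid in STATIC_POC_SESSIONS:
        tags.append("static-poc-session-header")
    elif sid not in valid_sessions:
        tags.append("unknown-session-id")
    hostname = form_fields(req["body"]).get("hostname", "")
    if SHELL_META.search(hostname):
        tags.append("shell-metachar-in-hostname")
    return tags
```

Unknown session ids are tagged separately from missing ones because the appliance accepts any value, so only a list of sessions the appliance actually issued can distinguish legitimate traffic from a forged header.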

CVSS provenance

nvd v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v3.0: 8.1 HIGH, CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C