Threat Advisory

Critical Vulnerabilities Discovered in Security Verify Access Appliance

Threat: Vulnerability
Criticality: High

EXECUTIVE SUMMARY:

Multiple critical vulnerabilities were disclosed in the Security Verify Access Appliance, affecting versions 10.0.0 through 10.0.8 IF1. These vulnerabilities include the ability for attackers to execute arbitrary commands, exploit hard-coded credentials, and escalate privileges. One flaw allows remote command execution through improper handling of OS commands, while two others involve hard-coded credentials, increasing the risk of unauthorized access. A fourth vulnerability enables local privilege escalation due to excessive permissions.

 

  • CVE-2024-49803: A critical flaw with a CVSS score of 9.8, allowing remote authenticated attackers to execute arbitrary commands through specially crafted requests.

 

  • CVE-2024-49805: Scored 9.4, this vulnerability involves the use of hard-coded credentials, leading to unauthorized access risks.

 

  • CVE-2024-49806: Another critical issue with a CVSS score of 9.4, also involving hard-coded credentials, increasing data breach potential.

 

  • CVE-2024-49804: A high-severity flaw with a CVSS score of 7.8, enabling local privilege escalation due to unnecessary permissions.

 

Applying the released patch is crucial to mitigate the risks associated with these vulnerabilities. Users are strongly advised to update their systems promptly to protect against potential exploitation.

RECOMMENDATION:

  • We strongly recommend you update IBM Security Verify Appliance to version 10.0.8-ISS-ISVA-FP0002.

REFERENCES:

The following reports contain further technical details:
https://cybersecuritynews.com/ibm-security-verify-vulnerabilities/

crossmenu