IBM has released a security advisory to address ten vulnerabilities affecting its transfer solution Aspera Faspex. CVE-2022-47986 is the only critically rated vulnerability among the ten flaws that IBM addressed. Multiple remote code execution, cross-site scripting (XSS), denial of service (DoS), and other security vulnerabilities have been patched by IBM in this security update.
CVE-2022-47986 has a CVSS score of 9.8. On successful exploitation, this vulnerability could allow an attacker to execute arbitrary code on the target system.
CISA has added CVE-2022-47986 to its Known Exploited Vulnerabilities Catalog and urged users to patch it before 14th March 2023.
Faspex is a centralized transfer solution that allows users to exchange files using an email-like workflow. Faspex enables high-speed transfer with the help of IBM Aspera’s proprietary FASP protocol. Faspex fully utilizes network bandwidth to maximize speed while preserving control and security. Aspera transfer servers receive, store, and allow downloads of user-uploaded files and folders.
Description
The vulnerability arises from a YAML deserialization issue in IBM Aspera Faspex versions prior to 4.4.2. A remote attacker can exploit this vulnerability to run arbitrary code on the system by sending a specially crafted obsolete API call. The obsolete API call has been removed in the patched version of IBM Aspera Faspex.
Vulnerability Analysis
By providing encryption options for the files uploaded through its application, IBM Aspera Faspex protects the security of end users. The pre-authentication RCE flaw can compromise this security model, allowing an attacker access to the Aspera Faspex server to run arbitrary commands.
Note: Use of an unsafe YAML.load inside default configurations of Ruby is not recommended. Otherwise, it may allow an attacker to achieve command execution if this sink is processing user-controlled data using deserialization gadgets.
The security researcher found that the vulnerable YAML.load exists on route /package_relay/relay_package that can be accessed without authentication.
The MultiServer::RelayDescriptor.new inside the file lib/multi_server/relay_descriptor.rb enables the parameters to pass from the package relay controller in the file app/controllers/package_relay_controller.rb.
That will ultimately reach the YAML.load sink with a user-controlled parameter external_emails. An attacker may further exploit this flaw to gain remote code execution using deserialization gadgets.
Affected Versions
The vulnerability affects IBM Aspera Faspex versions before 4.4.2 Patch Level 2.
Mitigation
Vendor has released updated versions to fix the vulnerability. For more information, please refer to IBM Aspera Faspex Security Advisory (6952319).
Qualys Detection
Qualys customers can scan their devices with QID 730739 to detect vulnerable assets. Detection tries to execute a command using vulnerable endpoint /aspera/faspex/package_relay/relay_package and check for the response with 500 Internal Server Error status.
Please follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://www.ibm.com/support/pages/node/6952319
https://blog.assetnote.io/2023/02/02/pre-auth-rce-aspera-faspex/