IBM Datapower Exploit CVE-2020-5014

Posted on 21 October 2020

During some personal security research I discovered a SSRF vulnerability in IBM Datapower which could then be upgraded to RCE. The practical upshot of which is with an authenticated session to the Datapower management WebGUI it was possible to execute code on the underlying Linux host inside the appliance. In the case of docker, code would run as the drouter user however, on the virtual or physical edition of Datapower the user would be root. This could be leveraged to extract private keys from the device or be used as a network backdoor / foothold for further attacks.

• Reported CVSS Score = 8.8
• Published CVSS Score = 6.7
• Link to IBM Public Security Notice
• CVE Number: CVE-2020-5014

Technical Overview

The Datapower management WebGUI offers a function called “Send a Test Message” to any authenticated session with either a standard or administrator user. This tool is designed to debug connectivity between Datapower and other services. It was discovered however, that it could be used to contact services listening on localhost (127.0.0.1) inside the appliance. One of those services was Redis.

By misusing this tool a SSRF attack is possible where when combined with HTTP request smuggling it is possible to send commands to Redis. This would usually be prevented as Redis is password protected but further researched showed this password was hardcoded.

Finally by combining all of this together with a pre-existing Redis RCE vulnerability it is possible to execute arbitrary code inside the DataPower underlying Linux operating system.

Exploit Demo and Walkthrough Video

• Click to skip right to the demo

Code

• Full POC code available on Github

Timeline

• 21st October 2020 = Initial Report filed via Hackerone
• 22nd October 2020 = IBM Confirmed receipt of report
• 4th November 2020 = Asked for a Update
• 10th November 2020 = Initial Review complete -> Report moved to Triaged
• 7th December 2020 = Asked for a Update
• 9th December 2020 = IBM are still investigating
• 6th January 2021 = Asked for a Update
• 13th January 2021 = Confirmed valid vulnerability and are working with product teams to develop a fix
• 21st January 2021 = Asked for Acknowledgment
• 22nd January 2021 = Confirmed public acknowledgement with my name - “Thomas Cope”
• 25th January 2021 = Confirmed Acknowledgment and a CVE number would be issued
• 8th February 2021 = Asked for a Update
• 9th February 2021 = IBM are working on a Fix
• 5th March 2021 = Asked for a Update
• 8th March 2021 = IBM confirmed Fix and provided link to public security bulletin

Total time elapsed between initial report and resolution = 139 days (4 months, 16 days)