A security researcher has uncovered 36 vulnerabilities in IBM Security Verify Access (ISVA), a widely used solution for authentication and network security policy management. These flaws could have been exploited by attackers to compromise the entire authentication infrastructure, making it a significant concern for organizations relying on ISVA to manage user access. Among the vulnerabilities, seven allow remote code execution, one enables authentication bypass, and several privilege escalation issues were discovered. These vulnerabilities, if exploited, could lead to a full compromise of an organization’s authentication system, putting sensitive data and internal systems at risk.
The most critical flaw found by the researcher, Pierre Barre, involves a vulnerability in the ISVA runtime Docker instance. If this component is accessible over the network, an attacker could bypass authentication and interact with the back-end instance as any user, potentially gaining complete control without needing to authenticate. This could lead to unauthorized access to sensitive systems and the ability to enroll malicious multi-factor authentication tokens, effectively locking out legitimate administrators and taking control of the entire system.
While IBM has patched some vulnerabilities in versions 10.0.7 and 10.0.8 of ISVA, others remain unaddressed. IBM has yet to release patches for many of the flaws and has pointed to network restrictions and security best practices as potential mitigations. However, the researcher notes that even with network restrictions, an attacker with low-level access to a trusted machine could exploit these vulnerabilities and compromise the authentication system. Furthermore, IBM’s Docker images were found to contain hardcoded encryption keys, outdated OpenSSL packages, and other weaknesses that could make systems even more vulnerable to attack.
This discovery highlights the ongoing challenges faced by organizations in securing their authentication infrastructure. Although IBM has taken some steps to address the vulnerabilities, the delayed patching and unaddressed flaws raise concerns about the company’s response to security issues. It also underscores the importance of continuous monitoring, applying patches promptly, and implementing robust security measures, including network segmentation and enhanced authentication protocols, to protect against potential attacks on critical authentication systems.
Reference: