CVE-2020-4435

7.5 HIGH

📋 TL;DR

This vulnerability in IBM Aspera applications allows arbitrary memory corruption through the HTTP fallback service when that service is enabled and configured in a vulnerable manner. An attacker with detailed knowledge of the system could execute arbitrary code or cause a denial of service. Organizations running vulnerable IBM Aspera products are affected.

💻 Affected Systems

Products:
  • IBM Aspera Faspex
  • IBM Aspera Shares
  • IBM Aspera Console
  • IBM Aspera High-Speed Transfer Endpoint
Versions: Multiple versions prior to fixes released in 2020
Operating Systems: Linux, Windows
Default Config Vulnerable: ✅ No
Notes: Requires HTTP fallback service to be enabled and configured in vulnerable manner

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or persistent backdoor installation.

🟠

Likely Case

Denial-of-service causing service disruption or application crashes.

🟢

If Mitigated

Limited impact with proper network segmentation and restricted access controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Requires intimate knowledge of system and specific configuration

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Various fixed versions per product (e.g., Aspera Faspex 4.4.2 Patch Level 1)

Vendor Advisory: https://www.ibm.com/support/pages/node/6221324

Restart Required: Yes

Instructions:

1. Identify affected IBM Aspera products.
2. Download the appropriate patches from IBM Fix Central.
3. Apply the patches following IBM documentation.
4. Restart the affected services.

🔧 Temporary Workarounds

Disable HTTP Fallback Service

all

Disable the vulnerable HTTP fallback service if not required

# Configuration varies by product - refer to IBM Aspera documentation

Restrict Network Access

all

Limit network access to Aspera services to trusted sources only

# Use firewall rules to restrict access to Aspera ports

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules
  • Disable HTTP fallback service if not essential for operations

🔍 How to Verify

Check if Vulnerable:

Check IBM Aspera product versions against advisory and verify HTTP fallback service configuration

Check Version:

# Command varies by product - typically 'aspera' command line tools or checking package versions

Verify Fix Applied:

Verify installed version matches patched versions in IBM advisory and test service functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual memory access patterns
  • HTTP fallback service crashes
  • Unexpected process terminations

Network Indicators:

  • Abnormal traffic patterns to Aspera HTTP fallback ports
  • Multiple connection attempts to vulnerable endpoints

SIEM Query:

source="aspera*" AND (event_type="crash" OR memory_usage>threshold)
