CVE-2021-38890
📋 TL;DR
IBM Sterling Connect:Direct Web Services has an inadequate account lockout mechanism that allows remote attackers to perform brute-force attacks against user credentials. This affects versions 1.0 and 6.0 of the software, potentially exposing organizations using these versions to unauthorized access.
💻 Affected Systems
- IBM Sterling Connect:Direct Web Services
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to the system, leading to complete compromise of sensitive data, unauthorized file transfers, and potential lateral movement within the network.
Likely Case
Attackers gain access to user accounts with limited privileges, enabling unauthorized file access and potential data exfiltration.
If Mitigated
With proper account lockout policies and monitoring, attackers are blocked after a limited number of failed attempts, preventing credential compromise.
🎯 Exploit Status
Exploitation requires only standard brute-force tools and knowledge of valid usernames.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply security patch from IBM
Vendor Advisory: https://www.ibm.com/support/pages/node/6518586
Restart Required: Yes
Instructions:
1. Download the security patch from IBM Support.
2. Apply the patch according to IBM's installation instructions.
3. Restart the Connect:Direct Web Services application.
4. Verify the patch is applied successfully.
🔧 Temporary Workarounds
Implement Strong Account Lockout Policy
Configure the system to lock accounts after a small number of failed login attempts (e.g., 5 attempts) for a significant duration (e.g., 30 minutes).
Enable Multi-Factor Authentication
Implement MFA for all user accounts to add an additional layer of security beyond passwords.
🧯 If You Can't Patch
- Implement network-level controls to limit authentication attempts per IP address
- Monitor authentication logs for brute-force patterns and alert on suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check whether your IBM Sterling Connect:Direct Web Services version is 1.0 or 6.0 and review the account lockout configuration settings.
Check Version:
Check the application's administrative interface or configuration files for version information.
Verify Fix Applied:
Verify that the security patch has been applied by checking the version information in the application and testing that account lockout occurs after configured failed attempts.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts from single IP address
- Account lockout events
- Unusual authentication patterns outside business hours
Network Indicators:
- High volume of authentication requests to the Connect:Direct Web Services port
- Traffic patterns consistent with brute-force tools
SIEM Query:
source="connect_direct_web_services" AND (event_type="failed_login" AND count > 5 within 5 minutes)
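Added example, not from the advisory or from IBM: a small Python detector that implements the logic of the SIEM query above (more than 5 failed logins within 5 minutes) over constructed sample log lines; the log format, field names and addresses are assumptions. It goes a step beyond the query by counting failures both per source IP and per account, so spraying across many users is caught as well as guessing against a single account, and it also surfaces the account lockout events listed under Log Indicators.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds mirroring the advisory's SIEM query: more than 5 failures in 5 minutes.
FAILURE_THRESHOLD = 5
WINDOW = timedelta(minutes=5)

# Constructed sample log lines (not real Connect:Direct Web Services output).
# Assumed format: "<ISO timestamp> <event_type> user=<name> src=<ip>".
SAMPLE_LOG = """\
2021-09-01T02:10:01 failed_login user=alice src=203.0.113.7
2021-09-01T02:10:09 failed_login user=alice src=203.0.113.7
2021-09-01T02:10:17 failed_login user=bob src=203.0.113.7
2021-09-01T02:10:25 failed_login user=carol src=203.0.113.7
2021-09-01T02:10:33 failed_login user=dave src=203.0.113.7
2021-09-01T02:10:41 failed_login user=erin src=203.0.113.7
2021-09-01T09:15:00 failed_login user=alice src=198.51.100.4
2021-09-01T09:15:30 successful_login user=alice src=198.51.100.4
2021-09-01T09:40:00 failed_login user=frank src=198.51.100.9
2021-09-01T09:41:00 account_lockout user=frank src=198.51.100.9
"""

def parse_line(line):
    ts, event, user, src = line.split()
    return (datetime.fromisoformat(ts), event,
            user.split("=", 1)[1], src.split("=", 1)[1])

def detect_bruteforce(log_text, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return (kind, key, timestamp) alerts for source IPs or accounts with more
    than `threshold` failed logins inside a sliding `window`, plus lockouts."""
    recent = defaultdict(deque)  # (kind, key) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ts, event, user, src = parse_line(line)
        if event == "account_lockout":
            alerts.append(("lockout", user, ts))
            continue
        if event != "failed_login":
            continue
        # Track per-IP (spraying across many users) and per-account
        # (guessing one user's password) so either pattern fires.
        for key in (("ip", src), ("user", user)):
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) > threshold:
                alerts.append((key[0], key[1], ts))
                q.clear()  # one burst produces one alert
    return alerts
```

Feed it the real log once you have mapped the product's actual field names onto `parse_line`; the two thresholds are the same ones the query and the workaround section use.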