CVE-2023-37398

5.9 MEDIUM

📋 TL;DR

IBM Aspera Faspex versions 5.0.0 through 5.0.10 do not enforce strong password policies by default, allowing attackers to more easily compromise user accounts through brute-force or credential guessing attacks. This affects all organizations using these vulnerable versions of the file transfer acceleration software.

💻 Affected Systems

Products:
  • IBM Aspera Faspex
Versions: 5.0.0 through 5.0.10
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable unless password policies have been manually configured.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain unauthorized access to sensitive files and data transferred through the system, potentially leading to data breaches, intellectual property theft, or compliance violations.

🟠

Likely Case

Attackers compromise user accounts with weak passwords to access transferred files, potentially leading to data exposure or unauthorized file access.

🟢

If Mitigated

With strong password policies enforced, the risk is significantly reduced; the remaining exposure is limited to sophisticated attacks that target other vulnerabilities.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid user accounts with weak passwords; attackers can use standard password guessing/brute-force tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.11 or later

Vendor Advisory: https://www.ibm.com/support/pages/node/7181814

Restart Required: Yes

Instructions:

1. Download IBM Aspera Faspex 5.0.11 or later from IBM Fix Central.
2. Back up the current configuration and data.
3. Install the updated version following IBM's installation guide.
4. Restart the Aspera Faspex service.

🔧 Temporary Workarounds

Enforce Strong Password Policy

all

Manually configure Aspera Faspex to require strong passwords (minimum length, complexity, expiration)

Configure via Aspera Faspex Admin Console: Security Settings > Password Policy

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to Aspera Faspex to authorized users only
  • Enable multi-factor authentication if supported, or implement compensating controls like account lockout policies

🔍 How to Verify

Check if Vulnerable:

Check Aspera Faspex version in Admin Console or via 'aspera_faspex -v' command; versions 5.0.0-5.0.10 are vulnerable

Check Version:

aspera_faspex -v

Verify Fix Applied:

Verify that the version is 5.0.11 or later and that the password policy settings enforce strong passwords

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts for the same user account
  • Successful logins from unusual IP addresses or locations

Network Indicators:

  • Unusual data transfer patterns or volumes
  • Authentication requests from unexpected sources

SIEM Query:

source="aspera_faspex" AND (event_type="authentication_failure" count>5 within 5min OR event_type="authentication_success" from new_ip)
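The two log indicators above (a burst of failures against one account, then a success from an address that account has never used) can be checked outside a SIEM as well. The script below is an added example and not part of the original advisory or of IBM's product: the log line format (`timestamp user=... result=... src=...`) and the sample lines are constructed for illustration and are not Aspera Faspex's real log format. It applies the same logic as the SIEM query: more than 5 failures for one user within a sliding 5-minute window, and any successful login from a source address not previously seen for that user.

```python
"""Detect credential-guessing patterns in authentication logs.

Added example. The log format and sample lines below are constructed for
this illustration; they are not IBM Aspera Faspex's actual log format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5            # alert when failures exceed this ...
WINDOW = timedelta(minutes=5)    # ... within this sliding window

# Constructed sample log: alice's real login from 198.51.100.10, then a
# burst of six failures and a success from a new address; bob has a few
# spread-out failures that should not trigger anything.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z user=alice result=success src=198.51.100.10
2024-03-01T10:00:01Z user=alice result=failure src=203.0.113.7
2024-03-01T10:00:12Z user=alice result=failure src=203.0.113.7
2024-03-01T10:00:25Z user=alice result=failure src=203.0.113.7
2024-03-01T10:00:40Z user=alice result=failure src=203.0.113.7
2024-03-01T10:01:03Z user=alice result=failure src=203.0.113.7
2024-03-01T10:01:20Z user=alice result=failure src=203.0.113.7
2024-03-01T10:02:00Z user=alice result=success src=203.0.113.7
2024-03-01T10:05:00Z user=bob result=failure src=192.0.2.44
2024-03-01T10:15:00Z user=bob result=failure src=192.0.2.44
2024-03-01T10:25:00Z user=bob result=failure src=192.0.2.44
2024-03-01T10:30:00Z user=bob result=success src=192.0.2.44
"""


def parse_line(line):
    """Parse one constructed-format line into a dict, or None if malformed."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not {"user", "result", "src"} <= fields.keys():
        return None
    return {"time": ts, **fields}


def detect(lines, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return a list of alert dicts for brute-force bursts and new-IP logins.

    The first successful login seen for a user establishes that user's
    baseline of known source addresses; in production you would seed this
    from historical data rather than from the window being analysed.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["time"])

    failures = defaultdict(deque)   # user -> timestamps of recent failures
    known_ips = defaultdict(set)    # user -> source addresses seen on success
    alerts = []

    for ev in events:
        user, ts, src = ev["user"], ev["time"], ev["src"]
        if ev["result"] == "failure":
            dq = failures[user]
            dq.append(ts)
            # Drop failures that fell out of the sliding window.
            while dq and ts - dq[0] > window:
                dq.popleft()
            if len(dq) > threshold:
                alerts.append({"kind": "brute_force", "user": user,
                               "src": src, "time": ts, "count": len(dq)})
                dq.clear()  # one alert per burst, not one per extra failure
        elif ev["result"] == "success":
            if known_ips[user] and src not in known_ips[user]:
                alerts.append({"kind": "new_ip_login", "user": user,
                               "src": src, "time": ts})
            known_ips[user].add(src)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a)
```

A new-IP login that immediately follows a brute-force alert for the same account, as in the constructed sample, is the sequence worth escalating: it suggests a guessed password rather than a user travelling.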

🔗 References