CVE-2024-45077
📋 TL;DR
This vulnerability allows authenticated low-privileged users to upload restricted file types to IBM Maximo Asset Management by appending a dot to the filename. The exploit specifically affects Windows installations, potentially enabling attackers to upload malicious files that could lead to further system compromise. Organizations running IBM Maximo Asset Management 7.6.1.3 on Windows are affected.
💻 Affected Systems
- IBM Maximo Asset Management
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker could upload malicious executable files, gain remote code execution, compromise the Maximo server, and potentially pivot to other systems in the network.
Likely Case
Attackers upload web shells or malicious scripts to establish persistence, exfiltrate data, or use the compromised system as a foothold for lateral movement.
If Mitigated
With proper file validation and access controls, the impact is limited to unsuccessful upload attempts that generate audit logs.
🎯 Exploit Status
Requires authenticated access but with low privileges. Exploitation is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply interim fix or upgrade as specified in IBM advisory
Vendor Advisory: https://www.ibm.com/support/pages/node/7174819
Restart Required: Yes
Instructions:
1. Review IBM advisory at provided URL
2. Apply the recommended interim fix or security patch
3. Restart Maximo services
4. Verify the fix by testing file upload functionality
🔧 Temporary Workarounds
Implement strict file upload validation (all platforms)
Add server-side validation to reject filenames with trailing dots and restrict allowed file extensions
Restrict upload directory permissions (Windows)
Set strict file system permissions on upload directories to prevent execution of uploaded files
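The workaround above hinges on one Windows behaviour: Win32 path normalisation drops trailing dots and spaces when a file is created, so a check that inspects the submitted name sees a different extension from the one that ends up on disk. The following is an added example (not code from IBM or from this advisory) that models a restricted-type check as an extension denylist and shows why a trailing dot slips past it, alongside a hardened check that validates the name as it will be stored. The denylist, allowlist and the `windows_stores_as` model are constructed assumptions for the demo; Maximo's own configuration is not on the page.

```python
import ntpath
import os

# Constructed lists for the demo (assumption: the real Maximo restricted-type
# configuration is not part of the advisory).
RESTRICTED_EXTENSIONS = {".jsp", ".jspx", ".exe", ".bat", ".ps1", ".dll"}
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".txt", ".csv", ".xlsx"}


def extension_of(name: str) -> str:
    """Extension as seen by a check that splits on the last dot."""
    return os.path.splitext(name)[1].lower()


def windows_stores_as(name: str) -> str:
    """Model of Win32 normalisation: trailing dots and spaces are discarded
    when the file is created, so 'shell.jsp.' is written as 'shell.jsp'."""
    return name.rstrip(" .")


def naive_denylist_check(name: str) -> bool:
    """Pre-fix style check (assumed): only looks at the extension of the
    name exactly as submitted. Returns True when the upload is accepted."""
    return extension_of(name) not in RESTRICTED_EXTENSIONS


def hardened_check(name: str) -> bool:
    """Validate the name Windows will actually store, not the submitted one.

    - strip any path component (handles both separators on Windows)
    - reject outright if normalisation would change the name
    - then apply an allowlist (not a denylist) to the stored name
    """
    base = ntpath.basename(name)
    stored = windows_stores_as(base)
    if not stored or stored != base:
        return False  # trailing dot or space: the stored name would differ
    if stored.startswith(".") or "\x00" in stored:
        return False  # hidden-file trick or embedded NUL
    return extension_of(stored) in ALLOWED_EXTENSIONS


def compare(name: str) -> dict:
    """Side-by-side result for one filename, used by the demo below."""
    return {
        "submitted": name,
        "stored_as": windows_stores_as(ntpath.basename(name)),
        "naive_accepts": naive_denylist_check(name),
        "hardened_accepts": hardened_check(name),
    }


if __name__ == "__main__":
    for candidate in ("manual.pdf", "shell.jsp", "shell.jsp.", "shell.jsp . ."):
        print(compare(candidate))
```

Running the block shows `shell.jsp.` passing the naive check (its apparent extension is just `.`) while being stored as `shell.jsp`, whereas the hardened check rejects it because the stored name differs from the submitted one.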
🧯 If You Can't Patch
- Implement web application firewall rules to block file uploads with suspicious filename patterns
- Monitor file upload activity and audit logs for unusual patterns or unauthorized file types
🔍 How to Verify
Check if Vulnerable:
Test if authenticated users can upload files with trailing dots in filenames (e.g., 'malicious.php.') and if those files are accepted by the MXAPIASSET API
Check Version:
Check Maximo version through administrative interface or consult system documentation
Verify Fix Applied:
Attempt the same file upload test after applying patches - trailing dot filenames should be rejected
📡 Detection & Monitoring
Log Indicators:
- File upload attempts with trailing dots in filenames
- Unusual file types being uploaded to MXAPIASSET endpoints
- Multiple failed upload attempts followed by successful upload
Network Indicators:
- POST requests to MXAPIASSET upload endpoints with unusual filenames
- Traffic patterns indicating file uploads from unexpected sources
SIEM Query:
source="maximo_logs" AND (filename="*." OR (file_upload="success" AND file_type NOT IN ("allowed_types")))
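To turn the three log indicators above into something that can be run against upload records, here is an added example (not from the advisory or from IBM) that parses constructed upload log lines and raises an alert for each indicator: a trailing-dot filename, a successful upload whose stored extension is outside an allowlist, and a run of failed uploads by one user followed by a success. The log format, the field names, the allowlist and the failure threshold are all assumptions made for the demo; a real Maximo deployment logs in its own format.

```python
import os
import re
from collections import defaultdict

# Constructed sample log lines (assumption: not Maximo's real log format).
SAMPLE_LOG = """\
2024-09-05T10:01:12Z user=alice endpoint=/maximo/api/os/mxapiasset/1001/doclinks status=success filename="manual.pdf"
2024-09-05T10:02:40Z user=bob endpoint=/maximo/api/os/mxapiasset/1002/doclinks status=failure filename="shell.jsp"
2024-09-05T10:02:51Z user=bob endpoint=/maximo/api/os/mxapiasset/1002/doclinks status=failure filename="shell.exe"
2024-09-05T10:03:05Z user=bob endpoint=/maximo/api/os/mxapiasset/1002/doclinks status=failure filename="shell.jspx"
2024-09-05T10:03:30Z user=bob endpoint=/maximo/api/os/mxapiasset/1002/doclinks status=success filename="shell.jsp."
2024-09-05T10:05:00Z user=carol endpoint=/maximo/api/os/mxapiasset/1003/doclinks status=success filename="photo.png"
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) endpoint=(?P<endpoint>\S+) '
    r'status=(?P<status>\S+) filename="(?P<filename>[^"]*)"$'
)

ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".txt", ".csv", ".xlsx"}
FAILURE_RUN_THRESHOLD = 3  # assumed tuning value


def parse_log(text: str) -> list:
    """Parse each well-formed line into a dict; skip lines that don't match."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def stored_name(filename: str) -> str:
    """Name Windows would store: trailing dots and spaces are dropped."""
    return filename.rstrip(" .")


def detect(events: list) -> list:
    """Return (indicator, user, filename) tuples for every match."""
    alerts = []
    for e in events:
        name = e["filename"]
        stored = stored_name(name)
        # Indicator 1: filename with a trailing dot (or space) as submitted
        if stored != name:
            alerts.append(("trailing_dot_filename", e["user"], name))
        # Indicator 2: successful upload whose stored extension is not allowed
        ext = os.path.splitext(stored)[1].lower()
        if e["status"] == "success" and ext not in ALLOWED_EXTENSIONS:
            alerts.append(("disallowed_type_uploaded", e["user"], name))

    # Indicator 3: N or more consecutive failures by one user, then a success
    per_user = defaultdict(list)
    for e in events:  # events are assumed to be in time order
        per_user[e["user"]].append(e)
    for user, evs in per_user.items():
        run = 0
        for e in evs:
            if e["status"] == "failure":
                run += 1
            else:
                if e["status"] == "success" and run >= FAILURE_RUN_THRESHOLD:
                    alerts.append(("failures_then_success", user, e["filename"]))
                run = 0
    return alerts


def run_sample() -> list:
    """Convenience wrapper: parse and analyse the constructed sample log."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed sample, only bob's last upload trips the first two indicators, and his three failures followed by that success trip the third; alice's and carol's uploads produce nothing. The extension check deliberately runs on the stored name, so `shell.jsp.` is classified as a `.jsp` upload rather than as a file with no extension.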