CVE-2024-45647
📋 TL;DR
This vulnerability in IBM Security Verify Access allows unauthenticated attackers to reset passwords for expired user accounts without knowing the current password. It affects IBM Security Verify Access versions 10.0.0 through 10.0.8 and the Docker container versions. This enables unauthorized account takeover of expired user accounts.
💻 Affected Systems
- IBM Security Verify Access
- IBM Security Verify Access Docker
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could take over administrative accounts with expired passwords, gaining full control over the identity management system and potentially accessing all managed resources.
Likely Case
Attackers reset passwords for expired user accounts they've identified, gaining unauthorized access to those accounts and any resources they can access.
If Mitigated
With proper monitoring and account lifecycle management, impact is limited to temporary unauthorized access until detected and remediated.
🎯 Exploit Status
The flaw is in the password reset flow for accounts whose password has expired. An attacker needs only the username of an expired account; no current password or authenticated session is required. Attackers therefore need a way to identify which accounts are expired before they can target them.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.0.9 or later
Vendor Advisory: https://www.ibm.com/support/pages/node/7176212
Restart Required: Yes
Instructions:
1. Download IBM Security Verify Access 10.0.9 or later from IBM Fix Central (for container deployments, pull the 10.0.9 or later image).
2. Apply the update following IBM's installation guide.
3. Restart all affected services.
4. Verify the fix by checking the product version in the administrative console (or the running container's image tag).
🔧 Temporary Workarounds
Disable password expiration (all deployments)
Temporarily disable password expiration policies so that no account enters the expired state that the vulnerable reset flow applies to.
Set the maximum password age so that passwords never expire (0 in the password policy, or policy set max-password-age unset in pdadmin). Confirm on your release that the value you choose means "never expire" rather than "expire immediately", and restore the expiration policy once patched, since this workaround weakens password hygiene.
Restrict password reset endpoint (all deployments)
Apply network controls so that only trusted sources can reach the password reset flow.
Configure firewall/load balancer rules to restrict access to /mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:reset_password (adjust the /mga prefix if the authentication service is published under a different junction). This also blocks legitimate self-service resets from untrusted networks, so provide a helpdesk-assisted reset path until the patch is applied.
🧯 If You Can't Patch
- Implement strict monitoring for password reset attempts on expired accounts
- Enable multi-factor authentication for all accounts to provide additional protection
🔍 How to Verify
Check if Vulnerable:
Check whether you are running IBM Security Verify Access version 10.0.0 through 10.0.8. Confirm the behaviour with a dedicated test account whose password you have deliberately expired: attempt the reset flow for that account without authenticating and without supplying the current password.
Check Version:
Check the product version in the administrative console or, for container deployments, inspect the running image: docker inspect --format '{{.Config.Image}}' <container_name> (or docker inspect <container_name> | grep -i version). Compare version components numerically; 10.0.10 is newer than 10.0.9 even though it sorts lower as a string.
Verify Fix Applied:
Verify version is 10.0.9 or later. Test that unauthenticated password reset for expired accounts now requires proper authentication.
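The version check above is easy to get wrong with string comparison, so here is an added example (not IBM tooling) that parses a version string or container image tag and decides whether it falls in the affected range 10.0.0 through 10.0.8. The container_image helper and the assumption that every 10.0.8.x fix pack is inside the affected range are mine, not from the advisory.

```python
"""Version check for CVE-2024-45647 (added example, not IBM tooling).

The advisory range is 10.0.0 through 10.0.8, fixed in 10.0.9. Components must
be compared numerically: a plain string comparison ranks "10.0.10" below
"10.0.9" and would misclassify a patched system.
"""
import re
import subprocess
import sys

AFFECTED_MIN = (10, 0, 0)
FIXED_IN = (10, 0, 9)


def parse_version(text):
    """Return the first dotted numeric version in text as a tuple of ints.

    Accepts bare versions ("10.0.8"), four-part versions ("10.0.8.0") and
    image references that end in a tag ("verify-access:10.0.8.0").
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def is_vulnerable(version_text):
    """True if the version lies in the affected range [10.0.0, 10.0.9).

    Assumption: a fourth (fix-pack) component does not change the verdict,
    i.e. every 10.0.8.x build is treated as affected.
    """
    v = parse_version(version_text)[:3]
    return AFFECTED_MIN <= v < FIXED_IN


def container_image(container_name):
    """Read the image reference of a running container (docker must be on PATH).

    The returned reference, e.g. "verify-access:10.0.8.0", can be passed
    straight to is_vulnerable().
    """
    out = subprocess.run(
        ["docker", "inspect", "--format", "{{.Config.Image}}", container_name],
        capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    # Usage: python check_isva.py 10.0.8 10.0.9 verify-access:10.0.10.0
    for arg in sys.argv[1:]:
        verdict = "VULNERABLE" if is_vulnerable(arg) else "not in affected range"
        print(f"{arg}: {verdict}")
```

Feed it the version shown in the administrative console or the image reference returned by docker inspect; anything reported as VULNERABLE needs the 10.0.9 update.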
📡 Detection & Monitoring
Log Indicators:
- Unusual password reset attempts for expired accounts
- Multiple failed authentication attempts followed by password resets
- Password reset requests from unexpected IP addresses
Network Indicators:
- HTTP POST requests to the password reset endpoint that carry no session cookie or authentication header
- Unusual traffic volume or source distribution for the /mga/sps/authsvc endpoint, in particular requests selecting the reset_password policy
SIEM Query (pseudo-syntax; map the field names onto your actual log source):
source="ibm_verify_access" AND (event_type="password_reset" AND user_status="expired") AND src_ip NOT IN (allowed_ips)
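The SIEM query and the "failed authentications followed by a reset" indicator above can both be expressed as stateful detection logic. The following is an added example, not IBM's log format or tooling: the JSON event shape, field names, allow-list range and sample events are all constructed for illustration and must be mapped onto the fields your ISVA or WebSEAL log source actually provides.

```python
"""Detection logic for the indicators above (added example, constructed schema).

Rule A mirrors the SIEM query: a reset of an expired account with no
authenticated session, from a source outside the allow-list.
Rule B correlates repeated failed authentications from one source with a
subsequent reset request inside a sliding time window.
"""
import ipaddress
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

RESET_POLICY = "urn:ibm:security:authentication:asf:reset_password"
RESET_PATH = "/mga/sps/authsvc"
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # constructed: helpdesk range
FAILED_AUTH_THRESHOLD = 3
FAILED_AUTH_WINDOW = timedelta(minutes=10)


def is_allowed(ip):
    """True if the source address is inside an allow-listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)


def is_reset_request(ev):
    """True if the event's URI selects the reset_password authentication policy."""
    uri = ev.get("uri", "")
    return uri.startswith(RESET_PATH) and f"PolicyId={RESET_POLICY}" in uri


def _prune(queue, now):
    """Drop failed-auth timestamps that fell out of the correlation window."""
    while queue and now - queue[0] > FAILED_AUTH_WINDOW:
        queue.popleft()


def analyze(lines):
    """Return a list of (rule_name, event) alerts for JSON event lines in time order."""
    alerts = []
    failures = defaultdict(deque)  # src_ip -> timestamps of recent failed auths
    for line in lines:
        ev = json.loads(line)
        now = datetime.fromisoformat(ev["ts"])
        ip = ev["src_ip"]
        if ev["event"] == "auth_failure":
            failures[ip].append(now)
            _prune(failures[ip], now)
            continue
        if ev["event"] != "password_reset" or not is_reset_request(ev):
            continue
        # Rule A: unauthenticated reset of an expired account from outside the allow-list
        if (ev.get("user_status") == "expired"
                and not ev.get("authenticated", False)
                and not is_allowed(ip)):
            alerts.append(("unauthenticated_reset_outside_allowlist", ev))
        # Rule B: burst of failed authentications from this source, then a reset
        _prune(failures[ip], now)
        if len(failures[ip]) >= FAILED_AUTH_THRESHOLD:
            alerts.append(("failed_auths_then_reset", ev))
    return alerts


RESET_URI = f"{RESET_PATH}?PolicyId={RESET_POLICY}"
# Constructed sample events (not real ISVA output): an attacker at 203.0.113.7
# fails three logins for "alice" then resets her expired password without
# authenticating; a helpdesk reset from the allow-listed range and a normal
# authenticated reset should not alert.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"ts": "2024-12-01T10:00:00", "src_ip": "203.0.113.7", "event": "auth_failure", "user": "alice"},
    {"ts": "2024-12-01T10:00:05", "src_ip": "203.0.113.7", "event": "auth_failure", "user": "alice"},
    {"ts": "2024-12-01T10:00:09", "src_ip": "203.0.113.7", "event": "auth_failure", "user": "alice"},
    {"ts": "2024-12-01T10:01:00", "src_ip": "203.0.113.7", "event": "password_reset", "uri": RESET_URI,
     "authenticated": False, "user": "alice", "user_status": "expired"},
    {"ts": "2024-12-01T11:00:00", "src_ip": "10.20.5.4", "event": "password_reset", "uri": RESET_URI,
     "authenticated": False, "user": "bob", "user_status": "expired"},
    {"ts": "2024-12-01T12:00:00", "src_ip": "198.51.100.9", "event": "password_reset", "uri": RESET_URI,
     "authenticated": True, "user": "carol", "user_status": "active"},
]]

if __name__ == "__main__":
    for rule, ev in analyze(SAMPLE_EVENTS):
        print(f"{rule}: {ev['src_ip']} -> {ev['user']} at {ev['ts']}")
```

Once the 10.0.9 update is in place, tighten Rule A by dropping the allow-list exception: an unauthenticated reset of any account should then never succeed, so any such event is worth an alert regardless of source.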