CVE-2024-45653
📋 TL;DR
IBM Sterling Connect:Direct Web Services versions 6.0 through 6.3 return sensitive IP address information to authenticated users in API responses. The disclosure is low severity on its own, but it hands an attacker who already holds valid credentials reconnaissance data (addresses of internal nodes and services) for further attacks against the environment. Unauthenticated users cannot trigger it.
💻 Affected Systems
- IBM Sterling Connect:Direct Web Services
📦 What is this software?
Sterling Connect:Direct Web Services by IBM
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker obtains internal IP addresses of Connect:Direct nodes and related backend systems, and uses them to infer network layout, pick targets for lateral movement, and stage more severe attacks against hosts that would otherwise be unknown to them.
Likely Case
Authenticated attackers gather internal IP addresses to map network architecture and identify additional targets for exploitation within the environment.
If Mitigated
With proper network segmentation and access controls, the exposed information provides limited value to attackers who cannot reach the disclosed systems.
🎯 Exploit Status
No special tooling is required, but the attacker must first hold valid credentials for the web services interface. Exploitation is then a matter of calling API endpoints and reading the leaked addresses out of the responses.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply interim fix or upgrade to version 6.3.0.2 or later
Vendor Advisory: https://www.ibm.com/support/pages/node/7174104
Restart Required: Yes
Instructions:
1. Download the interim fix from IBM Fix Central.
2. Stop the Connect:Direct Web Services application.
3. Apply the fix according to IBM documentation.
4. Restart the application.
5. Verify the fix by checking the version and testing API responses as an authenticated user.
🔧 Temporary Workarounds
Restrict API Access
Limit which authenticated users can reach the affected API endpoints. Configure application-level access controls so that only users who need the API (operators and integration accounts) can call it, and remove or disable accounts that no longer need access.
Network Segmentation
Reduce the value of the disclosed addresses by ensuring that systems reachable by API users cannot also reach the backend hosts those addresses belong to. Configure firewall rules so that only authorized networks can connect to the backend Connect:Direct nodes.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the Connect:Direct Web Services from sensitive backend systems
- Enhance monitoring of API access logs for unusual patterns of authenticated users accessing multiple endpoints
🔍 How to Verify
Check if Vulnerable:
As an authenticated user, access Connect:Direct Web Services API endpoints and check responses for internal IP addresses that should not be exposed.
Check Version:
Check the application version through the administrative interface or by examining installation directories and configuration files.
Verify Fix Applied:
After applying the fix, test the same API endpoints as an authenticated user and verify that internal IP addresses are no longer disclosed in responses.
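The "check if vulnerable" and "verify fix applied" steps above both come down to the same test: take an API response obtained as an authenticated user and look for addresses that belong to internal ranges. The following is an added example (not IBM's code and not part of the original advisory) that walks a JSON response, validates every IP-looking token with Python's ipaddress module, and reports only RFC 1918, ULA, loopback, link-local and CGNAT addresses together with the JSON path where each was found. The response body, its field names and the endpoint paths are constructed for the example; substitute a real response captured from your own instance.

```python
from __future__ import annotations

import ipaddress
import json
import re
from typing import Any, Iterator

# Candidate tokens are matched loosely and then validated with ipaddress, so a
# version string such as "6.3.0.1" parses as an address but is not internal,
# and a time such as "12:30:45" fails IPv6 parsing and is dropped.
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_IPV6_RE = re.compile(r"\b(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}\b")


def _walk(value: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (json_path, string) for every string in a decoded JSON document."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from _walk(item, f"{path}.{key}")
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from _walk(item, f"{path}[{index}]")
    elif isinstance(value, str):
        yield path, value


def is_internal(addr: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    """True for addresses that should never reach an API client:
    RFC 1918 / ULA, loopback, link-local, plus the carrier-grade NAT range,
    which ipaddress does not classify as private."""
    return (
        addr.is_private
        or addr.is_loopback
        or addr.is_link_local
        or addr in ipaddress.ip_network("100.64.0.0/10")
    )


def find_internal_ips(body: str) -> list[dict[str, str]]:
    """Parse a JSON API response and return every internal address it leaks,
    with the JSON path of the field that contained it."""
    findings: list[dict[str, str]] = []
    for path, text in _walk(json.loads(body)):
        for candidate in _IPV4_RE.findall(text) + _IPV6_RE.findall(text):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # not a real address (e.g. "999.1.1.1" or "12:30:45")
            if is_internal(addr):
                findings.append({"path": path, "address": str(addr)})
    return findings


# Constructed sample response: the field names and values are invented for
# this example and are not taken from the real product API.
SAMPLE_RESPONSE = json.dumps({
    "node": "cdws-node-01",
    "version": "6.3.0.1",                       # parses as an IP, but public: ignored
    "listener": {"address": "10.20.30.40", "port": 1364},
    "peers": [
        {"name": "partner-a", "host": "8.8.8.8"},                     # public: ignored
        {"name": "legacy", "host": "http://192.168.5.9:1364/status"},  # embedded in a URL
    ],
    "mgmt": {"ipv6": "fe80::1"},
})


if __name__ == "__main__":
    for finding in find_internal_ips(SAMPLE_RESPONSE):
        print(f"{finding['path']}: {finding['address']}")
```

Run the same function against the responses before and after the interim fix: a patched instance should yield an empty list for endpoints that previously leaked. Address ranges that are "internal" in your environment but public in the RFC sense (for example a registered block used only behind the firewall) have to be added to `is_internal` by hand.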
📡 Detection & Monitoring
Log Indicators:
- Unusual patterns of API requests from authenticated users, particularly sequential requests to multiple endpoints
Network Indicators:
- Increased API traffic from single authenticated users scanning multiple endpoints
SIEM Query:
Illustrative Splunk-style pseudo-query; adapt the source and field names to your own log schema and tune `threshold` to a baseline of normal per-user activity:
source="connect_direct_ws" event_type="api_request" | stats dc(endpoint) AS endpoint_count BY user | where endpoint_count > threshold
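The log indicator above (one authenticated user walking many distinct endpoints in a short time) can be checked outside a SIEM as well. The following is an added example, not part of the original advisory and not IBM's code: it parses access-log lines, keeps a per-user sliding window, and reports users whose count of distinct endpoints inside any window reaches a threshold. The log layout, user names and endpoint paths are constructed for the example; real Connect:Direct Web Services logs use their own format, so `parse_line` has to be adapted, and the lines are assumed to arrive in chronological order.

```python
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a generic "timestamp user method path status"
# layout. bob enumerates six endpoints in 16 seconds, alice repeats two
# endpoints, carol touches six endpoints but seven minutes apart each.
SAMPLE_LOG = """\
2024-11-05T10:00:01Z alice GET /api/nodes 200
2024-11-05T10:00:02Z alice GET /api/nodes 200
2024-11-05T10:00:05Z bob GET /api/nodes 200
2024-11-05T10:00:09Z bob GET /api/nodes/NODE1 200
2024-11-05T10:00:12Z bob GET /api/processes 200
2024-11-05T10:00:15Z bob GET /api/netmap 200
2024-11-05T10:00:18Z bob GET /api/config 200
2024-11-05T10:00:21Z bob GET /api/users?page=2 200
2024-11-05T10:01:00Z alice GET /api/processes 200
2024-11-05T10:05:00Z carol GET /api/nodes 200
2024-11-05T10:12:00Z carol GET /api/processes 200
2024-11-05T10:19:00Z carol GET /api/netmap 200
2024-11-05T10:26:00Z carol GET /api/config 200
2024-11-05T10:33:00Z carol GET /api/users 200
2024-11-05T10:40:00Z carol GET /api/nodes/NODE1 200
this line is malformed and must be skipped
"""


def parse_line(line: str) -> tuple[datetime, str, str] | None:
    """Return (timestamp, user, endpoint) for a well-formed line, else None.
    The query string is dropped so /api/users?page=1 and ?page=2 count once."""
    fields = line.split()
    if len(fields) != 5:
        return None
    try:
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    user, path = fields[1], fields[3].split("?", 1)[0]
    return ts, user, path


def find_enumerators(
    log_lines,
    window: timedelta = timedelta(minutes=5),
    threshold: int = 5,
) -> dict[str, int]:
    """Map user -> peak number of distinct endpoints seen inside one window,
    restricted to users whose peak reaches `threshold`."""
    history: dict[str, deque] = defaultdict(deque)  # user -> (ts, endpoint) within window
    peak: dict[str, int] = defaultdict(int)
    for rec in map(parse_line, log_lines):
        if rec is None:
            continue
        ts, user, endpoint = rec
        recent = history[user]
        recent.append((ts, endpoint))
        while recent and ts - recent[0][0] > window:   # expire old entries
            recent.popleft()
        distinct = len({e for _, e in recent})
        peak[user] = max(peak[user], distinct)
    return {user: n for user, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for user, count in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: {count} distinct endpoints within a 5-minute window")
```

The sliding window is what separates enumeration from ordinary use: carol hits as many endpoints as bob, but never more than one per window, so she is not reported. Tune `window` and `threshold` against a week of normal traffic before alerting on the result, and treat a hit as a reason to review that account's session, not as proof of compromise.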