CVE-2024-47119

5.9 MEDIUM

📋 TL;DR

IBM Storage Defender - Resiliency Service versions 2.0.0 through 2.0.9 fail to properly validate SSL/TLS certificates, allowing attackers to perform man-in-the-middle attacks by spoofing trusted entities. This affects organizations using these specific versions of IBM's data protection software for communication between hosts and clients.

💻 Affected Systems

Products:
  • IBM Storage Defender - Resiliency Service
Versions: 2.0.0 through 2.0.9
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using affected versions are vulnerable regardless of configuration. The vulnerability exists in certificate validation logic.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers intercept and manipulate all communication between Storage Defender components, potentially gaining administrative access to backup systems, exfiltrating sensitive data, or injecting malicious commands.

🟠 Likely Case

Attackers with network access could intercept backup metadata, configuration data, or authentication credentials, compromising backup integrity and potentially gaining access to protected systems.

🟢 If Mitigated

With proper network segmentation and certificate pinning, impact is limited to denial of service or limited data exposure within isolated network segments.

🌐 Internet-Facing: MEDIUM - While the service typically shouldn't be internet-facing, misconfigurations could expose it, making man-in-the-middle attacks feasible from the internet.
🏢 Internal Only: HIGH - Attackers with internal network access (including compromised hosts) can exploit this to intercept sensitive backup communications and potentially compromise the entire backup infrastructure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires the attacker to be positioned in the network path between communicating components. There is no authentication bypass, but network positioning alone is enough to exploit the flaw.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.10 or later

Vendor Advisory: https://www.ibm.com/support/pages/node/7178587

Restart Required: Yes

Instructions:

1. Download IBM Storage Defender - Resiliency Service version 2.0.10 or later from IBM Fix Central.
2. Back up the current configuration.
3. Apply the update following IBM's installation guide.
4. Restart all Resiliency Service components.
5. Verify that certificate validation is functioning correctly.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate Storage Defender components in a dedicated VLAN with strict access controls to prevent man-in-the-middle positioning.

Certificate Pinning

all

Implement certificate pinning at the application or network level to enforce specific trusted certificates.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Storage Defender traffic from untrusted networks
  • Deploy network monitoring and IDS/IPS to detect SSL/TLS interception attempts

🔍 How to Verify

Check if Vulnerable:

Check the installed version via IBM Storage Defender administration console or by running 'ibm_storage_defender --version' on the Resiliency Service host.

Check Version:

ibm_storage_defender --version

Verify Fix Applied:

After patching, test SSL/TLS connections between components using an invalid certificate (for example, one signed by an untrusted CA or issued for a different name) and confirm that the connection is rejected rather than established.
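The verification step above and the certificate-pinning workaround, as an added Go example that is not code from IBM or from this advisory: it generates a throwaway self-signed certificate, serves it on loopback, and contrasts a client that skips chain validation (the improper-certificate-validation class this CVE belongs to) with a client that validates against a trust anchor and a client pinned to one fingerprint. The name defender.local and the helpers NewTestCert, Probe and PinnedConfig are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"time"
)

// NewTestCert builds a throwaway self-signed certificate for dns (constructed here; it plays either the genuine peer or a spoofed one).
func NewTestCert(dns string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{dns},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// Probe serves cert on a loopback TLS listener and reports whether a client using cfg accepts it.
func Probe(cert tls.Certificate, cfg *tls.Config) bool {
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // an error here only means the client rejected our certificate
			c.Close()
		}
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err == nil {
		c.Close()
	}
	return err == nil
}

// PinnedConfig is the certificate-pinning workaround: accept only the leaf whose SHA-256 fingerprint is pin.
func PinnedConfig(pin [32]byte) *tls.Config {
	return &tls.Config{InsecureSkipVerify: true, VerifyConnection: func(cs tls.ConnectionState) error {
		if sha256.Sum256(cs.PeerCertificates[0].Raw) != pin {
			return errors.New("certificate pin mismatch")
		}
		return nil
	}}
}
```

A client built like the InsecureSkipVerify config with no VerifyConnection callback accepts any peer, which is the behaviour a fixed deployment must not show; the RootCAs plus ServerName form is what a correct validator looks like.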

📡 Detection & Monitoring

Log Indicators:

  • SSL/TLS handshake failures with invalid certificates
  • Unexpected certificate changes in communication logs
  • Authentication failures following network changes

Network Indicators:

  • Traffic characteristic of SSL/TLS interception tools such as mitmproxy on the network
  • Unexpected certificates in TLS handshakes between Storage Defender components

SIEM Query:

source="storage_defender" AND (event_type="ssl_error" OR certificate_validation="failed")
