CVE-2024-55897
📋 TL;DR
IBM PowerHA SystemMirror for i fails to set the secure attribute on authorization tokens and session cookies, allowing attackers to steal these cookies via HTTP links. This affects IBM PowerHA SystemMirror for i versions 7.4 and 7.5. Attackers can intercept cookie values by tricking users into visiting HTTP links or planting malicious links.
💻 Affected Systems
- IBM PowerHA SystemMirror for i
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal session cookies and gain unauthorized access to PowerHA management interfaces, potentially compromising high-availability configurations and sensitive system data.
Likely Case
Session hijacking leading to unauthorized access to PowerHA management functions, though limited to users who click malicious HTTP links.
If Mitigated
Minimal impact if HTTPS-only enforcement and network segmentation prevent HTTP cookie transmission.
🎯 Exploit Status
Exploitation requires user interaction (clicking HTTP link) and network interception capability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply IBM fix as per advisory
Vendor Advisory: https://www.ibm.com/support/pages/node/7180036
Restart Required: Yes
Instructions:
1. Review the IBM advisory.
2. Apply the fix IBM recommends.
3. Restart the affected services.
4. Verify that the Secure attribute is now set on the session and authorization cookies.
🔧 Temporary Workarounds
Enforce HTTPS Only
Configure PowerHA to use HTTPS exclusively and disable HTTP access.
- Configure HTTP-to-HTTPS redirection in the PowerHA settings
- Disable the HTTP protocol in the PowerHA configuration
Network Segmentation
Restrict access to PowerHA management interfaces to trusted networks only.
- Configure firewall rules to limit access to PowerHA
- Implement VLAN segmentation for management traffic
🧯 If You Can't Patch
- Enforce HTTPS-only access and disable HTTP completely.
- Implement strict network controls to prevent unauthorized access to PowerHA interfaces.
🔍 How to Verify
Check if Vulnerable:
Inspect the Set-Cookie headers returned by the PowerHA management interface: the vulnerable state is a session or authorization cookie issued without the 'Secure' attribute, which the browser will then also send over plain HTTP.
Check Version:
Run DSPPTF LICPGM(5770SS1) on IBM i to check the installed version and applied PTFs.
Verify Fix Applied:
Verify cookies have 'Secure' attribute set and HTTP access is disabled or redirected to HTTPS.
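A defender-side check for the two verification steps above, added here as an example and not taken from IBM or the advisory: it audits Set-Cookie headers for the Secure (and HttpOnly) attribute and probes whether plain HTTP is still served. The hostname, paths, ports and the sample cookie names are assumptions; the sample headers are constructed so the audit runs offline.

```python
import http.client
def audit_set_cookie(set_cookie_values):
    """Return [(cookie_name, [missing attributes])] for cookies lacking Secure or HttpOnly."""
    findings = []
    for value in set_cookie_values:
        name = value.split("=", 1)[0].strip()
        # attributes follow the first ';' and are matched case-insensitively (RFC 6265)
        attrs = {part.strip().split("=", 1)[0].lower() for part in value.split(";")[1:]}
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        if missing:
            findings.append((name, missing))
    return findings

def fetch_set_cookie_headers(host, path="/", port=443, timeout=10):
    """GET `path` over TLS and return every Set-Cookie value the server sent."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    finally:
        conn.close()

def check_plain_http(host, path="/", port=80, timeout=10):
    """Probe plain HTTP: the fixed state is a refused connection or a redirect to https://."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        location = resp.getheader("Location", "")
        conn.close()
    except (OSError, http.client.HTTPException) as exc:
        return f"HTTP unreachable ({exc.__class__.__name__})"
    if resp.status in (301, 302, 307, 308) and location.lower().startswith("https://"):
        return "HTTP redirects to HTTPS"
    return f"HTTP still served (status {resp.status})"

# Constructed sample headers (not PowerHA's real cookie names) so the audit runs offline
SAMPLE_SET_COOKIE = [
    "JSESSIONID=abc123; Path=/; HttpOnly",                  # Secure missing: the CVE condition
    "authToken=xyz789; Path=/",                             # Secure and HttpOnly both missing
    "csrf=tok; Path=/; Secure; HttpOnly; SameSite=Strict",  # hardened, no finding
]

if __name__ == "__main__":
    import sys  # usage: python audit.py <powerha-host>; without a host the sample is audited
    host = sys.argv[1] if len(sys.argv) > 1 else None
    for name, missing in audit_set_cookie(fetch_set_cookie_headers(host) if host else SAMPLE_SET_COOKIE):
        print(f"{name}: missing {', '.join(missing)}")
    if host:
        print(check_plain_http(host))
```

Run it against the management host after patching: an empty finding list plus "HTTP redirects to HTTPS" or "HTTP unreachable" is the expected fixed state.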
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP access to PowerHA interfaces
- Multiple failed authentication attempts
Network Indicators:
- HTTP traffic to PowerHA ports containing session cookies
- Unencrypted cookie transmission
SIEM Query:
source="PowerHA" AND (protocol="HTTP" AND uri CONTAINS "session")