IBM ServeRAID Manager version 9.30-17006 and prior exposes a Java RMI that allows a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
IBM ServeRAID Manager includes an embedded instance of Java version 1.4.2. Both ServeRAID Manager and Java 1.4.2 are no longer supported. ServeRAID Manager uses a Java Remote Method Invocation (RMI) on port 34571/tcp that listens on all interfaces by default. ServeRAID Manager runs with SYSTEM privileges on Microsoft Windows systems. An unauthenticated attacker with network access can exploit the vulnerable RMI interface to launch a remote class loader attack. This appears to be an instance of CVE-2011-3556.
The ServeRAID product name is used for hardware and software components variously owned and maintained by IBM, Lenovo, and other vendors. This vulnerability applies to IBM ServeRAID Manager software and no products or components from Lenovo or any other vendor.
An unauthenticated remote attacker can execute arbitrary code on a vulnerable system, with SYSTEM privileges on Microsoft Windows.
ServeRAID Manager is no longer supported and we do not expect IBM to release fixes.
Configure ServeRAID Manager to listen on specific network interfaces (like localhost) or use a host-based firewall to restrict network access to 34571/tcp.
Thanks to Brendan Saulsbury, Ariel Montano Cardenas, Lavelle Perry, and Swagat Das for reporting this vulnerability.
This document was written by Laurie Tyzenhaus.
|Date First Published:||2020-02-12|
|Date Last Updated:||2020-02-13 12:33 UTC|