IBM Security Verify Access Lets Attackers Conduct Phishing Attacks

IBM discovered an open-redirect vulnerability that could allow threat actors to spoof the original URL of IBM Security Verify Access, lure victims to a malicious website, and steal sensitive information.

IBM Security Verify Access offers a comprehensive solution for managing network security policies and authorization. It ensures complete protection of resources across intranets and extranets, even when they are geographically dispersed.

With IBM Security Verify Access, you gain access to a range of features, including authentication, authorization, data security, and centralized resource management.

The vulnerability stems from the default configuration of the AAC (Advanced Access Control) module. IBM stated that a patch for it already exists, which users can apply to prevent exploitation.

CVE-2023-30433: IBM Security Verify Access HTTP open redirect

This vulnerability exists in IBM Security Verify Access 10.0 versions. An attacker can use a specially crafted URL to conduct phishing attacks.

Successful exploitation of this vulnerability can let an attacker obtain highly sensitive information from the victims. The CVSS score for this vulnerability is given as 5.4 (Medium).

Affected Products

| Affected Product(s) | Version(s) |
|---|---|
| IBM Security Verify Access Appliance | 10.0.X |
| IBM Security Verify Access Docker | 10.0.X |

Remediation

To fix this vulnerability, the sps.targetURLWhitelist property in the affected IBM Security Verify Access products must be set to a comma-separated list of allowed URLs. This prevents the redirection from happening.

Users of these products are advised to apply the necessary fixes to patch this vulnerability.
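The kind of check a redirect allowlist performs, as an added Python illustration that is not IBM's code or part of the original article. The comma-separated value is constructed with placeholder hosts, and matching on scheme, host and port only is an assumption of this example, not documented product behaviour.

```python
from urllib.parse import urlsplit

# Constructed sample value in the comma-separated form the article describes;
# the hosts are placeholders, not IBM defaults.
ALLOWLIST = "https://portal.example.com, https://apps.example.com:8443"

def _origin(parts):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    default = {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), parts.port or default)

def parse_allowlist(value):
    """Turn the comma-separated list into a set of allowed origins."""
    origins = set()
    for item in (i.strip() for i in value.split(",")):
        if not item:
            continue
        parts = urlsplit(item)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError(f"allowlist entry is not an absolute URL: {item!r}")
        origins.add(_origin(parts))
    return origins

def is_allowed_target(target, origins):
    """True only for an absolute http(s) URL whose origin is on the list."""
    # Browsers treat backslashes as slashes and drop control characters,
    # so reject such input instead of guessing how it will be interpreted.
    if "\\" in target or any(ord(c) < 0x21 for c in target):
        return False
    try:
        parts = urlsplit(target)
        origin = _origin(parts)  # .port raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False  # relative, scheme-relative and non-web schemes
    if parts.username is not None:
        return False  # a trusted name in the userinfo part proves nothing
    # Compare parsed components exactly; a string-prefix test would accept
    # a look-alike host that merely starts with a trusted name.
    return origin in origins

if __name__ == "__main__":
    allowed = parse_allowlist(ALLOWLIST)
    for url in ("https://portal.example.com/home",
                "https://portal.example.com.attacker.test/home"):
        print(url, "->", is_allowed_target(url, allowed))
```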

Eswar is a cyber security reporter with a passion for creating captivating and informative content. With years of experience in cyber security, he reports on data breaches, privacy, and APT threats.