
IBM Security Verify Access 10.0.8 – Open Redirection Vulnerability


In a recent security bulletin, IBM disclosed a vulnerability in IBM Security Verify Access versions 10.0.0 through 10.0.8 that remote attackers could exploit to redirect users to malicious websites. The flaw, rated high severity by the National Institute of Standards and Technology (NIST) and medium severity by IBM, could allow attackers to harvest sensitive information or stage further attacks against unsuspecting victims.

The vulnerability, tracked as CVE-2024-35133, affects IBM Security Verify Access products, including IBM Security Verify Access Docker, and is most relevant to deployments that rely on the OAuth flow for authorization. By manipulating the “redirect_uri” parameter during an OAuth flow, an attacker could craft URLs that appear legitimate but send users to an attacker-controlled site, tricking them into divulging sensitive information or exposing them to other cyberattacks.

During a penetration test of the OAuth flow, security researchers found an open redirect that let an attacker bypass the parser logic responsible for validating the “redirect_uri” parameter. Using URI syntax techniques described in RFC 3986, an attacker could shape the Uniform Resource Identifier (URI) so that it passed validation yet resolved to an arbitrary domain under their control.
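The defensive counterpart to that parser weakness is exact matching of “redirect_uri” against the client's registered values, as OAuth 2.0 recommends. The following is an added example written for this article; it is not IBM's code and does not reproduce the specific bypass from the bulletin (which the page does not detail). The registered URI, the hypothetical client.example host and the sample inputs are constructed. It contrasts a prefix-based check with a strict, component-by-component comparison that normalizes only the parts RFC 3986 defines as case-insensitive (scheme and host) plus the default port, and rejects userinfo or a fragment outright.

```python
from urllib.parse import urlsplit

# Constructed sample: the redirect URI registered for one hypothetical OAuth client.
REGISTERED_REDIRECT_URIS = frozenset({"https://client.example/oauth/callback"})

DEFAULT_PORTS = {"https": 443, "http": 80}


def weak_redirect_uri_check(candidate, registered=REGISTERED_REDIRECT_URIS):
    """Prefix match: the style of check that URI syntax tricks defeat."""
    return any(candidate.startswith(uri) for uri in registered)


def normalize(uri):
    """Return a comparable tuple for a URI, or None if it is not an acceptable
    redirect target. Scheme and host are lowercased and the default port is
    filled in (RFC 3986 6.2.2); path and query are compared byte for byte.
    Userinfo ('@' in the authority) or a fragment is grounds for rejection,
    since a registered callback never legitimately carries either."""
    try:
        parts = urlsplit(uri)
        scheme = parts.scheme.lower()
        if scheme not in DEFAULT_PORTS or not parts.hostname:
            return None
        if parts.username is not None or parts.password is not None or parts.fragment:
            return None
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:  # malformed authority or port
        return None
    return (scheme, parts.hostname.lower(), port, parts.path, parts.query)


def strict_redirect_uri_check(candidate, registered=REGISTERED_REDIRECT_URIS):
    """Exact match, component by component, against the registered set."""
    target = normalize(candidate)
    if target is None:
        return False
    return any(target == normalize(uri) for uri in registered)
```

The strict check also rejects otherwise-identical URIs that append a query string or extra path segments, so any variation a client needs must be registered explicitly.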

The proof of concept provided in the security bulletin shows how an attacker could abuse the OAuth flow to send users to a malicious website. Because the redirect occurs within the authorization flow, this could leak sensitive OAuth tokens, enabling further malicious activity against the affected users.

IBM has taken steps to address this vulnerability by providing a patch or upgrade through Security Bulletin 7166712. Users are advised to refer to this bulletin for more information on how to mitigate the risk posed by this security flaw. Additional references provided in the bulletin offer further insight into the vulnerability and its impact on affected IBM Security Verify Access products.

The disclosure timeline outlined in the security bulletin highlights the proactive approach taken by security researchers, the client, and IBM to address this vulnerability. From the initial discovery of the flaw to the release of a pre-release fix and subsequent security bulletin, the coordinated efforts of all stakeholders involved in resolving this issue demonstrate a commitment to enhancing cybersecurity measures and protecting user data.

In conclusion, the open redirect vulnerability in IBM Security Verify Access versions 10.0.0 to 10.0.8 poses a significant risk to users and organizations that rely on this product. By following the steps in the security bulletin, administrators can mitigate the vulnerability and improve the overall security posture of their systems. Organizations should stay vigilant and apply appropriate controls to guard against similar flaws in the future.
