Multiple vulnerabilities in IBM VM Recovery Manager DR

1) Symlink following

EUVDB-ID: #VU23888

Risk: Low

CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-16775

CWE-ID: CWE-61 - UNIX Symbolic Link (Symlink) Following

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

Versions of the npm CLI prior to 6.13.3 are vulnerable to a symlink reference outside of node_modules. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files on a user’s system when the package is installed. Only files accessible by the user running the npm install are affected.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM VM Recovery Manager DR: before 1.5.0.1

CPE2.3

External links

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-npm-affects-ibm-vm-recovery-manager-dr/
http://www.ibm.com/support/pages/node/6477092

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper input validation

EUVDB-ID: #VU25078

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-16776

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to read and manipulate data.

The vulnerability exists due to improper input validation within the JavaScript (Node.js) component in Oracle GraalVM Enterprise Edition. A remote authenticated user can exploit this vulnerability to read and manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM VM Recovery Manager DR: before 1.5.0.1

CPE2.3

External links

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-npm-affects-ibm-vm-recovery-manager-dr/
http://www.ibm.com/support/pages/node/6477092

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Path traversal

EUVDB-ID: #VU23880

Risk: Low

CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-16777

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. The software fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the first binary. This only affects files in /usr/local/bin

A remote attacker can overwrite arbitrary files on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM VM Recovery Manager DR: before 1.5.0.1

CPE2.3

External links

http://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-npm-affects-ibm-vm-recovery-manager-dr/
http://www.ibm.com/support/pages/node/6477092

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.