A critical remote code execution (RCE) vulnerability has been discovered in IBM DevOps Deploy version 8. through 8..1.4, 8.1 through 8.1.. and IBM UrbanCode Deploy version 7. through 7..5.25, 7.1 through 7.1.2.21, 7.2 through 7.2.3.14, 7.3 and 7.3.2.9. This vulnerability, identified as CVE-2024-55904, allows a privileged authenticated attacker to execute arbitrary commands on the targeted system with specially crafted input containing special elements.
Exploit Details
A remote privileged authenticated attacker could exploit this vulnerability by sending specially crafted input containing special elements to the vulnerable application server. Once exploited, the vulnerability allows the attacker to execute arbitrary commands on the system with the privileges of the application.
This vulnerability exists due to improper validation of user-supplied input when processing specially crafted requests. By sending specially crafted input, an attacker can inject arbitrary commands into the application, which can then be executed on the targeted system with the privileges of the vulnerable application.
To better understand how this class of vulnerability is exploited, consider the following illustrative code snippet (a simplified command-injection pattern, not IBM's actual product code):

```python
import os

# Vulnerable code example: user input is concatenated into a shell command string
def execute_command(input_data):
    command = 'app_command ' + input_data
    # os.system() hands the whole string to a shell, so ';' starts a second command
    os.system(command)

# Attacker-controlled input: the ';' terminates app_command and runs what follows
malicious_input = 'example_data;malicious_command'
execute_command(malicious_input)
```
In this code snippet, the execute_command function is vulnerable to command injection because it does not validate or escape user-supplied input. The attacker-controlled value malicious_input is concatenated onto app_command and the resulting string is passed to os.system(), which hands it to a shell for execution.
When this vulnerable code runs with the attacker-controlled input, the shell treats the semicolon as a command separator, so malicious_command is executed on the system with the privileges of the application.
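For contrast, here is a hardened counterpart to the snippet above. It is an added example written for this article, not code from IBM's products; app_command is the same placeholder name used in the vulnerable snippet, and the allowlist pattern is an assumption about what a legitimate argument looks like.

```python
import re
import shlex
import subprocess

# Allowlist for a single argument to app_command. This pattern is an assumption
# for the example: a real deployment would derive it from the argument's format.
SAFE_ARG = re.compile(r"[A-Za-z0-9._-]+")


def validate_arg(input_data: str) -> bool:
    """Return True only if the whole input matches the allowlist."""
    return SAFE_ARG.fullmatch(input_data) is not None


def build_safe_command(input_data: str) -> list:
    """Return an argv list for app_command, rejecting anything off the allowlist.

    The list form is never parsed by a shell, so metacharacters such as ';'
    cannot terminate the command even if validation were bypassed.
    """
    if not validate_arg(input_data):
        raise ValueError(f"rejected argument: {input_data!r}")
    return ["app_command", input_data]


def quoted_form(input_data: str) -> str:
    """Show how the argv list would look if it had to be rendered for a shell.

    shlex.join() quotes the argument, so the ';' becomes literal data rather
    than a command separator. Useful when auditing log lines or scripts.
    """
    return shlex.join(["app_command", input_data])


def execute_command_safely(input_data: str) -> subprocess.CompletedProcess:
    """Run app_command with shell=False; the argument is passed as one argv entry."""
    argv = build_safe_command(input_data)
    return subprocess.run(argv, shell=False, check=False,
                          capture_output=True, text=True)


if __name__ == "__main__":
    for candidate in ("example_data", "example_data;malicious_command"):
        print(candidate, "->", "accepted" if validate_arg(candidate) else "rejected")
        print("  shell-safe rendering:", quoted_form(candidate))
```

The same input that compromised the first snippet is rejected by the allowlist, and even without the allowlist the argv form keeps the semicolon as literal argument text.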
Original References
- IBM Security Bulletin
- CVE-2024-55904
Recommendations
IBM has released software updates to address this vulnerability. It is strongly recommended to upgrade to the latest versions to remediate this security risk in your IBM DevOps Deploy and IBM UrbanCode Deploy environments.
You can find the updated software and patch information on the following IBM support pages:
- IBM DevOps Deploy: 8..1.5
- IBM UrbanCode Deploy: 7..5.26
In addition to applying the software updates, it is also recommended to follow best practices for securing your IBM DevOps Deploy and UrbanCode Deploy installations, including:
- Ensuring that user accounts have the minimum required privileges for their role
- Regularly auditing your application environment for security vulnerabilities and applying relevant patches and updates
Conclusion
The CVE-2024-55904 vulnerability poses a significant risk to the affected IBM DevOps Deploy and UrbanCode Deploy environments, as it could allow a remote privileged authenticated attacker to execute arbitrary commands on the system. To stay protected, be sure to regularly update your software and follow best practices for securing your application environments.
Timeline
Published on: 02/14/2025 04:15:08 UTC