Source: psirt@us.ibm.com
IBM Security AppScan Enterprise before 8.6.0.2 and Rational Policy Tester before 8.5.0.3 do not validate X.509 certificates during use of the Manual Explore Proxy feature, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary certificate.
IBM Security AppScan Enterprise and Rational Policy Tester are vulnerable to a man-in-the-middle (MITM) attack due to improper X.509 certificate validation within their Manual Explore Proxy feature. This allows attackers to intercept and potentially modify sensitive data transmitted over SSL/TLS, leading to data breaches and compromise of application security testing results.
Step 1: Setup MITM: The attacker establishes a man-in-the-middle position, typically by controlling a network segment or compromising a router. This can be achieved through ARP poisoning, DNS spoofing, or other network-based attacks.
Step 2: Proxy Configuration: The victim user configures AppScan Enterprise or Rational Policy Tester to use the attacker's proxy server, leveraging the Manual Explore Proxy feature.
Step 3: SSL Interception: When the victim's application attempts to connect to an SSL/TLS secured server, the traffic is routed through the attacker's proxy.
Step 4: Certificate Spoofing: The attacker's proxy presents a forged or self-signed X.509 certificate to the victim's application, impersonating the legitimate server. Because the software doesn't validate the certificate, the connection proceeds without warning.
Step 5: Data Interception/Modification: The attacker can now decrypt, view, and potentially modify the SSL/TLS-encrypted traffic passing between the victim's application and the targeted server. This allows for the theft of sensitive data, such as credentials, or the injection of malicious payloads.
The vulnerability stems from a failure to properly validate X.509 certificates presented by SSL/TLS servers when the Manual Explore Proxy feature is enabled. Specifically, the software does not verify the certificate's chain of trust, subject, or revocation status. This allows an attacker to present a self-signed or maliciously crafted certificate, effectively impersonating the legitimate server. The root cause is a missing or insufficient implementation of certificate validation routines within the proxy's handling of SSL/TLS connections. The software trusts any certificate presented, regardless of its authenticity, leading to a trust boundary violation.
While no specific APT groups are directly linked to this vulnerability, the ease of exploitation makes it attractive to a wide range of attackers, including those seeking to steal credentials or compromise application security testing results. This vulnerability is not listed on the CISA KEV list, but the impact could be significant if exploited.
Network traffic analysis: Look for unusual SSL/TLS certificates presented by the proxy server. Examine certificate details (issuer, subject, validity period) for discrepancies.
Proxy logs: Monitor proxy server logs for suspicious activity, such as connections to unexpected domains or the use of self-signed certificates.
Endpoint detection and response (EDR): Monitor for the use of proxy configuration tools or suspicious network connections from the affected applications.
SIEM alerts: Configure SIEM rules to detect unusual network traffic patterns or certificate anomalies related to the affected applications.
Upgrade to the patched versions of IBM Security AppScan Enterprise (8.6.0.2 or later) and Rational Policy Tester (8.5.0.3 or later).
Implement a robust certificate validation process within the proxy configuration. This should include checking the certificate's chain of trust, subject, revocation status (CRL or OCSP), and validity period.
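The root cause above (the proxy accepts any certificate) and the detection and mitigation items (inspecting issuer, subject and validity; enforcing chain, hostname and validity checks) can be made concrete with the Python standard library. The following is an added example written for this page, not IBM's code and not the AppScan Enterprise or Rational Policy Tester implementation. It contrasts a client context that trusts any certificate (the behaviour the advisory describes) with one that enforces chain-of-trust and hostname validation, and it includes an audit routine, useful on the detection side, that flags self-signed, expired and name-mismatched certificates from the dictionary that `getpeercert()` returns. The host name `scan-target.example`, the issuer name and all certificate fields are constructed for the example.

```python
import socket
import ssl
import time

# --- Mitigation side: two client configurations ---------------------------

def make_vulnerable_context():
    """The defect the advisory describes: any certificate is accepted.
    check_hostname must be cleared before verify_mode can be CERT_NONE."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def make_verifying_context(cafile=None, crl_file=None):
    """Hardened configuration: chain of trust against the system CA store
    (or the given cafile), hostname match, validity period. Revocation is
    not checked by default; loading a CRL and setting VERIFY_CRL_CHECK_LEAF
    enables leaf-certificate CRL checks (OCSP is not provided by the module)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if crl_file:
        ctx.load_verify_locations(cafile=crl_file)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx

def context_validates(ctx):
    """True only if the context rejects untrusted chains and wrong names."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname

def fetch_peer_cert(host, port=443, ctx=None):
    """Connect with the given context and return the peer certificate dict
    (network call; not exercised by the offline checks below)."""
    ctx = ctx or make_verifying_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

# --- Detection side: audit a getpeercert()-style dictionary ---------------

def _dns_name_matches(pattern, host):
    """RFC 6125-style match; a wildcard may only replace the leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], host.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == host

def audit_peer_cert(cert, expected_host, now_epoch=None):
    """Return a list of findings: self-signed, not yet valid, expired,
    or hostname mismatch. An empty list means no discrepancy was found."""
    findings = []
    now_epoch = time.time() if now_epoch is None else now_epoch
    if cert.get("subject") == cert.get("issuer"):
        findings.append("self-signed: issuer equals subject")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now_epoch < not_before:
        findings.append("not yet valid")
    if now_epoch > not_after:
        findings.append("expired")
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # legacy fallback to the subject CN when no SAN is present
        names = [v for rdn in cert.get("subject", ())
                 for (k, v) in rdn if k == "commonName"]
    if not any(_dns_name_matches(n, expected_host) for n in names):
        findings.append(f"hostname mismatch: {expected_host} not in {names}")
    return findings

# --- Constructed sample certificates (not real certificates) --------------

AUDIT_TIME = ssl.cert_time_to_seconds("Jun 15 12:00:00 2012 GMT")

_SELF = ((("commonName", "scan-target.example"),),)
SPOOFED_CERT = {  # what an interposed proxy would present: self-issued
    "subject": _SELF, "issuer": _SELF,
    "notBefore": "Jan 01 00:00:00 2012 GMT", "notAfter": "Dec 31 23:59:59 2013 GMT",
    "subjectAltName": (("DNS", "scan-target.example"),),
}
LEGIT_CERT = {  # issued by a (constructed) CA, wildcard SAN
    "subject": _SELF,
    "issuer": ((("commonName", "Example Intermediate CA"),),),
    "notBefore": "Jan 01 00:00:00 2012 GMT", "notAfter": "Dec 31 23:59:59 2013 GMT",
    "subjectAltName": (("DNS", "scan-target.example"), ("DNS", "*.scan-target.example")),
}
EXPIRED_CERT = dict(LEGIT_CERT, notBefore="Jan 01 00:00:00 2010 GMT",
                    notAfter="Jan 01 00:00:00 2011 GMT")

if __name__ == "__main__":
    for label, cert in (("spoofed", SPOOFED_CERT), ("legit", LEGIT_CERT),
                        ("expired", EXPIRED_CERT)):
        print(label, audit_peer_cert(cert, "scan-target.example", AUDIT_TIME))
```

The audit function is a triage aid for the detection items above (certificate details captured from traffic or proxy logs); it does not replace chain validation, which only the verifying context performs against a CA store. A name-matching self-signed certificate passes the hostname and validity checks and is caught only by the issuer-equals-subject test, which is exactly why the hardened context must also require a trusted chain.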
Enforce strict network segmentation to limit the attacker's ability to establish a man-in-the-middle position.
Educate users about the risks of using untrusted proxy servers and the importance of verifying SSL/TLS certificates.
Regularly review and update security policies and procedures related to application security testing and proxy usage.