IBM Security Verify Access, an authorization and network security policy management solution, was discovered by IT security researcher Pierre Barre to be impacted by 32 security vulnerabilities, at least half of which could have been leveraged to facilitate total authentication infrastructure compromise, according to SecurityWeek.
Malicious multi-factor authenticators could be added by threat actors to ISVA through the abuse of the solution's authentication bypass issue and back-end access, which could then allow complete infrastructure takeovers, noted Barre. "Note that even with network restrictions, a low privileged user on a trusted machine can fully compromise the authentication solution, since the back-end used to manage the entire authentication infrastructure can be reached without authentication by sending a specific HTTP header," Barre said. With IBM refusing to address the flaws as it passed the responsibility of communications filtering to their customers, organizations have been urged by Barre to mitigate the threat through network segmentation and the adoption of additional authentication measures.
