IBM Aspera Faspex High-Speed File Transfer Has a Killer Bug
You can’t say IBM didn’t warn us. On Jan. 26, 2023, Big Blue warned us of multiple security vulnerabilities in its ultrafast Aspera Faspex file transfer software. In particular, CVE-2022-47986, with a Common Vulnerability Scoring System (CVSS) critical rating of 9.8, is as bad a security hole as you can get.
Making matters worse, the bug’s discoverers, security company Assetnote published a blog post on the Aspera Faspex vulnerability a week later. In it, they explained how an unauthenticated attacker could exploit it to execute arbitrary commands.
Now in an ideal world, this would just be a good teaching moment. In it, they explain how a remote attacker can exploit a YAML deserialization flaw for arbitrary code execution using specially crafted API calls to a now obsolete API call Guess what? We don’t live in such a world.
The non-profit Shadowserver Foundation Internet group reported seeing exploitation attempts in early February. The security company Rapid7 reported that it had discovered multiple exploitation incidents, including its use in the Linux and Windows IceFire ransomware campaign.
Rapid7 has confirmed at least one recent case where a customer’s system was compromised. Given the ongoing exploitation of the vulnerability and the fact that Aspera Faspex is commonly installed on the network perimeter, Rapid7 strongly advises users to apply patches on an emergency basis, rather than waiting for a regular patch cycle.
I could have told you that. This is a classic example of a solved security problem being ignored by administrators until it blew up in their faces.
Specifically, IBM has identified affected products as Aspera Faspex 4.4.2 Patch Level 1 and earlier versions. The vulnerability is addressed in version 4.4.2 Patch Level 2. So you need to immediately update your software to the latest patch level to safeguard your systems. That’s it, kids.
Finding Exploitation Attempts
To identify potential exploitation attempts, look at your logfiles in the default directory:
If you see anything about the PackageRelayController#relay_package, look closely and treat it suspiciously. Honestly, at this point, though, if you’re still unpatched and your server’s connected to the Internet, I think it’s safe to assume that you’ve been hacked.
So, what can you do about it? Upgrade to 4.4.2 Patch Level 2 right now. Do not pass Go, do not collect $200, just patch it already.
Oh, and if some of your files are now encrypted and have an extension of .iceFire? Bad news, you’ve got a case of IceFire. Other than paying the ransom and hoping that you’ll be able to unencrypt your files or, better, restore everything from a clean backup, there’s not much you can do about it.
Good luck. You’re going to need it.