
IBM Aspera Faspex High-Speed File Transfer Has a Killer Bug

With a CVSS score of 9.8 and active exploits using the IceFire ransomware, this is a "Patch It, Now!" bug.
Apr 5th, 2023 7:03am by

You can’t say IBM didn’t warn us. On Jan. 26, 2023, Big Blue warned us of multiple security vulnerabilities in its ultrafast Aspera Faspex file transfer software. In particular, CVE-2022-47986, with a Common Vulnerability Scoring System (CVSS) critical rating of 9.8, is as bad a security hole as you can get.

Making matters worse, the bug’s discoverers, the security company Assetnote, published a blog post on the Aspera Faspex vulnerability a week later. In it, they explained how an unauthenticated attacker could exploit it to execute arbitrary commands.

Now, in an ideal world, this would just be a good teaching moment: the post explains how a remote attacker can exploit a YAML deserialization flaw for arbitrary code execution by sending specially crafted requests to a now-obsolete API endpoint. Guess what? We don’t live in such a world.

The non-profit Internet security group Shadowserver Foundation reported seeing exploitation attempts in early February. The security company Rapid7 reported that it had discovered multiple exploitation incidents, including use of the bug in the Linux and Windows IceFire ransomware campaign.

Rapid7 has confirmed at least one recent case where a customer’s system was compromised. Given the ongoing exploitation of the vulnerability and the fact that Aspera Faspex is commonly installed on the network perimeter, Rapid7 strongly advises users to apply patches on an emergency basis, rather than waiting for a regular patch cycle.

I could have told you that. This is a classic example of a solved security problem being ignored by administrators until it blew up in their faces.

Specifically, IBM has identified affected products as Aspera Faspex 4.4.2 Patch Level 1 and earlier versions. The vulnerability is addressed in version 4.4.2 Patch Level 2. So you need to immediately update your software to the latest patch level to safeguard your systems. That’s it, kids.

Finding Exploitation Attempts

To identify potential exploitation attempts, look at your logfiles in the default directory:

/opt/aspera/faspex/log

If you see anything about the PackageRelayController#relay_package, look closely and treat it suspiciously. Honestly, at this point, though, if you’re still unpatched and your server’s connected to the Internet, I think it’s safe to assume that you’ve been hacked.
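The log check above can be scripted so that every request routed to PackageRelayController#relay_package is pulled out with its timestamp, source address and response status for triage. The script below is an added example, not IBM’s, Assetnote’s or Rapid7’s code; it assumes Faspex (a Ruby on Rails application) writes standard Rails request-log lines (“Started …”, “Processing by …”, “Completed …”), and the sample log lines are constructed for illustration. A hit is a triage lead, not proof of compromise: pre-patch legitimate use of the relay feature would log the same controller and action, so correlate the source addresses and status codes with what you expect to see.

```python
"""Scan Rails-style Faspex logs for requests hitting PackageRelayController#relay_package.

Added example for defenders; assumes the standard Rails request-log format
(Started / Processing by / Completed). Not vendor code.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample lines in the Rails request-log style; not taken from a real server.
SAMPLE_LOG = """\
Started POST "/aspera/faspex/package_relay/relay_package" for 203.0.113.77 at 2023-02-12 03:14:07 +0000
Processing by PackageRelayController#relay_package as JSON
  Parameters: {"package_relay"=>"[FILTERED]"}
Completed 500 Internal Server Error in 31ms
Started GET "/aspera/faspex/packages" for 198.51.100.10 at 2023-02-12 03:15:00 +0000
Processing by PackagesController#index as HTML
Completed 200 OK in 12ms
Started POST "/aspera/faspex/package_relay/relay_package" for 203.0.113.77 at 2023-02-12 03:16:40 +0000
Processing by PackageRelayController#relay_package as JSON
Completed 200 OK in 410ms
"""

STARTED_RE = re.compile(r'^Started (?P<method>[A-Z]+) "(?P<path>[^"]+)" for (?P<ip>\S+) at (?P<ts>.+)$')
PROCESSING_RE = re.compile(r'^Processing by (?P<controller>\w+)#(?P<action>\w+)')
COMPLETED_RE = re.compile(r'^Completed (?P<status>\d{3})')

# The controller/action named in the article as the one to look for.
SUSPECT = ("PackageRelayController", "relay_package")


@dataclass
class Hit:
    timestamp: str
    source_ip: str
    method: str
    path: str
    status: Optional[int]  # None if the log ended before "Completed" was written


def find_relay_hits(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per request whose "Processing by" line names the suspect controller/action."""
    hits: List[Hit] = []
    current: Dict[str, str] = {}  # fields from the most recent "Started" line
    flagged = False  # True while we are inside a flagged request, waiting for "Completed"
    for raw in lines:
        line = raw.rstrip("\n")
        m = STARTED_RE.match(line)
        if m:
            current = m.groupdict()
            flagged = False
            continue
        m = PROCESSING_RE.match(line)
        if m:
            flagged = (m.group("controller"), m.group("action")) == SUSPECT
            if flagged:
                # A rotated log may start mid-request; fall back to "unknown" rather than skipping it.
                hits.append(Hit(
                    timestamp=current.get("ts", "unknown"),
                    source_ip=current.get("ip", "unknown"),
                    method=current.get("method", "unknown"),
                    path=current.get("path", "unknown"),
                    status=None,
                ))
            continue
        m = COMPLETED_RE.match(line)
        if m and flagged and hits:
            hits[-1].status = int(m.group("status"))
            flagged = False
            current = {}
    return hits


def count_by_source(hits: Iterable[Hit]) -> Dict[str, int]:
    """Aggregate hits per source address; a single address hammering the endpoint stands out."""
    counts: Dict[str, int] = {}
    for hit in hits:
        counts[hit.source_ip] = counts.get(hit.source_ip, 0) + 1
    return counts


def scan_file(path: str) -> List[Hit]:
    """Scan a log file on disk, e.g. one under /opt/aspera/faspex/log."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_relay_hits(fh)


if __name__ == "__main__":
    for hit in find_relay_hits(SAMPLE_LOG.splitlines()):
        print(f"{hit.timestamp}  {hit.source_ip}  {hit.method} {hit.path}  status={hit.status}")
    print(count_by_source(find_relay_hits(SAMPLE_LOG.splitlines())))
```

Run it against each file in the log directory with scan_file and review the per-address counts; a 500 followed shortly by a 200 from the same unfamiliar address, as in the constructed sample, is the kind of pattern worth handing to incident response rather than dismissing.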

So, what can you do about it? Upgrade to 4.4.2 Patch Level 2 right now. Do not pass Go, do not collect $200, just patch it already.

Oh, and if some of your files are now encrypted and have an extension of .iceFire? Bad news, you’ve got a case of IceFire. Other than paying the ransom and hoping that you’ll be able to decrypt your files or, better, restoring everything from a clean backup, there’s not much you can do about it.

Good luck. You’re going to need it.
