IBM Security Verify


Security Issue : No Authorization Needed for reading data for PDADMIN via REST API

  • 1.  Security Issue : No Authorization Needed for reading data for PDADMIN via REST API

    Posted Mon September 19, 2022 10:21 AM
    Hi Team 

    We had a scenario where we read all the users from the ISAM system through the pdadmin REST command endpoint:
    https://{appliance_hostname}/pdadmin
    Method: POST
    POST_DATA:
    {
      "user_id": "The user id",
      "user_pwd": "The user password",
      "commands": [
        "user list * 0"
      ]
    }

    Expected Result
    A user with the required permission should be able to fetch data from the system.

    Actual Result
    Any user without a Group or ACL membership assigned is able to fetch the data, which looks like a security bug.


    ------------------------------
    Narottam Singh
    ------------------------------


  • 2.  RE: Security Issue : No Authorization Needed for reading data for PDADMIN via REST API
    Best Answer

    Posted Mon September 19, 2022 11:31 AM
    Hello Narottam,

    Authorization isn't enforced at the LMI level unless you're using Management Authorization:
    https://www.ibm.com/docs/en/sva/10.0.4?topic=settings-managing-roles-users-groups

    Regardless, the LMI Authorization is totally decoupled from the 'pdadmin' authorization, which relies on ACLs.

    The pdadmin authorization is determined by the value used for 'user_id' in the pdadmin command line.
    Furthermore, the default effective ACL on the '/Management/Users' endpoint allows any authenticated user to Traverse and view the Users endpoint:
    pdadmin sec_master> object show /Management/Users
    Name: /Management/Users
    Description: Delegated user administration root.
    Type: 0 (Unknown)
    Is Policy Attachable: Yes
    Extended Attributes:
    Attached ACL:
    Attached POP:
    Attached AuthzRule:

    Effective Extended Attributes:
    Effective ACL: default-management
    Effective POP:
    Effective AuthzRule:

    pdadmin sec_master> acl show default-management
    ACL Name: default-management
    Description: Default Management ACL.
    Entries:
    Group iv-admin TcmdbsvaBtRNWA
    Group ivmgrd-servers Ts
    Any-other Tv
    pdadmin sec_master>

    The minimum permissions needed to perform the 'user list' command are 'Tv'. When a user without those permissions attempts to run this command it will come back with no result, but it will not throw an error.

    ------------------------------
    JACK YARBOROUGH
    ------------------------------
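The following is an added example for both posts above; it is not code from IBM, from Jack or from Narottam. It parses the 'acl show default-management' listing quoted in the answer (copied here as a constructed sample), applies the pdadmin ACL evaluation order (an explicit user entry wins, otherwise the union of matching group entries, otherwise any-other, with unauthenticated AND-ed against any-other), and checks for the 'Tv' bits the answer says 'user list' needs. That is what decides the outcome of the REST call in the question, because the appliance evaluates the ACL for the 'user_id' sent in the request body, not for the LMI session. It then emits the pdadmin lines for a tighter ACL attached to /Management/Users; the 'acl create', 'acl modify ... set', and 'acl attach' syntax follows the pdadmin reference, and the ACL name 'users-readonly' and group 'user-readers' are made up for the example.

```python
"""Offline check of who can run 'user list' against /Management/Users.

Added example for this thread; not code from IBM or from either poster.
ACL entry names and the pdadmin command syntax come from the answer and
the pdadmin reference; 'users-readonly' and 'user-readers' are made up.
"""
from typing import Dict, List, Tuple

Entry = Tuple[str, str]  # (kind, name): ("group", "iv-admin") or ("any-other", "")

# Constructed sample: the listing shown in the accepted answer.
ACL_SHOW_OUTPUT = """\
ACL Name: default-management
Description: Default Management ACL.
Entries:
Group iv-admin TcmdbsvaBtRNWA
Group ivmgrd-servers Ts
Any-other Tv
"""

USER_LIST_REQUIRED = "Tv"  # minimum bits for 'user list', per the answer


def parse_acl_show(text: str) -> Dict[Entry, str]:
    """Turn the 'Entries:' section of 'acl show' output into a dict."""
    entries: Dict[Entry, str] = {}
    in_entries = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Entries:"):
            in_entries = True
            continue
        if not in_entries or not line:
            continue
        parts = line.split()
        kind = parts[0].lower()
        if kind in ("user", "group"):
            entries[(kind, parts[1])] = parts[2]
        elif kind in ("any-other", "unauthenticated"):
            entries[(kind, "")] = parts[1] if len(parts) > 1 else ""
    return entries


def effective_perms(entries: Dict[Entry, str], user: str, groups=(), authenticated=True) -> str:
    """Permission string the ACL grants to one principal.

    Evaluation order: an explicit user entry wins; otherwise the union of
    every matching group entry; otherwise any-other for authenticated
    principals, or unauthenticated AND any-other for anonymous ones.
    """
    if ("user", user) in entries:
        return entries[("user", user)]
    perms = ""
    matched = False
    for g in groups:
        if ("group", g) in entries:
            matched = True
            for bit in entries[("group", g)]:
                if bit not in perms:
                    perms += bit
    if matched:
        return perms
    any_other = entries.get(("any-other", ""), "")
    if authenticated:
        return any_other
    unauth = entries.get(("unauthenticated", ""), "")
    return "".join(b for b in unauth if b in any_other)


def can_user_list(entries: Dict[Entry, str], user: str, groups=()) -> bool:
    """True when the principal holds every bit 'user list' needs."""
    return set(USER_LIST_REQUIRED) <= set(effective_perms(entries, user, groups))


def hardened_acl(entries: Dict[Entry, str], reader_group: str) -> Dict[Entry, str]:
    """Copy of the ACL with the any-other/unauthenticated grants dropped
    and an explicit reader group given exactly the 'user list' bits."""
    new = {k: v for k, v in entries.items() if k[0] not in ("any-other", "unauthenticated")}
    new[("group", reader_group)] = USER_LIST_REQUIRED
    return new


def pdadmin_commands(acl_name: str, obj: str, entries: Dict[Entry, str]) -> List[str]:
    """pdadmin lines that create 'entries' as a new ACL and attach it to 'obj'.
    Attaching overrides the inherited default-management ACL for that subtree."""
    cmds = [f"acl create {acl_name}"]
    for (kind, name), perms in entries.items():
        target = f"{kind} {name}" if name else kind
        cmds.append(f"acl modify {acl_name} set {target} {perms}")
    cmds.append(f"acl attach {obj} {acl_name}")
    return cmds


if __name__ == "__main__":
    acl = parse_acl_show(ACL_SHOW_OUTPUT)
    print("plain authenticated user:", can_user_list(acl, "alice"))                    # True, via Any-other Tv
    print("ivmgrd-servers member   :", can_user_list(acl, "svc", ["ivmgrd-servers"]))  # False, only Ts
    tight = hardened_acl(acl, "user-readers")
    print("after hardening, alice  :", can_user_list(tight, "alice"))                  # False
    print("\n".join(pdadmin_commands("users-readonly", "/Management/Users", tight)))
```

Keep the iv-admin entry in the new ACL so sec_master and other administrators do not lock themselves out of delegated user administration, and remember that the principal still needs Traverse on the parent /Management object, which default-management continues to grant to Any-other.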



  • 3.  RE: Security Issue : No Authorization Needed for reading data for PDADMIN via REST API

    Posted Wed September 28, 2022 05:07 AM
    Thanks for the reply, it resolved our issue.

    ------------------------------
    Narottam Singh
    ------------------------------