CVE-2018-1680
Description
IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 145236.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Security Privileged Identity Manager Virtual Appliance 2.2.1 does not enforce strong passwords by default, facilitating account compromise.
Vulnerability
IBM Security Privileged Identity Manager Virtual Appliance version 2.2.1 does not require users to set strong passwords by default. This weakness affects all user accounts created under the default password policy, making it easier for attackers to guess or brute-force credentials.
Exploitation
An attacker with network access to the appliance can attempt to compromise user accounts by exploiting the lack of a strong password requirement. No prior authentication or special privileges are needed; the attacker can perform password guessing or brute-force attacks against user accounts that have weak passwords.
Impact
Successful exploitation allows an attacker to gain unauthorized access to the affected appliance with the privileges of the compromised user account. This can lead to disclosure of sensitive information, modification of system configurations, or further lateral movement within the environment.
Mitigation
IBM has addressed this issue in a security bulletin [1]. Administrators should apply the fix provided in the bulletin, which updates the password policy to enforce strong passwords. As of the publication date (2019-04-02), no workaround is documented; upgrading to a fixed version is recommended.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =2.2.1
- Range: 2.1.1
Patches
No patches discovered yet.
References
- www.ibm.com/support/docview.wss (mitre, x_refsource_CONFIRM)
- exchange.xforce.ibmcloud.com/vulnerabilities/145236 (mitre, vdb-entry, x_refsource_XF)