CVE-2020-4264

Vulnerability

A memory corruption vulnerability exists in IBM i2 Intelligent Analysis Platform version 9.2.1. By persuading a victim to open a specially-crafted file, a local attacker can trigger this memory corruption to execute arbitrary code on the system. The vulnerability is identified by IBM X-Force ID 175647 and is part of a series of similar memory corruption issues in the platform [1].

Exploitation

The attacker requires local access to the system and must convince the victim to open a malicious file. No special authentication or privileges are needed beyond the victim's user permissions. The exploitation vector is file-based; the attacker crafts a file that exploits the memory corruption when parsed by the i2 Analyst's Notebook application. User interaction is required (the victim must open the file) [1].

Impact

Successful exploitation results in arbitrary code execution with the privileges of the victim user. This can lead to full compromise of confidentiality, integrity, and availability (CIA) of the system, depending on the victim's access level. The CVSS v3.0 base score is 7.8 (High) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H [1].

Mitigation

IBM has addressed this vulnerability in security update available via the IBM Support page for i2 Analyst's Notebook and i2 Analyst's Notebook Premium. Users should apply the fix as listed in the security bulletin [1]. No workarounds are documented; upgrading to the patched version is the recommended mitigation.