CVE-2020-4468

Vulnerability

IBM i2 Intelligent Analysis Platform version 9.2.1 is affected by a memory corruption vulnerability that can lead to remote code execution. The issue exists in the document parsing component and requires the victim to open a specially crafted document. The official description confirms that the vulnerability is caused by memory corruption when processing crafted documents [1].

Exploitation

An attacker can exploit this vulnerability by tricking a user into opening a malicious document (e.g., via email or a web download). No prior authentication is required, but user interaction is necessary. The attack vector is local (AV:L) according to the CVSS vector, meaning the attacker must deliver the file to the victim's local system. The attacker does not need any special privileges, and the exploitation does not require a race window or other timing attacks [1].

Impact

Successful exploitation allows the attacker to execute arbitrary code on the victim's system with the privileges of the victim. This could result in full compromise of confidentiality, integrity, and availability (CIA) as indicated by the CVSS base score of 7.8 and the vector (C:H/I:H/A:H). The attacker could also cause the application to crash, leading to denial of service [1].

Mitigation

IBM has released a security fix as part of their advisory. Affected users should upgrade to a patched version as specified in IBM support document. As of the CVE publication date (May 14, 2020), the fix should be available. No workarounds are mentioned in the provided reference, so applying the official patch is recommended [1].