VYPR
Unrated severity · NVD Advisory · Published Feb 22, 2023 · Updated Mar 11, 2025

IBM Spectrum Virtualize information disclosure

CVE-2022-43870

Description

IBM Spectrum Virtualize 8.3, 8.4, and 8.5 could disclose SNMPv3 server credentials to an authenticated user in log files. IBM X-Force ID: 239540.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Spectrum Virtualize 8.3, 8.4, and 8.5 expose SNMPv3 server credentials in plaintext in log files accessible to authenticated users.

Vulnerability

IBM Spectrum Virtualize versions 8.3, 8.4, and 8.5, as well as all IBM SAN Volume Controller, IBM Storwize, and IBM FlashSystem products running this software, store SNMPv3 server credentials in plaintext in system logs and audit logs [1]. Any authenticated user with access to these log files can read the credentials. The vulnerability is present in all affected versions prior to the fixed releases listed below.

Exploitation

An attacker must first obtain valid authentication credentials for the IBM Spectrum Virtualize system. Once authenticated, the attacker can access the system logs or audit logs where SNMPv3 credentials are written in plaintext. No special privileges beyond standard user access are required to read these logs [1].

Impact

Successful exploitation allows an attacker to retrieve SNMPv3 server credentials, leading to unauthorized access to the SNMPv3 management plane. This could enable further reconnaissance or manipulation of network devices managed via SNMPv3, resulting in a high confidentiality impact [1].

Mitigation

IBM has released fixed code levels: 8.5.3.0, 8.5.2.3, 8.5.0.7, 8.4.0.10, and 8.3.1.9 (or later) for all affected products [1]. Users should upgrade to these versions or later to remediate the vulnerability. No workaround is available; upgrading is the only mitigation.
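
An added example, not IBM's or this page's own code: a check that classifies a reported code level against the fixed levels listed above, comparing fields numerically so that 8.4.0.10 sorts after 8.4.0.9. It assumes a level on a branch with no listed fix (for example 8.5.1.x) is still vulnerable; the function names and the sample inventory are constructed.

```python
import re

# Fixed code levels exactly as listed in the advisory's Mitigation section.
FIXED_LEVELS = ["8.5.3.0", "8.5.2.3", "8.5.0.7", "8.4.0.10", "8.3.1.9"]
AFFECTED_RELEASES = {(8, 3), (8, 4), (8, 5)}

def parse_level(text):
    """Return the first four-part code level in text as a tuple of ints."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no four-part code level in {text!r}")
    return tuple(int(part) for part in m.groups())

# Map each maintenance branch (first three fields) to its fixed level.
FIXED = {lvl[:3]: lvl for lvl in map(parse_level, FIXED_LEVELS)}
NEWEST_FIX = max(FIXED.values())

def assess(code_level):
    """Classify a code level as 'fixed', 'vulnerable' or 'not-listed'."""
    level = parse_level(code_level)
    if level >= NEWEST_FIX:                 # 8.5.3.0 "or later"
        return "fixed"
    if level[:2] not in AFFECTED_RELEASES:  # e.g. 8.2.x: not named by the advisory
        return "not-listed"
    fix = FIXED.get(level[:3])
    # Assumption: a branch with no listed fix (e.g. 8.5.1.x) stays vulnerable.
    return "fixed" if fix is not None and level >= fix else "vulnerable"

def lowest_fix_above(code_level):
    """Lowest listed fixed level that is newer than code_level, or None."""
    level = parse_level(code_level)
    newer = [f for f in FIXED.values() if f > level]
    return ".".join(map(str, min(newer))) if newer else None

if __name__ == "__main__":
    # Constructed inventory: system name -> reported code level string.
    inventory = {
        "svc-prod-01": "8.4.0.9",
        "flash-dr-02": "8.5.0.7 (build placeholder)",
        "storwize-lab": "8.5.1.0",
    }
    for name, reported in inventory.items():
        status = assess(reported)
        target = lowest_fix_above(reported) if status == "vulnerable" else "-"
        print(f"{name:14} {reported:28} {status:11} {target}")
```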

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • IBM/Spectrum Virtualize (llm-fuzzy) · 2 versions
    8.3, 8.4, 8.5 + 1 more
    • (no CPE) range: 8.3, 8.4, 8.5
    • (no CPE) range: 8.3, 8.4, 8.5

Patches

0

No patches discovered yet.

References

2
