CVE-2023-35907
Published: 29 January 2025
Summary
CVE-2023-35907 is a medium-severity Weak Password Requirements (CWE-521) vulnerability in IBM Aspera Faspex. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). The vulnerability is ranked at the 28.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and AC-2 (Account Management).
Deeper analysis
IBM Aspera Faspex versions 5.0.0 through 5.0.10 are affected by CVE-2023-35907, a vulnerability stemming from the lack of a default requirement for strong passwords (CWE-521). This configuration weakness allows users to set weak passwords. It is rated with a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N), medium severity driven primarily by the high confidentiality impact.
Remote attackers with no privileges can exploit this over the network without user interaction, though attack complexity is high: exploitation likely involves brute-force or password-guessing attempts against weak credentials. Successful exploitation compromises user accounts, granting access to confidential data within the Faspex environment.
IBM's security advisory at https://www.ibm.com/support/pages/node/7181814 provides details on mitigation, recommending enforcement of strong password policies to address the default configuration issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-39899
Vulnerability details
IBM Aspera Faspex 5.0.0 through 5.0.10 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts.
- CWE(s): CWE-521 (Weak Password Requirements)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Weak default password policy (CWE-521) directly enables remote brute-force/password guessing (T1110/T1110.001) to obtain valid accounts (T1078).
Mitigating Controls (NIST 800-53 r5)
- IA-5 (Authenticator Management): Directly mandates that authenticators such as passwords have sufficient strength of mechanism and that default authenticators are changed, comprehensively addressing the CVE's lack of strong password requirements.
- AC-2 (Account Management): Requires specifying password requirements and changing default passwords at first logon as part of account management, mitigating the default weak-password configuration.
- AC-7 (Unsuccessful Logon Attempts): Limits consecutive unsuccessful logon attempts and enforces account lockouts, blunting brute-force exploitation of the weak passwords the CVE permits.
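As an added illustration of how the two controls above combine in an application's own authentication path (example code written for this page, not IBM Aspera Faspex code), the block below enforces a password policy at registration so that weak passwords are rejected by default, and applies a lockout after repeated failed logons. The thresholds (12 characters, 3 character classes, 3 failures, 60-second lockout), the small common-password list and the user records are constructed assumptions, not vendor defaults.

```python
"""Password-policy enforcement and account lockout (added example, not IBM code).

Models NIST 800-53 IA-5 (authenticator strength, enforced by default) and
AC-7 (lockout after consecutive failures). All thresholds are illustrative.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MIN_LENGTH = 12          # assumed minimum length, not a Faspex setting
MIN_CLASSES = 3          # lower / upper / digit / symbol
# Constructed sample; a real deployment loads a large breached-password list.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}


def check_password_policy(password: str, username: str = "") -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def register(store: Dict[str, Tuple[bytes, bytes]], user: str, password: str) -> None:
    """Create an account only if the password satisfies the policy (IA-5 by default)."""
    problems = check_password_policy(password, user)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    store[user] = hash_password(password)


@dataclass
class LockoutPolicy:
    """Tracks consecutive failures per user and locks the account (AC-7)."""
    max_failures: int = 5
    lockout_seconds: int = 900
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, user: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:                      # lockout expired: reset counters
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str, now: Optional[float] = None) -> bool:
        """Count a failed logon; returns True when this failure triggers a lockout."""
        now = time.time() if now is None else now
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)


def attempt_login(policy: LockoutPolicy, store, user: str, password: str,
                  now: Optional[float] = None) -> str:
    """Return 'locked', 'ok' or 'failed'; a locked account is refused even with the right password."""
    if policy.is_locked(user, now):
        return "locked"
    record = store.get(user)
    if record is not None:
        salt, expected = record
        _, got = hash_password(password, salt)
        if hmac.compare_digest(got, expected):
            policy.record_success(user)
            return "ok"
    policy.record_failure(user, now)           # unknown users also count, to avoid enumeration timing cues
    return "failed"
```

The point of `register` raising on a weak password is that strength is enforced by default rather than left to an optional setting, which is exactly the gap CWE-521 describes; `attempt_login` refuses even a correct password while the lockout is active, so guessing cannot continue unthrottled against an account that was created under a lax policy.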