CVE-2023-37398
Published: 29 January 2025
Summary
CVE-2023-37398 is a medium-severity Weak Password Requirements (CWE-521) vulnerability in IBM Aspera Faspex. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110); ranked at the 28.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and AC-7 (Unsuccessful Logon Attempts).
Deeper analysis
CVE-2023-37398 is a vulnerability in IBM Aspera Faspex versions 5.0.0 through 5.0.10, where the software does not enforce strong passwords by default. This weakness, classified under CWE-521 (Weak Password Requirements), enables attackers to more readily compromise user accounts through password guessing or brute-force attempts. The issue carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting network accessibility with high attack complexity but significant confidentiality impact.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network. The high attack complexity arises from the need to perform repeated authentication attempts against accounts protected only by weak or default passwords. Successful exploitation allows attackers to gain unauthorized access to compromised user accounts, potentially exposing sensitive data transferred via the Faspex platform.
IBM has published an advisory detailing mitigation steps at https://www.ibm.com/support/pages/node/7181814, which security practitioners should consult for patching and configuration recommendations to enforce stronger password policies.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-41299
Vulnerability details
IBM Aspera Faspex 5.0.0 through 5.0.10 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts.
- CWE(s): CWE-521 (Weak Password Requirements)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Brute Force (T1110)
Why these techniques?
Weak default password policy (CWE-521) directly lowers the bar for successful password guessing and brute-force authentication attempts against network-exposed accounts.
Affected Assets
- IBM Aspera Faspex 5.0.0 through 5.0.10
Mitigating Controls (NIST 800-53 r5)
- IA-5 (Authenticator Management): directly mandates management of authenticators, including sufficient password strength and changing defaults prior to use, which addresses the lack of strong password requirements by default in IBM Aspera Faspex.
- AC-7 (Unsuccessful Logon Attempts): enforces limits on unsuccessful logon attempts and account lockouts, mitigating brute-force exploitation of weak or default passwords.
- CM-6 (Configuration Settings): requires establishment and enforcement of secure configuration settings, including a strong password policy, to prevent use of weak defaults.
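The two controls the analysis ranks highest, a password-strength policy (IA-5) and a lockout on repeated failed logons (AC-7), as an added illustration that is not IBM's code or Faspex's actual policy; the thresholds, the common-password list and the account names are constructed for the example.

```python
import re
import time
from collections import defaultdict

# Constructed policy values: the advisory does not publish Faspex's own thresholds.
MIN_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5   # AC-7: lock the account after this many consecutive failures
LOCKOUT_SECONDS = 900     # AC-7: how long the lockout lasts
COMMON_PASSWORDS = {"password", "aspera", "faspex", "welcome1", "admin123"}  # constructed sample list

def password_policy_violations(password: str) -> list:
    """Return the IA-5 rules a candidate password fails (empty list means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password): problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password): problems.append("no uppercase letter")
    if not re.search(r"\d", password): problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password): problems.append("no symbol")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in common-password list")
    return problems

class LogonThrottle:
    """Tracks consecutive failed logons per account and enforces a temporary lockout."""
    def __init__(self, clock=time.monotonic):
        self.clock = clock              # injectable so tests can advance time
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, account: str) -> bool:
        until = self.locked_until.get(account)
        if until is None: return False
        if self.clock() >= until:       # lockout expired: reset state for a fresh start
            del self.locked_until[account]
            self.failures[account] = 0
            return False
        return True

    def record_attempt(self, account: str, success: bool) -> str:
        """Returns 'ok', 'failed' or 'locked'; a locked account rejects even a correct password."""
        if self.is_locked(account):
            return "locked"
        if success:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[account] = self.clock() + LOCKOUT_SECONDS
            return "locked"
        return "failed"
```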