IBM Informix Dynamic Server CVE-2024-45675: Brief Summary of Local Authentication Bypass on Windows

A brief summary of CVE-2024-45675 affecting IBM Informix Dynamic Server 14.10 on Windows. This post covers technical details, affected versions, and vendor security history for this local authentication bypass vulnerability.
ZeroPath CVE Analysis

2025-12-01

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Any local user on a Windows system running IBM Informix Dynamic Server 14.10 can gain administrative access to the database without a password. This issue enables privilege escalation and lateral movement for attackers who have any local account on the affected host. The vulnerability is significant for organizations that rely on Informix for critical data workloads, especially in regulated industries.

IBM is a global leader in enterprise IT solutions, with Informix serving as a core database platform for sectors such as finance, healthcare, and government. Informix is known for its high performance and reliability in transactional and embedded environments, making it a trusted choice for mission-critical applications.

Technical Information

CVE-2024-45675 is a local authentication bypass vulnerability in IBM Informix Dynamic Server 14.10, specifically on Windows platforms. The flaw is present in the DB-Access utility, which is used for local database connections. When a user initiates a connection to the Informix server locally, the authentication mechanism is supposed to validate the provided credentials against the requested user identity. However, due to improper implementation of password verification in the local connection handler, the server does not require or check the password for the specified user account.

This means any local user, regardless of their privilege level, can connect to the Informix server as any other user, including the database administrator, simply by specifying the target username. The vulnerability is classified under CWE-309 (Use of Password System for Primary Authentication) and is only present on Windows. Non-Windows platforms such as Linux, Unix, and AIX are not affected.

The root cause is the lack of proper credential checks in the code path handling local connections via DB-Access. No public code snippets or stack traces are available for this issue. Exploitation does not require any user interaction or prior privileges beyond local access to the Windows host running Informix.

Affected Systems and Versions

  • IBM Informix Dynamic Server version 14.10 on Windows is affected.
  • The vulnerability is present in all 14.10 releases prior to 14.10.xC11W1.
  • Only Windows installations are impacted. Linux, Unix, and other non-Windows platforms are not vulnerable.
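
The affected range above can be turned into an inventory check. The following is an added example, not code from IBM or from the original post: it classifies hosts by operating system and Informix version string. It assumes version strings of the form 14.10.FC10 or 14.10.FC11W1, with the "x" in 14.10.xC11W1 read as a placeholder for the platform letter; the host names and banners are constructed.

```python
import re

# Assumption: version strings look like "14.10.FC10" or "14.10.FC11W1"
# (<major>.<minor>.<platform letter>C<fix level>[W<interim>]); the "x" in the
# page's "14.10.xC11W1" is read as a placeholder for the platform letter.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.[A-Za-z]C(\d+)(?:W(\d+))?")
FIXED = (11, 1)  # C11, W1: first fixed 14.10 level named on the page


def parse_version(text):
    """Return (major, minor, fix_level, interim) or None when nothing matches."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, fix, interim = m.groups()
    return int(major), int(minor), int(fix), int(interim or 0)


def triage(os_name, version_text):
    """Classify one inventory row against the affected range stated above."""
    if os_name.strip().lower() != "windows":
        return "not affected"      # only Windows installations are impacted
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown"           # unparseable banner: check by hand
    major, minor, fix, interim = parsed
    if (major, minor) != (14, 10):
        return "not covered"       # the page only makes a statement about 14.10
    return "affected" if (fix, interim) < FIXED else "fixed"


# Constructed inventory rows (host names and banners are made up for the example).
INVENTORY = [
    ("db-win-01", "Windows", "IBM Informix Dynamic Server Version 14.10.FC10 -- On-Line"),
    ("db-win-02", "Windows", "14.10.FC11"),
    ("db-win-03", "Windows", "14.10.FC11W1"),
    ("db-lnx-01", "Linux", "14.10.FC9W1"),
    ("db-win-04", "Windows", "12.10.FC15"),
    ("db-win-05", "Windows", "n/a"),
]

if __name__ == "__main__":
    for host, os_name, banner in INVENTORY:
        print(f"{host:10} {triage(os_name, banner)}")
```

Rows reported as "unknown" or "not covered" need a manual check, since the page makes no statement about them.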

Vendor Security History

IBM has a history of security issues in the Informix product line, including privilege escalation (CVE-2018-1631) and remote code execution (CVE-2017-1092). IBM typically responds promptly to vulnerabilities with security bulletins and patches. The fix for CVE-2024-45675 was released in version 14.10.xC11W1, less than a week after public disclosure.
