Pierluigi Paganini April 21, 2020

A security researcher disclosed details of four zero-day flaws impacting an IBM security product after the IT giant refused to address them.

The security researcher Pedro Ribeiro, Director of Research at Agile Information Security, has published details about four zero-day vulnerabilities affecting the IBM Data Risk Manager (IDRM) after the company refused to address the issues.

The IBM Data Risk Manager is an enterprise security product that aggregates feeds from vulnerability scanning tools and other risk management tools allowing to analyzed security events and data-related business risks.

IDRM handles very sensitive information, for this reason the exploitation of any issue affecting the product could have important consequences.

The IBM Data Risk Manager manages credentials to access other security tools used in the enterprise and information about security vulnerabilities that affect the organizations.

“The IDRM Linux virtual appliance was analysed and it was found to contain four vulnerabilities, three critical risk and one high risk:

• Authentication Bypass
• Command Injection
• Insecure Default Password
• Arbitrary File Download

This advisory describes the four vulnerabilities and the steps necessary to chain the first three to achieve unauthenticated remote code execution as root.” the expert wrote on GitHub. “In addition, two Metasploit modules that bypass authentication and exploit the remote code execution and arbitrary file download are being released to the public.“

The researchers attempted to report the issues to IBM with the coordination of the CERT/CC, but the company did not acknowledged the vulnerability and provided the following response to the CERT/CC:

“we have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for “enhanced” support paid for by our customers. This is outlined in our policy https://hackerone.com/ibm. To be eligible to participate in this program, you must not be under contract to perform security testing for IBM Corporation, or an IBM subsidiary, or IBM client within 6 months prior to submitting a report.“

The researcher explained that he has yet to understand what IBM’s reply means, these are the open questions of the expert:

• “Why did IBM refuse to accept a FREE detailed vulnerability report?
• “What does their answer mean? Are the only accepting vulnerability reports from customers?
• “Or is the product out of support? If so, why is still being offered for sale to new customers?
• “How can they be so irreponsible while selling an enterprise security product?”

“This is an unbelievable response by IBM, a multi billion dollar company that is selling security enterprise products and security consultancy to huge corporations worldwide,” Ribeiro added.

Anyway, Ribeiro decided to publish technical details of the flaws in the IBM Data Risk Manager due to their level of severity allowing enterprises that use the security tool to mitigate the risk of cyber attacks.

The researcher explained that chaining the first three issue it is possible to remotely execute arbitrary code as root.

The expert also released two Metasploit modules that bypass authentication and exploit the remote code execution and arbitrary file download.

“At the time of disclosure, it is unclear if the latest version 2.0.6 is affected by these, but most likely it is, as there is no mention of fixed vulnerabilities in any changelog, and it was released before the attempt to report these vulnerabilities to IBM. The latest version Agile InfoSec has access to is 2.0.3, and that one is certainly vulnerable.” concluded the expert.

Pierluigi Paganini

(SecurityAffairs – IBM Data Risk Manager, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]