Researcher Discloses 4 Zero-Day Bugs in IBM Enterprise Security Software

    IBM Data Risk Manager (IDRM)

    A cybersecurity researcher today publicly disclosed technical details and PoC for 4 unpatched zero-day vulnerabilities affecting an enterprise security software offered by IBM after the company refused to acknowledge the responsibly submitted disclosure.

    The affected premium product in question is IBM Data Risk Manager (IDRM) that has been designed to analyze sensitive business information assets of an organization and determine associated risks.

    According to Pedro Ribeiro of the firm Agile Information Security, IBM Data Risk Manager contains three critical-severity vulnerabilities and one high-impact bug, all listed below, which can be exploited over the network by an unauthenticated attacker and, when chained together, could lead to remote code execution as root.

    • Authentication Bypass
    • Command Injection
    • Insecure Default Password
    • Arbitrary File Download

    Ribeiro successfully tested the flaws against IBM Data Risk Manager versions 2.0.1 through 2.0.3, which are not the latest releases of the software, but believes they also work against 2.0.4 through the newest version, 2.0.6, because “there is no mention of fixed vulnerabilities in any change log.”

    “IDRM is an enterprise security product that handles very sensitive information. A compromise of such a product might lead to a full-scale company compromise, as the tool has credentials to access other security tools, not to mention it contains information about critical vulnerabilities that affect the company,” Ribeiro said.

    Critical Zero-Day Vulnerabilities in IBM Data Risk Manager

    In brief, the authentication bypass flaw exploits a logical error in the session ID feature to reset the password for any existing account, including the administrator.

    The command injection flaw resides in the way IBM’s enterprise security software lets users perform network scans using Nmap scripts, which apparently can be equipped with malicious commands when supplied by attackers.

    According to the vulnerability disclosure, the IDRM virtual appliance also ships with a built-in administrative user, username “a3user” and default password “idrm,” that can log in over SSH and run sudo commands; if left unchanged, this account could let remote attackers take complete control of the targeted system.

    The last vulnerability resides in an API endpoint that allows authenticated users to download log files from the system. However, according to the researcher, one of the parameters to this endpoint suffers from a directory traversal flaw that could let malicious users download any file from the system.
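As an added illustration of the directory traversal class described above (this is not code from the advisory or from IBM): a hypothetical log-download handler, first joining the file-name parameter unchecked, then with the path confined to the log directory. LOG_DIR, LOG_FILES and the function names are assumptions.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed example: an application log directory and the names the
# "download log file" endpoint is meant to serve (hypothetical values).
LOG_DIR = "/var/log/app"
LOG_FILES = {"server.log", "audit.log"}


def vulnerable_resolve(name: str) -> str:
    """Joins the user-supplied name straight onto LOG_DIR.
    ".." components are never checked, so the result can leave LOG_DIR."""
    return os.path.normpath(os.path.join(LOG_DIR, name))


def hardened_resolve(name: str) -> Optional[str]:
    """Resolves the requested name and refuses anything outside LOG_DIR.
    Returns the absolute path to serve, or None when the request is rejected."""
    # A log file name is a single path component: no separators, no "." or "..".
    if not name or "/" in name or "\\" in name or name in (".", ".."):
        return None
    # Lexically collapse the path (no filesystem access), then confirm it is
    # still beneath LOG_DIR. Redundant with the check above, by design.
    resolved = os.path.normpath(os.path.join(LOG_DIR, name))
    if os.path.commonpath([LOG_DIR, resolved]) != LOG_DIR:
        return None
    # Allow-list: only log files the application knows about may be downloaded.
    if name not in LOG_FILES:
        return None
    return resolved


def handle_download(raw_param: str) -> Optional[str]:
    """Entry point as a web framework would call it: decode the query
    parameter exactly once, then apply the hardened resolution."""
    return hardened_resolve(unquote(raw_param))
```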

    Besides technical details, the researcher has also released two Metasploit modules for authentication bypass, remote code execution, and arbitrary file download issues.

    Ribeiro claims to have reported this issue to IBM via CERT/CC, and in response the company refused to accept the vulnerability report, saying: “We have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for ‘enhanced’ support paid for by our customers.”

    In response Ribeiro said, “In any case, I did not ask or expect a bounty since I do not have a HackerOne account and I don’t agree with HackerOne’s or IBM’s disclosure terms there. I simply wanted to disclose these to IBM responsibly and let them fix it.”

    The Hacker News has reached out to IBM, and we will update the article as more information becomes available.


    An IBM spokesperson told The Hacker News that “a process error resulted in an improper response to the researcher who reported this situation to IBM. We have been working on mitigation steps and they will be discussed in a security advisory to be issued.”
