A cyber security researcher has publicly disclosed vulnerabilities in IBM’s Data Risk Manager, claiming that Big Blue refused to act on the vulnerability report sent via CERT/CC, saying it was “out of scope”. With his exploit code now live, users are urged to assess risk and mitigate where possible.
The bugs — which Pedro Ribeiro has detailed on GitHub — are in the IBM enterprise security software tool, which aggregates and displays security risks gleaned via scanning and risk management software.
Ribeiro, Director of Research at Agile Information Security, found three critical-risk and one high-risk vulnerabilities: an authentication bypass, a command injection, an insecure default password and an arbitrary file download. An attacker can chain these vulnerabilities to remotely execute code as root on the system.
The security firm said it tried to responsibly disclose the zero-days to IBM by contacting the CERT Coordination Center (CERT/CC) to make an official vulnerability report; however, IBM refused the report and responded to CERT/CC with the following message:
“We have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for ‘enhanced’ support paid for by our customers.”
The security researcher described this as an “unbelievable response by IBM”. Any unauthorised access to IBM’s Data Risk Manager could have serious consequences because of the sensitive information it processes.
A hack of the manager could lead to an organisation experiencing a large scale compromise, he added.
An IBM spokesperson told Computer Business Review via email that: “A process error resulted in an improper response to the researcher who reported this situation to IBM. We have been working on mitigation steps and they will be discussed in a security advisory to be issued.”
That security advisory is live and can be accessed here. (IBM says in it that two of the vulnerabilities are fixed and that an update to the software will address them. It adds that “An authentication bypass vulnerability was also reported to exist in product versions 2.0.1 and greater. IBM is investigating this report and will provide further information on fix action as appropriate.”)
Speaking to Computer Business Review, Pedro Ribeiro says that IBM has not contacted him yet.
“According to them (IBM), two of the vulnerabilities were fixed in version 2.0.4. I’m not sure what to think of it, since there is no record of any fixed vulnerability in any of the change logs that IBM have published since then.”
IBM’s Data Risk Manager Disclosure
Since IBM appeared not to be accepting the security report, Pedro Ribeiro decided to disclose the zero-days online.
Ribeiro notes that he was not seeking a bounty and does not even have a HackerOne account through which to receive one. “I simply wanted to disclose these to IBM responsibly and let them fix it,” he said.
“I am disclosing four 0day for IBM Data Risk Manager, an ENTERPRISE SECURITY APPLIANCE. @IBMSecurity refused to accept @certcc's disclosure and told them to fleck off!
Advisory and exploits here, have fun: https://t.co/60a7XRZt4C” — Pedro Ribeiro (@pedrib1337), April 21, 2020
One of the issues reported by Ribeiro involves an insecure default password. The administrative user on the manager’s virtual appliance is ‘a3user’, an account that can log in and run sudo commands.
It also has a default password of ‘idrm’. The researcher found that, by combining the authentication bypass and command injection vulnerabilities with this default password, an attacker could achieve remote code execution as root on the manager’s virtual appliance.
Ribeiro says that: “As for the default password, they say that they recommend to have it changed, but that’s a lie. If you follow the link they provide in the advisory, it’s very clear that they say the password CAN be changed, but they don’t recommend to do so there or force the user to do so.”