Four 0-day Exploits in IBM Data Risk Manager

Security researchers have just disclosed four unpatched vulnerabilities in IBM Data Risk Manager. The vulnerabilities were reported to IBM, but IBM closed the report as out of scope for its vulnerability disclosure program. Three of the four vulnerabilities are rated critical.



IBM Data Risk Manager is actually meant to protect corporate networks: it aggregates data from the various security solutions running on the network and presents it to administrators. But the way these 0-day vulnerabilities have now been made public leaves a bitter aftertaste.

Pedro Ribeiro made this public yesterday in a tweet. There he points out that he published the vulnerabilities in IBM Data Risk Manager because IBM Security had rebuffed his reports about them. IBM's reasoning:

we have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for "enhanced" support paid for by our customers. This is outlined in our policy https://hackerone.com/ibm. To be eligible to participate in this program, you must not be under contract to perform security testing for IBM Corporation, or an IBM subsidiary, or IBM client within 6 months prior to submitting a report.

IBM closed the reported case because the product is only available to paying customers. Ribeiro's analysis of the IBM Data Risk Manager Linux virtual appliance revealed four vulnerabilities, three of which he classified as critical and one as high risk. The four vulnerabilities:

  • Authentication bypass
  • Command injection
  • Insecure default password
  • Arbitrary file download

On GitHub, the researcher describes the four vulnerabilities and the steps required to chain the first three (authentication bypass, command injection and the insecure default password), which yields unauthenticated remote code execution as root. He has also released two Metasploit modules: one that bypasses authentication and achieves remote code execution, and one that exploits the arbitrary file download. Practically the full program. For IBM, the decision to close the report may now have backfired. The Hacker News, ZDNet and Bleeping Computer also have articles on the subject. Is anyone among you running IBM Data Risk Manager up to version 2.0.6?
