April 22, 2020, updated 23 Apr 2020 7:36am

IBM Rejects 0Day Disclosure: Remote Exploit Gives Root, No Patch Yet

“As for the default password, they say that they recommend to have it changed, but that's a lie.”

By CBR Staff Writer

A cyber security researcher has publicly disclosed vulnerabilities in IBM’s Data Risk Manager, claiming that Big Blue refused to action the vulnerability report sent via CERT/CC, saying it was “out of scope”. With his exploit code now live, users are urged to assess their risk and mitigate where possible.

The bugs — which Pedro Ribeiro has detailed on GitHub — are in the IBM enterprise security software tool, which aggregates and displays security risks gleaned via scanning and risk management software.

Ribeiro, Director of Research at Agile Information Security, found three critical-risk and one high-risk vulnerability: an authentication bypass, a command injection, an insecure default password and an arbitrary file download. An attacker can chain these vulnerabilities to remotely execute code as root on the system.

The security firm said it tried to responsibly disclose the zero-days to IBM by contacting the CERT Coordination Center (CERT/CC) to make an official vulnerability report. IBM, however, refused the report and responded to CERT/CC with the following message:

“We have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for ‘enhanced’ support paid for by our customers.”

The security researcher described this as an “unbelievable response by IBM”. Any unauthorised access to IBM’s Data Risk Manager could have serious consequences, because the product processes sensitive information.

A hack of the manager could lead to an organisation experiencing a large scale compromise, he added.


An IBM spokesperson told Computer Business Review via email that: “A process error resulted in an improper response to the researcher who reported this situation to IBM. We have been working on mitigation steps and they will be discussed in a security advisory to be issued.”

That security advisory is live and can be accessed here. (IBM says in it that two of the vulns are fixed and an update to the software will fix them. It adds that “An authentication bypass vulnerability was also reported to exist in product versions 2.0.1 and greater. IBM is investigating this report and will provide further information on fix action as appropriate.”)

Speaking to Computer Business Review, Pedro Ribeiro says that IBM has not contacted him yet.

“According to them (IBM), two of the vulnerabilities were fixed in version 2.0.4. I’m not sure what to think of it, since there is no record of any fixed vulnerability in any of the change logs that IBM have published since then.”

IBM’s Data Risk Manager Disclosure

Since IBM appeared not to be accepting the security report, Pedro Ribeiro decided to disclose the zero-days online.

Ribeiro notes that he was not seeking a bounty and does not even have a HackerOne account through which to receive one. “I simply wanted to disclose these to IBM responsibly and let them fix it,” he said.

One of the issues reported by Ribeiro involves an insecure default password. The administrative user in the manager’s virtual appliance is ‘a3user’, an account that can log in and run sudo commands.

It also has a default password of ‘idrm’. The researcher found that, using the authentication bypass and command injection vulnerabilities, an attacker could take advantage of this default password and achieve remote code execution as root on the manager’s virtual appliance.

Ribeiro says that: “As for the default password, they say that they recommend to have it changed, but that’s a lie. If you follow the link they provide in the advisory, it’s very clear that they say the password CAN be changed, but they don’t recommend to do so there or force the user to do so.”
