Four zero-day vulnerabilities have been identified in IBM Data Risk Manager (IDRM) which could allow the downloading of arbitrary files and, if chained together, remote code execution. The security researcher who discovered the vulnerabilities, Pedro Ribeiro, Director of Research at Agile Information Security, released details of the flaws on GitHub after IBM refused to acknowledge the vulnerabilities, which were responsibly disclosed to the company via CERT/CC. Metasploit modules have also been released for three of the flaws – authentication bypass, remote code execution, and arbitrary file download.
IDRM is an enterprise security solution used to discover, analyze, and visualize data-related business risks. The software handles highly sensitive information such as credentials for other enterprise security tools and contains information about critical enterprise vulnerabilities, according to Ribeiro.
Three of the zero-day vulnerabilities are critical, with the fourth rated as a high-impact bug. The three critical vulnerabilities are an authentication bypass flaw, a command injection flaw, and an insecure default password; the fourth allows the downloading of arbitrary files. The vulnerabilities are present in IDRM versions 2.0.1 to 2.0.3 and are also believed to affect the latest versions of IDRM: 2.0.4 to 2.0.6.
The first vulnerability is due to a logical error in the session ID feature. It can be exploited remotely by an unauthenticated user to reset the password for any existing account, including the administrator account. The second flaw concerns a function of the software that allows users to perform network scans using Nmap scripts. There are insufficient controls in place to prevent the injection of malicious commands. The solution also has default administrative credentials: a3user/idrm, which could be used by an attacker to take full control of targeted systems.
The high impact flaw is present in an API endpoint, which allows the downloading of log files but, as a result of a directory traversal flaw, other files could be downloaded from the system. Ribeiro says that chaining the first three vulnerabilities permits remote code execution. Chaining the first and fourth vulnerabilities allows the downloading of arbitrary files.
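As an added illustration of the log-download weakness described above (constructed code, not IDRM's own; the log directory, request format and parameter names are assumptions), the snippet below places a naive path resolver next to a confined one and adds a small access-log check that flags traversal-style requests for review:

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

LOG_DIR = "/var/log/idrm-example"  # constructed; not a real IDRM path


def naive_resolve(requested: str) -> str:
    """Vulnerable pattern: the requested name is joined straight onto the
    log directory, so '../' segments walk out of it."""
    return posixpath.normpath(posixpath.join(LOG_DIR, requested))


def safe_resolve(requested: str) -> Optional[str]:
    """Hardened version: normalise first, then require the result to stay
    inside LOG_DIR and to be a flat .log file name. Returns None on reject."""
    if not requested or "\x00" in requested:
        return None
    if posixpath.isabs(requested):
        return None
    candidate = posixpath.normpath(posixpath.join(LOG_DIR, requested))
    # Confinement check: the normalised path must still sit under LOG_DIR
    if posixpath.commonpath([LOG_DIR, candidate]) != LOG_DIR:
        return None
    # Defence in depth: no subdirectories, and only the expected extension
    if posixpath.dirname(candidate) != LOG_DIR or not candidate.endswith(".log"):
        return None
    return candidate


def looks_like_traversal(request_path: str) -> bool:
    """Detection helper for access-log review: flag request paths that still
    carry '../' (or '..\\') after two rounds of URL decoding."""
    decoded = unquote(unquote(request_path))
    return "../" in decoded or "..\\" in decoded


def flagged_requests(access_log_lines):
    """Return the lines of a (constructed) access log worth a closer look."""
    return [line for line in access_log_lines if looks_like_traversal(line)]
```

The naive resolver returns a path outside the log directory for a `../` request, while the confined resolver rejects it; the detector is meant for retrospective log review, not as a replacement for the server-side check.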
IBM declined to acknowledge the CERT/CC report, stating, “We have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for “enhanced” support paid for by our customers.”
Ribeiro says that the vulnerabilities were not disclosed in order to receive a bug bounty, but instead were disclosed to allow IBM to fix the flaws. IBM has since released a statement saying, “A process error resulted in an improper response to the researcher who reported this situation to IBM.” IBM is now taking steps to mitigate the vulnerabilities and a security advisory about the flaws will be issued.