Multiple security flaws within IBM Data Risk Manager (IDRM), one of IBM’s enterprise security tools, were reportedly revealed by a third-party security researcher. Incidentally, the Zero-Day security vulnerabilities haven’t yet been officially acknowledged, let alone successfully patched by IBM.
A researcher who discovered at least four security vulnerabilities, with potential Remote Code Execution (RCE) capabilities, is reportedly available in the wild. The researcher claims he had attempted to approach IBM and share the details of the security flaws inside IBM’s Data Risk Manager security virtual appliance, but IBM refused to acknowledge them and consequentially, has apparently left them unpatched.
IBM Refuses To Accept Zero-Day Security Vulnerability Report?
The IBM Data Risk Manager is an enterprise product that provides data discovery and classification. The platform includes detailed analytics about the business risk that is based on the information assets inside the organization. Needless to add, the platform has access to critical and sensitive information about the businesses that use the same. If compromised, the entire platform can be turned into a slave that can offer hackers easy access to even more software and databases.
Security researcher discloses four zero-days #vulnerabilities that impact the IBM Data Risk Manager (IDRM), one of IBM's #enterprisesecurity tools. #cybersecurity https://t.co/jvdcufgQqi https://t.co/2cKjfrCOoz
— David De Sousa (@DavidDeSDrumond) April 21, 2020
Pedro Ribeiro of Agile Information Security in the UK investigated version 2.0.3 of IBM Data Risk Manager and reportedly discovered a total of four vulnerabilities. After confirming the flaws, Ribeiro attempted disclosure to IBM through the CERT/CC at Carnegie Mellon University. Incidentally, IBM operates the HackerOne platform, which is essentially an official channel to report such security weaknesses. However, Ribeiro is not a HackerOne user and apparently didn’t want to join, so he tried going through CERT/CC. Strangely, IBM refused to acknowledge the flaws with the following message:
“We have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for “enhanced” support paid for by our customers. This is outlined in our policy https://hackerone.com/ibm. To be eligible to participate in this program, you must not be under contract to perform security testing for IBM Corporation, or an IBM subsidiary, or IBM client within 6 months prior to submitting a report.”
After the free vulnerability report was reportedly rejected, the researcher published details on GitHub about the four issues. The researcher assures the reason for publishing the report was to make companies that use IBM IDRM aware of the security flaws and allow them to put mitigations in place to prevent any attacks.
What Are The 0-Day Security Vulnerabilities In IBM IDRM?
Of the four, three of the security flaws can be used together to gain root privileges on the product. The flaws include an authentication bypass, a command injection flaw, and an insecure default password.
The authentication bypass allows an attacker to abuse an issue with an API to get the Data Risk Manager appliance to accept an arbitrary session ID and a username and then send a separate command to generate a new password for that username. Successful exploitation of the attack essentially yields access to the web administration console. This means the platform’s authentication or authorized access systems are completely bypassed and the attacker has full administrative access to IDRM.
With the admin access, an attacker can use the command injection vulnerability to upload an arbitrary file. When the third flaw is combined with the first two vulnerabilities, it allows an unauthenticated remote attacker to achieve Remote Code Execution (RCE) as root on the IDRM virtual appliance, leading to complete system compromise. Summarizing the four Zero-Day Security Vulnerabilities in IBM IDRM:
- A bypass of the IDRM authentication mechanism
- A command injection point in one of the IDRM APIs that lets attacks run their own commands on the app
- A hardcoded username and password combo of a3user/idrm
- A vulnerability in the IDRM API that can allow remote hackers to download files from the IDRM appliance
If that’s not damaging enough, the researcher has promised to reveal details about two Metasploit modules that bypass authentication and exploit the remote code execution and arbitrary file download flaws.
It is important to note that despite the presence of the security vulnerabilities inside IBM IDRM, the chances of successfully exploiting the same are rather slim. This is primarily because companies that deploy IBM IDRM on their systems usually prevent access through the internet. However, if the IDRM appliance is exposed online, attacks can be carried out remotely. Moreover, an attacker who has access to a workstation on a company’s internal network can potentially take over the IDRM appliance. Once successfully compromised, the attacker can easily extract credentials for other systems. These would potentially give the attacker the ability to move laterally to other systems on the company’s network.