Researcher Discovered 4 Zero-Day Flaws in IBM Enterprise Security Software

A cybersecurity researcher today publicly disclosed technical details and proof-of-concept code for four zero-day vulnerabilities affecting enterprise security software sold by IBM, after the company refused to accept the vulnerability report.
The premium product in question is IBM Data Risk Manager (IDRM), which was developed to analyze an organization's sensitive business information assets and determine the risks associated with them.
According to Pedro Ribeiro of Agile Information Security, IBM Data Risk Manager contains three critical vulnerabilities and one serious flaw, listed below, that can be exploited by an unauthenticated attacker with network access to the appliance; when chained together, they lead to remote code execution as root.

  • Authentication Bypass
  • Command Injection
  • Insecure Default Password
  • Arbitrary File Download

Ribeiro successfully tested the flaws against IBM Data Risk Manager versions 2.0.1 through 2.0.3, which is not the latest software version, but believes they also work on 2.0.4 through the latest version, 2.0.6, because "there is no mention of fixed vulnerabilities in any of the change lists."
"IDRM is an enterprise security product that processes sensitive information. A compromise of such a product can lead to large-scale liabilities for the company, because the tool has credentials for access to other security tools, not to mention the information it holds about critical vulnerabilities that affect the company," Ribeiro said.

Critical Zero-Day Vulnerabilities in IBM Data Risk Manager

In short, the authentication bypass exploits a logic error in the session identifier function to reset the password of any existing account, including the administrator's.

The command injection flaw stems from the fact that IBM's enterprise security software lets users scan the network using Nmap scripts, and the script input can apparently be laced with malicious commands when an attacker supplies it.
According to the disclosure, the IDRM virtual appliance also ships with a built-in administrative user for SSH access and running sudo commands, with the username "a3user" and the default password "idrm"; if left unchanged, this can allow remote attackers to gain full control over affected systems.

The final vulnerability is an API endpoint that lets authenticated users download syslog files. According to the researcher, however, one of the endpoint's parameters suffers from a directory traversal flaw that could allow attackers to download any file from the system.
Alongside the technical details, the researcher also released two Metasploit modules covering the authentication bypass, the remote code execution and the arbitrary file download issues.
Ribeiro says he reported the issues to IBM through CERT/CC, and that in response the company refused to accept the vulnerability report, saying: "We assessed this report and closed it as being outside the scope of our vulnerability disclosure program, because this product is intended only for 'extended' support paid for by our customers."
In response, Ribeiro said: "In any case, I did not ask for and did not expect a reward, because I do not have a HackerOne account and I do not agree with HackerOne's or IBM's disclosure terms there. I just wanted to disclose them responsibly to IBM and let them fix it."
Hacker News has contacted IBM and will update the article when more information becomes available.
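The command injection and the directory traversal described above are both input-handling bugs of the same shape: attacker-controlled text reaches a shell or a filesystem path without being constrained first. As an added illustration, not code from IDRM or from Ribeiro's advisory, the following Python shows the vulnerable pattern beside a hardened version for each; all function, parameter and directory names are hypothetical.

```python
import os
import re
import ipaddress
from pathlib import Path

# Hypothetical names throughout; this is an added illustration, not IDRM code.
SCRIPT_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]*")

def vulnerable_log_path(base: str, name: str) -> str:
    # The arbitrary-file-download pattern: the request parameter is joined
    # onto the log directory as-is, so "../" segments, or an absolute path,
    # walk straight out of it.
    return os.path.join(base, name)

def safe_log_path(base: str, name: str) -> Path:
    # Canonicalise first, then confirm the result still sits inside the log
    # directory; relative_to() raises ValueError when it does not.
    root = Path(base).resolve()
    candidate = (root / name).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise ValueError(f"path escapes log directory: {name!r}") from None
    return candidate

def vulnerable_scan_command(target: str, script: str) -> str:
    # The command-injection pattern: user input is interpolated into one
    # string that a shell will parse, so ';', '$(...)' and friends become
    # extra commands running with the service's privileges.
    return f"nmap --script {script} {target}"

def safe_scan_argv(target: str, script: str) -> list:
    # Allowlist each field, then build an argv list for
    # subprocess.run(argv) with shell=False, so no shell ever sees the input.
    if not SCRIPT_NAME.fullmatch(script):
        raise ValueError(f"script name rejected: {script!r}")
    ipaddress.ip_address(target)  # ValueError unless a bare IP literal
    return ["nmap", "--script", script, target]

def rejects(fn, *args) -> bool:
    # True when the hardened check refuses the input with ValueError.
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

The hardened variants are the checks a reviewer would look for in any log-download or scan-launching endpoint: canonicalise-then-compare for paths, and allowlist-then-argv (never a shell string) for external commands.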

https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md