Cyber security researchers have revealed technical details and proof-of-concept (PoC) code for four unpatched zero-day bugs that affect enterprise security software offered by IBM.
The affected product is IBM Data Risk Manager (IDRM), which is designed to analyze an organization's sensitive business information assets and determine the associated risks.
Pedro Ribeiro of the firm Agile Information Security stated that IBM Data Risk Manager has four bugs, three of critical severity and one of high severity. These bugs could be exploited by an unauthenticated attacker to achieve remote code execution.
The four bugs include Authentication Bypass, Command Injection, Insecure Default Password and Arbitrary File Download.
Ribeiro tested the flaws against IBM Data Risk Manager versions 2.0.1 to 2.0.3, and believes they also work on 2.0.4 through the newest version, 2.0.6, since no change log mentions fixes for these vulnerabilities.
He stated that IDRM is an enterprise security product which deals with very sensitive information. If such a product is compromised, it could lead to a full-scale company compromise, because the tool also holds credentials for accessing other security tools. Besides that, it contains information about critical vulnerabilities that affect the company.
The authentication bypass flaw exploits a logical error in the session ID feature to reset the password of any existing account, including the administrator's.
The command injection flaw resides in the way IBM's enterprise security software lets users perform network scans using Nmap scripts: the values a user supplies for the scan are passed through to the command, so an attacker can embed malicious commands in them.
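The following Python wrapper is an added illustration, not code from IBM, from IDRM or from Ribeiro's advisory. It contrasts the unsafe pattern behind this class of bug (interpolating a user-supplied scan target and script name into a shell command string) with a hardened version that validates the target as an IP literal or plain hostname, restricts scripts to a fixed allowlist and hands an argument list to `subprocess` with no shell involved. The allowlist contents, the function names and the scan flags are assumptions made for the example.

```python
import ipaddress
import re
import subprocess

# Allowlist of NSE script names the wrapper accepts. Constructed for this example;
# it is not IDRM's list.
ALLOWED_SCRIPTS = frozenset({"ssl-cert", "http-title", "ssh-hostkey"})

# RFC 1123-style hostname: labels of letters, digits and hyphens, no leading or
# trailing hyphen, at most 253 characters in total.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_scan_command(target: str, script: str) -> str:
    """The unsafe pattern: raw user input interpolated into a shell string.

    Anything the shell treats specially (';', '|', '$(...)', ...) in either value
    becomes part of the command. Returned as a string for illustration only;
    nothing in this example executes it.
    """
    return f"nmap -sV --script {script} {target}"


def validate_target(target: str) -> str:
    """Accept an IPv4/IPv6 literal or a plain hostname; reject everything else."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"rejected scan target: {target!r}")


def validate_script(script: str) -> str:
    """Only allow script names from the fixed allowlist (no user-supplied paths)."""
    if script in ALLOWED_SCRIPTS:
        return script
    raise ValueError(f"rejected NSE script: {script!r}")


def build_scan_argv(target: str, script: str) -> list[str]:
    """Build the argument vector. No shell is involved, so metacharacters are inert,
    and validation ensures the target cannot masquerade as an nmap option."""
    return ["nmap", "-sV", "--script", validate_script(script), validate_target(target)]


def is_rejected(target: str, script: str) -> bool:
    """True when the hardened path refuses the request."""
    try:
        build_scan_argv(target, script)
    except ValueError:
        return True
    return False


def run_scan(target: str, script: str) -> subprocess.CompletedProcess:
    """Run the validated scan without a shell (requires nmap on PATH)."""
    return subprocess.run(build_scan_argv(target, script),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    print(vulnerable_scan_command("10.0.0.5; id", "ssl-cert"))  # a shell would run 'id'
    print(build_scan_argv("10.0.0.5", "ssl-cert"))
    print(is_rejected("10.0.0.5; id", "ssl-cert"))              # True
```

The two defences are independent: the argument list keeps the shell out of the picture, and the validation keeps attacker-controlled values from being interpreted as options or file paths by nmap itself.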
The IDRM virtual appliance has a built-in administrative user with the username "a3user" and the default password "idrm"; if left unchanged, it could let remote attackers take complete control of the targeted systems.
The arbitrary file download vulnerability resides in an API endpoint that allows authenticated users to download log files from the system. One of the parameters to this endpoint is vulnerable to directory traversal, however, which allows an attacker to download any file from the system.
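As an added example of how such a log-download endpoint is hardened, the Python handler below is written for a hypothetical service; it is not IDRM's endpoint and not code from IBM or from the advisory. It shows the unsafe join of a client-supplied name onto the log directory beside a version that accepts only a bare `.log` file name, resolves the path (following symlinks) and refuses anything that does not stay under the log directory. The directory layout, the file names and the fixture helper are constructed for the example.

```python
import os
import tempfile
from pathlib import Path


def vulnerable_log_path(log_dir: str, requested: str) -> str:
    """The unsafe pattern: the client-supplied name is joined to the log directory.

    os.path.join discards log_dir entirely when `requested` is absolute, and
    '..' components walk out of it, so any readable file can be named.
    """
    return os.path.normpath(os.path.join(log_dir, requested))


def safe_log_path(log_dir: str, requested: str) -> Path:
    """Resolve `requested` strictly inside log_dir or raise ValueError."""
    base = Path(log_dir).resolve()
    # Accept only a bare file name: no separators, parent references or NUL bytes.
    if (not requested or requested in (".", "..")
            or any(ch in requested for ch in ("/", "\\", "\0"))):
        raise ValueError(f"rejected log name: {requested!r}")
    if not requested.endswith(".log"):
        raise ValueError(f"rejected log name (not a .log file): {requested!r}")
    # resolve() follows symlinks, so a planted link pointing outside is caught too.
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"rejected log name (escapes log directory): {requested!r}") from None
    if not candidate.is_file():
        raise FileNotFoundError(str(candidate))
    return candidate


def read_log(log_dir: str, requested: str) -> str:
    """Serve a log file only after safe_log_path has accepted it."""
    return safe_log_path(log_dir, requested).read_text()


def is_rejected_log_request(log_dir: str, requested: str) -> bool:
    """True when the hardened path refuses the request."""
    try:
        safe_log_path(log_dir, requested)
    except (ValueError, FileNotFoundError):
        return True
    return False


def make_demo_log_dir() -> str:
    """Constructed fixture: a temp log directory holding one real log file and a
    symlink that points outside the directory (standing in for a planted link)."""
    log_dir = tempfile.mkdtemp(prefix="logdemo_")
    (Path(log_dir) / "app.log").write_text("2020-04-21 INFO service started\n")
    outside = Path(tempfile.mkdtemp(prefix="outside_")) / "secret.txt"
    outside.write_text("not a log file\n")
    try:
        (Path(log_dir) / "link.log").symlink_to(outside)
    except OSError:
        pass  # symlinks may be unavailable; the link check is then simply not exercised
    return log_dir


if __name__ == "__main__":
    demo = make_demo_log_dir()
    print(vulnerable_log_path(demo, "../../../../../../../../etc/passwd"))  # escapes
    print(read_log(demo, "app.log"))
    print(is_rejected_log_request(demo, "../../../../../../../../etc/passwd"))  # True
```

Note that the name check and the post-resolution containment check overlap on purpose: the first rejects traversal syntax outright, the second catches a link inside the directory that points elsewhere, which no string check on the name can see.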
The researcher has also released two Metasploit modules covering the authentication bypass, remote code execution and arbitrary file download issues.
He reported the issues to IBM via CERT/CC, but the company refused to accept the vulnerability report. An IBM spokesperson later said that a process error had resulted in an improper response to the researcher who reported the situation, and that the company is working on mitigation steps, which will be described in a security advisory to be issued.