A cybersecurity researcher today publicly disclosed technical details and PoC for 4 unpatched zero-day vulnerabilities affecting an enterprise security software offered by IBM after the company refused to acknowledge the responsibly submitted disclosure.

The affected premium product in question is IBM Data Risk Manager (IDRM) that has been designed to analyze sensitive business information assets of an organization and determine associated risks.

According to Pedro Ribeiro from Agile Information Security firm, IBM Data Risk Manager contains three critical severity vulnerabilities and a high impact bug, all listed below, which can be exploited by an unauthenticated attacker reachable over the network, and when chained together could also lead to remote code execution as root.

Authentication Bypass

Command Injection

Insecure Default Password

Arbitrary File Download

Ribeiro successfully tested the flaws against IBM Data Risk Manager version 2.0.1 to 2.0.3, which is not the latest version of the software but believes they also work through 2.0.4 to the newest version 2.0.6 because “there is no mention of fixed vulnerabilities in any change log.”

“IDRM is an enterprise security product that handles very sensitive information. A compromise of such a product might lead to a full-scale company compromise, as the tool has credentials to access other security tools, not to mention it contains information about critical vulnerabilities that affect the company,” Ribeiro said.

Critical Zero-Day Vulnerabilities in IBM Data Risk Manager

In brief, the authentication bypass flaw exploits a logical error in the session ID feature to reset the password for any existing account, including the administrator.

The command injection flaw resides in the way IBM’s enterprise security software lets users perform network scans using Nmap scripts, which apparently can be equipped with malicious commands when supplied by attackers.

According to the vulnerability disclosure, to SSH and run sudo commands, IDRM virtual appliance also has a built-in administrative user with username “a3user” and default password of “idrm,” which if left unchanged, could let remote attackers take complete control over the targeted systems.

The last vulnerability resides in an API endpoint that allows authenticated users to download log files from the system. However, according to the researcher, one of the parameters to this endpoint suffers from a directory traversal flaw that could let malicious users download any file from the system.

Besides technical details, the researcher has also released two Metasploit modules for authentication bypass, remote code execution, and arbitrary file download issues.

Ribeiro claims to have reported this issue to IBM via CERT/CC and in response, the company refused to accept the vulnerability report, saying: ” We have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for “enhanced” support paid for by our customers.”

In response Ribeiro said, “In any case, I did not ask or expect a bounty since I do not have a HackerOne account and I don’t agree with HackerOne’s or IBM’s disclosure terms there. I simply wanted to disclose these to IBM responsibly and let them fix it.”

The Hacker News has reached out to IBM, and we will update the article as more information becomes available.

Update:

An IBM spokesperson told The Hacker News that “a process error resulted in an improper response to the researcher who reported this situation to IBM. We have been working on mitigation steps and they will be discussed in a security advisory to be issued.”