IBM Tells Researcher It Will Not Patch Serious Data Risk Manager Flaws

A security researcher says IBM has told him that it would not be patching several vulnerabilities found in its Data Risk Manager product, despite demonstrating that they can be exploited by a remote, unauthenticated attacker to execute arbitrary code with root privileges. [UPDATE BELOW]

Pedro Ribeiro of Agile Information Security has disclosed technical information for a total of four zero-day vulnerabilities affecting IBM Data Risk Manager, an enterprise security solution that “provides executives and their teams a business-consumable data risk control center that helps to uncover, analyze, and visualize data-related business risks so they can take action to protect their business.”

The vulnerabilities include authentication bypass, command injection, default password, and arbitrary file download issues. Ribeiro warned that a remote, unauthenticated attacker could chain the first three vulnerabilities to execute arbitrary code as root. Moreover, an attacker could combine the authentication bypass and arbitrary file download flaws to download files from the targeted system.

The security holes were reported to IBM through CERT/CC, but the vendor said it had assessed the report and closed it for being out of scope for its vulnerability disclosure program “since this product is only for ‘enhanced’ support paid for by our customers.”

Ribeiro says he does not understand the company’s explanation for not accepting his report and he is baffled by the decision.

“This is an unbelievable response by IBM, a multi billion dollar company that is selling security enterprise products and security consultancy to huge corporations worldwide. They refused to accept a free high quality vulnerability report on one of their products […],” the researcher noted.

SecurityWeek has reached out to IBM for comment and will update this article if the company responds. IBM has a bug bounty program, but currently it’s not offering any monetary rewards for vulnerabilities found in its products.

In addition to the technical details, Ribeiro released two Metasploit modules that exploit the vulnerabilities for remote code execution and arbitrary file downloading.

The researcher says he has conducted his tests on a Data Risk Manager Linux virtual appliance version 2.0.3. The latest version is 2.0.6, but Ribeiro believes this version is affected as well as it has been available since before his report to IBM and its changelog does not mention anything about vulnerabilities being fixed.

UPDATE: Minutes after this article was published, IBM provided the following statement to SecurityWeek:

“A process error resulted in an improper response to the researcher who reported this situation to IBM. We have been working on mitigation steps and they will be discussed in a security advisory to be issued.”

UPDATE 2: IBM has published an advisory. The company says the command injection and file download vulnerabilities have already been patched in version 2.0.4. 

Related: Flaws in IBM QRadar Allow Remote Command Execution

Related: IBM Patches XSS Flaws in InfoSphere BigInsights