Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

IBM Tells Researcher It Will Not Patch Serious Data Risk Manager Flaws

A security researcher says IBM has told him that it would not be patching several vulnerabilities found in its Data Risk Manager product, despite demonstrating that they can be exploited by a remote, unauthenticated attacker to execute arbitrary code with root privileges. [UPDATE BELOW]

A security researcher says IBM has told him that it would not be patching several vulnerabilities found in its Data Risk Manager product, despite demonstrating that they can be exploited by a remote, unauthenticated attacker to execute arbitrary code with root privileges. [UPDATE BELOW]

Pedro Ribeiro of Agile Information Security has disclosed technical information for a total of four zero-day vulnerabilities affecting IBM Data Risk Manager, an enterprise security solution that “provides executives and their teams a business-consumable data risk control center that helps to uncover, analyze, and visualize data-related business risks so they can take action to protect their business.”

The vulnerabilities include authentication bypass, command injection, default password, and arbitrary file download issues. Ribeiro warned that a remote, unauthenticated attacker could chain the first three vulnerabilities to execute arbitrary code as root. Moreover, an attacker could combine the authentication bypass and arbitrary file download flaws to download files from the targeted system.

The security holes were reported to IBM through CERT/CC, but the vendor said it had assessed the report and closed it for being out of scope for its vulnerability disclosure program “since this product is only for ‘enhanced’ support paid for by our customers.”

Ribeiro says he does not understand the company’s explanation for not accepting his report and he is baffled by the decision.

“This is an unbelievable response by IBM, a multi billion dollar company that is selling security enterprise products and security consultancy to huge corporations worldwide. They refused to accept a free high quality vulnerability report on one of their products […],” the researcher noted.

SecurityWeek has reached out to IBM for comment and will update this article if the company responds. IBM has a bug bounty program, but currently it’s not offering any monetary rewards for vulnerabilities found in its products.

In addition to the technical details, Ribeiro released two Metasploit modules that exploit the vulnerabilities for remote code execution and arbitrary file downloading.

The researcher says he has conducted his tests on a Data Risk Manager Linux virtual appliance version 2.0.3. The latest version is 2.0.6, but Ribeiro believes this version is affected as well as it has been available since before his report to IBM and its changelog does not mention anything about vulnerabilities being fixed.

UPDATE: Minutes after this article was published, IBM provided the following statement to SecurityWeek:

“A process error resulted in an improper response to the researcher who reported this situation to IBM. We have been working on mitigation steps and they will be discussed in a security advisory to be issued.”

UPDATE 2: IBM has published an advisory. The company says the command injection and file download vulnerabilities have already been patched in version 2.0.4. 

Related: Flaws in IBM QRadar Allow Remote Command Execution

Related: IBM Patches XSS Flaws in InfoSphere BigInsights

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Funding/M&A

Twenty-one cybersecurity-related M&A deals were announced in December 2022.