Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Management & Strategy

IBM Tells Researcher It Will Not Patch Serious Data Risk Manager Flaws

A security researcher says IBM has told him that it would not be patching several vulnerabilities found in its Data Risk Manager product, despite demonstrating that they can be exploited by a remote, unauthenticated attacker to execute arbitrary code with root privileges. [UPDATE BELOW]

A security researcher says IBM has told him that it would not be patching several vulnerabilities found in its Data Risk Manager product, despite demonstrating that they can be exploited by a remote, unauthenticated attacker to execute arbitrary code with root privileges. [UPDATE BELOW]

Pedro Ribeiro of Agile Information Security has disclosed technical information for a total of four zero-day vulnerabilities affecting IBM Data Risk Manager, an enterprise security solution that “provides executives and their teams a business-consumable data risk control center that helps to uncover, analyze, and visualize data-related business risks so they can take action to protect their business.”

The vulnerabilities include authentication bypass, command injection, default password, and arbitrary file download issues. Ribeiro warned that a remote, unauthenticated attacker could chain the first three vulnerabilities to execute arbitrary code as root. Moreover, an attacker could combine the authentication bypass and arbitrary file download flaws to download files from the targeted system.

The security holes were reported to IBM through CERT/CC, but the vendor said it had assessed the report and closed it for being out of scope for its vulnerability disclosure program “since this product is only for ‘enhanced’ support paid for by our customers.”

Ribeiro says he does not understand the company’s explanation for not accepting his report and he is baffled by the decision.

“This is an unbelievable response by IBM, a multi billion dollar company that is selling security enterprise products and security consultancy to huge corporations worldwide. They refused to accept a free high quality vulnerability report on one of their products […],” the researcher noted.

SecurityWeek has reached out to IBM for comment and will update this article if the company responds. IBM has a bug bounty program, but currently it’s not offering any monetary rewards for vulnerabilities found in its products.

In addition to the technical details, Ribeiro released two Metasploit modules that exploit the vulnerabilities for remote code execution and arbitrary file downloading.

The researcher says he has conducted his tests on a Data Risk Manager Linux virtual appliance version 2.0.3. The latest version is 2.0.6, but Ribeiro believes this version is affected as well as it has been available since before his report to IBM and its changelog does not mention anything about vulnerabilities being fixed.

UPDATE: Minutes after this article was published, IBM provided the following statement to SecurityWeek:

“A process error resulted in an improper response to the researcher who reported this situation to IBM. We have been working on mitigation steps and they will be discussed in a security advisory to be issued.”

UPDATE 2: IBM has published an advisory. The company says the command injection and file download vulnerabilities have already been patched in version 2.0.4. 

Related: Flaws in IBM QRadar Allow Remote Command Execution

Related: IBM Patches XSS Flaws in InfoSphere BigInsights

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.