Disclosed: 4 IBM zero-days Bugs after company refused to patch

A cybersecurity researcher has published details and PoC for 4 unpatched zero-day vulnerabilities impacting an IBM security product after the company refused to acknowledge the responsibly submitted disclosure.

The bugs impact the IBM Data Risk Manager (IDRM), an enterprise security tool that has been designed to analyze sensitive business information assets. It aggregates feeds from vulnerability scanning tools and other risk management tools to let admins investigate security issues.

According to firm, IDRM contains three critical severity vulnerabilities and a high impact bug, which can be exploited by an unauthenticated attacker, and when chained together could also lead to remote code execution as root. The details are published on GitHub.

The four issues, as reported, are:

  • Authentication Bypass
  • Command Injection
  • Insecure Default Password
  • Arbitrary File Download

The flaws against IDRM are present in version 2.0.1 to 2.0.3, but believe they also work through 2.0.4 to the newest version 2.0.6 because "there is no mention of fixed vulnerabilities in any change log."

All four bugs are remotely exploitable. If the IDRM appliance is exposed online, attacks can be carried out over the internet.  However, even if the IDRM is not exposed online, an attacker who has access to a workstation on a company's internal network can chain the four bugs together to take over the IDRM appliance, extract credentials for other systems, and move laterally to other systems on the company's network.

Critical Zero-Day Vulnerabilities in IDRM

 

In brief, the authentication bypass flaw exploits a logical error in the session ID feature to reset the password for any existing account, including the administrator.

 

The command injection flaw resides in the way IBM's enterprise security software lets users perform network scans using Nmap scripts, which apparently can be equipped with malicious commands when supplied by attackers.

According to the vulnerability disclosure, to SSH and run sudo commands, IDRM virtual appliance also has a built-in administrative user with username "a3user" and default password of "idrm," could let remote attackers take complete control over the targeted systems.

 

The last vulnerability resides in an API endpoint that allows authenticated users to download log files from the system.

 

Besides technical details, the researcher has also released two Metasploit modules for authentication bypass, remote code execution, and arbitrary file download issues.

 

Recommendations:

  •  It is recommended that customers upgrade to the most current IDRM version 2.0.6.
  •  Existing customers may download the current version via IBM Passport Advantage   at https://www.ibm.com/software/passportadvantage/pacustomers.html