What did it take for stubborn IBM to fix flaws in its Data Risk Manager security software? Someone dropping zero-days • The Register


IBM is under fire for refusing to patch critical vulnerabilities in its Data Risk Manager product until exploit code was publicly disclosed.

In what seems a shortsighted move, when a proactive approach may have been better, Big Blue turned down a privately disclosed report of flaws in its enterprise security software – only to issue fixes after details of the holes emerged online.

Three of the four vulnerabilities – CVE-2020-4427, CVE-2020-4428, and CVE-2020-4429 – can be combined to potentially achieve unauthenticated remote code execution as root on vulnerable installations. This is possible if the user account a3user's default password of idrm has not been changed, and administrators are not prompted to do so. The fourth vulnerability, CVE-2020-4430, can be abused to download arbitrary files from the system.

They were discovered by Pedro Ribeiro of Agile Information Security, who privately tipped off IBM of the weaknesses. When Big Blue snubbed his report, he went public with the details on April 21, and his exploit code was added to the popular Metasploit framework a few days later for anyone to use. About a week later, on May 7, the IT titan issued versions 2.0.4.1 and 2.0.6.2 of Data Risk Manager said to address the reported flaws.

IBM also told customers that, for the exploit to work, SAML authentication needed to be enabled, and this is not enabled by default. Ribeiro said this claim was “total bull****” because, according to his research, the authentication method is enabled on production deployments.

When Ribeiro earlier tried to coordinate disclosure with IBM and the US govt-funded CERT Coordination Center, he said Big Blue responded by saying the software was out of scope for its HackerOne-hosted bug-bounty program, due to being in extended support mode:

Ribeiro said he wasn’t interested in a bounty – not that Big Blue pays out actual cash for reported flaws – rather, he just wanted IBM to take his findings seriously and address the programming blunders in its product.

“This is an unbelievable response by IBM, a multi-billion dollar company that is selling security enterprise products and security consultancy to huge corporations worldwide,” Ribeiro thundered this month. “They refused to accept a free high-quality vulnerability report on one of their products.

“I did not ask or expect a bounty since I do not have a HackerOne account and I don’t agree with HackerOne’s or IBM’s disclosure terms there. I simply wanted to disclose these to IBM responsibly and let them fix it.”

That refusal led to Ribeiro emitting, essentially, zero-day exploits for IBM’s Data Risk Manager, which spurred the tech giant into addressing its flawed code.

“IBM’s DRM is an enterprise security product that handles very sensitive information,” he continued. “The hacking of an IDRM appliance might lead to a full-scale company compromise, as it stores credentials to access other security tools, not to mention it contains information about critical vulnerabilities that affect the company.

“Why did IBM refuse to accept a free detailed vulnerability report?”

The Register has asked Big Blue for its side of the story, and we will let you know if it gets back to us. ®
