Researcher Found Four Zero-Day Vulnerabilities in IBM Security Product

IBM Data Risk Manager

Four Zero-Days in IBM Security Product

Cybersecurity researcher Pedro Ribeiro of Agile Information Security has published four zero-day vulnerabilities in IBM's Data Risk Manager (IDRM) security product. He released the full proof-of-concept details after IBM declined to accept the report and patch the flaws.

According to the researcher, the vulnerabilities are remotely exploitable and, chained together, give an unauthenticated attacker root on the appliance, so they need to be patched.

IBM declined and replied:

we have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for "enhanced" support paid for by our customers. This is outlined in our policy https://hackerone.com/ibm. To be eligible to participate in this program, you must not be under contract to perform security testing for IBM Corporation, or an IBM subsidiary, or IBM client within 6 months prior to submitting a report.


IBM Data Risk Manager (IDRM) is an enterprise security software by IBM that aggregates and provides a full view of all the enterprise security risks, akin to an electronic risk register.

The product receives information feeds from vulnerability scanners and other risk management software, aggregates them, and allows a user to investigate them and perform comprehensive analysis.

The IDRM Linux virtual appliance was analysed and it was found to contain four vulnerabilities, three critical risk and one high risk:

  1. Authentication Bypass
  2. Command Injection
  3. Insecure Default Password
  4. Arbitrary File Download

This advisory describes the four vulnerabilities and the steps necessary to chain the first three to achieve unauthenticated remote code execution as root. In addition, two Metasploit modules that bypass authentication and exploit the remote code execution and arbitrary file download are being released to the public.

The full proof-of-concept details are published on GitHub.

Details of the four zero-day vulnerabilities follow.

#1: Authentication Bypass

  • CWE-287: Improper Authentication
  • CVE-TODO (not assigned yet)
  • Risk Classification: Critical
  • Attack Vector: Remote
  • Constraints: None / N/A
  • Affected Products / Versions:
    IBM Data Risk Manager 2.0.1 to 2.0.3 confirmed to be vulnerable
    IBM Data Risk Manager 2.0.4 to 2.0.6 likely to be vulnerable

Details:

IDRM has an API endpoint at /albatross/saml/idpSelection that associates an ID provided by the attacker with a valid user on the system. Because the ID is chosen by the unauthenticated client rather than issued by the server, the resulting binding lets the attacker act as that user without knowing any password, which is why this is classed as an authentication bypass with no constraints.

#2: Command Injection

  • CWE-77: Command Injection
  • CVE-TODO (not assigned yet)
  • Risk Classification: Critical
  • Attack Vector: Remote
  • Constraints: Authentication Required
  • Affected Products / Versions:
    IBM Data Risk Manager 2.0.1 to 2.0.3 confirmed to be vulnerable
    IBM Data Risk Manager 2.0.4 to 2.0.6 likely to be vulnerable

Details:

IDRM exposes an API at /albatross/restAPI/v2/nmap/run/scan that allows an authenticated user to perform nmap scans. Input supplied by the caller reaches the command line without adequate sanitisation, so the caller can inject arbitrary shell commands that run with the privileges of the application. Authentication is required, but vulnerability #1 supplies it.
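To show the bug class behind #2 rather than IDRM's own handler (the appliance is a Java application and its code is not reproduced in the advisory), here is an added Python example, not code from the advisory or from IBM: a scan wrapper built the vulnerable way, with the target interpolated into a shell command string, next to a hardened version that validates the target and passes an argv list with no shell involved. The nmap path, the port range and the validation rules are assumptions made for the example.

```python
"""Command injection in an nmap-wrapping API: vulnerable vs. hardened.

Added illustration of the bug class; this is not IDRM's code.  The nmap
path, port range and validation rules are assumptions for the example.
"""
import ipaddress
import re
import shlex
import subprocess
from typing import List

NMAP = "/usr/bin/nmap"  # assumed install path

# RFC 1123 host name: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def vulnerable_command(target: str) -> str:
    """The vulnerable pattern: a request value is interpolated into a shell
    command string that is later run with shell=True."""
    return f"{NMAP} -sV -p 1-1024 {target}"


def shell_tokens(cmd: str) -> List[str]:
    """Tokenise the string the way /bin/sh would, so that ';', '|', '&' and
    '(' become separate words.  With target '10.0.0.1; id' the second
    command 'id' shows up as its own token: that is the injection."""
    return list(shlex.shlex(cmd, posix=True, punctuation_chars=True))


def validate_target(target: str) -> str:
    """Hardened input check: accept only an IP address, a CIDR range or a
    DNS host name.  Shell metacharacters cannot pass any of the three, and
    neither can a leading '-' that would otherwise become an nmap option."""
    for parse in (ipaddress.ip_address,
                  lambda t: ipaddress.ip_network(t, strict=False)):
        try:
            return str(parse(target))
        except ValueError:
            pass
    if _HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"rejected scan target: {target!r}")


def is_valid_target(target: str) -> bool:
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def safe_argv(target: str, ports: str = "1-1024") -> List[str]:
    """Build an argv list.  No shell parses it, so a metacharacter in the
    target would reach nmap as a literal string (and validate_target
    rejects it before that anyway)."""
    if not re.fullmatch(r"[0-9,-]{1,64}", ports):
        raise ValueError(f"rejected port spec: {ports!r}")
    return [NMAP, "-sV", "-p", ports, validate_target(target)]


def run_scan(target: str, ports: str = "1-1024") -> subprocess.CompletedProcess:
    """Run the hardened form.  shell=False is the default but is spelled out
    to make the point; the wrapper should also run as an unprivileged user,
    since a -sV scan does not need root."""
    return subprocess.run(safe_argv(target, ports), shell=False,
                          capture_output=True, text=True, timeout=600)


if __name__ == "__main__":
    print(shell_tokens(vulnerable_command("10.0.0.1; id")))
    print(safe_argv("10.0.0.1") if is_valid_target("10.0.0.1") else "rejected")
    print("rejected" if not is_valid_target("10.0.0.1; id") else "accepted")
```

The argv form alone already defeats injection through the shell; the validator is still worth having because nmap itself accepts option-like targets (a value starting with "-") and input files, so a scanner wrapper should never let the caller choose anything but the host list.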

#3: Insecure Default Password

  • CWE-798: Use of Hard-coded Credentials
  • CVE-TODO (not assigned yet)
  • Risk Classification: Critical
  • Attack Vector: Remote
  • Constraints: None / N/A
  • Affected Products / Versions:
    IBM Data Risk Manager 2.0.1 to 2.0.3 confirmed to be vulnerable
    IBM Data Risk Manager 2.0.4 to 2.0.6 likely to be vulnerable

Details:

The administrative user in the IDRM virtual appliance is “a3user”. This user is allowed to login via SSH and run sudo commands, and it is set up with a default password of “idrm”.

When combined with vulnerabilities #1 and #2, this allows an unauthenticated attacker to achieve remote code execution as root on the IDRM virtual appliance, leading to complete system compromise.

While IDRM forces the administrative user of the web interface (“admin”) to change its password upon first login, it does not require the same of “a3user”.

#4: Arbitrary File Download

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  • CVE-TODO (not assigned yet)
  • Risk Classification: High
  • Attack Vector: Remote
  • Constraints: Authentication Required
  • Affected Products / Versions:
    IBM Data Risk Manager 2.0.2 and 2.0.3 confirmed to be vulnerable
    IBM Data Risk Manager 2.0.4 to 2.0.6 likely to be vulnerable

Details:

IDRM exposes an API at /albatross/eurekaservice/fetchLogFiles that allows an authenticated user to download log files from the system. However, the logFileNameList parameter contains a basic directory traversal flaw that allows an attacker to download any file from the system that the application process can read.
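The traversal in #4 is the usual "join the request value onto the log directory" mistake. The following is an added Python example, not IDRM's code (the real handler is Java and is not reproduced in the advisory), showing the vulnerable join beside a hardened resolver that only serves a bare file name whose resolved path still sits directly inside the log directory, which also catches symlinks that escape it. The log directory name and the files it creates are constructed for the demo.

```python
"""Arbitrary file download via path traversal: vulnerable vs. hardened.

Added illustration of the bug class, not IDRM's code.  The log directory
and the file names are constructed for the example.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def vulnerable_path(log_dir: str, name: str) -> str:
    """The vulnerable pattern: join the request value onto the directory and
    open the result.  '../../etc/passwd' walks out of log_dir, and an absolute
    name such as '/etc/passwd' makes os.path.join discard log_dir entirely."""
    return os.path.normpath(os.path.join(log_dir, name))


def safe_log_path(log_dir: str, name: str) -> Optional[Path]:
    """Return the file to serve, or None if the request must be refused.

    Checks, in order: the name is a bare file name (no separators, not '.'
    or '..'); the resolved path (symlinks followed) still has log_dir as its
    parent.  Comparing Path objects instead of string prefixes avoids the
    classic bug where '/var/log' is accepted as a prefix of '/var/logs/x'."""
    if not name or name in (".", "..") or name != os.path.basename(name):
        return None
    base = Path(log_dir).resolve()
    candidate = (base / name).resolve()
    if candidate.parent != base:
        return None  # a symlink inside log_dir pointing elsewhere ends up here
    return candidate


def fetch_log_files(log_dir: str, names: List[str]) -> Dict[str, Optional[Path]]:
    """Model of a fetchLogFiles-style handler that takes a list of names:
    each entry is resolved on its own; refused entries map to None."""
    return {n: safe_log_path(log_dir, n) for n in names}


def run_demo() -> Dict[str, bool]:
    """Build a throwaway tree and report which requests were served.
    Layout (constructed): <tmp>/logs/app.log (legitimate),
    <tmp>/secret.txt (outside the log dir) and
    <tmp>/logs/evil.log -> ../secret.txt (symlink escape)."""
    with tempfile.TemporaryDirectory() as tmp:
        logs = Path(tmp) / "logs"
        logs.mkdir()
        (logs / "app.log").write_text("ok\n")
        (Path(tmp) / "secret.txt").write_text("outside\n")
        os.symlink("../secret.txt", logs / "evil.log")
        requests = ["app.log", "../secret.txt", "/etc/passwd",
                    "evil.log", "..", "sub/app.log"]
        served = fetch_log_files(str(logs), requests)
        return {n: p is not None for n, p in served.items()}


if __name__ == "__main__":
    print(vulnerable_path("/opt/idrm/logs", "../../../etc/passwd"))
    print(vulnerable_path("/opt/idrm/logs", "/etc/passwd"))
    for name, ok in run_demo().items():
        print(f"{name!r}: {'served' if ok else 'refused'}")
```

The basename check rejects every traversal the advisory's parameter could carry, but on its own it would still serve a file through a symlink planted in the log directory; resolving the candidate and comparing its parent closes that hole, which is why both checks are kept.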

Solutions:

IBM declined to accept the vulnerability report, so at the time of writing no fix is expected. The researcher's advice is to uninstall the product so it does not endanger your network or company. If it cannot be removed immediately, at minimum change the default "a3user" password, restrict SSH and the web interface to trusted networks, and treat any IDRM appliance that has been reachable from untrusted networks as potentially compromised.
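Until the appliance is removed, the one compensating control that costs nothing is to watch the web access log in front of it for the three endpoints the advisory names. The following is an added Python example, not code from the advisory or from IBM: it parses constructed combined-format log lines (as a reverse proxy in front of the appliance would write them; the HTTP methods shown are assumed, since the advisory does not state them) and raises an alert for any request to the authentication-bypass and nmap endpoints, and for a fetchLogFiles request whose logFileNameList carries a traversal or an absolute path.

```python
"""Access-log detection for the IDRM endpoints named in the advisory.

Added example of a compensating control, not code from the advisory.
SAMPLE_LOG is constructed; the HTTP methods are assumed.
"""
import re
from typing import Dict, Iterable, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format (not real IDRM logs).
SAMPLE_LOG = """\
203.0.113.5 - - [21/Apr/2020:10:01:02 +0000] "GET /albatross/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Apr/2020:10:01:07 +0000] "POST /albatross/saml/idpSelection HTTP/1.1" 302 0 "-" "python-requests/2.23"
203.0.113.5 - - [21/Apr/2020:10:01:09 +0000] "POST /albatross/restAPI/v2/nmap/run/scan HTTP/1.1" 200 88 "-" "python-requests/2.23"
203.0.113.5 - - [21/Apr/2020:10:01:15 +0000] "GET /albatross/eurekaservice/fetchLogFiles?logFileNameList=../../../../etc/shadow HTTP/1.1" 200 1420 "-" "python-requests/2.23"
10.0.0.8 - - [21/Apr/2020:10:02:00 +0000] "GET /albatross/eurekaservice/fetchLogFiles?logFileNameList=app.log,idrm.log HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
203.0.113.5 - - [21/Apr/2020:10:02:31 +0000] "GET /albatross/eurekaservice/fetchLogFiles?logFileNameList=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2105 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoints from the advisory, keyed by path, with the reason to alert.
WATCHED = {
    "/albatross/saml/idpSelection": "authentication bypass endpoint (#1)",
    "/albatross/restAPI/v2/nmap/run/scan": "command injection endpoint (#2)",
    "/albatross/eurekaservice/fetchLogFiles": "arbitrary file download endpoint (#4)",
}


def is_traversal(name: str) -> bool:
    """True for an absolute path or any '..' segment.  Decodes twice so that
    %2e%2e and a double-encoded %252e%252e are both caught; backslashes are
    folded to '/' in case the handler accepts them as separators."""
    decoded = unquote(unquote(name)).replace("\\", "/")
    return decoded.startswith("/") or any(seg == ".." for seg in decoded.split("/"))


def inspect_line(line: str) -> List[Dict[str, str]]:
    """Return zero or one alert for a single log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m["url"])
    reason = WATCHED.get(parts.path)
    if reason is None:
        return []
    if parts.path.endswith("/fetchLogFiles"):
        # Log download is a legitimate feature; alert only on a bad name.
        names: List[str] = []
        for value in parse_qs(parts.query).get("logFileNameList", []):
            names.extend(value.split(","))
        bad = [n for n in names if is_traversal(n)]
        if not bad:
            return []
        reason = f"path traversal in logFileNameList: {bad}"
    return [{"src": m["src"], "ts": m["ts"], "path": parts.path,
             "status": m["status"], "reason": reason}]


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    return [alert for line in lines for alert in inspect_line(line)]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(f"{alert['ts']} {alert['src']} {alert['path']} -> {alert['reason']}")
```

Two caveats when running this against real logs: an access log does not record POST bodies, so the nmap endpoint is flagged on any hit rather than on a proven payload, and /albatross/saml/idpSelection may be touched legitimately if SAML single sign-on is configured, so a hit there from an unexpected source is a lead to investigate rather than proof of exploitation.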

More from Priyanshu Sahay