2020-04-21
Image: IBM

A security researcher today released details of four zero-day vulnerabilities affecting an IBM security product after the company declined to patch the bugs following a private disclosure attempt.

The bugs affect IBM Data Risk Manager (IDRM), an enterprise security tool that aggregates feeds from vulnerability scanners and other risk management tools so that administrators can investigate security issues.

“IDRM is a business security product that manages very sensitive information,” said Pedro Ribeiro, director of research at Agile Information Security, who discovered the four bugs.

“A commitment to such a product may be a company-wide undertaking, as the tool has credentials for accessing other security tools, not to mention information on critical vulnerabilities affecting the company,” he added.

IBM declined to accept the bug reports

Ribeiro said he found four bugs in IDRM and worked with the CERT/CC team to report them to IBM through its official bug disclosure program.

The security researcher said that despite the severity of the four bugs he reported, IBM declined to accept the disclosure, in a response that appears to be nonsensical:

We have rated this report and closed it as out of scope for our vulnerability disclosure program, as this product provides only “enhanced” support that our customers pay for. This is described in our policy https://hackerone.com/ibm. To be eligible to participate in this program, you must not be contracted to perform security tests for IBM Corporation, an IBM affiliate, or an IBM customer within six months of submitting a report.

The researcher said that to this day he still does not understand what the answer meant, and he still has questions, such as:

“Why did IBM refuse to accept a FREE detailed vulnerability report?

“What does their response mean? Do they only accept vulnerability reports from clients?

“Or is the product unsupported? If so, why is it still being offered to new customers?

“How can they be so irresponsible while selling a business security product?”

“This is an incredible response from IBM, a $1 billion company that sells security consulting and security products to large corporations worldwide,” said Ribeiro.

ZDNet has reached out to IBM to clarify its answer and to find out whether this was a misunderstanding rather than a deliberate decision to leave IDRM unpatched despite the seriousness of the four issues. We will update this article if we hear back from the company.

Details released today on GitHub

Seeing that IBM was not interested in fixing the bugs, the researcher today published details of the four issues on GitHub so that companies using the product can mitigate attacks before they happen.

As reported, the four issues are:

A bypass of the IDRM authentication mechanism

A command injection point in one of the IDRM APIs that allows attackers to execute their own commands on the appliance

A hardcoded username and password combination (a3user / idrm)

An IDRM API vulnerability that could allow remote attackers to download files from the IDRM appliance

“This advisory describes the four vulnerabilities and the steps required to chain the first three to achieve non-rooted remote code execution,” said Ribeiro.

“In addition, two Metasploit modules are being released to the public, which bypass authentication and exploit the remote code execution and arbitrary file download.”

All four bugs are remotely exploitable, Ribeiro added. If an IDRM appliance is exposed online, attacks from the Internet are possible. However, these systems are usually not reachable from the Internet, which reduces the impact on organizations using IDRM.

However, even if IDRM is not exposed online, an attacker with access to a workstation on a company’s internal network can chain the four bugs together to take over IDRM, extract credentials for other systems, and move laterally across the company network.