IBM has admitted it mishandled a bug report identifying four vulnerabilities in one of its enterprise security products, and says it will publish an advisory.
IBM Data Risk Manager (IDRM) offers security-focused vulnerability scanning and analytics to help businesses find weaknesses in their infrastructure. At least some versions of the Linux-based suite contain four exploitable holes, found and publicly disclosed this week by security researcher Pedro Ribeiro. Three are rated critical and one high severity.
The flaws can be chained together to obtain unauthenticated remote code execution as root on a vulnerable installation, as described in an advisory Ribeiro posted today on GitHub.
Before going public, Ribeiro had tried to get CERT/CC to privately coordinate responsible disclosure with IBM, but Big Blue refused to accept the bug report. He said the mainframe giant told him: "We have assessed this report and concluded that it is beyond the scope of our vulnerability disclosure program, as this product is only intended for 'enhanced' support paid for by our customers."
"This is an incredible response from IBM, a multi-billion dollar company that sells enterprise security products and security consulting services to large companies around the world," said Ribeiro in his advisory.
The vulnerabilities are an authentication bypass, a command injection, an insecure default password, and an arbitrary file download. Chaining the first three lets an unauthenticated remote attacker execute arbitrary code, and there is now a Metasploit module that does exactly this. Vulnerabilities one and four together let an unauthenticated attacker download arbitrary files from the system; there is a Metasploit module for that chain as well.
The flaws do not yet have CVE identifiers, and as far as we can tell, no fixes or updates that close the holes are available at this time. The first three are confirmed to affect IBM Data Risk Manager 2.0.1 through 2.0.3. Ribeiro believes that versions 2.0.4 through 2.0.6, the latest release, are also vulnerable, but this has not been confirmed. The fourth affects IDRM 2.0.2 and 2.0.3, and possibly 2.0.4 through 2.0.6. The Register asked IBM whether version 2.0.6 is affected, but the company's spokesperson did not answer that question.
IBM has since said it mishandled the report. "A process error resulted in an incorrect response to the researcher who reported the situation to IBM," a company spokesperson told The Register. "We have worked on mitigation measures and they will be discussed in a security advisory to be published."
Ribeiro was unimpressed by IBM's response, telling The Register in an email: "Well, what can I say," he said. "It's a joke, isn't it? I think it's sad enough that I have to disclose a zero-day and shame them publicly to get them to fix critical vulnerabilities in a security product, while they sell themselves as an elite company providing security services."
"As I said in my advisory, I was just trying to disclose it to them without asking for anything in return, except for a mention when the vulnerability was fixed. Having said that, I also think it's pretty sad that a multi-billion-dollar company like IBM can't scrape together a few dollars to pay security researchers despite being a member of HackerOne."