Four serious security vulnerabilities have been found in International Business Machine Corp.’s Data Risk Manager that can allow hackers to execute unauthenticated remote code — and there’s no patch yet available.

IBM Data Risk Manager, previously known as Agile 3 Solutions, is a software platform that aggregates data from different systems across an organization to determine associated risks.

The vulnerabilities were discovered and publicized today by security researcher Pedro Ribeiro from Agile Information Security. They include an authentication bypass, command injection, insecure default password and arbitrary file download. The first three vulnerabilities can be combined to allow a remote attacker to gain full system access, while the fourth one is a “path traversal” bug that allows an attacker to download any file off a system.

“IDRM is an enterprise security product that handles very sensitive information,” Ribeiro explained. “A compromise of such a product might lead to a full-scale company compromise, as the tool has credentials to access other security tools, not to mention it contains information about critical vulnerabilities that affect the company.”

Ribeiro claims that he worked with the CERT/CC team to report the issues to IBM through its bug bounty program, but IBM refused to accept the bug disclosure because it apparently didn’t fall within its guidelines.

“We have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for ‘enhanced’ support paid for by our customers,” IBM said in response to the bug report. “This is outlined in our policy https://hackerone.com/ibm. To be eligible to participate in this program, you must not be under contract to perform security testing for IBM Corporation, or an IBM subsidiary, or IBM client within 6 months prior to submitting a report.”

Having failed to gain a response from IBM, Ribeiro decided to publish the details of the vulnerabilities in an effort to get IBM to act on them. IBM has since responded to the disclosure, saying that “a process error resulted in an improper response to the researcher who reported this situation to IBM. We have been working on mitigation steps and they will be discussed in a security advisory to be issued.”

Now that IBM is on the case, it’s likely that patch or at the least mitigation options may be forthcoming soon.

Image: IBM