SECURITY
SECURITY
SECURITY
Four serious security vulnerabilities found in IBM Data Risk Manager
Four serious security vulnerabilities have been found in International Business Machine Corp.’s Data Risk Manager that can allow hackers to execute unauthenticated remote code — and there’s no patch yet available.
IBM Data Risk Manager, previously known as Agile 3 Solutions, is a software platform that aggregates data from different systems across an organization to determine associated risks.
The vulnerabilities were discovered and publicized today by security researcher Pedro Ribeiro from Agile Information Security. They include an authentication bypass, command injection, insecure default password and arbitrary file download. The first three vulnerabilities can be combined to allow a remote attacker to gain full system access, while the fourth one is a “path traversal” bug that allows an attacker to download any file off a system.
“IDRM is an enterprise security product that handles very sensitive information,” Ribeiro explained. “A compromise of such a product might lead to a full-scale company compromise, as the tool has credentials to access other security tools, not to mention it contains information about critical vulnerabilities that affect the company.”
Ribeiro claims that he worked with the CERT/CC team to report the issues to IBM through its bug bounty program, but IBM refused to accept the bug disclosure because it apparently didn’t fall within its guidelines.
“We have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for ‘enhanced’ support paid for by our customers,” IBM said in response to the bug report. “This is outlined in our policy https://hackerone.com/ibm. To be eligible to participate in this program, you must not be under contract to perform security testing for IBM Corporation, or an IBM subsidiary, or IBM client within 6 months prior to submitting a report.”
Having failed to gain a response from IBM, Ribeiro decided to publish the details of the vulnerabilities in an effort to get IBM to act on them. IBM has since responded to the disclosure, saying that “a process error resulted in an improper response to the researcher who reported this situation to IBM. We have been working on mitigation steps and they will be discussed in a security advisory to be issued.”
Now that IBM is on the case, it’s likely that patch or at the least mitigation options may be forthcoming soon.
Image: IBM
A message from John Furrier, co-founder of SiliconANGLE:
Support our open free content by sharing and engaging with our content and community.
Join theCUBE Alumni Trust Network
Where Technology Leaders Connect, Share Intelligence & Create Opportunities
11.4k+
CUBE Alumni Network
C-level and Technical
Domain Experts
15M+
theCUBE
Viewers
Connect with 11,413+ industry leaders from our network of tech and business leaders forming a unique trusted network effect.
SiliconANGLE Media is a recognized leader in digital media innovation serving innovative audiences and brands, bringing together cutting-edge technology, influential content, strategic insights and real-time audience engagement. As the parent company of SiliconANGLE, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — such as those established in Silicon Valley and the New York Stock Exchange (NYSE) — SiliconANGLE Media operates at the intersection of media, technology, and AI. .
Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a powerful ecosystem of industry-leading digital media brands, with a reach of 15+ million elite tech professionals. The company’s new, proprietary theCUBE AI Video cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.
