IBM information disclosure

Agile Information Security’s lead researcher and a well-known bug hunter regularly involved in hacking events such as Pwn2Own, Pedro Ribeiro has posted on GitHub the details of four zero-day vulnerabilities for the IBM Data Risk Manager (IDRM) enterprise security tool.

IBM itself describes this product as “a data leakage risk management center that allows managers and any other employees to identify, analyze and visualize data leakage risks without special training, and take the necessary actions to protect the business.”

Ribeiro writes that he discovered four errors in IDRM and actively collaborated with CERT / CC specialists, trying to convey information about bugs to IBM engineers through an official vulnerability disclosure program. However, despite the severity of the errors found, IBM refused to accept the expert report, sending a strange answer:

“We evaluated this report and closed it outside the scope of our vulnerability disclosure program, because this product is intended only for“ extended ”support paid by our customers. This is stated in the rules. To be eligible to participate in this program, you must not be contracted to perform security testing for IBM, its subsidiaries, or IBM customers for six months prior to submitting the report. ”

Ribeiro admits that he still does not understand what this answer means. The researcher asks many questions: why did IBM refuse to accept its free-of-charge vulnerability report? Does this mean that in this case, the company accepts reports only from its customers? Or maybe this product is not supported? But then, why is it still being sold to new customers, and why is the company behaving so irresponsibly?

Having failed to get an answer and reaction from IBM, the researcher published information on open access issues so that companies using IDRM could take measures to prevent attacks. All vulnerabilities found by the expert can be used remotely and are as follows:

  • IDRM authentication bypass
  • The ability to inject commands in one of the IDRM APIs, which allows attackers to run their own commands in the application;
  • Hard-coded credentials: a3user / idrm;
  • Vulnerability in the IDRM API, which allows remote attackers to download any files.

In addition to a detailed description of the problems, two Metasploit modules have been published that exploit authentication bypass and provide remote code execution, as well as downloading arbitrary files.

Only after the information about the four 0-days came to the media yesterday, IBM representatives finally drew attention to Ribeiro and the problems he found.

The company said that an error occurred: the researcher should not have received such a strange answer, and the vulnerabilities discovered by him should not have been left unattended.

The company now reports that command injection vulnerabilities that threatened IBM Data Risk Manager versions 2.0.1, 2.0.2, and 2.0.3 were fixed in version 2.0.4. This version also solved the problem of downloading arbitrary files, which posed a threat to versions 2.0.2 and 2.0.3.

Hard-coded credentials that are active “out of the box” are still present in IDRM, but the company recalls that they need to be reset and changed during the first installation, according to the manual.

It is also reported that company engineers are studying the problem associated with authentication bypass in IDRM. Specialists promise to release patches and update recommendations to reduce risks in the near future.

Ribeiro commented on the belated reaction of the company to The Register reporters:

“It is very sad that I have to publicly disclose information about 0-day and publicly shame them in order to force me to fix critical vulnerabilities, while they advertise themselves as an elite company that provides security services.

As I already wrote in my report, I just wanted to inform them [about the problems] and did not ask for anything in return, except for mention of fixing the vulnerability. And by the way: I find it very sad that IBM, a multi-billion dollar company, is not able to scrape together a few dollars to pay information security researchers, although it is presented at HackerOne. ”

The expert’s last rebuke is that the IBM vulnerability reward program does not imply any cash rewards, only honor and gratitude.