IBM has acknowledged that it mishandled a bug report that identified four vulnerabilities in its enterprise security software, and plans to issue an advisory.
IBM Data Risk Manager offers security-focused vulnerability scanning and analytics, to help businesses identify weaknesses in their infrastructure. At least some versions of the Linux-powered suite included four exploitable holes, identified and, at first, privately disclosed by security researcher Pedro Ribeiro at no charge. Three are considered to be critical, and one is high risk.
The software flaws can be chained together to achieve unauthenticated remote code execution as root on a vulnerable installation, as described in an advisory Ribeiro published today on GitHub.
Prior to going public, Ribeiro had tried to get CC/CERT to privately coordinate responsible disclosure with IBM, but Big Blue refused to accept the bug report. He said the mainframe giant replied thus: "We have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for 'enhanced' support paid for by our customers."
"This is an unbelievable response by IBM, a multi-billion dollar company that is selling security enterprise products and security consultancy to huge corporations worldwide," said Ribeiro in his disclosure.
Bad cup of Java leaves nasty taste in IBM Watson's 'AI' mouth: Five security bugs to splat in analytics gearREAD MORE
The vulnerabilities consist of authentication bypass, command injection, insecure default password, and arbitrary file download. Using the first three, an unauthenticated remote user can run arbitrary code, and there's now a Metasploit module to do so. Vulnerabilities one and four allow an unauthenticated attacker to download arbitrary files from the system. There's also a Metasploit module for that attack chain.
The flaws don't yet have CVE designations, and as far as we can tell, no patches nor updates to address the holes are available right now. The first three have been confirmed to affect IBM Data Risk Manager 2.0.1 to 2.0.3. Ribeiro believes versions 2.0.4 to 2.0.6, the latest release, are also vulnerable but that has not been confirmed. The fourth affects IDRM 2.0.2 and 2.0.3, and possibly 2.0.4 to 2.0.6. The Register asked IBM whether 2.0.6 is affected but IBM's spokesperson did not respond.
IBM however did say that it had fumbled the report. "A process error resulted in an improper response to the researcher who reported this situation to IBM," a company spokesperson told The Register. "We have been working on mitigation steps and they will be discussed in a security advisory to be issued."
Ribeiro dismissed IBM's response in an email to The Register. "Well, what can I say," he said. "It's a joke right? I think it's pretty sad that I have to disclose a zero-day and shame them publicly to get them to patch critical vulnerabilities in a security product, while they sell themselves as an elite company providing security services."
"Like I said in my advisory, I was just looking to disclose it to them without asking anything in return except a mention when the vulnerability was fixed. Having said that, I also think it's pretty sad that a multi-billion dollar company like IBM can't scrounge a few dollars to pay security researchers despite being part of HackerOne."