Oh no, you're thinking, yet another cookie pop-up. Well, sorry, it's the law. We measure how many people read us, and ensure you see relevant ads, by storing cookies on your device. If you're cool with that, hit “Accept all Cookies”. For more info and to customize your settings, hit “Customize Settings”.

Review and manage your consent

Here's an overview of our use of cookies, similar technologies and how to manage them. You can also change your choices at any time, by hitting the “Your Consent Options” link on the site's footer.

Manage Cookie Preferences
  • These cookies are strictly necessary so that you can navigate the site as normal and use all features. Without these cookies we cannot provide you with the service that you expect.

  • These cookies are used to make advertising messages more relevant to you. They perform functions like preventing the same ad from continuously reappearing, ensuring that ads are properly displayed for advertisers, and in some cases selecting advertisements that are based on your interests.

  • These cookies collect information in aggregate form to help us understand how our websites are being used. They allow us to count visits and traffic sources so that we can measure and improve the performance of our sites. If people say no to these cookies, we do not know how many people have visited and we cannot monitor performance.

See also our Cookie policy and Privacy policy.

This article is more than 1 year old

IBM == Insecure Business Machines: No-auth remote root exec exploit in Data Risk Manager drops after Big Blue snubs bug report

IT giant admits it made 'a process error, improper response' to flaw finder

IBM has acknowledged that it mishandled a bug report that identified four vulnerabilities in its enterprise security software, and plans to issue an advisory.

IBM Data Risk Manager offers security-focused vulnerability scanning and analytics, to help businesses identify weaknesses in their infrastructure. At least some versions of the Linux-powered suite included four exploitable holes, identified and, at first, privately disclosed by security researcher Pedro Ribeiro at no charge. Three are considered to be critical, and one is high risk.

The software flaws can be chained together to achieve unauthenticated remote code execution as root on a vulnerable installation, as described in an advisory Ribeiro published today on GitHub.

Prior to going public, Ribeiro had tried to get CC/CERT to privately coordinate responsible disclosure with IBM, but Big Blue refused to accept the bug report. He said the mainframe giant replied thus: "We have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for 'enhanced' support paid for by our customers."

"This is an unbelievable response by IBM, a multi-billion dollar company that is selling security enterprise products and security consultancy to huge corporations worldwide," said Ribeiro in his disclosure.

IBM

Bad cup of Java leaves nasty taste in IBM Watson's 'AI' mouth: Five security bugs to splat in analytics gear

READ MORE

The vulnerabilities consist of authentication bypass, command injection, insecure default password, and arbitrary file download. Using the first three, an unauthenticated remote user can run arbitrary code, and there's now a Metasploit module to do so. Vulnerabilities one and four allow an unauthenticated attacker to download arbitrary files from the system. There's also a Metasploit module for that attack chain.

The flaws don't yet have CVE designations, and as far as we can tell, no patches nor updates to address the holes are available right now. The first three have been confirmed to affect IBM Data Risk Manager 2.0.1 to 2.0.3. Ribeiro believes versions 2.0.4 to 2.0.6, the latest release, are also vulnerable but that has not been confirmed. The fourth affects IDRM 2.0.2 and 2.0.3, and possibly 2.0.4 to 2.0.6. The Register asked IBM whether 2.0.6 is affected but IBM's spokesperson did not respond.

IBM however did say that it had fumbled the report. "A process error resulted in an improper response to the researcher who reported this situation to IBM," a company spokesperson told The Register. "We have been working on mitigation steps and they will be discussed in a security advisory to be issued."

Ribeiro dismissed IBM's response in an email to The Register. "Well, what can I say," he said. "It's a joke right? I think it's pretty sad that I have to disclose a zero-day and shame them publicly to get them to patch critical vulnerabilities in a security product, while they sell themselves as an elite company providing security services."

"Like I said in my advisory, I was just looking to disclose it to them without asking anything in return except a mention when the vulnerability was fixed. Having said that, I also think it's pretty sad that a multi-billion dollar company like IBM can't scrounge a few dollars to pay security researchers despite being part of HackerOne."

As Riberio observed in his advisory, IBM's vulnerability reward program offers no cash awards, only kudos. ®

 

Similar topics

TIP US OFF

Send us news


Other stories you might like