IBM is under fire for refusing to patch critical vulnerabilities in its Data Risk Manager product until exploit code was publicly disclosed.
In what seems a shortsighted move, when a proactive approach may have been better, Big Blue turned down a privately disclosed report of flaws in its enterprise security software – only to issue fixes after details of the holes emerged online.
Three of the four vulnerabilities – CVE-2020-4427, CVE-2020-4428, and CVE-2020-4429 – can be combined to potentially achieve unauthenticated remote code execution as root on vulnerable installations. This is possible if the user account
a3user's default password of
idrm has not been changed, and administrators are not prompted to do so. The fourth vulnerability, CVE-2020-4430, can be abused to download arbitrary files from the system.
They were discovered by Pedro Ribeiro of Agile Information Security, who privately tipped off IBM of the weaknesses. When Big Blue snubbed his report, he went public with the details on April 21, and his exploit code was added to the popular Metasploit framework a few days later for anyone to use. About a week later, on May 7, the IT titan issued versions 188.8.131.52 and 184.108.40.206 of Data Risk Manager said to address the reported flaws.
IBM also told customers that, for the exploit to work, SAML authentication needed to be enabled, and this is not enabled by default. Ribeiro said this claim was "total bull****" because, according to his research, the authentication method is enabled on production deployments.
When Ribeiro earlier tried to coordinate disclosure with IBM and the US govt-funded CERT Coordination Center, he said Big Blue responded by saying the software was out of scope for its HackerOne-hosted bug-bounty program, due to being in extended support mode:
We have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for "enhanced" support paid for by our customers.
Ribeiro said he wasn't interested in a bounty – not that Big Blue pays out actual cash for reported flaws – rather, he just wanted IBM to take his findings seriously and address the programming blunders in its product.
"This is an unbelievable response by IBM, a multi-billion dollar company that is selling security enterprise products and security consultancy to huge corporations worldwide," Ribeiro thundered this month. "They refused to accept a free high-quality vulnerability report on one of their products.
"I did not ask or expect a bounty since I do not have a HackerOne account and I don't agree with HackerOne's or IBM's disclosure terms there. I simply wanted to disclose these to IBM responsibly and let them fix it."
That refusal led to Ribeiro emitting, essentially, zero-day exploits for IBM's Data Risk Manager, which spurred the tech giant into addressing its flawed code.
"IBM's DRM is an enterprise security product that handles very sensitive information," he continued. "The hacking of an IDRM appliance might lead to a full-scale company compromise, as it stores credentials to access other security tools, not to mention it contains information about critical vulnerabilities that affect the company.
"Why did IBM refuse to accept a free detailed vulnerability report?"
The Register has asked Big Blue for its side of the story, and we will let you know if it gets back to us. ®