Cybersecurity Alert: Unpatched Zero-Day Vulnerabilities Found in IBM Data Risk Manager
A security researcher has published technical details and proof-of-concept code for four unpatched zero-day vulnerabilities in IBM Data Risk Manager (IDRM), an enterprise security product from IBM. The disclosure follows IBM's refusal to accept the responsibly submitted report, which raises serious questions about the product's security posture.
IBM Data Risk Manager is designed to identify sensitive business data and assess the risks associated with it. According to Pedro Ribeiro of Agile Information Security, three of the four flaws are rated critical and one high. All of them can be exploited by an unauthenticated attacker over the network, and chained together they yield remote code execution as root on the appliance, the most severe outcome a vulnerability in a product of this kind can have.
The first vulnerability is an authentication bypass: a flaw in the way IDRM handles session IDs lets an attacker reset the password of an existing account, including administrative accounts, without knowing the current one. The second is a command injection in the way IDRM invokes Nmap scripts for network scanning; an attacker who controls the relevant input can have arbitrary commands executed on the appliance. The third is an insecure default credential: the virtual appliance ships with a built-in administrative user, "a3user", whose password is preset to "idrm". If that password is never changed, it gives any remote attacker with network access to the appliance a direct route to full control of the system.
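The command-injection class described above, as an added illustration that is not IDRM's code or anything from Ribeiro's write-up: a hypothetical scan endpoint that splices a caller-chosen Nmap script name into a shell string, beside a hardened version that allowlists the script, validates the target and hands an argv list to the kernel with no shell in between. The function names, the allowlist and the sample inputs are constructed for the example.

```python
"""Added illustration, not IBM's code: how an Nmap-driven scan endpoint
becomes command-injectable, and how to harden it.
All names and inputs here are hypothetical."""
import re
import shlex
import subprocess

# Hypothetical allowlist of NSE scripts the endpoint is willing to run.
ALLOWED_SCRIPTS = {"http-title", "ssl-cert", "smb-os-discovery"}
# Targets: hostnames, IPv4 or IPv6 literals. The value must not start with
# '-', so nmap can never read it as an option such as -iL.
TARGET_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.:-]*$")


def build_scan_command_vulnerable(target: str, script: str) -> str:
    """Vulnerable pattern: untrusted input concatenated into one shell string.
    A script value like 'ssl-cert; id' ends the nmap command and starts a new
    one when the string reaches /bin/sh via shell=True or os.system()."""
    return f"nmap -sV --script {script} {target}"


def shell_commands(command: str) -> list:
    """Approximates how a POSIX shell splits a command line into separate
    commands at ';', '&&', '||' and '|'. Used here only to make the injection
    visible without running anything."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in {";", "&&", "||", "|"}:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def build_scan_command_hardened(target: str, script: str) -> list:
    """Hardened pattern: allowlist the script, validate the target, and return
    an argv list. Passed to subprocess with shell=False (the default), the list
    goes straight to execve(), so shell metacharacters have no meaning."""
    if script not in ALLOWED_SCRIPTS:
        raise ValueError(f"script not permitted: {script!r}")
    if not TARGET_RE.match(target):
        raise ValueError(f"malformed target: {target!r}")
    return ["nmap", "-sV", "--script", script, target]


def hardened_rejects(target: str, script: str) -> bool:
    """True when the hardened builder refuses the input."""
    try:
        build_scan_command_hardened(target, script)
    except ValueError:
        return True
    return False


def run_scan_hardened(target: str, script: str, runner=subprocess.run):
    """Runs the validated argv without a shell. 'runner' is injectable so the
    function can be exercised where nmap is not installed."""
    argv = build_scan_command_hardened(target, script)
    return runner(argv, capture_output=True, text=True, timeout=600)


if __name__ == "__main__":
    # Constructed inputs: a benign script name and an injected one.
    for script in ("ssl-cert", "ssl-cert; id"):
        cmd = build_scan_command_vulnerable("10.0.0.5", script)
        print(f"{cmd!r} -> shell would run {len(shell_commands(cmd))} command(s)")
        if hardened_rejects("10.0.0.5", script):
            print("hardened builder rejects", repr(script))
        else:
            print("hardened argv:", build_scan_command_hardened("10.0.0.5", script))
```

The allowlist matters as much as the argv list: even without a shell, Nmap's `--script` accepts arbitrary script paths and arguments, so letting a caller choose the script freely would still hand them a great deal of control over what runs on the appliance.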
The fourth issue, the one rated high rather than critical, is in an API endpoint that lets authenticated users download log files. Ribeiro found a directory traversal flaw in it: the requested file name is not confined to the log directory, so an attacker can download arbitrary files from the system. On its own this requires a valid session, but the authentication bypass above supplies exactly that.
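The directory traversal class described above, as an added illustration that is not IDRM's code: a hypothetical log-download handler that builds a filesystem path from a caller-supplied file name, first in the traversal-prone form and then hardened with a name check, canonicalization and a containment test. The directory layout, file names and the symlink case are constructed for the example; the function names are assumptions.

```python
"""Added illustration, not IBM's code: a log-download handler that turns a
caller-supplied file name into a filesystem path, first in the traversal-prone
form and then hardened with a name check, canonicalization and a containment
test. All names and files here are hypothetical or constructed."""
import os
import tempfile
from pathlib import Path


class TraversalRejected(Exception):
    """Raised when a requested name would resolve outside the log directory."""


def resolve_log_path_vulnerable(log_dir: str, requested: str) -> str:
    """Vulnerable pattern: join untrusted input onto the base directory.
    '../../../secret.txt' walks out of log_dir, and os.path.join discards
    log_dir entirely when 'requested' is an absolute path."""
    return os.path.join(log_dir, requested)


def resolve_log_path_hardened(log_dir: str, requested: str) -> Path:
    """Hardened pattern for an endpoint that expects bare log file names."""
    base = Path(log_dir).resolve()
    # 1. Structural check: no separators, no '.' or '..', no NUL bytes.
    if (not requested or "/" in requested or "\\" in requested
            or requested in {".", ".."} or "\x00" in requested):
        raise TraversalRejected(f"illegal file name: {requested!r}")
    # 2. Canonicalize (this follows symlinks) and 3. confirm the result is a
    #    direct child of the log directory. A symlink planted inside log_dir
    #    that points elsewhere passes step 1 but fails here.
    candidate = (base / requested).resolve()
    if candidate.parent != base:
        raise TraversalRejected(f"{requested!r} resolves outside {base}")
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate


def hardened_rejects(log_dir: str, requested: str) -> bool:
    """True when the hardened resolver refuses the request as traversal."""
    try:
        resolve_log_path_hardened(log_dir, requested)
    except TraversalRejected:
        return True
    return False


def demo() -> dict:
    """Constructed scenario: a log directory holding one real log, a sensitive
    file three levels up, and a symlink inside the log directory pointing at
    it. Returns the outcome of each lookup so the behaviour can be checked."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        log_dir = root / "var" / "log" / "app"
        log_dir.mkdir(parents=True)
        (log_dir / "app.log").write_text("constructed log line\n")
        secret = root / "secret.txt"
        secret.write_text("constructed secret\n")
        try:
            (log_dir / "link.log").symlink_to(secret)
            have_symlink = True
        except OSError:  # e.g. unprivileged accounts on Windows
            have_symlink = False

        traversal = "../../../secret.txt"
        vuln = Path(resolve_log_path_vulnerable(str(log_dir), traversal)).resolve()
        results["vulnerable_escapes"] = vuln == secret
        results["hardened_serves_log"] = (
            resolve_log_path_hardened(str(log_dir), "app.log").name == "app.log")
        results["blocks_traversal"] = hardened_rejects(str(log_dir), traversal)
        results["blocks_absolute"] = hardened_rejects(str(log_dir), str(secret))
        results["blocks_symlink"] = (
            hardened_rejects(str(log_dir), "link.log") if have_symlink else None)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of the checks is deliberate: the cheap structural check rejects the obvious `../` and absolute-path cases with a clear error, while the containment test after `resolve()` is what actually defends the boundary, including against a symlink that a prior write primitive might have planted inside the log directory.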
Ribeiro has also released two Metasploit modules: one chains the authentication bypass with the command injection to obtain remote code execution, the other chains it with the arbitrary file download. Their availability makes the risk to IDRM users immediate. Ribeiro had tried to report the issues through CERT/CC, but IBM replied that the report was out of scope for its vulnerability disclosure program because the product is only available to customers with paid "enhanced" support. That position sits badly with a vendor's responsibility for the security of its products, particularly one whose whole purpose is to manage an organization's most sensitive information.
The implications for organizations running IBM Data Risk Manager are significant. Because the product is built to hold sensitive company information and integrates with other security tools, a compromise exposes not only proprietary data but also the credentials used across those tools, widening the impact of an attack well beyond the appliance itself.
Mapped to the MITRE ATT&CK framework, the chain is straightforward. The authentication bypass provides Initial Access via Exploit Public-Facing Application (T1190), and an unchanged a3user password provides the same via Valid Accounts (T1078). The command injection provides Execution through Command and Scripting Interpreter (T1059), and since the resulting code runs as root no separate privilege escalation step is required. The directory traversal is not a persistence mechanism; it serves Collection (Data from Local System, T1005) and Credential Access, because the files it can expose include the credentials IDRM holds for the other security tools it works with.
IBM has since stated that a process error led to the inadequate response to Ribeiro's report, and that it is working on mitigations to be detailed in an upcoming security advisory.
The incident underscores the need for vigilance and proactive risk management. Organizations running IBM Data Risk Manager should reassess their exposure now rather than wait for the advisory: at a minimum, change the default a3user password, restrict network access to the IDRM appliance to trusted administrative hosts, and monitor IBM's forthcoming advisory so that a fix can be applied as soon as it is available.
Stay updated on this developing situation as The Hacker News follows up with IBM for more details on their response to these vulnerabilities.