A quartet of zero-days impacting IBM’s enterprise security software landed on GitHub yesterday
A security researcher has publicly disclosed multiple zero-day vulnerabilities impacting IBM’s Data Risk Manager (DRM) product after the vendor “refused to accept” his initial advisory.
In a write-up posted on GitHub yesterday (April 21), Agile Information Security’s Pedro Ribeiro flagged up “three critical risk and one high risk” vulnerabilities impacting DRM, enterprise security software from IBM.
According to Ribeiro, three vulnerabilities in the DRM Linux virtual appliance – authentication bypass, command injection, and insecure default password – could be chained together to achieve unauthenticated remote code execution.
The fourth vulnerability is a path traversal flaw that could allow an authenticated user to download log files from the DRM system, according to Ribeiro.
“At the time of disclosure, it is unclear if the latest version 2.0.6 is affected by these, but most likely it is, as there is no mention of fixed vulnerabilities in any changelog, and it was released before the attempt to report these vulnerabilities to IBM,” he said.
In his post, Ribeiro said that he attempted to make contact with CERT/CC to coordinate disclosure with IBM, but that “IBM refused to accept the vulnerability report”.
Instead, IBM was said to have responded with a somewhat confusing statement explaining, among other things, that the vulnerabilities were out of scope for its vulnerability disclosure program.
In the wake of Ribeiro’s public disclosure, IBM has apparently conceded that the vulnerabilities are indeed valid, admitting that it had mishandled his initial advisory.
“A process error resulted in an improper response to the researcher who reported this situation to IBM,” a spokesperson told The Daily Swig.
The spokesperson did not respond to our request for clarification on whether these vulnerabilities impact the latest version of DRM (2.0.6), but said: “We have been working on mitigation steps and they will be discussed in a security advisory to be issued.”
In the absence of any further clarification, we went back to the researcher, who told us that since the publication of his disclosure, “IBM have not contacted me, so I don’t know anything besides [what] is written in the advisory”.
This article will be updated as and when IBM releases its full DRM security advisory.