Information Security News mailing list archives

Multiple Vulnerabilities in IBM Data Risk Manager
From: InfoSec News <alerts () infosecnews org>
Date: Wed, 22 Apr 2020 07:54:53 +0000 (UTC)

https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md

By Pedro Ribeiro (pedrib () gmail com | @pedrib1337) from Agile Information Security

Disclosure Date: 21/04/2020 | Last Updated: 22/04/2020

Introduction

From the vendor's website:
What you don’t know can hurt you. Identify and help prevent risks to sensitive business data that may impact business processes, operations, and competitive position. IBM Data Risk Manager provides executives and their teams a business-consumable data risk control center that helps to uncover, analyze, and visualize data-related business risks so they can take action to protect their business.

Summary

tl;dr scroll to the bottom to see videos of the exploits in action

IBM Data Risk Manager (IDRM) is enterprise security software by IBM that aggregates and provides a full view of all the enterprise's security risks, akin to an electronic risk register.

The product receives information feeds from vulnerability scanning tools and other risk management tools, aggregates them and allows a user to investigate them and perform comprehensive analysis.

The IDRM Linux virtual appliance was analysed and found to contain four vulnerabilities, three of critical risk and one of high risk:

* Authentication Bypass

* Command Injection

* Insecure Default Password

* Arbitrary File Download

This advisory describes the four vulnerabilities and the steps necessary to chain the first three to achieve unauthenticated remote code execution as root. In addition, two Metasploit modules that bypass authentication and exploit the remote code execution and arbitrary file download are being released to the public.

At the time of disclosure, it is unclear if the latest version 2.0.6 is affected by these vulnerabilities, but most likely it is, as there is no mention of fixed vulnerabilities in any changelog, and it was released before the attempt to report these vulnerabilities to IBM. The latest version Agile InfoSec has access to is 2.0.3, and that one is certainly vulnerable. The status of version 2.0.0 is unknown, but that version is out of support anyway.

Here's a bunch of 0 days!
At the time of disclosure these vulnerabilities are "0 days". An attempt was made to contact CERT/CC to coordinate disclosure with IBM, but IBM REFUSED to accept the vulnerability report, and responded to CERT/CC with:

we have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for "enhanced" support paid for by our customers. This is outlined in our policy https://hackerone.com/ibm. To be eligible to participate in this program, you must not be under contract to perform security testing for IBM Corporation, or an IBM subsidiary, or IBM client within 6 months prior to submitting a report.

This is an unbelievable response by IBM, a multi-billion-dollar company that is selling enterprise security products and security consultancy to huge corporations worldwide. They refused to accept a free, high-quality vulnerability report on one of their products, while putting ludicrous quotes like the following on their website:

When every second counts, you need a unified defense to identify, orchestrate and automate your response to threats. IBM Security Threat Management solutions help you thrive in the face of cyber uncertainty.

Building a custom security plan that is both industry-specific and aligned to your security maturity demands a partner with deep expertise and global reach. The IBM Security Strategy and Risk services team is that valued partner.

It should be noted that IBM offers no bounties on their "bug bounty program", just kudos:

[...]

--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_