ARN

Remote code execution risks found in IBM’s Data Risk Manager

Two of the four vulnerabilities are fixed in version 2.0.4

Numerous vulnerabilities have been found in IBM’s Data Risk Manager which pave the way for remote code execution, with some of the vulnerabilities still present in the most recent version.

Identified by Agile Information Security’s founder and director of research Pedro Ribeiro, the four vulnerabilities found in the Linux-based Data Risk Manager are an authentication bypass, a command injection, an insecure default password and an arbitrary file download.

The combination of the first three vulnerabilities can allow an unauthenticated user to achieve remote code execution, Ribeiro claimed.

Since the discovery of the vulnerabilities, IBM has disclosed that the command injection vulnerability, found in versions 2.0.1, 2.0.2 and 2.0.3, and the arbitrary file download vulnerability, found in versions 2.0.2 and 2.0.3, have been fixed in version 2.0.4, and recommends that users update to version 2.0.6.

Additionally, Big Blue referred to the default password as a “known configuration” and recommends that users reset it during initial installation.

However, this means the authentication bypass vulnerability currently has no fix, with IBM saying it is “investigating this report and will provide further information on fix action as appropriate.”

When Ribeiro attempted to submit these vulnerabilities to IBM via CERT/CC, the report was rejected, according to a post published on GitHub.

As per Ribeiro’s post, IBM allegedly claimed that the report was out of the scope of its vulnerability disclosure program since Data Risk Manager is only for enhanced support paid for by its customers.

“This is an unbelievable response by IBM, a multi-billion-dollar company that is selling security enterprise products and security consultancy to huge corporations worldwide. They refused to accept a free high quality vulnerability report on one of their products,” Ribeiro wrote.

IBM has been contacted for comment.

The discovery of these vulnerabilities comes one week after Big Blue claimed it is securing its Linux-based z15 mainframe models with IBM Secure Execution for Linux.