IBM Tells Researcher It Will Not Patch Serious Data Risk Manager Flaws

A security researcher says IBM has told him that it would not be patching several vulnerabilities found in its Data Risk Manager product, despite demonstrating that they can be exploited by a remote, unauthenticated attacker to execute arbitrary code with root privileges. [UPDATE BELOW]


Pedro Ribeiro of Agile Information Security has disclosed technical information for a total of four zero-day vulnerabilities affecting IBM Data Risk Manager, an enterprise security solution that “provides executives and their teams a business-consumable data risk control center that helps to uncover, analyze, and visualize data-related business risks so they can take action to protect their business.”


The vulnerabilities include authentication bypass, command injection, default password, and arbitrary file download issues. Ribeiro warned that a remote, unauthenticated attacker could chain the first three vulnerabilities to execute arbitrary code as root. Moreover, an attacker could combine the authentication bypass and arbitrary file download flaws to download files from the targeted system.


The security holes were reported to IBM through CERT/CC, but the vendor said it had assessed the report and closed it for being out of scope for its vulnerability disclosure program “since this product is only for ‘enhanced’ support paid for by our customers.”


Ribeiro says he does not understand IBM’s explanation for rejecting his report and is baffled by the decision.


“This is an unbelievable response by IBM, a multi-billion-dollar company that is selling security enterprise products and security consultancy to huge corporations worldwide. They refused to accept a free high quality vulnerability report on one of their products [...],” the researcher noted.


SecurityWeek has reached out to IBM for comment and will update this article if the company responds. IBM has a bug bounty program, but currently it’s ..