
Four new zero-day vulnerabilities reported in IBM’s security software

Security researcher Pedro Ribeiro has disclosed proof-of-concept (PoC) exploits for four zero-day vulnerabilities in IBM’s enterprise security software. The researcher reported them to IBM, but because the company refused to accept the disclosure, the zero-day vulnerabilities were made public.

The enterprise security software in question is IBM Data Risk Manager, which is used to manage sensitive business information assets and detect the risks related to them. Pedro identified four critical vulnerabilities and a high-impact bug that can be exploited by attackers. The four vulnerabilities are an authentication bypass, a command injection, an insecure default password, and an arbitrary file download. They were identified in versions 2.0.1 to 2.0.3, which are not the latest versions of the software. Although Pedro tested them on those earlier versions, the newer versions are no exception, as the vulnerabilities had not been fixed at the time this article was published.

Because these vulnerabilities sit in a security product, and because Data Risk Manager manages an organisation’s sensitive business information, exploiting them could expose other business weaknesses and lead to a full-scale compromise of that sensitive information. The authentication bypass allows attackers to reset the password of accounts, including the administrator account. The command injection flaw lets attackers execute malicious commands through the product’s Nmap scripts. The insecure default password issue concerns shell and sudo access protected by a default password, which attackers could abuse if it is left unchanged. The arbitrary file download vulnerability is in an API endpoint intended to let users fetch log files; an attacker who reaches it can download not just log files but any file. Furthermore, the researcher has also disclosed two other issues, remote code execution and arbitrary file download.
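The last of those bugs illustrates a general failure mode: a "download a log file" endpoint becomes an arbitrary file download as soon as the requested name is joined onto the log directory without being confined to it. The following Python is an added illustration of that pattern and its hardened form; it is not IBM’s code and is not taken from Pedro Ribeiro’s advisory. The log directory, the sample log line and the out-of-bounds file are all constructed inside a temporary directory so the example runs offline.

```python
"""
Added example (not IBM's code, not from the researcher's advisory): a minimal
log-download handler in its naive form and in a hardened form, showing how an
endpoint meant for log files turns into an arbitrary file download when the
file name is not confined to the log directory.
"""
import os
import tempfile
from pathlib import Path

# Constructed sandbox standing in for the product's log directory, plus a file
# outside it that must never be reachable through the log endpoint.
SANDBOX = Path(tempfile.mkdtemp())
LOG_DIR = SANDBOX / "logs"
LOG_DIR.mkdir()
(LOG_DIR / "app.log").write_text("2020-04-21 INFO service started\n")
(SANDBOX / "secret.conf").write_text("db_password=constructed-example\n")


def naive_download(name: str) -> bytes:
    """Vulnerable pattern: joins caller input onto the log directory without
    confining the result, so a relative name can escape the directory."""
    return (LOG_DIR / name).read_bytes()


def hardened_download(name: str) -> bytes:
    """Hardened pattern: accept only a bare *.log file name, resolve the final
    path, and require it to remain directly under LOG_DIR."""
    base = LOG_DIR.resolve()
    # Reject separators and traversal before touching the filesystem at all.
    if not name or name != os.path.basename(name) or not name.endswith(".log"):
        raise PermissionError(f"rejected log name: {name!r}")
    target = (base / name).resolve()
    # Both sides are resolved, so symlinks and '..' cannot fool the containment check.
    if target.parent != base or not target.is_file():
        raise PermissionError(f"path escapes log directory: {name!r}")
    return target.read_bytes()


def demo() -> dict:
    """Return what each handler does with a legitimate and a traversal request."""
    results = {
        "naive_legit": naive_download("app.log").startswith(b"2020"),
        # The naive handler happily serves a file outside the log directory.
        "naive_traversal": naive_download("../secret.conf").startswith(b"db_password"),
        "hardened_legit": hardened_download("app.log").startswith(b"2020"),
    }
    try:
        hardened_download("../secret.conf")
        results["hardened_traversal"] = False
    except PermissionError:
        results["hardened_traversal"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The hardened version does two independent things: it rejects any name that is not a bare `*.log` file name before touching the filesystem, and it still verifies after resolution that the final path lies directly under the log directory, so a later change to the allow-list cannot silently reintroduce traversal.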

IBM’s bug bounty program does not provide bounties

Source: Pedro Ribeiro’s PoC post on GitHub

The above image was posted by Pedro on GitHub to show his disappointment with IBM.

Bug bounty programs are a way for vendors to have external penetration testers and researchers analyse the security issues in their software and to reward them based on the criticality of the flaws they identify and report. They also let vendors ensure vulnerabilities are identified and fixed before attackers take advantage of them in the wild. However, when Pedro reported these three zero-day vulnerabilities to IBM via CERT/CC, the company refused to accept the vulnerability report, stating that the product is only covered by ‘enhanced’ tech support paid for by their clients.

However, Pedro mentioned that he disclosed the vulnerabilities for security reasons and did not expect a bounty, as he does not have a HackerOne account. IBM is yet to confirm the vulnerabilities and release a security advisory regarding them.

William Marshal

William has been one of the key contributors to 'The Cybersecurity Times', with 9.5 years of experience in cybersecurity journalism. Apart from writing, he also likes hiking, skating and coding.
