A security researcher recently uncovered four vulnerabilities in IBM Data Risk Manager and publicly disclosed them following a refusal from the tech giant to act on the same. These Zero-Day vulnerabilities, which have not been assigned any CVEs yet, comprise 3 critical and 1 high severity bugs.
The IBM Data Risk Manager is an enterprise security product that aims at collecting the data obtained from various security systems and uses it to analyze and visualize business risks. IDRM contains sensitive information, including access to other security tools. Hence, the compromise of an IDMR appliance may lead to the compromise of a company on a full scale.
The four vulnerabilities which are described below were published in an advisory by Pedro Rebeiro.
1. Authentication Bypass
This vulnerability resides in the /albatross/user/login API endpoint of IDRM. In his advisory, Pedro demonstrated how an attacker can leverage the flaw associated with the API to trick the application into accepting an arbitrary session ID and username. A new password is then generated for that username by sending another command. This can be used to obtain a Bearer administrative token which allows an attacker to gain access to different APIs. The /albatross/login endpoint can also be abused by any web user to gain access to the web administration console.
2. Command Injection
This bug lies in an API at /albatross/restAPI/v2/nmap/run/scan/ that enables authenticated users to run nmap scripts for performing network scans. IDRM also contains a bug wherein the file being uploaded is placed on disk despite failure to process the file. With the help of a method that accepts and processes patch files, an attacker may be able to execute arbitrary commands in a malicious file with the help of ‘nmap –script=<FILE>’.
3. Insecure Default Password
The IDRM contains a default administrative user ‘a3user’ with the password set as ‘idrm’. This user is capable of logging in via SSH and can run Sudo commands. If the password is left unchanged, this bug can be used along with the first two bugs by an unauthenticated attacker to execute remote code as root on the IDRM virtual appliance.
4. Arbitrary File Download
An attacker can abuse a directory traversal flaw in the logFileNameList parameter of an API at /albatross/eurekaservice/fetchLogFiles to be able to download any file from the system.
Proof of concept
The researcher has publicly released two Metasploit modules that can be used to bypass authentication and exploit the remote code execution and arbitrary file download. Video demonstrations are also available for the remote code execution and arbitrary file download exploits.
IBM Data Risk Manager 2.0.1 through 2.0.3 have been tested by the researcher and 2.0.4 through 2.0.6 are deemed likely to be vulnerable.
A successful attempt to combine the first three vulnerabilities can result in remote code execution and take over of the vulnerable system.
No patch or solution is available from the vendor to address these vulnerabilities as of now. However, though IBM initially refused to review the report citing its HackerOne policy, reports claim that IBM later issued a statement claiming that they have been working on mitigation steps and they will be discussed and issued in a security advisory.