https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md
By Pedro Ribeiro ([email protected] | @pedrib1337) from Agile Information Security
Disclosure Date: 21/04/2020 | Last Updated: 22/04/2020
Introduction
From the vendor's website:
What you don’t know can hurt you. Identify and help prevent risks to sensitive
business data that may impact business processes, operations, and competitive
position. IBM Data Risk Manager provides executives and their teams a
business-consumable data risk control center that helps to uncover, analyze,
and visualize data-related business risks so they can take action to protect
their business.
Summary
tl;dr: scroll to the bottom to see videos of the exploits in action
IBM Data Risk Manager (IDRM) is an enterprise security software by IBM that
aggregates and provides a full view of all the enterprise security risks, akin
to an electronic risk register.
The product receives information feeds from vulnerability scanning tools and
other risk management tools, aggregates them and allows a user to investigate
them and perform comprehensive analysis.
The IDRM Linux virtual appliance was analysed and it was found to contain four
vulnerabilities, three critical risk and one high risk:
* Authentication Bypass
* Command Injection
* Insecure Default Password
* Arbitrary File Download
This advisory describes the four vulnerabilities and the steps necessary to
chain the first three to achieve unauthenticated remote code execution as root.
In addition, two Metasploit modules that bypass authentication and exploit the
remote code execution and arbitrary file download are being released to the
public.
At the time of disclosure, it is unclear if the latest version 2.0.6 is
affected by these, but most likely it is, as there is no mention of fixed
vulnerabilities in any changelog, and it was released before the attempt to
report these vulnerabilities to IBM. The latest version Agile InfoSec has
access to is 2.0.3, and that one is certainly vulnerable. The status of version
2.0.0 is unknown, but that version is out-of-support anyway.
Here's a bunch of 0 days!
At the time of disclosure these vulnerabilities are "0 days". An attempt was
made to contact CERT/CC to coordinate disclosure with IBM, but IBM REFUSED to
accept the vulnerability report, and responded to CERT/CC with:
we have assessed this report and closed as being out of scope for our
vulnerability disclosure program since this product is only for "enhanced"
support paid for by our customers. This is outlined in our policy
https://hackerone.com/ibm. To be eligible to participate in this program, you
must not be under contract to perform security testing for IBM Corporation, or
an IBM subsidiary, or IBM client within 6 months prior to submitting a report.
This is an unbelievable response by IBM, a multi-billion-dollar company that is
selling enterprise security products and security consultancy to huge
corporations worldwide. They refused to accept a free, high-quality
vulnerability report on one of their products, while putting ludicrous quotes
like the following on their website:
When every second counts, you need a unified defense to identify, orchestrate
and automate your response to threats. IBM Security Threat Management solutions
help you thrive in the face of cyber uncertainty.
Building a custom security plan that is both industry-specific and aligned to
your security maturity demands a partner with deep expertise and global reach.
The IBM Security Strategy and Risk services team is that valued partner.
It should be noted that IBM offers no bounties on their "bug bounty program",
just kudos:
[...]