Remote code execution risks found in IBM’s Data Risk Manager

Two of the four vulnerabilities are fixed in version 2.0.4

Four vulnerabilities have been found in IBM's Data Risk Manager that together pave the way for remote code execution, and at least one of them remains unpatched in the most recent version.

Identified by Agile Information Security's founder and director of research Pedro Ribeiro, the four vulnerabilities in the Linux-based Data Risk Manager appliance are an authentication bypass, a command injection, an insecure default password and an arbitrary file download.

Chaining the first three of these, an unauthenticated attacker can achieve remote code execution, Ribeiro claimed.

Since the vulnerabilities were reported, IBM has disclosed that the command injection, which affects versions 2.0.1, 2.0.2 and 2.0.3, and the arbitrary file download, which affects versions 2.0.2 and 2.0.3, were fixed in version 2.0.4, and it recommends that users update to version 2.0.6.

Additionally, Big Blue described the default password as a "known configuration" and recommends that users reset it during initial installation.

That leaves the authentication bypass vulnerability with no fix for now; IBM says it is "investigating this report and will provide further information on fix action as appropriate."

When Ribeiro attempted to submit these vulnerabilities to IBM via CERT/CC, the report was rejected, according to a post published on GitHub.

According to Ribeiro's post, IBM allegedly said the report was out of the scope of its vulnerability disclosure program because Data Risk Manager is only available to customers who pay for enhanced support.

"This is an unbelievable response by IBM, a multi-billion-dollar company that is selling security enterprise products and security consultancy to huge corporations worldwide. They refused to accept a free high quality vulnerability report on one of their products," Ribeiro wrote.

IBM has been contacted for comment.

The disclosure of these vulnerabilities comes one week after Big Blue described how it is securing its Linux workloads on z15 mainframe models with IBM Secure Execution for Linux.
