Remote code execution risks found in IBM’s Data Risk Manager

Two of the four vulnerabilities are fixed in version 2.0.4

Numerous vulnerabilities have been found in IBM’s Data Risk Manager which pave the way for remote code execution, with some of the vulnerabilities still present in the most recent version.

Identified by Agile Information Security’s founder and director of research Pedro Ribeiro, the four vulnerabilities found in the Linux-based Data Risk Manager allow for authentication bypass and command injection as well as containing an insecure default password and arbitrary file download capabilities.

The combination of the first three vulnerabilities can allow an unauthenticated user to achieve remote code execution, Ribeiro claimed.

Since the discovery of the vulnerabilities, IBM has disclosed that the command injection vulnerability (found in versions 2.0.1, 2.0.2 and 2.0.3) and the arbitrary file download vulnerability (found in versions 2.0.2 and 2.0.3) have been fixed in version 2.0.4, and recommends that users update to version 2.0.6.

Additionally, Big Blue referred to the default password as a “known configuration” and recommends that users reset it during initial installation.

This leaves the authentication bypass vulnerability without a fix at present, with IBM saying it is “investigating this report and will provide further information on fix action as appropriate.”

When Ribeiro attempted to submit these vulnerabilities to IBM via CERT/CC, the report was rejected, according to a post published on GitHub.

As per Ribeiro’s post, IBM allegedly claimed that the report was out of the scope of its vulnerability disclosure program since Data Risk Manager is only for enhanced support paid for by its customers.

“This is an unbelievable response by IBM, a multi billion dollar company that is selling security enterprise products and security consultancy to huge corporations worldwide. They refused to accept a free high quality vulnerability report on one of their products,” Ribeiro wrote.

IBM has been contacted for comment.

The discovery of these vulnerabilities comes one week after Big Blue described how it is securing its Linux-based z15 mainframe models with IBM Secure Execution for Linux.
