Security researcher discloses four IBM zero-days after company refused to patch

April 21, 2020
in Internet Security

Image: IBM

A security researcher has published today details about four zero-day vulnerabilities impacting an IBM security product after the company refused to patch bugs following a private bug disclosure attempt.

The bugs impact the IBM Data Risk Manager (IDRM), an enterprise security tool that aggregates feeds from vulnerability scanning tools and other risk management tools to let admins investigate security issues.

“IDRM is an enterprise security product that handles very sensitive information,” said Pedro Ribeiro, Director of Research at Agile Information Security, and the one who discovered the four bugs.

“A compromise of such [a] product might lead to a full scale company compromise, as the tool has credentials to access other security tools, not to mention it contains information about critical vulnerabilities that affect the company,” he added.

IBM refused to patch the reported issues

Ribeiro said he found four bugs in IDRM and worked with the CERT/CC team to report the issues to IBM through its official bug bounty program.

The security researcher said that despite the severity of the four bugs he reported, IBM refused to accept the bug disclosure, answering with what appears to be a nonsensical response:

we have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for “enhanced” support paid for by our customers. This is outlined in our policy https://hackerone.com/ibm. To be eligible to participate in this program, you must not be under contract to perform security testing for IBM Corporation, or an IBM subsidiary, or IBM client within 6 months prior to submitting a report.

The researcher said that to this day, he has yet to understand what the response actually meant, and still has questions, such as:

  • “Why did IBM refuse to accept a FREE detailed vulnerability report?
  • “What does their answer mean? Are they only accepting vulnerability reports from customers?
  • “Or is the product out of support? If so, why is it still being offered for sale to new customers?
  • “How can they be so irresponsible while selling an enterprise security product?”

“This is an unbelievable response by IBM, a multi billion dollar company that is selling security enterprise products and security consultancy to huge corporations worldwide,” Ribeiro said.

ZDNet has reached out to IBM to clarify its response and see if this was only a misunderstanding, rather than an intentional decision to leave IDRM unpatched, despite the severity of the four issues. We’ll update this article if we hear back from the company.

Details published today on GitHub

Seeing that IBM was not interested in patching the bugs, the researcher published details of the four issues on GitHub today, so that companies that use the product can put mitigations in place to prevent any attacks.

The four issues, as reported, are:

  • A bypass of the IDRM authentication mechanism
  • A command injection point in one of the IDRM APIs that lets attackers run their own commands on the app
  • A hardcoded username and password combo of a3user/idrm
  • A vulnerability in the IDRM API that can allow remote hackers to download files from the IDRM appliance
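Two of the bug classes in that list, an API parameter spliced into a shell command and a default credential shipped with the product, are common enough that it helps to see the weak pattern next to the hardened one. The following is an added example written for this article, not code from IBM or from the researcher's advisory; the `ping` endpoint, the hostname allowlist and the account store are assumptions, and the only value taken from the article is the `a3user`/`idrm` pair.

```python
"""Added example: command injection and default credentials, vulnerable vs
hardened. Hypothetical code for this article, not IBM IDRM code; the host
parameter, the allowlist and the account map are assumptions."""
import re
import subprocess
from typing import Dict, List

# Strict allowlist for a hostname-like API parameter (assumption: the API takes a host).
HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})$")
# Characters a POSIX shell interprets if the value is spliced into a command line.
SHELL_META_RE = re.compile(r"[;&|`$(){}<>\n\\\"']")


def build_command_vulnerable(target: str) -> str:
    """Vulnerable pattern: the caller's value is concatenated into a shell string,
    so any metacharacter in `target` changes what the shell runs."""
    return f"ping -c 1 {target}"


def build_command_hardened(target: str) -> List[str]:
    """Hardened pattern: validate against the allowlist, then return an argv list.
    Run with shell=False, every element is passed to the program as a literal."""
    if not HOST_RE.fullmatch(target):
        raise ValueError(f"rejected host parameter: {target!r}")
    return ["ping", "-c", "1", target]


def looks_injected(command_line: str) -> bool:
    """Review/detection helper: flag a built shell string that carries shell
    metacharacters, e.g. when auditing a log of commands a service executed."""
    return SHELL_META_RE.search(command_line) is not None


def run_argv(argv: List[str]) -> str:
    """Execute an argv list with no shell and return stdout. Used below with
    `echo`, which is harmless and shows the hostile value arriving unchanged."""
    done = subprocess.run(argv, shell=False, capture_output=True, text=True, check=False)
    return done.stdout


# Default account shipped with the product (user name and password from the
# article). A deployment check should refuse to proceed while it still works.
SHIPPED_DEFAULTS: Dict[str, str] = {"a3user": "idrm"}


def accounts_with_default_password(accounts: Dict[str, str]) -> List[str]:
    """Return account names whose stored password equals the shipped default.
    `accounts` is a constructed user->password map standing in for a real
    credential store (a real store holds hashes; compare through its verifier)."""
    return sorted(u for u, p in accounts.items() if SHIPPED_DEFAULTS.get(u) == p)


if __name__ == "__main__":
    hostile = "127.0.0.1; id"  # constructed input carrying a shell separator
    cmd = build_command_vulnerable(hostile)
    print("vulnerable string:", cmd, "-> flagged" if looks_injected(cmd) else "")
    try:
        build_command_hardened(hostile)
    except ValueError as exc:
        print("hardened builder:", exc)
    print("no-shell echo returns the value verbatim:", run_argv(["echo", hostile]).strip())
    print("accounts still on default password:",
          accounts_with_default_password({"a3user": "idrm", "ops": "s3cret"}))
```

The allowlist does the real work: rejecting anything that is not a plausible hostname removes the need to reason about which characters the shell treats specially, and passing an argv list with `shell=False` means that even a value that slips through is handed to the program as data. The default-password check is the kind of startup or deployment gate that turns a hardcoded credential from a silent exposure into a visible finding.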

“This advisory describes the four vulnerabilities and the steps necessary to chain the first three to achieve unauthenticated remote code execution as root,” Ribeiro said.

“In addition, two Metasploit modules that bypass authentication and exploit the remote code execution and arbitrary file download are being released to the public.”

All four bugs are remotely exploitable, Ribeiro added. If the IDRM appliance is exposed online, attacks can be carried out over the internet. Normally these systems aren’t accessible on the internet, which reduces the impact to organizations running IDRM.

However, even if the IDRM is not exposed online, an attacker who has access to a workstation on a company’s internal network can chain the four bugs together to take over the IDRM appliance, extract credentials for other systems, and move laterally to other systems on the company’s network.

Credit: Zdnet
