IBM Zero-Day Vulnerabilities Leave Enterprises Open to Remote Execution Attacks
Four zero-day vulnerabilities were discovered in IBM’s Data Risk Manager (IDRM). While the vulnerabilities themselves are concerning, more concerning is IBM’s response when they were reported. The company simply stated, “It’s out of scope” – meaning it had no intention to rectify or address the issue.
Research Director Pedro Ribeiro at Agile Information Security published his findings on GitHub after IBM initially refused to accept his report. The bugs directly affect IBM’s vulnerability management platform in four major ways, allowing for:
- A bypass of the IDRM authentication mechanism.
- A command injection point in one of the IDRM APIs that lets attackers run commands of their choosing on the application.
- A hardcoded username and password combo: a3user/idrm.
- A vulnerability in the IDRM API that can allow remote hackers to download files from the IDRM appliance.
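The command injection and arbitrary file download items above are two well-understood bug classes. The following added example (constructed here, not IDRM code and not from Ribeiro’s advisory) shows each class in a minimal request handler next to its hardened form: the command builder validates input against an allow-list and passes an argument list rather than a shell string, and the file handler resolves the requested path and checks that it stays inside the export directory. The sandbox directory, the file names, and the `HOST_RE` pattern are assumptions made for the illustration.

```python
import re
import tempfile
from pathlib import Path

# Constructed sandbox standing in for an appliance's file store (assumed layout,
# not IDRM's). One file lives inside the export directory, one outside it.
ROOT = Path(tempfile.mkdtemp())
FILES = ROOT / "files"
FILES.mkdir()
(FILES / "report.txt").write_text("quarterly scan summary")
(ROOT / "secret.txt").write_text("database credentials")  # must never be served

# Assumed allow-list for a hostname/IP parameter: letters, digits, dots, hyphens.
HOST_RE = re.compile(r"[A-Za-z0-9.\-]{1,253}")


def build_ping_vulnerable(host: str) -> str:
    """Vulnerable pattern: untrusted input spliced into a string destined for a shell.

    A value such as "127.0.0.1; id" would make the shell run a second command.
    The string is only returned here so the flaw is visible without executing it.
    """
    return f"ping -c 1 {host}"


def build_ping_hardened(host: str) -> list[str]:
    """Hardened pattern: allow-list validation, then an argv list (no shell).

    With subprocess.run(argv) and the default shell=False, metacharacters in
    `host` are passed to ping literally instead of being interpreted by a shell.
    """
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def download_vulnerable(name: str) -> str:
    """Vulnerable pattern: the request name is joined straight onto the export dir.

    "../secret.txt" walks out of FILES and reads a file the API was never meant
    to serve.
    """
    return (FILES / name).read_text()


def download_hardened(name: str) -> str:
    """Hardened pattern: resolve the final path and confirm it is inside FILES."""
    target = (FILES / name).resolve()
    if not target.is_relative_to(FILES.resolve()):
        raise PermissionError(f"path escapes export directory: {name!r}")
    return target.read_text()
```

The containment check resolves symlinks and `..` segments before comparing, which is what a string-prefix check on the unresolved path would miss.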
These vulnerabilities in the IDRM are especially troubling because of the access IDRM has across the entire network. IDRM holds credentials for other tools and even records the specific vulnerabilities the enterprise is facing. By exploiting one of these four vulnerabilities, a hacker can open the door to an enterprise, leaving it especially susceptible to further attacks. The exploits can create a domino effect within the company’s security infrastructure: chaining the vulnerabilities together yields full remote access as root. So why, if these vulnerabilities are so serious, did IBM refuse to patch them?
Ribeiro disclosed the four vulnerabilities to IBM as part of the organization’s bug disclosure program. In response to his advisory, IBM gave Ribeiro the following response:
“We have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for “enhanced” support paid for by our customers. This is outlined in our policy https://hackerone.com/ibm. To be eligible to participate in this program, you must not be under contract to perform security testing for IBM Corporation, or an IBM subsidiary, or IBM client within 6 months prior to submitting a report.”
Oddly, IBM initially refused a detailed vulnerability report from a reputable research firm. IBM’s initial response is also puzzling, as it raises more questions than it answers and does not address any of Ribeiro’s findings. Because of IBM’s lack of interest in moving forward, Ribeiro was forced to publish his findings on GitHub to make the vulnerabilities known to the public. The response by IBM is bewildering. Why would one of the largest computer hardware companies in the world not only refuse to act but also knowingly place its customers at risk of exposure?
Initially, IBM admitted only to several flaws within the IDRM and denied any major vulnerabilities. Since then, IBM has reversed its position, acknowledging that three of the vulnerabilities exist. In a follow-up email to ZDNet, IBM called the incident “a process error that resulted in an improper response to the researcher who reported this situation to IBM.” IBM has also stated that it will release a patch addressing the vulnerabilities, mitigation tips, and a security advisory as follow-up to the event. Regardless of IBM’s revised response, the question remains: why did IBM not agree with Ribeiro’s assessment and move to fix it right away? Only after Ribeiro published his findings on GitHub did IBM do anything.
While the circumstances seem unusual, IBM is now taking steps to address the problem. However, Ribeiro’s report should have been taken seriously from the beginning, not casually dismissed. Zero-day vulnerabilities of this scale, allowing a complete remote takeover of a network, are an extreme security risk to any enterprise. More troubling is that these vulnerabilities originate from IBM, which should not only know to act as soon as possible in these situations but should also do so with its customers’ safety in mind. IBM currently has a single patch that addresses the arbitrary file download and command injection vulnerabilities. Anyone using IBM’s IDRM should seek immediate remediation, partitioning the affected sections of their network and remaining hypervigilant for anything suspicious until IBM’s full patch addressing the remaining vulnerabilities goes live.
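“Remain hypervigilant for anything suspicious” can be made concrete while the full patch is pending. The following added example (written for this page, not an IBM or Info-Tech tool) runs a small set of checks over constructed, syslog-style appliance log lines: any login with the hardcoded account named above (`a3user`), any access from outside an assumed management subnet, which is the segmentation the paragraph recommends, and any download request whose file parameter contains a traversal sequence. The log line format, the `10.10.5.0/24` management subnet and the sample entries are all assumptions; a real deployment would adapt `LINE_RE` to the appliance’s actual log format.

```python
import ipaddress
import re

# Assumed management subnet from which administrative access is expected.
MGMT_NETS = [ipaddress.ip_network("10.10.5.0/24")]
# Hardcoded account named in the published advisory; it should never log in.
DEFAULT_ACCOUNTS = {"a3user"}

# Hypothetical log format: "<ts> appliance <event> user=<u> src=<ip> [file=<f>]".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) appliance (?P<event>auth_ok|auth_fail|download) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: file=(?P<file>\S+))?$"
)

# Constructed sample lines for the illustration.
SAMPLE_LOG = """\
2020-04-21T10:00:01Z appliance auth_ok user=alice src=10.10.5.20
2020-04-21T10:03:12Z appliance auth_ok user=a3user src=10.10.5.20
2020-04-21T10:05:40Z appliance auth_ok user=bob src=198.51.100.7
2020-04-21T10:06:02Z appliance download user=bob src=198.51.100.7 file=../../config/db.properties
2020-04-21T10:07:00Z appliance auth_fail user=admin src=10.10.5.30
"""


def in_management_net(src: str) -> bool:
    """True if the source address falls inside one of the management subnets."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source is treated as untrusted
    return any(ip in net for net in MGMT_NETS)


def analyse(lines) -> list[tuple[str, str, str]]:
    """Return (timestamp, user, reason) findings for lines that match a check."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated line; a real collector would count these
        ts, event, user, src, file = m.group("ts", "event", "user", "src", "file")
        if event == "auth_ok" and user in DEFAULT_ACCOUNTS:
            findings.append((ts, user, "login with documented default account"))
        if not in_management_net(src):
            findings.append((ts, user, "source outside management subnet"))
        if event == "download" and file and ".." in file.split("/"):
            findings.append((ts, user, "path traversal in download request"))
    return findings


if __name__ == "__main__":
    for ts, user, reason in analyse(SAMPLE_LOG.splitlines()):
        print(f"{ts} {user}: {reason}")
```

The traversal check splits on `/` and looks for a whole `..` segment rather than searching for the substring, so a legitimate name such as `report..v2.txt` is not flagged.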