IBM Zero-Day Vulnerabilities Leave Enterprises Open to Remote Execution Attacks
Four zero-day vulnerabilities were discovered in IBM’s Data Risk Manager (IDRM). While the vulnerabilities themselves are concerning, more concerning is IBM’s response when they were reported. The company simply stated, “It’s out of scope” – meaning it had no intention of rectifying or even addressing the issue.
Research Director Pedro Ribeiro at Agile Information Security published his findings on GitHub after IBM initially refused to accept his report. The bugs directly affect IBM’s vulnerability management platform in four major ways, allowing for:
- A bypass of the IDRM authentication mechanism.
- A command injection point in one of the IDRM APIs that lets attackers run their own commands on the application.
- A hardcoded username and password combo: a3user/idrm.
- A vulnerability in the IDRM API that can allow remote hackers to download files from the IDRM appliance.
These vulnerabilities in the IDRM are especially troubling because of the access that IDRM has across the entire network. IDRM contains credentials for other tools and even a record of the specific vulnerabilities the enterprise is facing. By exploiting one of these four vulnerabilities, an attacker can open the door to an enterprise, leaving it especially susceptible to further attacks. The exploits can create a domino effect within the company’s security infrastructure: by chaining the vulnerabilities together, an attacker can achieve full remote access as root and collapse the entire system. So why, if these vulnerabilities are so serious, did IBM refuse to patch them?
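Two of the bug classes listed above, an OS command injection point in an API and an arbitrary file download, recur across products and are easy to recognise once shown side by side. The block below is an added illustration written for this article, not IBM’s or Ribeiro’s code and not the actual IDRM handlers: each flaw is shown as a small vulnerable handler beside its hardened form, using a constructed temporary directory layout and `echo` in place of the real command. Function names, the regular expression and the directory layout are assumptions made for the example.

```python
"""Vulnerable-vs-hardened handlers for command injection and file download.

Added example for this article; not IBM/IDRM code. The sample directory tree
and the `echo` command stand in for a real API handler and a real tool.
"""
import re
import subprocess
import tempfile
from pathlib import Path

# Allow-list for a hostname-style parameter (assumed policy for this example).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def run_echo_vulnerable(host: str) -> str:
    """Vulnerable: the untrusted value is spliced into a shell command string.

    A value such as "10.0.0.1; echo INJECTED" makes the shell run a second
    command. `echo` is used here so the effect is visible but harmless.
    """
    completed = subprocess.run(
        f"echo {host}", shell=True, capture_output=True, text=True, check=False
    )
    return completed.stdout.strip()


def run_echo_hardened(host: str) -> str:
    """Hardened: validate against an allow-list, then pass an argv list.

    With no shell involved, metacharacters in `host` are just bytes in one
    argument; the allow-list rejects them before the command is even built.
    """
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    completed = subprocess.run(
        ["echo", host], capture_output=True, text=True, check=False
    )
    return completed.stdout.strip()


def read_report_vulnerable(report_dir: Path, name: str) -> bytes:
    """Vulnerable: path joined directly, so "../secret.txt" escapes the directory."""
    return (report_dir / name).read_bytes()


def read_report_hardened(report_dir: Path, name: str) -> bytes:
    """Hardened: resolve the final path and require it to stay under report_dir."""
    base = report_dir.resolve()
    target = (base / name).resolve()
    if not target.is_relative_to(base):  # Python 3.9+
        raise PermissionError(f"path escapes report directory: {name!r}")
    return target.read_bytes()


def make_demo_tree() -> tuple[Path, Path]:
    """Constructed layout: a reports/ directory plus a secret file outside it."""
    root = Path(tempfile.mkdtemp(prefix="idrm-demo-"))
    reports = root / "reports"
    reports.mkdir()
    (reports / "scan.txt").write_bytes(b"scan results")
    (root / "secret.txt").write_bytes(b"top secret")
    return root, reports


if __name__ == "__main__":
    _, reports = make_demo_tree()
    print(run_echo_vulnerable("10.0.0.1; echo INJECTED"))       # second line appears
    print(run_echo_hardened("10.0.0.1"))                          # 10.0.0.1
    print(read_report_vulnerable(reports, "../secret.txt"))       # b'top secret'
    try:
        read_report_hardened(reports, "../secret.txt")
    except PermissionError as exc:
        print("blocked:", exc)
```

The two hardened functions show the pattern a reviewer looks for in an appliance API: input validated against an allow-list before use, no shell between the handler and the command, and file paths resolved and anchored to a fixed base directory before any read.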
Ribeiro disclosed the four vulnerabilities to IBM as part of the organization’s bug disclosure program. In response to his advisory, IBM gave Ribeiro the following response:
“We have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for “enhanced” support paid for by our customers. This is outlined in our policy https://hackerone.com/ibm. To be eligible to participate in this program, you must not be under contract to perform security testing for IBM Corporation, or an IBM subsidiary, or IBM client within 6 months prior to submitting a report.”
Oddly, IBM initially refused a detailed vulnerability report from a reputable research firm. IBM’s initial response is also puzzling, as it raises more questions than it answers and does not address any of Ribeiro’s findings. Because of IBM’s lack of interest in moving forward, Ribeiro was forced to publish his findings on GitHub to make the vulnerabilities known to the public. The response by IBM is bewildering. Why would one of the largest computer hardware companies in the world not only refuse to act but also knowingly place its customers at risk of exposure?
Initially, IBM only admitted to several flaws within the IDRM and denied any major vulnerabilities. Since then, IBM has reversed its position, acknowledging that three of the vulnerabilities exist. In a follow-up email to ZDNet, IBM called the incident “a process error that resulted in an improper response to the researcher who reported this situation to IBM.” IBM has also stated that it will release a patch addressing the vulnerabilities, mitigation tips, and a security advisory as a follow-up to the event. Regardless of IBM’s revised response, the question remains: why did IBM not agree with Ribeiro’s assessment and move to fix it right away? Only after Ribeiro published his findings on GitHub did IBM move to do anything.
While the circumstances seem unusual, IBM is now taking steps to address the problem. However, Ribeiro’s report should have been taken seriously from the beginning, not casually dismissed. Zero-day vulnerabilities of this scale that allow for a complete remote takeover of a network are an extreme security risk to any enterprise. More troubling is that these vulnerabilities originate from IBM, which not only should know to act as soon as possible in these situations but also should do so with its customers’ safety in mind. IBM currently has a single patch that addresses the arbitrary file download and command injection vulnerabilities. Anyone using IBM’s IDRM should take immediate remediation steps to segment the affected sections of their network and remain hypervigilant for anything suspicious until IBM’s full patch addressing the remaining vulnerabilities goes live.