Four zero-day vulnerabilities were discovered in IBM’s Data Risk Manager (IDRM). While the zero-day vulnerabilities are concerning, more so is IBM’s response when the issue was raised. The company simply stated, “It’s out of scope” – meaning it had no intention to rectify or address the issue.
Research Director Pedro Ribeiro at Agile Information Security published his findings on GitHub after IBM initially refused to accept his report. The bugs directly affect IBM’s vulnerability management platform in four major ways that allow for:
These vulnerabilities in the IDRM are especially troubling because of the access that IDRM has across the entire network. IDRM contains credentials to access other tools and even records of the specific vulnerabilities that the enterprise is facing. By exploiting one of these four vulnerabilities, an attacker can open the door of an enterprise, making it especially susceptible to future attacks. These exploits can create a domino effect within the company’s security infrastructure: chaining the vulnerabilities together achieves full remote access as root, collapsing the entire system. So why, if these vulnerabilities are so serious, did IBM refuse to patch them?
Ribeiro disclosed the four vulnerabilities to IBM as part of the organization’s bug disclosure program. In response to his advisory, IBM gave Ribeiro the following response:
“We have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for “enhanced” support paid for by our customers. This is outlined in our policy https://hackerone.com/ibm. To be eligible to participate in this program, you must not be under contract to perform security testing for IBM Corporation, or an IBM subsidiary, or IBM client within 6 months prior to submitting a report.”
Oddly, IBM initially refused a detailed vulnerability report from a reputable research organization. IBM’s initial response is also puzzling, as it raises more questions than it answers and does not address any of Ribeiro’s findings. Because of IBM’s lack of interest in moving forward, Ribeiro was forced to publish his findings on GitHub to make the vulnerabilities known to the public. The response by IBM is bewildering. Why would one of the largest computer hardware companies in the world not only refuse to act but also knowingly place its customers at risk of exposure?
Initially, IBM only admitted to several flaws within the IDRM and denied any major vulnerabilities. Since then, IBM has reversed its position, acknowledging that three of the vulnerabilities exist. In a follow-up email to ZDNet, IBM responded, calling the incident “a process error that resulted in an improper response to the researcher who reported this situation to IBM.” IBM has also stated that it will release a patch addressing the vulnerabilities, mitigation tips, and a security advisory as follow-up to the event. Regardless of IBM’s revised response, it still raises the question: why did IBM not agree with Ribeiro’s assessment and move to fix it right away? Only after Ribeiro published his findings on GitHub did IBM move to do anything.
While the circumstances seem unusual, IBM is now taking steps to address the problem. However, Ribeiro’s report should have been taken seriously from the beginning, not casually dismissed. Zero-day vulnerabilities of this scale that allow for a complete remote takeover of a network are an extreme security risk to any enterprise. More troubling is that these vulnerabilities originate from IBM, which not only should know to act as soon as possible in these situations but also should do so with its customers’ safety in mind. IBM currently has a single patch that addresses the arbitrary file download and command injection vulnerabilities. Anyone using IBM’s IDRM should seek immediate remediation efforts to segment their network, isolating the IDRM host from systems it does not need to reach, and remain hypervigilant for anything suspicious until IBM’s full patch addressing all remaining vulnerabilities goes live.
The Department of Justice is looking to acquire a GRC tool for the Office of the CIO within the FBI’s Enterprise Information Security Section.
Google has identified “unsafe” code in the Chromium web browser engine. This flaw introduces a potential vulnerability that affects Google Chrome, as well as all Chromium-based web browsers.
The International Association of Privacy Professionals (IAPP) has released its 2020 Privacy Tech Vendor report, reviewing key software solution vendors within the space. This year’s report highlighted the recent addition of Data Subject Request (DSR) to the feature categories.
Among the full set of features available in Zecurion’s new DLP product is the ability to perform user behavior analytics to help spot data loss events before they occur.
Zecurion has one of the most robust DLP products on the market, and this fact was recently recognized by SC Magazine, which placed the product in its “pick-of-the-litter” category for DLP.
In early March, Titus released Titus Illuminate 2020, which was the company’s answer to the question of analyzing data at rest. This latest version of Illuminate leverages machine learning and AI in an effort to manage data that contains potentially sensitive or high-risk personal information.
More than ever, cybersecurity solutions are core to any MSP’s offering. No longer should technology service providers be farming this out to dedicated security providers. Trust and peace of mind are the core tenets of what they are selling, and solutions like Acronis Cyber Protect Cloud can provide the platform upon which to deliver on those promises.
PHEMI is a data privacy solution focused on keeping data-processing activities secure by redacting information based on the role of the accessor. This allows such data to be used for multiple use cases without compromising privacy.
Kenna Security deployed its new data-driven vulnerability management program, Kenna.VM, and companion program, Kenna.VI. Released on April 28th, Kenna.VM was created to set service-level agreements (SLAs) with risk tolerance in mind.