IBM has acknowledged three out of four serious vulnerabilities in its Data Risk Manager Linux virtual appliance, after initially rejecting a researcher's bug report coordinated through the United States Computer Emergency Response Team (CERT).
Pedro Ribeiro of Agile Information Security disclosed four vulnerabilities to IBM, three of which can be chained together to achieve unauthenticated remote code execution as the root superuser, which has full access to the system.
The vulnerabilities disclosed by Ribeiro are an authentication bypass; a command injection; an insecure default password in Data Risk Manager; and an arbitrary file download that lets attackers retrieve files from the appliance.
IBM's response to the bug report was to close it, with the company initially saying it was "out of scope for our vulnerability disclosure program since this product is only for 'enhanced' support paid for by our customers."
"This is an unbelievable response by IBM, a multi-billion-dollar company that is selling security enterprise products and security consultancy to huge corporations worldwide," Ribeiro wrote.
IBM has since advised users to upgrade to version 2.0.6 of Data Risk Manager, but this does not appear to address the authentication bypass vulnerability, which the IT giant said is currently being investigated.
Ribeiro believes that Data Risk Manager 2.0.4 to 2.0.6 are likely to be vulnerable to all the bugs he discovered, contrary to IBM's claims, as the new version was released before he submitted his disclosure report to the company.
IBM Data Risk Manager is an enterprise security product that handles very sensitive information, Ribeiro noted.
It stores credentials for accessing other security tools, so a compromised appliance could lead to a full-scale compromise of the company, Ribeiro speculated.
Ribeiro remains unconvinced that IBM will fix the vulnerabilities.
"IBM refused to acknowledge this vulnerability report, so most likely won't fix this vulnerability. Make sure you uninstall the product so it does not endanger your network / company," he advised.