A researcher has discovered three critical vulnerabilities in IBM’s Data Risk Manager security virtual appliance that, when combined, can lead to unauthenticated remote code execution. The vulnerabilities are unpatched at this time and the researcher who found them said that IBM refused to accept his vulnerability report.
The Data Risk Manager is an enterprise product that provides data discovery and classification and includes analytics about business risk based on the information assets inside the organization. Pedro Ribeiro of Agile Information Security in the UK decided to take a look at version 2.0.3 of the product and found a total of four vulnerabilities, three of which can be chained together to gain root privileges on the product. He has published the details of each of the vulnerabilities and also has released a pair of Metasploit modules that can bypass authentication, gain remote code execution and download an arbitrary file from the target system.
The three critical vulnerabilities that Ribeiro discovered include an authentication bypass, a command injection flaw, and an insecure default password. The authentication bypass allows an attacker to abuse an issue with an API to get the Data Risk Manager appliance to accept an arbitrary session ID and username and then send a separate command to generate a new password for that username.
“We now have a valid Bearer administrative token that can be used to access various APIs. It's also possible to log in as a normal web user on the /albatross/login endpoint, which will yield an authenticated cookie instead of a token, allowing access to the web administration console. In any case, as this shows, authentication is now completely bypassed and we have full administrative access to IDRM,” Ribeiro said in his advisory.
With that admin access in hand, an attacker can then use the command injection vulnerability to upload an arbitrary file. Then it’s on to the default password issue.
“The administrative user in the IDRM virtual appliance is ‘a3user’. This user is allowed to log in via SSH and run sudo commands, and it is set up with a default password of ‘idrm’. When combined with vulnerabilities #1 and #2, this allows an unauthenticated attacker to achieve remote code execution as root on the IDRM virtual appliance, leading to complete system compromise,” Ribeiro said in the advisory.
After confirming his discoveries, Ribeiro attempted coordinated disclosure to IBM through the CERT/CC at Carnegie Mellon University. IBM has a vulnerability disclosure program that is administered through the HackerOne platform, but Ribeiro is not a HackerOne user and didn’t want to join, so he tried going through CERT/CC. IBM did not accept the vulnerability report, for reasons that are slightly unclear.
“We have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for ‘enhanced’ support paid for by our customers,” the response said.
Ribeiro said he had disclosed vulnerabilities to IBM in the past and it had not gone well, but he’s still confused about why the company would not accept this advisory.
“I'm not entirely sure. Their answer isn't clear, and CERT/CC told me themselves they don't really understand what they mean,” Ribeiro said in an email.
“My feeling is that someone was very hard headed inside IBM about receiving reports from HackerOne, and refuses to accept them from anywhere else. Since I didn't want to sign up to HackerOne, and just sent them the advisory through CERT/CC, they refused it.”
IBM officials said the refusal to accept Ribeiro's report was a mistake.
"A process error resulted in an improper response to the researcher who reported this situation to IBM. We have been working on mitigation steps and they will be discussed in a security advisory to be issued," the company said in an emailed statement.
Ribeiro said he was not able to find any Data Risk Manager appliances with a Shodan search, but said a broader Internet scan might turn up some.
“I suspect this product will be deep inside corporate networks, as it contains very critical and sensitive information about a company's vulnerabilities, so it should not be accessible from the outside,” he said.
“But precisely because it contains such sensitive information and credentials, it is a treasure trove for an attacker that is able to get a foothold inside the company's network through other means. If they are able to reach the appliance and use my exploits, they can pretty much access all information and take over the company.”