RCE exploit released for dangerous flaws in IBM Data Risk Manager, IBM is working on a fix

Four vulnerabilities have been found in IBM Data Risk Manager (IDRM) that, chained together, allow unauthenticated remote code execution (RCE) as root. IDRM is an enterprise tool that aggregates risk data from other security products and presents a single view of an organisation's security risks.

While analysing the IDRM Linux virtual appliance, security researcher Pedro Ribeiro discovered four vulnerabilities: an authentication bypass, a command injection, an insecure default password, and an arbitrary file download.

According to the researcher, chaining the first three flaws gives a remote attacker unauthenticated remote code execution as root on a vulnerable appliance; combining the first and fourth lets an unauthenticated attacker download arbitrary files from it.

Ribeiro tested the flaws only against IBM Data Risk Manager versions 2.0.1 through 2.0.3, but he believes the latest release, 2.0.6, is likely also vulnerable, as "there is no mention of fixed vulnerabilities in any changelog."

“IDRM is an enterprise security product that handles very sensitive information,” Ribeiro wrote in a report.

“The hacking of an IDRM appliance might lead to a full-scale company compromise, as it stores credentials to access other security tools, not to mention it contains information about critical vulnerabilities that affect the company.”

The authentication bypass lies in the appliance's API endpoint /albatross/user/login and can be exploited to obtain a valid administrative Bearer token, which then grants access to the other APIs.

The command injection flaw exists because IDRM exposes an API at /albatross/restAPI/v2/nmap/run/scan that lets an authenticated user run nmap scans with caller-controlled arguments.

"Having access to nmap allows running arbitrary commands, if we can upload a script file and then pass that as an argument to nmap with --script=," the researcher explained.

“However, to achieve code execution in this way, we still need to upload a file. Luckily, there is a method that processes patch files and accepts arbitrary file data, saving it to /home/a3user/agile3/patches/.”
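The quoted trick works because the danger is not in a shell but in nmap itself: an NSE script referenced by path is Lua code that nmap will execute. The following added example (written for this page, not IDRM's own code) puts a hypothetical wrapper that splices caller-controlled options into nmap's argv next to a hardened version that builds argv only from validated targets and an allowlist of script names. The patch directory is the one the article names; the wrapper, the allowlist, and the IP/CIDR-only target rule are assumptions for the example.

```python
"""Added example, not IDRM's code: a hypothetical nmap wrapper of the kind the
article describes, next to a hardened version. Shows why avoiding the shell is
not enough: nmap's own --script option turns any uploadable file into code."""
import ipaddress
import re
import shlex

# Upload directory named in the article; a script dropped here is reachable by path.
PATCH_DIR = "/home/a3user/agile3/patches"


def vulnerable_argv(user_args):
    """Hypothetical vulnerable pattern: caller-controlled options are spliced
    straight into argv. No shell, so metacharacters do nothing, but nmap still
    honours --script=<path> and will execute the referenced Lua file."""
    return ["nmap"] + shlex.split(user_args)


# Assumed allowlist of bundled NSE scripts the API is meant to offer.
ALLOWED_SCRIPTS = {"ssl-cert", "http-title", "banner"}
_SCRIPT_NAME = re.compile(r"[a-z0-9-]+")


def hardened_argv(targets, scripts=()):
    """Build argv from validated pieces only; reject anything that could be an
    option or a filesystem path. Targets are restricted to IPs/CIDRs (an
    assumption for the example; hostnames would need their own validator)."""
    argv = ["nmap", "-sV"]
    for name in scripts:
        if not _SCRIPT_NAME.fullmatch(name) or name not in ALLOWED_SCRIPTS:
            raise ValueError(f"script not permitted: {name!r}")
    if scripts:
        argv.append("--script=" + ",".join(scripts))
    for target in targets:
        try:
            # Raises on "--script=...", "/x.nse", "../x" and anything else
            # that is not an address or network, so no option can sneak in.
            ipaddress.ip_network(target, strict=False)
        except ValueError as exc:
            raise ValueError(f"bad target: {target!r}") from exc
        argv.append(target)
    return argv


def is_rejected(targets, scripts=()):
    """Helper for checks: True when hardened_argv refuses the input."""
    try:
        hardened_argv(targets, scripts)
    except ValueError:
        return True
    return False


def runs_uploaded_script(argv):
    """True when an nmap argv points --script at a file under PATCH_DIR."""
    return any(a.startswith("--script=" + PATCH_DIR) for a in argv)


if __name__ == "__main__":
    print(vulnerable_argv("-sV --script=/home/a3user/agile3/patches/x.nse 10.0.0.5"))
    print(hardened_argv(["10.0.0.0/24"], ["ssl-cert"]))
    print(is_rejected(["10.0.0.5"], ["/home/a3user/agile3/patches/x.nse"]))
```

The allowlist is the important part: even with subprocess and no shell, accepting a free-form `--script` value from the caller is equivalent to accepting arbitrary code once any upload path exists on the box.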

Exploiting the command injection requires an authenticated administrator session, which the authentication bypass provides.

The third issue is a built-in administrative account, "a3user", whose default password is "idrm"; the patch upload path under /home/a3user shows the scan runs under this account, and the default password is what completes the chain from code execution as a3user to root. The fourth vulnerability is a path traversal bug: a user-supplied pathname is not properly confined to the intended directory, which is what allows the arbitrary file download.
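Defenders running an appliance they cannot yet patch can watch for the chain's most distinctive footprint: nmap being launched with an NSE script referenced by path (legitimate use names bundled scripts or categories), especially one under the patch upload directory. The detection below is an added example for this page, not IBM's or the researcher's code; the events are constructed, and their JSON shape is an assumption standing in for whatever web-tier and process-start telemetry you actually have. It also attributes each suspicious exec to the most recent caller of the scan API, which is how you recover the attacker's source address.

```python
"""Added detection example for the IDRM chain described in the article.
Events are constructed (not captured from an appliance); "http" events stand
in for web-tier request logs and "exec" events for process-start telemetry."""
import json
import posixpath

PATCH_DIR = "/home/a3user/agile3/patches"              # upload dir named in the article
SCAN_API = "/albatross/restAPI/v2/nmap/run/scan"      # nmap API named in the article

# Constructed sample events; "t" is seconds, "src" the client address.
SAMPLE_EVENTS = [
    {"t": 100, "type": "http", "src": "203.0.113.7", "method": "POST", "path": "/albatross/user/login"},
    {"t": 130, "type": "http", "src": "203.0.113.7", "method": "POST", "path": SCAN_API},
    {"t": 131, "type": "exec", "user": "a3user",
     "argv": ["/usr/bin/nmap", "-sV", "--script=/home/a3user/agile3/patches/x.nse", "10.0.0.5"]},
    {"t": 400, "type": "http", "src": "198.51.100.9", "method": "POST", "path": SCAN_API},
    {"t": 401, "type": "exec", "user": "a3user",
     "argv": ["/usr/bin/nmap", "-sV", "--script=ssl-cert,http-title", "10.0.0.0/24"]},
    # A suspicious exec with no scan-API call in the window: still alerted, no src.
    {"t": 900, "type": "exec", "user": "a3user",
     "argv": ["/usr/bin/nmap", "--script", "/tmp/evil.nse", "10.0.0.6"]},
]


def script_args(argv):
    """Yield the value of every --script <v> / --script=<v> option in an nmap argv."""
    it = iter(argv)
    for arg in it:
        if arg == "--script":
            yield next(it, "")
        elif arg.startswith("--script="):
            yield arg[len("--script="):]


def suspicious_nmap_exec(argv):
    """True when nmap is told to run an NSE script by filesystem path, or one
    that normalises into the patch upload directory."""
    if not argv or posixpath.basename(argv[0]) != "nmap":
        return False
    for value in script_args(argv):
        for item in value.split(","):
            if "/" in item or posixpath.normpath(item).startswith(PATCH_DIR + "/"):
                return True
    return False


def find_exploit_execs(events, window_s=60):
    """Return one alert per suspicious nmap exec, attributing it to the most
    recent scan-API caller seen within window_s seconds (None if there is none)."""
    alerts = []
    last_scan_caller = None  # (t, src) of the latest request to SCAN_API
    for ev in sorted(events, key=lambda e: e["t"]):
        if ev["type"] == "http" and ev["path"] == SCAN_API:
            last_scan_caller = (ev["t"], ev["src"])
        elif ev["type"] == "exec" and suspicious_nmap_exec(ev["argv"]):
            src = None
            if last_scan_caller and ev["t"] - last_scan_caller[0] <= window_s:
                src = last_scan_caller[1]
            alerts.append({"t": ev["t"], "user": ev.get("user"), "src": src,
                           "scripts": list(script_args(ev["argv"]))})
    return alerts


if __name__ == "__main__":
    for alert in find_exploit_execs(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

The path check is deliberately broad: nmap's bundled scripts are always referenced by name, category or wildcard, so any "/" in a `--script` value on this appliance is worth a ticket, and a value that normalises into the patch directory is the exact artefact the article describes.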

IBM says version 2.0.4 already addressed two of the four vulnerabilities (the command injection and the arbitrary file download). To remediate the reported issues the vendor recommends upgrading to the most current IDRM release, 2.0.6, while fixes for the remaining two flaws, the authentication bypass and the default password, are still being worked on.
