#VU27085 Weak password requirements in IBM Data Risk Manager - CVE-2020-4429
Published: April 22, 2020 / Updated: May 5, 2020
Vulnerability identifier: #VU27085
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2020-4429
CWE-ID: CWE-521
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
IBM Data Risk Manager
IBM Data Risk Manager
Software vendor:
IBM Corporation
IBM Corporation
Description
The vulnerability allows an attacker to gain unauthorized access to the application.
The vulnerability exists due to application is using default credentials of "a3user:idrm" for user with access to SSH and sudo commands and does not require obligatory password change for this account upon first login.A remote attacker can abuse this account to gain unauthorized access to the application.
Note, despite the case being described in the IBM documentation this is a security vulnerability that should be addresses by forcing users to change default passwords rather than writing about it in manuals.
Remediation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.