#VU27085 Weak password requirements in IBM Data Risk Manager
Vulnerability identifier: #VU27085
Vulnerability risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C]
CVE-ID:
CWE-ID:
CWE-521
Exploitation vector: Network
Exploit availability: Yes
Vulnerable software:
IBM Data Risk Manager
Web applications /
Other software
Vendor: IBM Corporation
Description
The vulnerability allows an attacker to gain unauthorized access to the application.
The vulnerability exists due to application is using default credentials of "a3user:idrm" for user with access to SSH and sudo commands and does not require obligatory password change for this account upon first login.A remote attacker can abuse this account to gain unauthorized access to the application.
Note, despite the case being described in the IBM documentation this is a security vulnerability that should be addresses by forcing users to change default passwords rather than writing about it in manuals.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
IBM Data Risk Manager: 2.0.1 - 2.0.6
External links
http://seclists.org/fulldisclosure/2020/Apr/33
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
