Researcher publishes IBM software zero-days after IBM refused to patch them
A security researcher has published four zero-days in IBM security software. He did so after the company refused to patch the vulnerabilities. According to IBM, the researcher’s report fell outside the scope of its responsible disclosure policy.
The vulnerabilities are in IBM Data Risk Manager (IDRM), a tool that gives companies various functions for managing security. Security researcher Pedro Ribeiro found four vulnerabilities in the software. He classifies three of them as ‘critical’ and the fourth as ‘high risk’.
They consist of an authentication bypass, a command injection, a weak default password used somewhere in the product, and the ability to download arbitrary files. All four attacks can be carried out not only locally but also remotely, provided the IDRM is connected to the internet. Ribeiro adds that this is often not the case.
The researcher has published information about the vulnerabilities on GitHub. They are present in IDRM versions up to at least 2.0.3. Version 2.0.6 of the software is now out. Ribeiro says he has not been able to test whether the vulnerabilities are also present in that version. Since he didn’t report the vulnerabilities until after 2.0.6 came out and IBM didn’t include information about the specific bugs in the release notes, it doesn’t seem like they’ve been fixed yet.
The researcher says he contacted IBM to report the vulnerabilities. He did this through CERT/CC, the body that categorizes and coordinates vulnerabilities in software. IBM rejected the report. The company refers to its terms on HackerOne. “These bugs are out of scope for our responsible disclosure program because this product is only intended to provide additional support for paying customers,” the company wrote to CERT/CC.
The company tells ZDNet that it regrets the course of events and that it is still working on a solution to the problem.