Security Bulletin
Summary
Multiple vulnerabilities were reported to exist in IBM Data Risk Manager (IDRM) V2.0.1 and greater. Two issues were already fixed in V2.0.4.1, and the rest are fixed in V2.0.6.2 and later.
Vulnerability Details
DESCRIPTION: IBM Data Risk Manager could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system.
CVSS Base score: 9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/180532 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2020-4428
DESCRIPTION: IBM Data Risk Manager could allow a remote authenticated attacker to execute arbitrary commands on the system.
CVSS Base score: 9.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/180533 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2020-4429
DESCRIPTION: IBM Data Risk Manager contains a default password for an IDRM administrative account. A remote attacker could exploit this vulnerability to login and execute arbitrary code on the system with root privileges.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/180534 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2020-4430
DESCRIPTION: IBM Data Risk Manager could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially crafted URL request to download arbitrary files from the system.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/180535 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
Product | Issue | Versions |
IBM Data Risk Manager | Authentication Bypass | 2.0.6.1 and earlier |
IBM Data Risk Manager | Command Injection | 2.0.4 and earlier |
IBM Data Risk Manager | Default Password | 2.0.6.1 and earlier |
IBM Data Risk Manager | Path Traversal | 2.0.4 and earlier |
Remediation/Fixes
To obtain fixes for all reported issues, customers are advised first to upgrade to v2.0.6, and then to apply the most recent fix packs (2.0.6.2 is not cumulative -- it must be applied on top of 2.0.6.1). Existing customers can download the version 2.0.6 from IBM Passport Advantage at https://www.ibm.com/software/passportadvantage/pacustomers.html.
Product | VRMF | APAR | Remediation / First Fix |
IBM Data Risk Manager | 2.0.4.1 or earlier | GA17223 | 1) Upgrade to version 2.0.6 (download from Passport Advantage) 2) Apply IDRM_2.0.6.1_Fixpack 3) Apply DRM_2.0.6.2_Fixpack |
IBM Data Risk Manager | 2.0.6 | GA17223 | 1) Apply IDRM_2.0.6.1_Fixpack 2) Apply DRM_2.0.6.2_Fixpack |
IBM Data Risk Manager | 2.0.6.1 | GA17223 | Apply DRM_2.0.6.2_Fixpack |
Workarounds and Mitigations
The Authentication Bypass issue only exists if SAML authentication is enabled. The issue does not occur when using LDAP authentication, for example. SAML authentication is not enabled by default. Customers can upgrade to the fixed version or disable SAML authentication.
To address the default password issue, customers can upgrade to the fixed version, which requires a password reset on initial login. Alternatively, customers can follow the product documentation and use the passwd command to change the default password for the IDRM administrative account.
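To complement the passwd guidance above, here is an added Python example (not from the IBM bulletin or the product documentation) that reads /etc/shadow-format data and lists accounts whose password was last set on or before the date the appliance was deployed, which is the simplest local check for an account that may still carry the shipped default. The account name idrm_admin and every hash in the sample are placeholders; the real IDRM administrative account name comes from the product documentation.

```python
"""List local accounts whose password has not changed since deployment.

Added example, not code from the IBM bulletin. Parses the /etc/shadow
layout (name:hash:lastchg:...), where lastchg is days since 1970-01-01.
The account name "idrm_admin" and all hashes below are placeholders."""
from datetime import date

# Constructed sample in /etc/shadow layout; hashes are not real.
SAMPLE_SHADOW = """\
idrm_admin:$6$PLACEHOLDER_HASH_1:18000:0:99999:7:::
svcuser:$6$PLACEHOLDER_HASH_2:18400:0:99999:7:::
locked:!:18300:0:99999:7:::
mustchange:$6$PLACEHOLDER_HASH_3:0:0:99999:7:::
"""


def days_since_epoch(d):
    """Convert a date to the day count used in shadow field 3."""
    return (d - date(1970, 1, 1)).days


def unchanged_since(shadow_text, deployed):
    """Return account names whose password was last set on or before `deployed`.

    Locked or password-less accounts ('!', '*', empty) are skipped because they
    cannot be used for password login; lastchg == 0 means the system will force
    a change at next login, so such accounts are treated as already handled."""
    cutoff = days_since_epoch(deployed)
    stale = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3:
            continue  # blank or malformed line
        name, hashed, lastchg = fields[0], fields[1], fields[2]
        if hashed in ("", "*") or hashed.startswith("!"):
            continue
        if lastchg in ("", "0"):
            continue
        if int(lastchg) <= cutoff:
            stale.append(name)
    return stale


if __name__ == "__main__":
    import sys
    # Reading /etc/shadow needs root; fall back to the constructed sample.
    try:
        with open("/etc/shadow") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_SHADOW
    deployed = (date.fromisoformat(sys.argv[1]) if len(sys.argv) > 1
                else date(2019, 12, 31))
    for name in unchanged_since(text, deployed):
        print("password unchanged since deployment:", name)
```

Run it as root with the deployment date as the argument (for example `python3 check_default.py 2019-12-31`); any account it names should have its password changed with passwd as the bulletin describes, after which the lastchg field moves to the current day and the account drops off the list.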
References
Acknowledgement
The vulnerabilities were reported to IBM by Pedro Ribeiro, of Agile Information Security.
Change History
07 May 2020: Initial Publication
27 May 2020: Add link to troubleshooting document
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Document Information
Modified date:
28 May 2020
UID
ibm16206875