Multiple vulnerabilities were reported to exist in IBM Data Risk Manager (IDRM) V2.0.1 and greater. Two issues were already fixed in V126.96.36.199, and the rest are fixed in V188.8.131.52 and later.
DESCRIPTION: IBM Data Risk Manager could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system.
CVSS Base score: 9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/180532 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

DESCRIPTION: IBM Data Risk Manager could allow a remote authenticated attacker to execute arbitrary commands on the system.
CVSS Base score: 9.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/180533 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

DESCRIPTION: IBM Data Risk Manager contains a default password for an IDRM administrative account. A remote attacker could exploit this vulnerability to log in and execute arbitrary code on the system with root privileges.
CVSS Base score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/180534 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

DESCRIPTION: IBM Data Risk Manager could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially crafted URL request to download arbitrary files from the system.
CVSS Base score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/180535 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
| Affected Product | Issue | Affected Versions |
|---|---|---|
| IBM Data Risk Manager | Authentication Bypass | 184.108.40.206 and earlier |
| IBM Data Risk Manager | Command Injection | 2.0.4 and earlier |
| IBM Data Risk Manager | Default Password | 220.127.116.11 and earlier |
| IBM Data Risk Manager | Path Traversal | 2.0.4 and earlier |
To obtain fixes for all reported issues, customers are advised first to upgrade to v2.0.6, and then to apply the most recent fix packs (18.104.22.168 is not cumulative -- it must be applied on top of 22.214.171.124). Existing customers can download the version 2.0.6 from IBM Passport Advantage at https://www.ibm.com/software/passportadvantage/pacustomers.html.
| Product | VRMF | APAR | Remediation / First Fix |
|---|---|---|---|
| IBM Data Risk Manager | 126.96.36.199 or earlier | | 1) Upgrade to version 2.0.6 (download from Passport Advantage); 2) Apply IDRM_188.8.131.52_Fixpack; 3) Apply DRM_184.108.40.206_Fixpack |
| IBM Data Risk Manager | 2.0.6 | | 1) Apply IDRM_220.127.116.11_Fixpack; 2) Apply DRM_18.104.22.168_Fixpack |
| IBM Data Risk Manager | 22.214.171.124 | | |
Workarounds and Mitigations
The Authentication Bypass issue only exists if SAML authentication is enabled. The issue does not occur when using LDAP authentication, for example. SAML authentication is not enabled by default. Customers can upgrade to the fixed version or disable SAML authentication.
To address the default password issue, customers can upgrade to the fixed version, which requires a password reset on initial login. Alternatively, customers can follow the product documentation and use the passwd command to change the default password for the IDRM administrative account.
The vulnerabilities were reported to IBM by Pedro Ribeiro, of Agile Information Security.
07 May 2020: Initial Publication
27 May 2020: Add link to troubleshooting document
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
28 May 2020