What did it take for stubborn IBM to fix flaws in its Data Risk Manager security software? Someone dropping zero-days

IBM is under fire for refusing to patch critical vulnerabilities in its Data Risk Manager product until exploit code was publicly disclosed.


In what seems a shortsighted move, given that a proactive approach would have served its customers better, Big Blue turned down a privately disclosed report of flaws in its enterprise security software – only to issue fixes after details of the holes emerged online.


Three of the four vulnerabilities – CVE-2020-4427, CVE-2020-4428, and CVE-2020-4429 – can be chained to potentially achieve unauthenticated remote code execution as root on vulnerable installations. This is possible if the default password, idrm, for the a3user account has not been changed; administrators are not prompted to change it. The fourth vulnerability, CVE-2020-4430, can be abused to download arbitrary files from the system.


They were discovered by Pedro Ribeiro of Agile Information Security, who privately tipped off IBM about the weaknesses. When Big Blue snubbed his report, he went public with the details on April 21, and his exploit code was added to the popular Metasploit framework a few days later for anyone to use. About a week later, on May 7, the IT titan issued versions 2.0.4.1 and 2.0.6.2 of Data Risk Manager said to add ..