IBM Support

Security Bulletin: Vulnerabilities exist in IBM Data Risk Manager (CVE-2020-4427, CVE-2020-4428, CVE-2020-4429, and CVE-2020-4430)

Security Bulletin


Summary

Multiple vulnerabilities were reported to exist in IBM Data Risk Manager (IDRM) V2.0.1 and greater. Two issues were already fixed in V2.0.4.1, and the rest are fixed in V2.0.6.2 and later.

Vulnerability Details

CVEID:   CVE-2020-4427
DESCRIPTION:   IBM Data Risk Manager could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system.
CVSS Base score: 9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/180532 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVEID:   CVE-2020-4428
DESCRIPTION:   IBM Data Risk Manager could allow a remote authenticated attacker to execute arbitrary commands on the system.
CVSS Base score: 9.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/180533 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

CVEID:   CVE-2020-4429
DESCRIPTION:   IBM Data Risk Manager contains a default password for an IDRM administrative account. A remote attacker could exploit this vulnerability to login and execute arbitrary code on the system with root privileges.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/180534 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

CVEID:   CVE-2020-4430
DESCRIPTION:   IBM Data Risk Manager could allow a remote authenticated attacker to traverse directories on the system. An attacker could send a specially-crafted URL request to download arbitrary files from the system.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/180535 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Product Issue Versions
IBM Data Risk Manager Authentication Bypass 2.0.6.1 and earlier
IBM Data Risk Manager Command Injection 2.0.4 and earlier
IBM Data Risk Manager Default Password 2.0.6.1 and earlier
IBM Data Risk Manager Path Traversal 2.0.4 and earlier

Remediation/Fixes

To obtain fixes for all reported issues, customers are advised first to upgrade to v2.0.6, and then to apply the most recent fix packs (2.0.6.2 is not cumulative -- it must be applied on top of 2.0.6.1). Existing customers can download the version 2.0.6 from IBM Passport Advantage at https://www.ibm.com/software/passportadvantage/pacustomers.html.

Product VRMF APAR Remediation / First Fix
IBM Data Risk Manager 2.0.4.1 or earlier

GA17223

 1) Upgrade to version 2.0.6 (download from Passport Advantage)

 2) Apply IDRM_2.0.6.1_Fixpack 

 3) Apply DRM_2.0.6.2_Fixpack  
IBM Data Risk Manager 2.0.6

GA17223

 1) Apply IDRM_2.0.6.1_Fixpack 

 2) Apply DRM_2.0.6.2_Fixpack 
IBM Data Risk Manager 2.0.6.1

GA17223

 Apply DRM_2.0.6.2_Fixpack 

Workarounds and Mitigations

The Authentication Bypass issue only exists if SAML authentication is enabled. The issue does not occur when using LDAP authentication, for example.  SAML authentication is not enabled by default.  Customers can upgrade to the fixed version or disable SAML authentication.

To address the default password issue, customers can upgrade to the fixed version, which requires a password reset on initial login. Alternatively, customers can follow the product documentation and use the passwd command to change the default password for the IDRM administrative account.

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

The vulnerabilities were reported to IBM by Pedro Ribeiro, of Agile Information Security.

Change History

07 May 2020: Initial Publication
27 May 2020: Add link to troubleshooting document

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSJQ6V","label":"IBM Data Risk Manager"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
28 May 2020

UID

ibm16206875

Page Feedback