IBM Has Reportedly Refused to Fix Four Zero-Days Deeming Them “Out of Scope”
- A researcher has tried to report four severe zero-days to IBM concerning their IDRM product.
- The company ignored the report, so the researcher decided to publish the full technical details on GitHub.
- The exploitation of the vulnerabilities can happen remotely and lead to a full system/network compromise.
Security researcher Pedro Ribeiro of Agile Security has found four zero-days on IBM's Data Risk Manager (IDRM) enterprise security tool and is reporting that the American technology colossus has blatantly ignored him. When he discovered the bugs, he figured that the implications were dire, since they could very easily lead to full-scale compromise on the networks of large organizations that trust and use IBM's solutions. However, when he reported the issues through IBM's official bug bounty program, he got the following bewildering response:
"We have assessed this report and closed as being out of scope for our vulnerability disclosure program since this product is only for "enhanced" support paid for by our customers. This is outlined in our policy https://hackerone.com/ibm. To be eligible to participate in this program, you must not be under contract to perform security testing for IBM Corporation, or an IBM subsidiary, or IBM client within 6 months prior to submitting a report."
The researcher notes that he offered the reports for free, and didn't expect the payment of a bounty in return. Moreover, the claim that IBM is only accepting vulnerability reports from those who are participating in their security testing programs is an entirely novel one for this researcher, for us, and everyone else out there. As the researcher correctly points out, since the product is still sold to new customers, the case can't be that the tool is no longer supported. And finally, no matter who discovered the zero-day bugs and how exactly they reported it, shouldn't IBM have taken note of their content? Aren't the implications that arise from the existence of the discovered flaws more important than following the established reporting policies without deviation?
With none of the above having been answered via an official announcement by IBM yet, it is very likely that the whole case is a misunderstanding that will clear up soon. Until then, though, the researcher has already published his findings on GitHub, so that companies that deploy IDRM can implement effective mitigations until fixing patch lands. The researcher doesn't believe that IBM will fix the zero-days, and suggests that users should uninstall the product. For the record, the flaws concern an authentication bypass (critical), a command injection (critical), an insecure default password (critical), and an arbitrary file download (high). All of these affect IDRM 2.0.2 and 2.0.3, and, likely, versions up to 2.0.6 are also vulnerable.