IBM has admitted to several flaws in one of its security products after initially denying reports of any vulnerabilities.
The vulnerabilities impacted the IBM Data Risk Manager (IDRM) that aggregates feeds from vulnerability scanning tools and other risk management apparatus so that admins could continuously investigate and isolate security issues.
IBM acknowledged three out of four serious vulnerabilities reported by Pedro Ribeiro of Agile Information Security as part of disclosures to the US Computer Emergency Response Team (CERT)
Three of the four bugs could be chained together to execute remote code without authentication by using root superuser rights.
The IRDM is an enterprise security product that handles sensitive information and any compromise on such a product could lead to a full-scale company compromise as the tool has credentials to access other security tools, besides containing information about critical vulnerabilities that impact IBM, Ribeiro said.
The researcher added he found the bugs in IDRM and worked with the CERT team to report the issues to IBM through the official bug vulnerability disclosure program. However, despite the severity of the bugs, IBM did not accept the disclosure attempt.
IBM’s response suggested that the vulnerability report was out of the scope of the company’s vulnerability disclosure program since the product was only for enhanced support of customers. For his part, Ribiero says he isn’t sure of what the answer means in terms of whether the report was accepted or if the product was out of support.
“This is an unbelievable response by IBM, a multibillion-dollar company that is selling security enterprise products and security consultancy to huge corporations worldwide,” Ribeiro said.
In an emailed response to ZDNet, IBM expressed regret over how the incident panned out and claimed that it was a process error that caused an improper response to the researcher. “We have been working on mitigation steps and they will be discussed in a security advisory to be issued,” the email said.