Vulnerabilities > CVE-2020-4427 - Unspecified vulnerability in IBM Data Risk Manager
Attack vector
NETWORK Attack complexity
LOW Privileges required
SINGLE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system. IBM X-Force ID: 180532.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 6 |
Metasploit
description IBM Data Risk Manager (IDRM) contains two vulnerabilities that can be chained by an unauthenticated attacker to download arbitrary files off the system. The first is an unauthenticated bypass, followed by a path traversal. This module exploits both vulnerabilities, giving an attacker the ability to download (non-root) files. A downloaded file is zipped, and this module also unzips it before storing it in the database. By default this module downloads Tomcat's application.properties files, which contains the database password, amongst other sensitive data. At the time of disclosure, this is a 0 day. Versions 2.0.3 and 2.0.2 are confirmed to be affected, and the latest 2.0.6 is most likely affected too. Version 2.0.1 is not vulnerable. id MSF:AUXILIARY/ADMIN/HTTP/IBM_DRM_DOWNLOAD last seen 2020-06-12 modified 2020-05-07 published 2020-04-21 references reporter Rapid7 source https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/http/ibm_drm_download.rb title IBM Data Risk Manager Arbitrary File Download description IBM Data Risk Manager (IDRM) contains three vulnerabilities that can be chained by an unauthenticated attacker to achieve remote code execution as root. The first is an unauthenticated bypass, followed by a command injection as the server user, and finally abuse of an insecure default password. This module exploits all three vulnerabilities, giving the attacker a root shell. At the time of disclosure, this is a 0day. Versions 2.0.3 and below are confirmed to be affected, and the latest 2.0.6 is most likely affected too. id MSF:EXPLOIT/LINUX/HTTP/IBM_DRM_RCE last seen 2020-06-14 modified 2020-05-05 published 2020-04-21 references - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4427
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4428
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4429
- https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md
- https://seclists.org/fulldisclosure/2020/Apr/33
reporter Rapid7 source https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/http/ibm_drm_rce.rb title IBM Data Risk Manager Unauthenticated Remote Code Execution
Packetstorm
| data source | https://packetstormsecurity.com/files/download/157567/ibm_drm_rce.rb.txt |
| id | PACKETSTORM:157567 |
| last seen | 2020-05-06 |
| published | 2020-05-05 |
| reporter | Pedro Ribeiro |
| source | https://packetstormsecurity.com/files/157567/IBM-Data-Risk-Manager-2.0.3-Remote-Code-Execution.html |
| title | IBM Data Risk Manager 2.0.3 Remote Code Execution |