IBM confirms four new zero-day vulnerabilities

News
By published

IBM accepts security vulnerabilities after initially rejecting reports

(Image credit: IBM)

IBM has admitted to several flaws in one of its security products after initially denying reports of any vulnerabilities.

The vulnerabilities impacted the IBM Data Risk Manager (IDRM) that aggregates feeds from vulnerability scanning tools and other risk management apparatus so that admins could continuously investigate and isolate security issues. 

IBM acknowledged three out of four serious vulnerabilities reported by Pedro Ribeiro of Agile Information Security as part of disclosures to the US Computer Emergency Response Team (CERT)

Three of the four bugs could be chained together to execute remote code without authentication by using root superuser rights. 

Zero-day vulnerabilities

The IRDM is an enterprise security product that handles sensitive information and any compromise on such a product could lead to a full-scale company compromise as the tool has credentials to access other security tools, besides containing information about critical vulnerabilities that impact IBM, Ribeiro said. 

The researcher added he found the bugs in IDRM and worked with the CERT team to report the issues to IBM through the official bug vulnerability disclosure program. However, despite the severity of the bugs, IBM did not accept the disclosure attempt. 

IBM’s response suggested that the vulnerability report was out of the scope of the company’s vulnerability disclosure program since the product was only for enhanced support of customers. For his part, Ribiero says he isn’t sure of what the answer means in terms of whether the report was accepted or if the product was out of support. 

"This is an unbelievable response by IBM, a multibillion-dollar company that is selling security enterprise products and security consultancy to huge corporations worldwide," Ribeiro said.

In an emailed response to ZDNet, IBM expressed regret over how the incident panned out and claimed that it was a process error that caused an improper response to the researcher. "We have been working on mitigation steps and they will be discussed in a security advisory to be issued," the email said. 

Via: ZDNet

Jitendra Soni
Jitendra Soni

Jitendra has been working in the Internet Industry for the last 7 years now and has written about a wide range of topics including gadgets, smartphones, reviews, games, software, apps, deep tech, AI, and consumer electronics.  

Latest in Security
A graphic showing someone on a tablet working through a supply chain.
Security issue in open source software leaves businesses concerned for systems
ransomware avast
One of the most powerful ransomware hacks around has been cracked using some serious GPU power
person at a computer
Infamous ransomware hackers reveal new tool to brute-force VPNs
person at a computer
Many workers are overconfident at spotting phishing attacks
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft 365 accounts are under attack from new malware spoofing popular work apps
Data Breach
Thousands of healthcare records exposed online, including private patient information
Latest in News
Panos Panay and Alexa Plus
Amazon's Panos Panay teases future Alexa+ devices from speakers to possible wearables
Metroid Prime 4
I reckon the Nintendo Switch 2 could launch with Metroid Prime 4 – here’s why
Samsung Galaxy Z Fold 6
New rumors predict a foldable iPhone will launch next year – and cost almost twice as much as the iPhone 16 Pro Max
Pebble smartwatch countdown
Pebble confirms its smartwatch announcement is just hours away
Logo of YouTube Shorts
Is YouTube auto-playing Shorts when you open the app? Well, you’re not alone - here’s how to fix it
Google DeepMind panel discussion
“More sovereignty and protection” - Google goes all-in on UK AI with data residency, upskilling projects, and startup investments
More about security
A graphic showing someone on a tablet working through a supply chain.

Security issue in open source software leaves businesses concerned for systems
person at a computer

Infamous ransomware hackers reveal new tool to brute-force VPNs
ViewSonic VP2788-5K Display

Viewsonic's 5K monitor finally goes on sale, but is it already too little too late to make a splash?

See more latest
Most Popular
ViewSonic VP2788-5K Display
Viewsonic's 5K monitor finally goes on sale, but is it already too little too late to make a splash?
Panos Panay and Alexa Plus
Amazon's Panos Panay teases future Alexa+ devices from speakers to possible wearables
Samsung Galaxy Z Fold 6
New rumors predict a foldable iPhone will launch next year – and cost almost twice as much as the iPhone 16 Pro Max
Maxtang SXRL-20 mini pc
This fanless PC looks like a giant heatsink and has one incredible feature: five, yes five, 4K-capable HDMI ports
Aoostar G-flip 370
There's no need for a monitor with this Ryzen AI-powered mini PC
The Ryzen AI Max+ 395 could power the latest generation of powerful mini PCs
This prototype mini PC demonstrates a massive leap forward for integrated graphics in a console form factor
Metroid Prime 4
I reckon the Nintendo Switch 2 could launch with Metroid Prime 4 – here’s why
Minisforum AI X1 mini PC
Tiny Mac Mini rival can power four 8K monitors, and is the first mini PC to receive AMD's powerful Ryzen 7 260 APU
AOOSTAR G-FLIP mini PC
AMD powers the world's fastest all-in-one PC, and yes, I've probably overstretched the definition of AIO PC just a tiny bit
26TB WD Red Pro HDD
Western Digital introduces 26TB WD Red Pro HDDs for RAID and NAS systems at a surprisingly low price