IBM confirms four new zero-day vulnerabilities


IBM has admitted to several flaws in one of its security products after initially denying reports of any vulnerabilities.

The vulnerabilities affect IBM Data Risk Manager (IDRM), a product that aggregates feeds from vulnerability scanners and other risk management tooling so that administrators can continuously investigate and isolate security issues.

IBM acknowledged three of the four serious vulnerabilities reported by Pedro Ribeiro of Agile Information Security, who disclosed them through the US Computer Emergency Response Team (CERT).

Three of the four bugs can be chained together to achieve unauthenticated remote code execution with root privileges.

Zero-day vulnerabilities

IDRM is an enterprise security product that handles sensitive information, and any compromise of such a product could lead to a full-scale company compromise, as the tool holds credentials to access other security tools and contains information about critical vulnerabilities that affect the organisation, Ribeiro said.

The researcher added that he found the bugs in IDRM and worked with the CERT team to report the issues to IBM through the company's official vulnerability disclosure program. However, despite the severity of the bugs, IBM did not accept the disclosure.

IBM's response suggested that the report was out of scope for the company's vulnerability disclosure program because the product was only for "enhanced support" customers. For his part, Ribeiro says he isn't sure what the answer means: whether the report was accepted, or whether the product is out of support.

"This is an unbelievable response by IBM, a multibillion-dollar company that is selling security enterprise products and security consultancy to huge corporations worldwide," Ribeiro said.

In an emailed response to ZDNet, IBM expressed regret over how the incident panned out and claimed that it was a process error that caused an improper response to the researcher. "We have been working on mitigation steps and they will be discussed in a security advisory to be issued," the email said. 

Via: ZDNet

Jitendra Soni
