According to a security researcher, IBM has declined to fix several vulnerabilities discovered in its Data Risk Manager product, despite his demonstrating that a remote, unauthenticated attacker can exploit them to execute arbitrary code with root privileges.

Pedro Ribeiro of Agile Information Security has published technical details for four zero-day vulnerabilities affecting IBM Data Risk Manager, an enterprise security product that IBM says “provides executives and their teams a business-consumable data risk control center that helps to uncover, analyze, and visualize data-related business risks so they can take action to protect their business.”

The four flaws are an authentication bypass, a command injection, a default password, and an arbitrary file download. The researcher warned that a remote attacker could chain the first three to execute arbitrary code as root, and could combine the authentication bypass with the arbitrary file download flaw to retrieve arbitrary files from the targeted system.

IBM was notified of the vulnerabilities through CERT/CC, but the vendor said it had assessed the report and closed it as out of scope for its vulnerability disclosure program “since this product is only for ‘enhanced’ support paid for by our customers.”

Ribeiro says he does not understand the company’s explanation for rejecting his report and is puzzled by the decision.

“This is an unbelievable response by IBM, a multi-billion-dollar company that is selling security enterprise products and security consultancy to huge corporations worldwide. They refused to accept a free high quality vulnerability report on one of their products,” the researcher noted.

Alongside the technical details, Ribeiro released two Metasploit modules that exploit the vulnerabilities for remote code execution and arbitrary file download.

 
