cbcvebase.
CVE-2020-4427
published 2020-05-07


Priority: P197 · Severity: critical · Score: 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (due 2022-05-03)
Exploited in the wild
EPSS: 70.03% (99.3rd percentile)
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system. IBM X-Force ID: 180532.

Affected (7 ranges)

Vendor   Product             Version range      Fixed in
ibm      data_risk_manager   2.0.1 – 2.0.6.1
(the six further ibm / data_risk_manager entries carry no version range or fix version)

Detection & IOCs (extracted from sources)

url:    /albatross/saml/idpSelection?id={{randstr}}&userName=admin
path:   /albatross/saml/idpSelection
other:  Location header contains: localhost:8765
sigma:  HTTP GET /albatross/saml/idpSelection with response HTTP 302 redirect to localhost:8765
  • Authentication bypass is triggered via a crafted GET request to /albatross/saml/idpSelection with userName=admin parameter. A successful bypass results in an HTTP 302 redirect whose Location header contains both 'localhost:8765' and 'saml/idpSelection'.
  • Post-bypass exploitation chains to SSH login using hardcoded credentials (a3user / idrm) on port 22 to achieve root-level remote code execution.
  • The authentication bypass works on versions <= 2.0.6.1, but the command injection should only work on versions <= 2.0.4 according to IBM.
  • Shodan query 'title:"IBM Data Risk Manager"' can be used to identify exposed IDRM instances for proactive scanning.
  • A chained exploit path exists: unauthenticated SAML bypass → command injection as server user → SSH login with default a3user/idrm credentials → root shell. Monitor for all three stages.
  • A separate file-download chain (auth bypass + path traversal) targets Tomcat's application.properties, which contains the database password. Versions 2.0.2 to 2.0.4 are vulnerable to this variant.
  • The SAML authentication bypass (CVE-2020-4427) is only exploitable when the IDRM instance is configured to use SAML authentication. Instances using other authentication methods are not affected by this specific bypass vector.
  • The command injection component of the RCE chain is only confirmed to work on versions <= 2.0.4, while the auth bypass affects up to 2.0.6.1. Detection rules should account for this version split.
  • The arbitrary file download chain (path traversal) affects versions 2.0.2 to 2.0.4 only; version 2.0.1 is not vulnerable to that specific variant.
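A defender-side check for the stage-1 indicators listed above (a userName parameter on /albatross/saml/idpSelection answered by a 302 whose Location carries localhost:8765 and saml/idpSelection), as an added example that is not from this page or from IBM. It assumes a hypothetical reverse-proxy or WAF log in which each request is one JSON record with method, path, query, status and resp_location fields; the sample records are constructed.

```python
import json
from urllib.parse import parse_qs

BYPASS_PATH = "/albatross/saml/idpSelection"

def is_bypass_attempt(rec: dict) -> bool:
    """Stage-1 indicator: GET to the idpSelection endpoint carrying a userName parameter."""
    if rec.get("method") != "GET" or rec.get("path") != BYPASS_PATH:
        return False
    return "userName" in parse_qs(rec.get("query", ""))

def is_bypass_success(rec: dict) -> bool:
    """Stage-1 success: the attempt is answered with a 302 whose Location header
    contains both 'localhost:8765' and 'saml/idpSelection', as the sources describe."""
    if not is_bypass_attempt(rec) or rec.get("status") != 302:
        return False
    loc = rec.get("resp_location", "")
    return "localhost:8765" in loc and "saml/idpSelection" in loc

def classify(line: str) -> str:
    """Return 'success', 'attempt' or 'benign' for one JSON-encoded log record."""
    rec = json.loads(line)
    if is_bypass_success(rec):
        return "success"
    return "attempt" if is_bypass_attempt(rec) else "benign"

def scan(lines) -> list:
    """Alerts as (source, verdict) for every non-benign record; silent on normal traffic."""
    alerts = []
    for line in lines:
        verdict = classify(line)
        if verdict != "benign":
            alerts.append((json.loads(line).get("src"), verdict))
    return alerts

# Constructed sample records in the hypothetical log format above; not real traffic.
SAMPLE_LOG = [
    json.dumps({"src": "203.0.113.5", "method": "GET", "path": BYPASS_PATH,
                "query": "id=Kq8sd2&userName=admin", "status": 302,
                "resp_location": "http://localhost:8765/albatross/saml/idpSelection?id=Kq8sd2"}),
    # Same request against a patched instance: redirected, but not to localhost:8765
    json.dumps({"src": "203.0.113.5", "method": "GET", "path": BYPASS_PATH,
                "query": "id=Kq8sd2&userName=admin", "status": 302,
                "resp_location": "/albatross/login"}),
    # Ordinary SAML IdP selection without a userName parameter
    json.dumps({"src": "192.0.2.10", "method": "GET", "path": BYPASS_PATH,
                "query": "id=7f3a", "status": 200, "resp_location": ""}),
]
```

The version split noted above means an "attempt" verdict on a 2.0.5 or 2.0.6 host still deserves review, since the bypass reaches up to 2.0.6.1 even where the later RCE stages do not.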

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v3.0      9.0     CRITICAL   CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
nvd         v2.0      9.0     CRITICAL   AV:N/AC:L/Au:S/C:C/I:C/A:C
vulncheck             9.8     CRITICAL
cisa                  9.8     CRITICAL