CVE-2020-4427
Published 2020-05-07
Priority P1 · 97 · critical · 9.8 CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 70.03% (99.3rd percentile)
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system. IBM X-Force ID: 180532.
Affected
7 ranges listed; only one carries version data
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ibm | data_risk_manager | 2.0.1 – 2.0.6.1 | — |
Detection & IOCs (extracted from sources)
other: Location header contains: localhost:8765
sigma: HTTP GET /albatross/saml/idpSelection with response HTTP 302 redirect to localhost:8765
- Authentication bypass is triggered via a crafted GET request to /albatross/saml/idpSelection with a userName=admin parameter. A successful bypass results in an HTTP 302 redirect whose Location header contains both 'localhost:8765' and 'saml/idpSelection'.
- Post-bypass exploitation chains to SSH login using hardcoded credentials (a3user / idrm) on port 22 to achieve root-level remote code execution.
- The authentication bypass works on versions <= 2.0.6.1, but the command injection should only work on versions <= 2.0.4 according to IBM.
- Shodan query 'title:"IBM Data Risk Manager"' can be used to identify exposed IDRM instances for proactive scanning.
- A chained exploit path exists: unauthenticated SAML bypass → command injection as server user → SSH login with default a3user/idrm credentials → root shell. Monitor for all three stages.
- A separate file-download chain (auth bypass + path traversal) targets Tomcat's application.properties, which contains the database password. Versions 2.0.2 to 2.0.4 are vulnerable to this variant.
- The SAML authentication bypass (CVE-2020-4427) is only exploitable when the IDRM instance is configured to use SAML authentication. Instances using other authentication methods are not affected by this specific bypass vector.
- The command injection component of the RCE chain is only confirmed to work on versions <= 2.0.4, while the auth bypass affects up to 2.0.6.1. Detection rules should account for this version split.
- The arbitrary file download chain (path traversal) affects versions 2.0.2 to 2.0.4 only; version 2.0.1 is not vulnerable to that specific variant.
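The Sigma logic and the chain stages listed above, run over constructed log lines as an added example (this is not the page's, IBM's, or the Sigma project's own rule). The endpoint, the localhost:8765 redirect, the userName parameter and the a3user account come from the entries above; the reverse-proxy log format that records the response Location header, the sshd lines and the IP addresses are assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable
from urllib.parse import parse_qs, urlsplit

# Constructed sample logs (not from the page). The web log is an assumed
# reverse-proxy format that records the response Location header; the SSH
# log is ordinary sshd syslog output. Line 1 is the bypass, line 2 is a
# legitimate IdP redirect from the same endpoint, line 3 is unrelated.
WEB_LOG = """\
10.0.0.5 - - [07/May/2020:10:01:12 +0000] "GET /albatross/saml/idpSelection?id=8f3a&userName=admin HTTP/1.1" 302 0 location="http://localhost:8765/saml/idpSelection?id=8f3a&userName=admin"
10.0.0.7 - - [07/May/2020:10:01:30 +0000] "GET /albatross/saml/idpSelection?id=1c2d HTTP/1.1" 302 0 location="https://idp.example.com/sso/saml"
10.0.0.9 - - [07/May/2020:10:02:01 +0000] "GET /albatross/login HTTP/1.1" 200 512 location="-"
"""

SSH_LOG = """\
May  7 10:03:44 idrm sshd[1234]: Accepted password for a3user from 10.0.0.5 port 51022 ssh2
May  7 10:05:10 idrm sshd[1300]: Accepted publickey for ops from 10.0.0.20 port 51100 ssh2
"""

WEB_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ location="(?P<location>[^"]*)"'
)
SSH_RE = re.compile(
    r'sshd\[\d+\]: Accepted (?P<auth>\w+) for (?P<user>\S+) from (?P<src>\S+) port'
)

BYPASS_PATH = "/albatross/saml/idpSelection"
DEFAULT_ACCOUNT = "a3user"  # default IDRM account named on the page


@dataclass(frozen=True)
class Alert:
    stage: str
    src: str
    detail: str


def detect_saml_bypass(lines: Iterable[str]) -> list[Alert]:
    """Stage 1, the Sigma logic from the page: a GET to the idpSelection
    endpoint answered with a 302 whose Location names both localhost:8765
    and saml/idpSelection. userName=admin in the query is recorded for
    triage but not required, so an attempt against another account still
    fires; a redirect to a real IdP (line 2) does not."""
    alerts: list[Alert] = []
    for line in lines:
        m = WEB_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("path"))
        loc = m.group("location")
        if (m.group("method") == "GET"
                and url.path == BYPASS_PATH
                and m.group("status") == "302"
                and "localhost:8765" in loc
                and "saml/idpSelection" in loc):
            user = parse_qs(url.query).get("userName", ["?"])[0]
            alerts.append(Alert("saml_bypass", m.group("src"), f"userName={user}"))
    return alerts


def detect_default_account_ssh(lines: Iterable[str]) -> list[Alert]:
    """Stage 3 of the chain: any successful SSH login as the default account,
    whatever the auth method. The account should not be logging in at all."""
    alerts: list[Alert] = []
    for line in lines:
        m = SSH_RE.search(line)
        if m and m.group("user") == DEFAULT_ACCOUNT:
            alerts.append(Alert("default_account_ssh", m.group("src"), m.group("auth")))
    return alerts


def correlate(web: list[Alert], ssh: list[Alert]) -> set[str]:
    """Sources seen in both stages. Stage 2 (command injection) is only
    confirmed on <= 2.0.4 per the page, so on 2.0.5/2.0.6 the bypass alone
    is the signal; the SSH login needs no web-stage precondition either."""
    return {a.src for a in web} & {a.src for a in ssh}


if __name__ == "__main__":
    web = detect_saml_bypass(WEB_LOG.splitlines())
    ssh = detect_default_account_ssh(SSH_LOG.splitlines())
    for a in web + ssh:
        print(f"{a.stage:20} src={a.src:12} {a.detail}")
    print("chained exploitation suspected from:", sorted(correlate(web, ssh)))
```

Each stage is alerted on its own and then joined on source address; the correlation is the high-confidence chained-exploit signal, but the individual stages should still page, since the version split means the middle stage may never appear in the logs.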
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 9.0 | CRITICAL | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-24c2-gvwg-5p45: IBM Data Risk Manager 2
ghsa (unreviewed) · 2022-05-24
CVE-2020-4427 [HIGH] CWE-287 GHSA-24c2-gvwg-5p45: IBM Data Risk Manager 2
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system. IBM X-Force ID: 180532.
VulnCheck
IBM Data Risk Manager Security Bypass Vulnerability
vulncheck·2020·CVSS 9.8
CVE-2020-4427 [CRITICAL] IBM Data Risk Manager Security Bypass Vulnerability
IBM Data Risk Manager contains a security bypass vulnerability that could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system.
Affected: IBM Data Risk Manager
Required Action: Apply updates per vendor instructions.
Exploitation References:
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
https://app.crowdsec.net/cti/cve-explorer/CVE-2020-4427
https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2026-03-12&host_type=src&vulnerability=cve-2020-4427
https:/
CISA
IBM Data Risk Manager Security Bypass Vulnerability
cisa·2021-11-03·CVSS 9.8
CVE-2020-4427 [CRITICAL] IBM Data Risk Manager Security Bypass Vulnerability
Vulnerability: IBM Data Risk Manager Security Bypass Vulnerability
Affected: IBM Data Risk Manager
IBM Data Risk Manager contains a security bypass vulnerability that could allow a remote attacker to bypass security restrictions when configured with SAML authentication. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to bypass the authentication process and gain full administrative access to the system.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-4427
Remediation Due Date: 2022-05-03
No detection rules found.
Nuclei
IBM Data Risk Manager - Hardcoded Credentials
nuclei·CVSS 9.8
CVE-2020-4429 [CRITICAL] IBM Data Risk Manager - Hardcoded Credentials
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 contains a default password for an IDRM administrative account. A remote attacker could exploit this vulnerability to login and execute arbitrary code on the system with root privileges. IBM X-Force ID- 180534.
Template:
id: CVE-2020-4429
info:
  name: IBM Data Risk Manager - Hardcoded Credentials
  author: Kazgangap
  severity: critical
  description: |
    IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 contains a default password for an IDRM administrative account. A remote attacker could exploit this vulnerability to login and execute arbitrary code on the system with root privileges. IBM X-Force ID- 180534.
  impact: |
    Remote attackers can gain root access and exec
Nuclei
IBM Data Risk Manager - Authentication Bypass via SAML
nuclei·CVSS 9.8
CVE-2020-4427 [CRITICAL] IBM Data Risk Manager - Authentication Bypass via SAML
IBM Data Risk Manager versions 2.0.1 through 2.0.6 are vulnerable to authentication bypass when configured with SAML authentication. A remote attacker can bypass security restrictions by sending a specially crafted HTTP request to the SAML idpSelection endpoint, allowing them to bypass the authentication process and gain full administrative access to the system.
Template:
id: CVE-2020-4427
info:
  name: IBM Data Risk Manager - Authentication Bypass via SAML
  author: ritikchaddha
  severity: critical
  description: |
    IBM Data Risk Manager versions 2.0.1 through 2.0.6 are vulnerable to authentication bypass when configured with SAML authentication. A remote attacker can bypass security restrictions by sending a specially crafted HTTP reques
Metasploit
IBM Data Risk Manager Unauthenticated Remote Code Execution
metasploit
IBM Data Risk Manager Unauthenticated Remote Code Execution
IBM Data Risk Manager (IDRM) contains three vulnerabilities that can be chained by an unauthenticated attacker to achieve remote code execution as root. The first is an unauthenticated bypass, followed by a command injection as the server user, and finally abuse of an insecure default password. This module exploits all three vulnerabilities, giving the attacker a root shell. At the time of disclosure this was a 0-day, but it was later confirmed and patched by IBM. The authentication bypass works on versions <= 2.0.6.1, but the command injection should only work on versions <= 2.0.4 according to IBM.
Metasploit
IBM Data Risk Manager Arbitrary File Download
metasploit
IBM Data Risk Manager Arbitrary File Download
IBM Data Risk Manager (IDRM) contains two vulnerabilities that can be chained by an unauthenticated attacker to download arbitrary files off the system. The first is an unauthenticated bypass, followed by a path traversal. This module exploits both vulnerabilities, giving an attacker the ability to download (non-root) files. A downloaded file is zipped, and this module also unzips it before storing it in the database. By default this module downloads Tomcat's application.properties file, which contains the database password, amongst other sensitive data. At the time of disclosure this was a 0-day, but IBM later patched it and released their advisory. Versions 2.0.2 to 2.0.4 are vulnerable; version 2.0.1 is not.
No writeups or analysis indexed.
https://exchange.xforce.ibmcloud.com/vulnerabilities/180532
https://www.ibm.com/support/pages/node/6206875
http://seclists.org/fulldisclosure/2024/Nov/0
http://seclists.org/fulldisclosure/2024/Nov/1
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-4427
2020-05-07: Published
2021-11-03: Added to CISA KEV
Exploited in the wild