CVE-2020-4429
Published: 2020-05-07
Priority: P1 (91) · critical · CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV · Exploited in the wild
EPSS: 71.36% (99.3rd percentile)
IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 contains a default password for an IDRM administrative account. A remote attacker could exploit this vulnerability to login and execute arbitrary code on the system with root privileges. IBM X-Force ID: 180534.
Affected
6 ranges (one per version enumerated in the description; no fixed version is stated on this page)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ibm | data_risk_manager | 2.0.1 | — |
| ibm | data_risk_manager | 2.0.2 | — |
| ibm | data_risk_manager | 2.0.3 | — |
| ibm | data_risk_manager | 2.0.4 | — |
| ibm | data_risk_manager | 2.0.5 | — |
| ibm | data_risk_manager | 2.0.6 | — |
Detection & IOCs (extracted from sources)
- Detect SSH login attempts using the hardcoded credential pair a3user/idrm against IBM Data Risk Manager appliances on port 22.
- Monitor for successful SSH authentication by the a3user account on IDRM appliances, especially when it is followed by sudo/root escalation.
- Detect exploitation chains that combine the authentication bypass, the command injection and default-credential abuse against IDRM HTTP endpoints; all three are chained for unauthenticated RCE as root.
- Alert on unauthenticated HTTP requests with path-traversal patterns against IDRM (versions 2.0.2 to 2.0.4), particularly those that result in the download of application.properties or other sensitive files.

Scoping notes:
- The authentication bypass (unauthenticated) affects a broader version range than the command injection component; scope detection rules accordingly.
- The arbitrary file download (path traversal) affects versions 2.0.2 to 2.0.4 only; version 2.0.1 is not vulnerable to this vector.
- The default SSH credential (a3user/idrm) is confirmed across all listed versions up to and including 2.0.6.1.
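The SSH and HTTP detections above, as an added example that is not code from this page or from any of the tools it indexes: two small rule functions run over constructed sshd/sudo syslog lines and Tomcat-style access-log lines. The a3user account name and the application.properties file name come from the page; the hostnames, addresses, PIDs and /idrm/... request paths are invented placeholders, and the ten-minute escalation window is an assumption to tune per site.

```python
"""Detections for CVE-2020-4429 abuse: a3user SSH logins with sudo escalation,
and path-traversal / sensitive-file download requests in a web access log."""
import re
from datetime import datetime, timedelta

DEFAULT_USER = "a3user"                     # default IDRM account named on the page
ESCALATION_WINDOW = timedelta(minutes=10)  # assumption: correlation window, tune per site

# Constructed sample logs (not from the page or a real appliance). Hostnames,
# addresses, PIDs and the /idrm/... request paths are invented placeholders.
AUTH_LOG = """\
May  7 10:01:02 idrm sshd[2231]: Failed password for a3user from 203.0.113.9 port 51234 ssh2
May  7 10:01:05 idrm sshd[2231]: Accepted password for a3user from 203.0.113.9 port 51234 ssh2
May  7 10:01:30 idrm sudo:   a3user : TTY=pts/0 ; PWD=/home/a3user ; USER=root ; COMMAND=/bin/bash
May  7 10:05:00 idrm sshd[2300]: Accepted publickey for ops from 198.51.100.4 port 40000 ssh2
May  7 10:06:00 idrm sshd[2310]: Failed password for a3user from 203.0.113.77 port 40001 ssh2
May  7 10:20:00 idrm sudo:   a3user : TTY=pts/1 ; PWD=/home/a3user ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""
ACCESS_LOG = """\
203.0.113.9 - - [07/May/2020:10:00:01 +0000] "GET /idrm/login HTTP/1.1" 200 1834
203.0.113.9 - - [07/May/2020:10:00:09 +0000] "GET /idrm/download?file=../../../application.properties HTTP/1.1" 200 2048
203.0.113.9 - - [07/May/2020:10:00:15 +0000] "GET /idrm/download?file=..%2f..%2fetc%2fpasswd HTTP/1.1" 404 310
198.51.100.4 - - [07/May/2020:10:02:00 +0000] "POST /idrm/api/status HTTP/1.1" 200 77
"""

SYSLOG_TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
SSHD_RE = re.compile(
    SYSLOG_TS + r" \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
SUDO_RE = re.compile(
    SYSLOG_TS + r" \S+ sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Dot-dot segments in plain, URL-encoded and double-encoded forms.
TRAVERSAL_RE = re.compile(r"(?:\.\.|%2e%2e|%252e%252e)(?:/|\\|%2f|%5c)", re.IGNORECASE)
SENSITIVE_FILES = ("application.properties",)


def _ts(s):
    # syslog lines carry no year; strptime defaults it to 1900, which is fine for deltas
    return datetime.strptime(s, "%b %d %H:%M:%S")


def detect_ssh(lines):
    """Flag a3user SSH attempts/successes and a3user->root sudo, marking whether
    the sudo follows an accepted a3user login inside ESCALATION_WINDOW."""
    findings, last_login = [], None
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            if m["user"] != DEFAULT_USER:
                continue
            ok = m["result"] == "Accepted"
            findings.append({"rule": "a3user_ssh_success" if ok else "a3user_ssh_attempt",
                             "src": m["src"], "line": line})
            if ok:
                last_login = _ts(m["ts"])
            continue
        m = SUDO_RE.match(line)
        if m and m["user"] == DEFAULT_USER and m["target"] == "root":
            recent = last_login is not None and \
                timedelta(0) <= _ts(m["ts"]) - last_login <= ESCALATION_WINDOW
            findings.append({"rule": "a3user_root_escalation", "cmd": m["cmd"],
                             "after_ssh_login": recent, "line": line})
    return findings


def detect_http(lines):
    """Flag requests whose path carries a traversal sequence or names a sensitive
    file; 'served' is True when the server answered 200, i.e. the download likely succeeded."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        path = m["path"]
        if TRAVERSAL_RE.search(path) or any(f in path.lower() for f in SENSITIVE_FILES):
            findings.append({"rule": "idrm_path_traversal", "src": m["src"], "path": path,
                             "served": m["status"] == "200", "line": line})
    return findings


if __name__ == "__main__":
    for f in detect_ssh(AUTH_LOG.splitlines()) + detect_http(ACCESS_LOG.splitlines()):
        print(f["rule"], {k: v for k, v in f.items() if k not in ("rule", "line")})
```

On the sample, the first sudo (25 seconds after the accepted a3user login) is tagged as following an SSH login while the second (about 19 minutes later) is not, and only the two download requests with dot-dot segments are flagged, with the 200 response marked as served. In production the 2.0.2 to 2.0.4 scoping from the notes above belongs in the rule's asset filter, not in the pattern.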
CVSS provenance
- NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD v3.0: 10.0 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- NVD v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-5634-wp84-cm8x: IBM Data Risk Manager 2 (ghsa_unreviewed, 2022-05-24)
CVE-2020-4429 [HIGH] CWE-798 (Use of Hard-coded Credentials); description as in the NVD text above.
VulnCheck
IBM data_risk_manager Use of Hard-coded Credentials (vulncheck, 2020, CVSS 9.8)
CVE-2020-4429 [CRITICAL]; description as in the NVD text above.
Affected: IBM data_risk_manager
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://8813571.fs1.hubspotusercontent-na1.net/hubfs/8813571/PERISCOPE_VULNINTEL_20250812.pdf
No detection rules found.
Nuclei
IBM Data Risk Manager - Hardcoded Credentials (nuclei, CVSS 9.8)
CVE-2020-4429 [CRITICAL]
Template (excerpt):
```yaml
id: CVE-2020-4429

info:
  name: IBM Data Risk Manager - Hardcoded Credentials
  author: Kazgangap
  severity: critical
  description: |
    IBM Data Risk Manager 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, and 2.0.6 contains a default password for an IDRM administrative account. A remote attacker could exploit this vulnerability to login and execute arbitrary code on the system with root privileges. IBM X-Force ID- 180534.
  impact: |
    Remote attackers can gain root access and exec
```
Metasploit
IBM Data Risk Manager Unauthenticated Remote Code Execution (metasploit)
IBM Data Risk Manager (IDRM) contains three vulnerabilities that can be chained by an unauthenticated attacker to achieve remote code execution as root. The first is an unauthenticated bypass, followed by a command injection as the server user, and finally abuse of an insecure default password. This module exploits all three vulnerabilities, giving the attacker a root shell. At the time of disclosure this was an 0day, but it was later confirmed and patched by IBM. The authentication bypass works on versions <= 2.0.6.1, but the command injection should only work on versions <= 2.0.4 according to IBM.
Metasploit
IBM Data Risk Manager a3user Default Password (metasploit)
This module abuses a known default password in IBM Data Risk Manager. The 'a3user' has the default password 'idrm' and allows an attacker to log in to the virtual appliance via SSH. This can be escalated to full root access, as 'a3user' has sudo access with the default password. At the time of disclosure this was an 0day, but it was later confirmed and patched by IBM. Versions <= 2.0.6.1 are confirmed to be vulnerable.
Metasploit
IBM Data Risk Manager Arbitrary File Download (metasploit)
IBM Data Risk Manager (IDRM) contains two vulnerabilities that can be chained by an unauthenticated attacker to download arbitrary files off the system. The first is an unauthenticated bypass, followed by a path traversal. This module exploits both vulnerabilities, giving an attacker the ability to download (non-root) files. A downloaded file is zipped, and this module also unzips it before storing it in the database. By default this module downloads Tomcat's application.properties file, which contains the database password, amongst other sensitive data. At the time of disclosure this was a 0day, but IBM later patched it and released their advisory. Versions 2.0.2 to 2.0.4 are vulnerable; version 2.0.1 is not.
No writeups or analysis indexed.
References
- https://exchange.xforce.ibmcloud.com/vulnerabilities/180534
- https://www.ibm.com/support/pages/node/6206875
- http://seclists.org/fulldisclosure/2024/Nov/0
- http://seclists.org/fulldisclosure/2024/Nov/1