fhs
Volume 7, Number 2 -- January 16, 2007

IBM Patches Security Flaw in OS/400 V5R3

Corrected: January 16, 2007

by Alex Woodie

IBM issued several integrity PTFs last September to fix a security vulnerability in OS/400 and i5/OS V5R3 and V5R3M5. The problem, called the OS/400 Connection Reset Denial of Service Vulnerability, can be exploited by hackers to reset established TCP connections on iSeries and System i servers, according to security firm Secunia, which gave the vulnerability a "less critical" rating.

IBM issued four Program Temporary Fixes (PTFs) on September 26 to fix the problem, in which an established TCP connection can be reset by sending a specially crafted TCP packet. It appears that a hacker could potentially use this technique to launch a denial of service (DoS) attack by repeatedly resetting the connection, thereby forcing a user to disconnect the server's network connection before the DoS attack causes the server to overload and crash.

IBM first included the fix in OS/400 V5R4, Jim Herring, director of System i product management and business operations, said today. "Our guys said it would take an awful lot of work to be able to exploit this exposure, so we decided to fix it first in the V5R4 base code, which was in development at the time, because it would get the highest amount of testing," he said. IBM then applied the fix to V5R3 and V5R3M5 and released the integrity PTFs.

IBM released two Authorized Program Analysis Reports (APARs), MA33860 and MA33861, which referenced four patches: R530 MF39879 7016 and R530 MF39880 7016 for OS/400 (i5/OS) V5R3, and R535 MF39909 7016 and 535 MF39910 7016 for V5R3M5. MF39879 has since been superseded by MF40178, and MF39909 has been superseded by MF40861.

According to the Secunia advisory posted Monday, the OS/400 security vulnerability is related to the TCP Reset Vulnerability that was first reported by security researcher Paul Watson in April 2004. At the time, there was great concern that the vulnerability could be exploited to launch a massive attack that would cripple the Internet. As it turns out, those fears were largely unfounded. Network equipment vendors, led by Cisco Systems, updated their wares to fix the problem.

Apparently, the problem went unpatched in OS/400 and the new i5/OS operating system for more than two and a half years. Herring said IBM was notified that OS/400's TCP/IP stack was at risk from the exposure, but it's unclear if any iSeries or System i users were hit by DoS attacks. In any event, iSeries and System i users should take the problem seriously and apply the integrity PTFs as soon as possible, if they haven't already done so.

Herring said there are no plans to issue PTFs to fix the problem in previous releases of OS/400.

Security vulnerabilities like this are a rare occurrence for OS/400, which is widely regarded to be one of the most--if not the most--secure operating systems in use. While it's not in any danger of becoming like every hacker's favorite target, Microsoft Windows, anytime soon, IBM OS/400 does occasionally make news with a vulnerability.

Also in November, Secunia reports IBM issued MF33249 to fix the "osp-cert Fix ASN.1" vulnerabilities in its ASN.1 parser for OS/400 V5R3. Secunia gave the vulnerabilities a "moderately critical" rating, one step above the rating it gave the Connection Reset DoS vulnerability.

OS/400 is not without its weaknesses--especially when it comes to implementing standards-based protocols that turn out to have security holes. But when properly configured, OS/400 is practically hacker-proof. Its highly regimented access controls make it very difficult for a hacker who's unfamiliar with the system to break it, and its object-oriented design makes it highly resistant to conventional viruses. In fact, there has never been a documented virus afflicting OS/400 (although security researchers say it's not impossible to create one).

Unfortunately, while security is one of OS/400's strengths, many companies don't take the time to properly configure their server's security settings--either from lack of time and knowledge or a mistaken reliance on the box's security capabilities--leaving them open to problems down the road. For a sobering look at the slipshod approach to security at many OS/400 shops, check out our story on security software developer PowerTech's most recent state of OS/400 security report.


This story has been corrected. IBM issued the integrity PTF in September 2006, not on January 13, 2007, as the story first stated. On January 13, IBM updated the advisory concerning the PTF and the vulnerability it fixed. IT Jungle regrets the error.



Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034
