IBM Looking to Change How It Responds to Security Vulnerabilities
by Alex Woodie
IBM's iSeries Division is considering changing the way it
responds to iSeries security vulnerabilities that have been made public by the Computer Emergency Response Team, Guild Companies has learned. The
desire to change the security policy is being driven by IBM's muddled response to a recent security flaw
that was discovered in the Simple Network Management Protocol (SNMP), which was the first
vulnerability handled by the CERT Coordination Center that could possibly affect OS/400.
When news of the SNMP security vulnerability was making the rounds in February, there was concern
among some iSeries users that the OS/400 platform could be vulnerable to it. However, IBM did not widely
circulate any kind of official statement concerning the effect that the SNMP flaw could have on the iSeries.
In The Four Hundred's initial story on the problem, we explained that IBM had made some tweaks to SNMP
and other networking software in OS/400 with PTFs that were deemed vital, and we even went so far as to
suggest that this may have been a reaction to the SNMP vulnerabilities that were reported on other
platforms. But IBM never confirmed or denied our suspicions.
For some iSeries professionals, the silence from IBM exacerbated the situation. They just didn't know
whether there was a problem or not, and IBM wouldn't publicly say. James Franz, an iSeries consultant
from North Carolina, aired these concerns to IBM during the iSeries Nation Town Hall meeting at the
recent COMMON conference in Nashville. Franz said that when CNN broke the story, he was concerned
that his clients might be susceptible to the vulnerability.
"People were really scared about it," Franz told IBM. "CEOs were calling me and asking, 'Am I OK?' For
many days, all I could say was, 'I'm researching it.' . . . There has to be a normal way to respond to security
exposures on the Web."
Most of the iSeries executives were present at the iSeries Nation meeting, including Patrick Botz, the
iSeries security architect, Buell Duncan, the general manager, and John Reed, the iSeries product manager.
Reed responded to Franz's concerns. "The scope of the attack was so narrow, we didn't want to alarm the
community," he said. Then he acknowledged that IBM should have done better, when he said, "We
screwed it up."
In fact, IBM's iSeries team had done better. IBM did issue a statement concerning the iSeries susceptibility
to SNMP attacks, said Botz, who wrote the statement. The OS/400 statement was sent to the CERT
Coordination Center site, along with the SNMP statement from the pSeries group, and both were posted to
the CERT Web site, along with responses from a number of other major equipment manufacturers, Botz
said. This was the very first time IBM had issued an OS/400 security statement to CERT.
However, IBM's OS/400 statement was only on the CERT page for about an hour before IBM asked that it
be pulled down. Executives in IBM's marketing and legal divisions were concerned that posting an iSeries
security advisory was not consistent with its existing policy for reacting to potential security risks with the
OS/400 platform, and so they asked to rescind the original statement.
The concern within IBM was that, by responding to CERT's SNMP advisory, IBM's iSeries Division would
be setting a precedent for responding to all security threats, both seen and unseen. Botz says that that
concern was the subject of some misunderstanding within IBM because the advisory didn't include any new
information; it just addressed the information that was already out there.
"It has always been our policy since the late 1970s to never describe exposures publicly," Botz said. "The
number-one issue we had in mind was, we don't want to create a larger problem for our customers than if
we just keep quiet and put out fixes, and talk to them on the phone when they call."
When IBM does find a potential security problem with a release of OS/400--which occurs anywhere from
five to 10 times per year for more recent releases, Botz said--IBM issues a fix that it calls an "integrity"
PTF. AS/400 and iSeries customers aren't told what the security vulnerability is; they're just asked to load
the integrity PTF to fix it, which most customers are glad to do.
This version of security through obscurity has worked well for IBM and its customers for decades.
Although unverifiable, it is widely circulated that the OS/400 platform has never been hacked, and it has
never been the victim of a virus. In an age when other operating system manufacturers--notably
Microsoft--seem to issue security patches on a weekly
basis, this nearly flawless security record is nothing short of remarkable.
But can it last? As IBM has opened up the OS/400 platform to support industry standards such as SNMP, it
has also created the potential for OS/400 to be susceptible to flaws in those protocols. Botz is rightfully
concerned about this.
Botz and his team of engineers in Rochester, Minnesota, found that OS/400 was, in fact, not susceptible to
the SNMP flaw insofar as it would allow an attacker to run arbitrary commands on the system; this is what
his CERT advisory stated. Botz said OS/400's SNMP servers were susceptible to a denial-of-service (DoS)
attack, in which the server is flooded with so many requests that it crashes or shuts itself down. This potential
susceptibility to DoS attacks was later the subject of a PTF, which Botz said did not meet the criteria for an
integrity PTF.
While it turned out that the SNMP flaw didn't pose a huge threat to AS/400 and iSeries users, the OS/400
platform is not inherently immune from future vulnerabilities that might be found in open-source
technologies used in the platform. When that happens, the consensus so far is that the iSeries Division
needs to be free to issue statements without going through the cloak-and-dagger route of the usual integrity
PTF issuances.
One product manager with a well-known OS/400 security tool vendor agreed that IBM should improve the
way it responds to security vulnerabilities such as the SNMP flaw. "I'm not confident with it right now," the
product manager said. "Technologically, IBM has done a splendid job of staying in the game. Now the
support end has to grow with it."
Botz is doing just that. He's trying to build support for a new iSeries security policy that would allow IBM's
iSeries Division to issue statements about security vulnerabilities that have already been made public. This
would keep the details of all unknown security vulnerabilities secret while giving IBM the freedom to
address security flaws brought up by CERT. At this point, Botz is only looking for permission to respond to
flaws made public by CERT.
"If there is code on the iSeries that is directly related to a CERT advisory, I would like to have an iSeries
position for that advisory," Botz said. "We would not be disclosing anything new. If an exploit is already
publicly documented, we would not be adding to the risk by describing the iSeries position with respect to
that exploit."
This is not yet a done deal, and there are details to work out. Before implementing this new proposal, IBM
may seek input from influential groups within the iSeries community, including IBM's large OS/400
customers and iSeries Nation, Botz said. "If these groups say 'we don't want this,' that would pretty much
guarantee we wouldn't do it," he said.