IBM Patches BIND and OpenSSL Flaws in IBM i

March 18, 2015 Alex Woodie

IBM has patched several security vulnerabilities in the IBM i OS recently, including some lingering problems with OpenSSL, as well as new ISC BIND Delegation Handling vulnerability. The vulnerabilities affect multiple releases of the IBM i OS, and could enable an attacker to successfully crash impacted servers, so go get your PTFs applied as soon as possible.

The more critical vulnerabilities are related to the ISC BIND Delegation Handling vulnerabilities, which impact the Berkeley Internet Name Domain (BIND) software, specifically the Domain Name Service (DNS). Two BIND-related flaws were discovered in December 2014, according to the Internet Systems Consortium, which oversees the BIND and DNS standards and operates one of the Internet’s 13 DNS root servers.

The first flaw, known as CVE-2014 8500, could allow an attacker to exploit an oversight in BIND version 9 that causes BIND to issue an unlimited number of queries, which can lead to resource exhaustion and a crash. ISC gave CVE-2014-8500 a severity rating of “critical,” while the National Institutes of Standards and Technology gave it a 7.8, on the Common Vulnerability Scoring System, owing to the ease at which an attacker can exploit the vulnerability.

A second set of BIND security flaws, which are collectively known as CVE-2014-8680, affects the GeoIP features of BIND version 9.10, and can also lead to DoS attacks on affected servers. The NIST gives these flaws a CVSS score of 5.4, as they are not nearly as exploitable.

The first BIND flaw affects IBM i, but the second one does not, IBM said March 4 on a post on its Product Security Incident Response (PSIRT) blog.

The first BIND flaw, CVE-2014-8500, impacts i5/OS V5R4 through IBM i 7.2. IBM has issued three PTFs to patch the problem in IBM i, including SI55895 for IBM i 6.1, SI55748 for IBM i 7.1, and SI55866 for IBM i 7.2, IBM says in its security advisory. V5R4 will not be patched, as it is no longer supported by IBM.

Meanwhile, IBM patched a slew of new OpenSSL flaws that were discovered in January, including:

CVE-2014-3569, the “ssl23_get_client_hello denial of service” vulnerability, which has a CVSS rating of 5
CVE-2014-3570, the Bignum unspecified vulnerability, which has a CVSS rating of 2.6
CVE-2014-3571, the DTLS denial of service vulnerability, which has a CVSS rating of 5
CVE-2014-3572, the ECDH weak security flaw, which has a CVSS rating of 1.2
CVE-2014-8275, the fingerprints security bypass vulnerability, which has a CVSS rating of 2.1
CVE-2015-0204, the ssl3_get_key_exchange RSA-to-EXPORT_RSA downgrade” vulnerability, which has a CVSS score of 4.3
CVE-2015-0205, the DH certificate security bypass, which has a CVSS score of 2.1;
and CVE-2015-0206, the dtls1_buffer_record denial of service vulnerability, which carries a CVSS rating of 5

These flaws impact every release of the OS from i5/OS V5R3 through IBM i 7.2, according to IBM’s PSIRT blog. However, only IBM i 6.1 through 7.2 have been patched, with PTFs SI56063 (for IBM i 6.1), SI55950 (for IBM i 7.1), and SI55951 (for IBM i 7.2); the old releases of i5/OS will not be patched.

The new batch of OpenSSL patches are not nearly as bad as the Heartbleed flaw that led millions of people to change their passwords last April, and which impacted IBM i, Power Systems firmware, and applications. But it’s still a potent reminder about the potential pitfalls that open source software can bring, and the vigilance that all IBM i shops must take to ensure they’re not caught unknowingly making themselves more vulnerable.

Heartbleed Exposes The Vulnerability Of An IBM i Mentality

IBM Patches Heartbleed Vulnerability in Power Systems Firmware

Heartbleed Postmortem: Time to Rethink Open Source Security?

Heartbleed, OpenSSL, and IBM i: What You Need to Know

Tags:

CYBER-ATTACKS ON THE RISE. PROTECT WITH THE TRIPLE PLAY.

COVID-19 has not only caused a global pandemic, but has sparked a “cyber pandemic” as well.

“Cybersecurity experts predict that in 2021, there will be a cyber-attack incident every 11 seconds. This is nearly twice what it was in 2019 (every 19 seconds), and four times the rate five years ago (every 40 seconds in 2016). It is expected that cybercrime will cost the global economy $6.1 trillion annually, making it the third-largest economy in the world, right behind those of the United States and China.”¹

Protecting an organization’s data is not a single-faceted approach, and companies need to do everything they can to both proactively prevent an attempted attack and reactively respond to a successful attack.

UCG Technologies’ VAULT400 subscription defends IBM i and Intel systems against cyber-attacks through comprehensive protection with the Triple Play Protection – Cloud Backup, DRaaS, & Enterprise Cybersecurity Training.

Cyber-attacks become more sophisticated every day. The dramatic rise of the remote workforce has accelerated this trend as cyber criminals aggressively target company employees with online social engineering attacks. It is crucial that employees have proper training on what NOT to click on. Cyber threats and social engineering are constantly evolving and UCG’s Enterprise Cybersecurity Training (powered by KnowBe4) is designed to educate employees on the current cutting-edge cyber-attacks and how to reduce and eliminate them.

A company is only as strong as its weakest link and prevention is just part of the story. Organizations need to have a quick response and actionable plan to implement should their data become compromised. This is the role of cloud backup and disaster-recovery-as-a-service (DRaaS).

Data is a company’s most valuable asset. UCG’s VAULT400 Cloud Backup provides 256-bit encrypted backups to two (2) remote locations for safe retrieval should a cyber-attack occur. This is a necessary component of any protection strategy. Whether a single click on a malicious link brings down the Windows environment or an infected SQL server feeds the IBM i, once the data is compromised, there is no going back unless you have your data readily available.

Recovery is not a trivial task, especially when you factor in the time sensitive nature of restoring from an active attack. This leads to the third play of the Triple Play Protection – DRaaS. Companies have myriad concerns once an attack is realized and a managed service disaster recovery allows employees to keep focus on running the business in a crisis state.

The combination of training employees with secure backup and disaster recovery offers companies the best chance at avoiding financial disruption in an age of stronger, more frequent cyber-attacks.

Reach out to UCG Technologies to discuss your company’s security needs and develop a data protection plan that fits you best.

ucgtechnologies.com/triple-play

800.211.8798 | info@ucgtechnologies.com

^{1. https://theconversation.com/cyberattacks-are-on-the-rise-amid-work-from-home-how-to-protect-your-business-151268}

A Ruby And RPG Conversation OpenPower Could Take IBM i To Hyperscale And Beyond

Table of Contents

Content archive

Recent Posts

Subscribe

Pages

Search