IBM Patches Pair of Security Flaws in iAccess for Windows 7.1

    December 2, 2015 Alex Woodie

    IBM last month revealed the presence of a pair of security vulnerabilities in iAccess for Windows 7.1, including one that could allow a local cybercriminal to take control of the Windows PC running the iAccess software, and another that could be used to launch a denial of service attack. Big Blue patched both flaws with a PTF.

    IBM provided some details of the security flaws with a Security Bulletin N1020996 published November 18, which is the same day it released PTF number SI57907 to fix the flaws in iAccess for Windows 7.1.

    The buffer overflow flaw that was given the name CVE-2015-2023 is the more severe of the two, according to John Page of hyp3rlinx, the firm credited with first finding the vulnerabilities. The CVE-2015-2023 flaw carries a “high” severity level.

    This specific buffer overflow flaw exists in iAccess’s “Cwbrxd.exe” service, according to Page’s hyp3rlinx webpage. That service uses the Incoming Remote Command (IRC) function to submit remote commands from an IBM i server for execution on a PC, he says. “A local attacker could overflow a buffer and execute arbitrary code on the Windows PC,” Page writes.

    It’s important to note that, while the Windows PC running iAccess (not the IBM i server itself) is the target of this buffer overflow flaw, that doesn’t necessarily mean there is no threat to the IBM i server. The hodge-podge of equipment and computers surrounding an IBM i server, rather than flaws in the IBM i system software itself, usually poses the biggest security vulnerability for any given installation, IBM i security pros tell IT Jungle.

    The second vulnerability, referred to as CVE-2015-7422, is another buffer overflow that could allow an attacker to carry out a denial of service (DoS) attack. This flaw, caused by improper bounds checking, could enable a local attacker to overflow a buffer and cause the program to crash. It was assigned a “medium” severity level by Page.

    Curiously, the Common Vulnerabilities and Exposures (CVE) database has no details for either CVE-2015-2023 or CVE-2015-7422. In both cases, the website says “this candidate has been reserved by an organization or individual that will use it when announcing a new security problem.”

    IBM was notified about the flaws in iAccess for Windows 7.1 on May 21, according to the details of the flaws on Page’s hyp3rlinx webpage. That means IBM i shops were exposed to the vulnerability for 181 days after IBM first knew about the problem. That’s significantly longer than the average number of days it takes a vendor to respond, which a recent study by NopSec found to be 103 days.

    It’s worth noting that IBM is in the process of deprecating the iAccess product line, which traces its roots back to the Client Access days and Operations Navigator. On its iAccess webpage, IBM notes that it has no plans to support iAccess for Windows on operating systems beyond Windows 8.1.

    IBM encourages users to replace iAccess for Windows with the IBM i Access Client Solutions. The ACS product was developed in Java, runs anywhere a JVM can be installed (including Android devices), and includes 5250 emulation, data transfer, printer output, and console support.

    RELATED STORIES

    IBM Tops List of Security Vulnerabilities, But What Does It Mean?

    IBM Patches More OpenSSL Flaws In IBM i

    Keeping Up With Security Threats To IBM i

    State of IBM i Security? Still Horrible, After All These Years

    An IBM i Client for Every Administrative Occasion


Volume 25, Number 60 -- December 2, 2015
Copyright © 2022 IT Jungle