IBM Patches Pair of Security Flaws in iAccess for Windows 7.1
December 2, 2015 Alex Woodie
IBM last month disclosed a pair of security vulnerabilities in iAccess for Windows 7.1: one that could allow a local attacker to take control of the Windows PC running the iAccess software, and another that could be used to mount a denial of service attack. Big Blue patched both flaws with a single PTF.
IBM provided some details of the flaws in Security Bulletin N1020996, published November 18, the same day it released PTF SI57907 to fix them in iAccess for Windows 7.1.
The buffer overflow flaw that was assigned CVE-2015-2023 is the more severe of the two. According to John Page of hyp3rlinx, the firm credited with first finding the vulnerabilities, CVE-2015-2023 carries a “high” severity level.
This buffer overflow exists in the iAccess “Cwbrxd.exe” service, according to the hyp3rlinx webpage. That service implements the Incoming Remote Command (IRC) function, which lets an IBM i server submit commands for execution on the PC, Page says. “A local attacker could overflow a buffer and execute arbitrary code on the Windows PC,” Page writes.
It’s important to note that, while the Windows PC running iAccess (not the IBM i server itself) is the target of this buffer overflow, that doesn’t mean there is no threat to the IBM i server: a compromised PC with a configured iAccess connection is a foothold into the system it talks to. The hodge-podge of equipment and computers surrounding an IBM i server, rather than flaws in the IBM i system software itself, usually poses the biggest security risk for any given installation, IBM i security pros tell IT Jungle.
The second vulnerability, CVE-2015-7422, is another buffer overflow, this one leading to a denial of service (DoS). The flaw, caused by improper bounds checking, could enable a local attacker to overflow a buffer and crash the program. Page assigned it a “medium” severity level.
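As an added illustration, not IBM’s code and not the actual Cwbrxd.exe defect, the constructed C fragment below shows the class of bug described for both CVEs: a remote-command string copied into a fixed-size buffer with no length check, beside a bounded version that refuses oversized input. The buffer size, the function names and the sample command strings are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example: the buffer size, function names and inputs are
 * assumptions, not details of IBM's cwbrxd.exe implementation. */
#define CMD_MAX 32

/* Constructed sample input: 40 bytes, longer than the 32-byte buffer. */
static const char LONG_CMD[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* Vulnerable pattern ("improper bounds checking"): the incoming command is
 * copied into a fixed-size stack buffer with strcpy. Any command of CMD_MAX
 * bytes or more writes past the buffer: a crash at best (the DoS case), or
 * control of the return address if the attacker chooses the bytes. */
int handle_command_unsafe(const char *cmd)
{
    char buf[CMD_MAX];
    strcpy(buf, cmd);           /* no length check at all */
    return (int)strlen(buf);
}

/* Hardened version: find the terminator within the destination size, refuse
 * anything that does not fit, and copy with an explicit bound. Refusing is
 * preferable to silent truncation, which can turn one command into another. */
int handle_command_safe(const char *cmd, char *out, size_t out_len)
{
    const char *end;
    size_t n;

    if (cmd == NULL || out == NULL || out_len == 0)
        return -1;
    end = memchr(cmd, '\0', out_len);   /* never reads past out_len bytes */
    if (end == NULL)
        return -1;                      /* too long: reject the command */
    n = (size_t)(end - cmd);
    memcpy(out, cmd, n);
    out[n] = '\0';
    return (int)n;
}

/* Convenience wrapper with a private CMD_MAX-byte buffer. */
int check_command(const char *cmd)
{
    char out[CMD_MAX];
    return handle_command_safe(cmd, out, sizeof out);
}

/* Would this input overflow the unsafe handler's buffer? (1 = yes) */
int would_overflow(const char *cmd)
{
    return strlen(cmd) >= CMD_MAX;
}

int main(void)
{
    const char *ok = "WRKACTJOB";      /* constructed short command */

    printf("unsafe, short input: length %d\n", handle_command_unsafe(ok));
    printf("safe,   short input: length %d\n", check_command(ok));
    printf("safe,   long input:  %d (rejected)\n", check_command(LONG_CMD));
    printf("unsafe would overflow on long input: %d\n", would_overflow(LONG_CMD));
    /* handle_command_unsafe(LONG_CMD) is deliberately not called: it
     * corrupts the stack, which is exactly the crash the DoS CVE describes. */
    return 0;
}
```

The design point is the shape of the check, not the particular size: the hardened handler bounds its scan with memchr so it never reads past the destination length, and it returns an error rather than truncating, so an over-long command cannot be quietly rewritten into a shorter, different one.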
Curiously, the Common Vulnerabilities and Exposures (CVE) database has no details for either CVE-2015-2023 or CVE-2015-7422. In both cases, the entry says only that “this candidate has been reserved by an organization or individual that will use it when announcing a new security problem.”
IBM was notified about the flaws in iAccess for Windows 7.1 on May 21, according to the disclosure timeline on the hyp3rlinx webpage. That means IBM i shops were exposed to the vulnerabilities for 181 days after IBM first knew about the problem. That’s significantly longer than the average time to remediate a vulnerability reported in a recent NopSec study, which put the figure at 103 days.
It’s worth noting that IBM is in the process of deprecating the iAccess product line, which traces its roots back to the Client Access days and Operations Navigator. On its iAccess webpage, IBM notes that it has no plans to support iAccess for Windows on operating systems beyond Windows 8.1.
IBM encourages users to replace iAccess for Windows with IBM i Access Client Solutions. The ACS product is written in Java, runs anywhere a JVM can be installed (including Android devices, according to IBM), and includes 5250 emulation, data transfer, printer output, and console support.