IBM Patches OpenSSH Security Flaws That Impact IBM i

    February 8, 2016 Alex Woodie

    IBM last week patched another pair of security vulnerabilities in the OpenSSH client for IBM i. The security flaws, which impact all current releases of IBM i, and very likely older releases that are no longer under maintenance, carry a moderate to severe risk and could be used to execute arbitrary code on an IBM i server, obtain private cryptographic keys, or mount a denial of service attack, IBM says.

    On February 1, IBM issued a security bulletin to address the two flaws in its OpenSSH implementation for IBM i. Both flaws stem from a poor design in the OpenSSH client roaming feature that makes it susceptible to leaking information and buffer overflow attacks.

    The first flaw, identified as CVE-2016-0777 by the Common Vulnerabilities and Exposures database, carries a CVSS base score of 6.5, which makes it a medium-to-severe threat. The fact that this vulnerability can be reached across the network, requires no privileges, and is relatively uncomplicated to exploit makes it potentially dangerous, according to IBM’s X-Force report on the flaw.

    This flaw is susceptible to “information leakage” when the contents of a buffer are requested for retransmission. “OpenSSH could allow a remote attacker to obtain sensitive information, caused by a client information leak from using the roaming connection feature,” IBM says. “By persuading a victim to connect to a malicious server, an attacker could exploit this vulnerability to retrieve private cryptographic keys or other sensitive information.”

    The second flaw, which is identified as CVE-2016-0778 by the CVE database, carries a CVSS base score of 5, which makes it a medium threat. This score is lower than the first flaw because while this attack does come over the network and doesn’t require privileges on the part of the attacker, it is a relatively complex attack mechanism, according to the X-Force report.

    IBM says this flaw makes OpenSSH vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the API. “By persuading a victim to connect to a malicious server, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash,” IBM says.

    Like most enterprise IT companies, IBM announces security flaws publicly only after it has patched them, and this time is no different. Big Blue has issued three emergency PTFs to address the problems with the OpenSSH client. The PTFs for IBM i versions 6.1, 7.1, and 7.2 are SI59305, SI59213, and SI59204, respectively.

    OpenSSH was created by the OpenBSD team as an alternative to the original Secure Shell (SSH) software, which is proprietary. OpenSSH and SSH provide encrypted protocols that enable people to log in to servers remotely over unsecured networks. SSH and OpenSSH are often viewed as more secure than the SSL (Secure Sockets Layer) and TLS (Transport Layer Security) encryption protocols, and have been widely adopted in recent years. SSL, and in particular OpenSSL, has suffered from security problems recently, most notably the infamous Heartbleed vulnerability that afflicted OpenSSL in 2014 and potentially exposed millions of passwords.

    The fix for the new OpenSSH flaws is in OpenSSH version 7.1p2, which was released January 14 and addresses the two security flaws in the roaming feature. Apparently, the roaming feature was never a fully supported feature, but somebody found a way to hack it anyway.
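    As an added defensive check, not code from the article or from IBM, the script below audits a client the way an administrator would after reading the above: it compares the `ssh -V` banner against the 7.1p2 release named above, and resolves whether a given ssh_config really turns the roaming feature off for a host, using ssh_config's first-value-wins rule. It assumes the client honours the `UseRoaming` keyword; the sample config and host names are constructed.

```python
import re
from fnmatch import fnmatchcase

# OpenSSH 7.1p2 is the release the article names as fixing the roaming flaws.
FIXED_VERSION = (7, 1, 2)

def parse_openssh_version(banner):
    """Parse an `ssh -V` banner such as 'OpenSSH_6.9p1, OpenSSL 1.0.1p' into
    (major, minor, portable-patch); returns None if no OpenSSH version is present."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def client_has_roaming_fix(banner):
    """True when the banner is 7.1p2 or later, i.e. the roaming code is gone."""
    v = parse_openssh_version(banner)
    return v is not None and v >= FIXED_VERSION

def effective_use_roaming(config_text, hostname):
    """Resolve UseRoaming for `hostname` with ssh_config semantics: the file is read
    top-down, the FIRST value obtained wins, and lines before any Host block apply to
    every host. Unset means 'yes', the default in clients that still carry the roaming
    code. Match blocks and negated (!) patterns are skipped (assumption)."""
    active = True  # lines before the first Host keyword are global
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":
            active = any(fnmatchcase(hostname, p)
                         for p in value.split() if not p.startswith("!"))
        elif key == "match":
            active = False  # assumption: Match blocks are not evaluated
        elif key == "useroaming" and active:
            return value.lower()  # first match wins
    return "yes"

def roaming_exposure_report(banner, config_text, hosts):
    """Hosts a still-unpatched client would reach with roaming enabled."""
    if client_has_roaming_fix(banner):
        return []
    return [h for h in hosts if effective_use_roaming(config_text, h) != "no"]

# Constructed sample ~/.ssh/config: only build* hosts have roaming turned off.
SAMPLE_CONFIG = "Host build*\n    UseRoaming no\nHost *\n    ForwardAgent no\n"
```

    A global `UseRoaming no` placed before the first `Host` line covers every host; one placed inside a `Host` block covers only the hosts that block matches.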

    To read the IBM security vulnerability, see www-01.ibm.com/support/docview.wss?uid=nas8N1021109.

    RELATED STORIES

    IBM Tops List of Security Vulnerabilities, But What Does It Mean?

    Keeping Up With Security Threats To IBM i

    State of IBM i Security? Still Horrible, After All These Years

    Heartbleed, OpenSSL, and IBM i: What You Need to Know

    IBM And ISVs Fight POODLE Vulnerability In SSL 3.0

    Heartbleed Exposes The Vulnerability Of An IBM i Mentality


Volume 26, Number 06 -- February 8, 2016
Copyright © 2022 IT Jungle