Security Awareness: Eight More Patches For IBM i Vulns
February 27, 2017 Alex Woodie
National security awareness month isn’t until October, but that didn’t stop IBM from issuing a torrent of patches this month to address all kinds of security problems in its products. For IBM i specifically, Big Blue patched eight flaws found across the OpenSSH and OpenSSL libraries for the three IBM i OSes under support. The Power HMC also received numerous security patches, as did dozens of other IBM products.
OpenSSL and OpenSSH have been the source of numerous security vulnerabilities over the past three years, ever since the Heartbleed flaw was found in OpenSSL. As more flaws are found in those open source encryption libraries, IBM engineers work to write patches that address the underlying problems in the IBM i implementations.
The harvest of February’s security crop starts with OpenSSL, which IBM patched four times this month, and a number of times in 2016.
First, a NULL pointer dereference flaw in OpenSSL could allow an attacker to crash an application. The flaw, identified as CVE-2017-3730, carries a CVSS base score of 5.3, which makes it a medium threat. Another flaw, identified as CVE-2017-3731, could enable an attacker to carry out a remote denial of service (DOS) attack by sending truncated packets when a specific cipher is in use. It also carries a CVSS base score of 5.3.
Another flaw in OpenSSL, identified as CVE-2017-3732 and also bearing a CVSS base score of 5.3, could allow an attacker to obtain sensitive information about the private key. Finally, IBM patched another flaw in OpenSSL that could lead to a DOS attack, identified as CVE-2016-7055.
On the same day that IBM patched four flaws in the OpenSSL implementation for IBM i, it also patched four flaws in the IBM i implementation of OpenSSH, the open source implementation of the Secure Shell (SSH) protocol (the original SSH software is proprietary). The SSH/OpenSSH encryption technology is often considered superior to SSL/OpenSSL, although it’s not as widely used.
The first patched bug, identified as CVE-2016-10009, could allow an authenticated attacker to execute arbitrary code on the system by loading a specially crafted module across a forwarded agent channel. The flaw carries a CVSS base score of 6.3. An attacker could gain root privileges on an IBM i server (sorry for the Unix term, but that’s how IBM used it) by exploiting CVE-2016-10010, which carries a CVSS base score of 8.4, making it a severe threat.
The other two OpenSSH fixes include one for CVE-2016-10011, a privilege separation flaw with a CVSS base score of 5.5 that could allow an authenticated attacker to obtain sensitive information, and one for CVE-2016-10012, which carries a CVSS base score of 5.9 and could allow an attacker to obtain privileges on the system through improper bounds checking.
IBM i users can patch all four OpenSSL flaws and all four OpenSSH flaws by applying a single PTF: SI63657 for IBM i 7.1, and SI63656 for IBM i 7.2 and 7.3. For more information on the OpenSSL flaws, see IBM Security Bulletin N1021845. For more information on the OpenSSH flaws, see IBM Security Bulletin N1021846.
Older releases of the IBM i OS, including version 6.1 and i5/OS V5R4, may also have the vulnerable bits of software. However, they’re not under support, and IBM did not issue patches for them (although it has issued security patches for unsupported versions of the operating system before).
These were the first security patches that IBM issued for IBM i so far in 2017, according to the IBM Product Security Incident Response (PSIRT) blog. IBM patched OpenSSL and OpenSSH several times in 2016. Also in February, IBM issued several bulletins regarding flaws found in the Linux-based firmware powering the Power Hardware Management Console (HMC) used by many IBM i shops.
First, a problem with the Linux kernel, identified as CVE-2016-3134, could enable users to execute arbitrary commands on Power HMC version 8.8.6, according to the security bulletin. A problem with Apache Tomcat also led IBM to issue a string of patches for Power HMC versions 7.9.0 through 8.8.6. IBM also patched a BIND flaw in Power HMC earlier in the month. A problem with the util-linux library in the Power HMC was also identified. And finally, a Kerberos flaw that could lead to a DOS attack prompted yet another patch for Power HMC version 8.8.6.
Other IBM products getting patched up this month include: WebSphere Application Server, WebSphere Application Server Liberty, IBM Security Manager, Security Key Lifecycle Manager, the HTTP Server, WebSphere Message Broker, AIX, IBM Integration Bus, Rational Team Concert, Rational DOORS Next Generation, Jazz Team Server, Flex System Manager, IBM SDK for Node.js, Mobile Connect, InfoSphere Information Server, and eDiscovery Manager.
IBM issues thousands of patches a year for its various products. In fact, IBM issues so many patches that it has been identified as the software company with the largest number of security vulnerabilities in the industry. However, that 2015 title from Secunia may be somewhat skewed by the fact that IBM uses so many open source components in its software and issues separate patches for each implementation, such as the OpenSSH and OpenSSL security libraries on IBM i.
And consider the contrary: If IBM didn’t patch so many security vulnerabilities, where would that leave customers? It is much better to get security problems out into the daylight than to keep them locked in the dark. Not every vendor is as good as IBM about admitting that it has fixed security flaws in its software.