IBM i Vulns Spotted in Node, BIND and HTTP Server
September 6, 2017 Alex Woodie
IBM last month moved to patch several critical security vulnerabilities related to the BIND service in IBM i that could allow attackers unauthorized access to IBM i servers running any release of the OS from IBM 6.1 to 7.3. Security glitches were also patched for the IBM i implementation of Node.js, the HTTP Server bundled with IBM i, the hardware management console (HMC), and WebSphere.
Both ISC BIND vulnerabilities work in a similar way and enabled similar paths into affected systems – namely by allowing an attacker to craft a specially crafted request packet to bypass authentication and therefore gain some degree of control over the impacted server. The difference is in severity. The first BIND vulnerability, CVE-2017-3142, carried a CVSS base score of 5.3, while the second ISC BIND vulnerability, CVE-2017-3143, carried a CVSS base score of 7.5, which is nothing you want to fool around with.
There is no workaround for these flaws, according to this August 21 security bulletin. But the good news is IBM has patched them going all the way back to IBM i 6.1, which is under extended support. IBM issued four PTFs to fix the ISC BIND flaws, including SI65339 for IBM i 6.1, SI65338 for IBM i 7.1, SI65337 for IBM i 7.2, and SI65336 for IBM i 7.3. The chances are good that this flaw also exists in i5/OS V5R4, but IBM will be issuing no patches for this unsupported operating system.
The BIND vulnerabilities also extend to IBM’s Power Hardware Management Console (HMC). Six security glitches are revealed to have been patched in this August 28 security bulletin, while 10 more show up in this security bulletin posted on August 29. It appears there could be several more security flaws impacting the HMC, which runs Linux.
IBM also patched a pair of security holes in the Node.js implementations for IBM i 7.1 through 7.3. The pair of denial of service (DOS) vulnerabilities, identified as CVE-2017-1000381and CVE-2017-11499, carry CVSS base scores of 6.5 and 7.5, respectively, indicating moderate to severe risks for IBM i shops running Node.js.
IBM bundled patches for both flaws into a single PTF for all releases of IBM i. However, because IBM offers support for two versions of Node.js, including 4.8.4 (in 5733OPS Option 5) and version 6.11.2 (in 5733OPS Option 10) there are two patches. If you’re running 5733OPS Option 5, get PTF number SI65492, while if you’re running (in 5733OPS Option 10, get PTF number SI65493. See this August 21 security bulletin for more details.
In late July, IBM patched five more security vulnerabilities in the HTTP Server. The security flaws, which are detailed in this July 28 security bulletin, could enable attackers to launch DOS attacks, obtain sensitive information, or bypass authentication requirements to get access to the server. All of the vulnerabilities carry a CVSS base score of 5.3, indicating a medium severity level. IBM issued PTF numbers SI65281 and SI65282 to fix the issues on IBM i 7.1; SI65279 and SI65280 to fix the issues on IBM i 7.2; and SI65194 and SI65201 to fix the issues on IBM i 7.3.
IBM also revealed multiple vulnerabilities discovered in the Java SDK that impact WebSphere Application Server running on multiple platforms, including IBM i. The three vulnerabilities, which are disclosed in this security bulletin posted on August 30, range in severity from 7.5 on the CVSS score up to 9.6, indicating that an unauthenticated attacker could take complete control of the system.
According to an IT Jungle review of the IBM Product Security Incident Response (PSIRT) blog, these were the only security issues directly affecting IBM i since mid-July, which is when we told you about those 35 Java vulnerabilities impacting IBM i, among other security problems.