• The Four Hundred
  • Subscribe
  • Media Kit
  • Contributors
  • About Us
  • Contact
Menu
  • The Four Hundred
  • Subscribe
  • Media Kit
  • Contributors
  • About Us
  • Contact
  • IBM Patches Samba Vulnerabilities In IBM i

    April 16, 2018 Alex Woodie

    Big Blue has issued two patches for serious flaws in IBM i’s implementation of Samba, flaws that could result in an attacker launching a denial of service attack or changing user’s passwords. The company patched IBM i 7.2 and 7.3, as support for IBM i 7.1 wanes.

    On April 3, IBM published a security bulletin informing users of the existence of two flaws in IBM i, as well as the existence of two program temporary fixes (PTFs) to patch the problems. Both of the flaws involve Samba, a free and open source implementation of the SMB/CIFS protocol to provide interoperability among different operating systems for file and print operations.

    The first flaw, identified as CVE-2018-1050, identifies missing null pointer checks when the remote procedure call (RPC) “spools” service in Samba 4.0 and later is configured to run as an external daemon. According to the Common Vulnerabilities and Exposures (CVE) database entry, this flaw could allow a hacker to cause the print spooler service to crash by sending malicious RPC messages.

    This denial of service (DOS) attack was first identified to IBM on March 13, according to the IBM X-Force report. Thanks to its network-based attack vector, lack of required privileges and user interaction, and its low complexity, it carries a CVSS Base Score of 7.5, making it a serious vulnerability.

    The second flaw, CVE-2018-1057, also impacts Samba 4.0, but in a different way. According to security researchers, a problem with the validation of permissions when Samba is used as an Active Directory (AD) domain controller (DC) could allow an authenticated user to change the passwords of any other users managed in an LDAP network, including administrative users and privileged service accounts.

    IBM first identified this vulnerability on March 13, according to IBM’s X-Force report. While it has a network origin, a low complexity level, and a high potential for impact the integrity of a server, the fact that a user must first be authenticated mitigates the impact somewhat, so it was given a CVSS Base Score of 6.5, making it a moderately serious threat.

    The fix for both flaws is to upgrade to a newer version of Samba that doesn’t suffer from the flaws. According to IBM, that means users should be on Samba version 4.5.16, 4.6.14, or 4.7.6. Luckily, IBM is making it easy for IBM i users by packaging a newer version of Samba that’s not impacted by the flaws into handy-dandy PTFS, including PTF number SI67329 for IBM i 7.2 and PTF number SI67330 for IBM i 7.3.

    It’s unclear if older releases of IBM i, including IBM i 7.1, 6.1, and i5/OS V5R4, are impacted by the Samba flaw. In any event, those releases are no longer supported by IBM, so there will be no patches forthcoming from IBM to fix any potential problems in those operating systems.

    While security flaws in core IBM i operating system components or Power Systems firmware components are rare (but not unheard of), the IBM i platform today is composed of many bits that are sourced from the open computing community. Over the past few years, there have been many vulnerabilities discovered in open source components that IBM incorporates into the IBM i and Power System platform.

    RELATED STORIES

    The Performance Impact Of Spectre And Meltdown

    IBM Patches ‘ROBOT’ Flaw in IBM i Crypto Library

    IBM Patches Another BIND Flaw In IBM i

    IBM Patches 28 More Security Vulns In JDK

    Have You Patched Those 35 Java Vulns on IBM i?

    IBM Patches 13 Security Vulnerabilities in IBM i JDK

    Keeping Up With Security Threats To IBM i

    IBM Patches OpenSSH Security Flaws That Impact IBM i

    IBM And ISVs Fight POODLE Vulnerability In SSL 3.0

    IBM Patches Heartbleed Vulnerability in Power Systems Firmware

    Share this:

    • Reddit
    • Facebook
    • LinkedIn
    • Twitter
    • Email

    Tags: Tags: 6.1, Common Vulnerabilities and Exposures, Denial of Service, i5/OS V5R4, IBM i, IBM i 7.1, IBM i 7.2, IBM i 7.3, LDAP, Power Systems, PTFs, Samba, SMB/CIFS

    Sponsored by
    LaserVault

    Integrate Virtual Tape For Better Backups, Faster Recovery, And More Flexibility

    Virtual tape and virtual tape libraries offer a way to both simplify and strengthen backup and recovery operations. By incorporating virtual tape technology, automation of backups becomes possible resulting in hundreds of hours saved annually for IT departments and personnel.

    LaserVault ViTL is a virtual tape and tape library solution developed specifically for use with IBM Power Systems (from AS/400 to iSeries to Power 9s). See a demo and get a $50 gift card.

    With ViTL you can:

    • Replace physical tape and tape libraries and associated delays
    • Automate backup operations, including the ability to purge or archive backups
    • Remotely manage your backups – no need to be onsite with your server
    • Save backups to a dedupe appliance and the cloud
    • Recover your data at lightspeed greatly improving your ability to recover from cyberattacks
    • And so much more

    “The ViTL tapeless solution has truly made my job easier. It has given me more confidence in our full system recovery ability – but at the same time I hope it is never needed.” IBM i Administrator at a financial services company

    Sign-up now to see a ViTL online demo and get a $50 Amazon e-gift card when the demo is complete as our way of saying thanks for your time. Plus when you sign-up you’ll receive a free facts comparison sheet on using virtual tape vs tape so you can compare the functionality for yourself.

    LaserVault.com

    Share this:

    • Reddit
    • Facebook
    • LinkedIn
    • Twitter
    • Email

    Guru: RDi and Refactoring The Platform Matters More Than Ever, The Operating System Less So

    One thought on “IBM Patches Samba Vulnerabilities In IBM i”

    • Tony says:
      April 17, 2018 at 3:21 am

      Interesting near the end of the article, you say “It’s unclear if older releases of IBM i, including IBM i 7.1, 6.1, and i5/OS V5R4, are impacted by the Samba flaw. In any event, those releases are no longer supported by IBM, so there will be no patches forthcoming from IBM to fix any potential problems in those operating systems”.
      If I was paying for extended support, I would expect any known security problems to be fixed as this would surely come under defect support, which is being paid for and, to quote IBM regarding IBM Software Support Services – Service extension, “We also provide fixes for both new and existing defects”.

      Reply

    Leave a Reply Cancel reply

TFH Volume: 28 Issue: 29

This Issue Sponsored By

  • ProData Computer Services
  • Maxava
  • Software Concepts
  • COMMON
  • Manta Technologies

Table of Contents

  • The Platform Matters More Than Ever, The Operating System Less So
  • IBM Patches Samba Vulnerabilities In IBM i
  • Guru: RDi and Refactoring
  • As I See It: The Curse Of The Clever
  • Tesla Teases IBM i Software Vendor Into Some Experimental Coding

Content archive

  • The Four Hundred
  • Four Hundred Stuff
  • Four Hundred Guru

Recent Posts

  • COMMON Set for First Annual Conference in Three Years
  • API Operations Management for Safe, Powerful, and High Performance APIs
  • What’s New in IBM i Services and Networking
  • Four Hundred Monitor, May 18
  • IBM i PTF Guide, Volume 24, Number 20
  • IBM i 7.3 TR12: The Non-TR Tech Refresh
  • IBM i Integration Elevates Operational Query and Analytics
  • Simplified IBM i Stack Bundling Ahead Of Subscription Pricing
  • More Price Hikes From IBM, Now For High End Storage
  • Big Blue Readies Power10 And IBM i 7.5 Training for Partners

Subscribe

To get news from IT Jungle sent to your inbox every week, subscribe to our newsletter.

Pages

  • About Us
  • Contact
  • Contributors
  • Four Hundred Monitor
  • IBM i PTF Guide
  • Media Kit
  • Subscribe

Search

Copyright © 2022 IT Jungle

loading Cancel
Post was not sent - check your email addresses!
Email check failed, please try again
Sorry, your blog cannot share posts by email.