Serious Security Vulns Patched In IBM i
September 19, 2018 Alex Woodie
No good deed goes unpunished. So it is with cybersecurity, which demands unceasing attention to a never-ending stream of flaws and patches as the cost of staying off the front page. To that end, IBM patched several more security flaws in IBM i last week, including two serious flaws in Node.js, five critical vulnerabilities in Samba, and one moderate flaw in OpenSSH.
It’s easy to get lulled into a false sense of security on the IBM i server, thanks to its unique architecture, cryptic file names, and reputation for strong security. It’s hard enough to find programmers, administrators, and operators who are fluent in the ways of IBM i, so how could hackers know their way around?
If you’re clinging to the “security through obscurity” blanket, you’re living on borrowed time. Don’t underestimate the amount of free time cybercriminals have on their hands. One only has to look back 12 months, to the massive Equifax hack, to see how quickly an unpatched security vulnerability in an obscure piece of technology (Apache Struts) can do lasting damage to the reputation of a Fortune 500 firm.
Ironically, IBM yesterday patched another serious Struts flaw, this time in IBM Connections, a social media tool that plays in the Notes/Domino space and can connect to IBM i servers. But that’s the least of the worries for IBM i professionals, who have several more critical flaws to fix for software running directly on their servers.
The fun starts with the security flaws in Node.js, which is quickly becoming a popular tool for developing Web applications on the IBM i. This IBM security bulletin from September 12 describes the two flaws impacting Node.js on IBM i 7.1 through 7.3: a denial of service (DoS) condition caused by an out-of-bounds write to a buffer, and the risk of exposing sensitive data because the buffer function can return uninitialized memory.
Both risks are serious, but the first flaw, described in CVE-2018-12115, carries a CVSS base score of 8.2, while the second flaw, described in CVE-2018-7166, carries a CVSS base score of 7.5. IBM encourages IBM i users who get their Node.js through the 5733-OPS product to apply PTF number SI68287, while those using the new RPM delivery method are encouraged to download Node.js version 10.
On Monday, IBM patched five security flaws in Samba, a free re-implementation of the SMB/CIFS networking protocol. According to the IBM security bulletin, the flaws carry CVSS base scores ranging from 4.3 to 6.5 and pose a variety of risks, from crashing the Samba service (a DoS condition) to allowing an attacker to obtain confidential attribute values.
The Samba flaws impact IBM i 7.2 and 7.3, and can be patched by applying PTF number SI68291 (for 7.2) and SI68292 (for 7.3).
IBM issued another security bulletin Monday for a newly patched flaw in IBM i’s OpenSSH implementation, which is used to let people securely log in to machines remotely. According to IBM, an attacker could obtain sensitive information by sending a specially crafted request that reveals valid user names. The flaw carries a CVSS base score of 5.3.
The OpenSSH flaw impacts IBM i 7.1 through 7.3. The PTF number for 7.1 is SI68325, while the PTF number for versions 7.2 and 7.3 is SI68326. As with all security patches, IBM i shops are encouraged to apply the PTFs immediately to minimize their exposure to hackers.
As always, IT Jungle encourages you to keep up to date with security flaws by reading Doug Bidwell’s PTF Guide, which is published periodically on these Web pages.