IBM Patches Privilege Escalation Flaw In Db2 Mirror
September 18, 2019 Alex Woodie
Much of the Western World may take August off, but apparently not hackers and other off-book computer enthusiasts, as IBM addressed several security problems across its IBM i software family last month. The list of security flaws includes a privilege escalation flaw in Db2 Mirror and OpenSSL and BIND vulnerabilities in IBM i itself. Power Systems firmware and Sterling data integration products also saw patches.
The lowlight of the month’s security news arguably goes to Db2 Mirror, the new database clustering technology that IBM released in June with the delivery of IBM i 7.4. The software is designed to provide continuous availability by allowing organizations to point application servers to an alternative local database when the primary database server goes down.
IBM explained the Db2 Mirror flaw in this X-Force Vulnerability Report:
“IBM i 7.4 users who have done a Restore User Profile (RSTUSRPRF) on a system which has been configured with Db2 Mirror for i might have user profiles with elevated privileges caused by incorrect processing during a restore of multiple user profiles. A user with restore privileges could exploit this vulnerability to obtain elevated privileges on the restored system.”
The flaw, identified as CVE-2019-4536, was given a CVSS 3.0 base score of 6.7, a medium-severity rating: an unauthorized individual could gain access to information or applications in violation of the organization's security policy. However, the attack complexity is rated high, since the attacker must already hold restore authority and the profiles must have been restored onto a system configured for Db2 Mirror, which keeps the score out of the high range.
IBM issued PTF number SI70767 to fix the problem. Since Db2 Mirror is only available with IBM i 7.4, other releases of the operating system are not impacted. IBM provided additional instructions to deal with the problem in its August 23 security bulletin for this flaw.
The new OpenSSL and BIND vulnerabilities impacted all current releases of the operating system, including IBM i 7.1, which isn't actually current, but is still being patched by IBM anyway.
A flaw in OpenSSL could allow a remote attacker to obtain sensitive information from an IBM i server, according to an August 28 security bulletin issued by IBM. The flaw, which is identified as CVE-2019-1543, is caused by a nonce-handling error in OpenSSL's implementation of the ChaCha20-Poly1305 AEAD cipher. An attacker could exploit the flaw by sending a message encrypted “using a reused overly long nonce,” the bulletin says. The point for practitioners is that ChaCha20 is a stream cipher: if an application ends up encrypting two messages under the same key and effective nonce, the XOR of the two ciphertexts equals the XOR of the two plaintexts, so knowing one message reveals the other. IBM patched the OpenSSL problem (CVSS base score: 4.8) with PTF number SI70818 for IBM i 7.1, and PTF number SI70819 for IBM i 7.2, 7.3, and 7.4.
The ISC BIND vulnerability that IBM warned us about with a security bulletin on August 15 is slightly more serious, carrying a CVSS Base Score of 5.9. The flaw, identified as CVE-2019-6471, could allow an attacker to launch a denial of service (DoS) attack on a vulnerable server by sending malformed packets. IBM patched the problem for IBM i with four PTFs: SI70734 for IBM i 7.4; SI70733 for 7.3; SI70732 for 7.2; and SI70723 for 7.1.
IBM also patched a pair of flaws in Power Systems firmware, but the flaws only appear to impact OpenPower systems, not IBM's own Power Systems servers. One of the security bulletins for the firmware problems, issued on August 16, warns users that an attacker could get access to an Open Baseboard Management Controller (OpenBMC) password on OpenPower machines running Power9 processors. The other security bulletin, issued on July 11, highlights a potential issue with validation checking of IBM firmware in the BMC software.
Companies running version 5.x releases of IBM's Sterling B2B Integrator software on IBM i, Windows, Linux, Solaris, HP-UX, and AIX should take notice of this August 14 security bulletin, which highlights an array of vulnerabilities in the underlying IBM MQ and IBM WebSphere software. IBM has addressed the flaws, which range from DoS vulnerabilities to privilege escalation to arbitrary code execution (which earned an 8.8 on the CVSS scale).
And companies running IBM Sterling File Gateway will want to check out the August 2 security bulletin. That bulletin details a medium-severity SQL injection vulnerability that could impact users of the software on all the same operating systems.