Samba Patch Caps Busy Year for IBM i Security
December 4, 2019 Alex Woodie
IBM last week patched a moderately severe security flaw in IBM i’s Samba implementation that could enable hackers to access data they really shouldn’t be able to access. The disclosure caps a rather busy second half of the year for security patches on IBM i that saw 26 emergency PTFs and Yum updates for Node.js, Python, the Apache HTTP Server, OpenSSL, ISC Bind, IBM Navigator, and even Db2 Mirror for IBM i.
On November 26, IBM issued this security bulletin to let people know about the new flaw in the Samba client. The flaw could allow a hacker to not only access files and folders on the affected server that are outside of the SMB network pathnames, but to also create files outside of the working directory, according to IBM’s description. The flaw, which carries a CVSS Base Score of 5.3, was fixed with a series of PTFs for IBM i 7.2, 7.3, and 7.4.
It was the second patch that month, with the first coming on November 4, when IBM issued a security bulletin that discussed four separate vulnerabilities in Python that impact IBM i versions 7.2 through 7.4. All of the Python vulnerabilities are in the open source programing language, which runs on IBM i via the PASE Unix runtime, and not in any code that’s unique to IBM i.
A more serious Python problem is CVE-2019-10160, which could allow an attacker to obtain sign-in information, cookies, and other sensitive data by sending a specially crafted URL. The flaw, which impacts Python version 2 and 3 releases, carries a CVSS Base Score of 7.5, making it a severe flaw.
Another nasty bugger is CVE-2019-9948, which is a Python 2 flaw that could allow an attacker to bypass a protection scheme and allow a blacklisted website to be opened. This little darling carries a CVSS Base Score of 5.3.
The final Python flaw, CVE-2019-9947, is a new twist on an old Python 2 and 3 bugger (CVE-2019-9740) that could allow an attacker to carry out a Carriage Return Line Feed (CFLF) injection attack using a malformed website. This flaw carries a CVSS Base Score of 6.1.
All four Python flaws have been fixed on IBM i 7.2 through 7.4. The fix is to upgrade to the latest versions of Python version 2 or 3, either via the Yum command line tool or via the GUI in ACS Package Management.
Good IT Jungle readers who read Doug Bidwell’s weekly IBM i PTF Guide will have already received word of the patches and (hopefully) applied them, but we are repeating them here just in case.
The CVE-2019-4450 vulnerability was given a CVSS Base Score of 6.1, which is a moderate vulnerability. On the same day, IBM issued three patches for the flaw, one each for IBM i 7.2, 7.3, and 7.4, according to this security bulletin. There are no work arounds and IBM recommended applying the PTF immediately.
On October 24, IBM issued this security bulletin to let customers know about six security vulnerabilities discovered in the IBM i HTTP Server (the one that’s powered by Apache). The most serious, CVE-2019-9517, describes a DOS attack that could be undertaken by sending a stream of requests of a large response object. It has a CVSS Base Score of 7.5.
Also concerning is CVE-2019-10081, which is another DOS attack caused by memory corruption that carries a CVSS Base Score of 5.3. With CVE-2019-10082, which also carries a CVSS Base Score of 5.3, remote attackers could obtain sensitive information. A cross-site scripting vulnerability with a CVSS Base Score of 4.7 is at the heart of CVE-2019-10092, while a phishing attack could be executed via the flaws described in CVE-2019-10098, which carries a CVSS Base Score of 3.7. The HTTP Server (powered by Apache) fun wraps up with CVE-2019-10097, which carries a DOS threat with a CVSS Base Score of 5.6.
IBM fixed these six HTTP Server flaws with a series of PTFs. Check out the security bulletin for the exact PTFs that apply to IBM i 7.2 through 7.4. (Note: Not all of the OSes are impacted by all of the flaws.)
On September 26, when IBM issued this security alert to let IBM i customers know about a eight security flaws that were fixed in Node.js. All eight of the flaws – which were identified by the Common Vulnerably and Exposure (CVE) database with numbers CVE-2019-9511 to CVE-2019-9518 – are a denial of service (DOS) attacks that carry a Common Vulnerability Scoring System (CVSS) Base Score of 7.5. The patches impact IBM i 7.2 through 7.4.
On August 28, IBM issued this security alert to alert customer of a new vulnerability that’s been fixed in OpenSSL on IBM i versions 7.1 through 7.4. The flaw, which is due to an error in a cipher, could let attackers access protected resources. It carries a CVSS Base Score of 4.8.
On August 24, IBM issued this security alert to address CVE-2019-4536, which describes a flaw in Db2 Mirror for IBM i that could allow an attacker to gain access to elevated privileges upon the restoration of a user profile. The flaw carried a CVSS Base Score of 6.7; the fix applies only to IBM i 7.4, which is required for Db2 Mirror.
On August 15, IBM issued this security alert to address CVE-2019-6471, which is tied to an ISC BIND vulnerability in IBM i that could allow an attacker to carry out a DOS attack. It features a CVSS Base Score of 5.9 and was patched on every OS from IBM i 7.1 to 7.4.
On July 10, IBM issued this security alert to address three security vulnerabilities in the IBM i HTTP Server. The flaws, including CVE-2019-0220, CVE-2019-0196, and CVE-2019-0197, could allow attackers to launch DOS attacks. All three sport a CVSS Base Score of 5.3 and impact IBM i 7.2, 7.3, and 7.4.
IBM issued hundreds of patches for vulnerabilities in dozens of products, from WebSphere and Java runtimes to Rational products and MQ, but none of the other security bulletins going back to July 1, 2019, featured the phrase “IBM i” in the headline, according to the IBM PSIRT Blog.