New “High Priority” DDM Vulnerability Affects IBM i

    July 10, 2023 Alex Woodie

    Unauthenticated users can remotely run CL or PASE commands on IBM i as a result of a newly discovered vulnerability in the operating system’s Distributed Data Management (DDM) architecture. IBM issued a patch for the flaw, which it classified as moderate. However, the Hungary-based ethical hacking group that discovered the flaw, Silent Signal, recommends treating it as a high priority.

    IBM disclosed the DDM security flaw and availability of program temporary fixes (PTFs) for IBM i version 7.2 through 7.5 via a security bulletin on June 30. The flaw was assigned CVE-2023-30990 by the Common Vulnerability Scoring System, and given a CVSS Base score of 5.6, which is moderate.

    IBM didn’t provide many details about the flaw, which exists in a native component of the IBM i operating system as opposed to open source add-ons that run in PASE. The vast majority of security flaws reported in IBM i in recent years have arrived via open source software, making this DDM flaw a bit of a rarity.

    DDM is a network architecture in IBM i that enables users or applications to retrieve data sitting on remote systems. It also allows remote systems to access data sitting on a local IBM i server. “Any system that supports the DDM architecture as a client system can access data (if authorized to do so) on any other system to which it is attached,” IBM says in its DDM overview webpage.

    However, that appears not to be the case, according to Zoltan Panczel, the Silent Signal researcher who discovered the flaw. In a July 3 blog post, Panczel described how he used a “dumb fuzzing” technique to discover that he could submit CL commands via a DDM client while signed in as QUSER.

    Panczel started by using the jt400.jar library to create a simple DDM client that allowed him to authenticate to the DDM service. Once that client was created and the connection was established, he used a “slightly modified” version of Blaze Information Security’s PCAP fuzzer to generate fuzzed traffic.

    “After running the fuzzer for a couple of minutes, the QGPL/DDMSPLOIT file appeared on our test server,” the security researcher wrote. “Checking the authority of the DDMSPLOIT source file object reveals that the owner is not my test user, but QUSER.”

    Once he realized that unauthenticated CL command execution was possible, Panczel looked to find out why and how.

    “Upon investigating the modified traffic, I noticed that if the username or password fields are corrupted, the DDM server still handles the command request,” he wrote. “The DDM server responds with a SECCHKRM packet with ERROR 0x17 (Invalid GSS-API server credential) but the command sent by the client still gets executed.”

    At that point, Panczel decided to send the original PCAP fuzzed traffic without modifications, to see what would happen. The authentication attempt was rejected by the server, which indicates “the presence of replay protection.”

    “When we send the replayed request to DDM, the same error condition is observed, but again, the CL command is executed,” he continued. “We suspect that the root cause of the vulnerability is a ‘GOTO fail’-style bug in the error handling code of the service, allowing replay attacks. We are working on improving the reverse engineering tooling for the Power architecture (especially regarding its AS extensions) to gain a better understanding of the patch and support our future research.”
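    The failure mode Panczel suspects, reduced to its shape, as an added example that is not IBM's code or Silent Signal's: a handler that reports a failed security check but keeps processing the rest of the request, next to a fail-closed version. The message kinds, session struct and credential string are constructed for illustration; only the SECCHKRM 0x17 reply code comes from the article.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum msg_type { MSG_SECCHK, MSG_COMMAND };   /* constructed message kinds */
struct msg { enum msg_type type; const char *body; };
#define SECCHK_OK      0x00
#define SECCHK_INVALID 0x17  /* SECCHKRM error code quoted in the article */

/* authenticated: set by the security check; commands_run: stands in for execution */
struct session { int authenticated; int last_reply; int commands_run; };

/* Constructed credential check; a real server validates user and password. */
static int credentials_ok(const char *body) {
    return body != NULL && strcmp(body, "good-credentials") == 0;
}

/* fail_closed == 0: the error is reported, yet later messages still run.
 * fail_closed == 1: a failed check ends the request, and the sink re-checks. */
int handle_request(struct session *s, const struct msg *m, size_t n, int fail_closed) {
    for (size_t i = 0; i < n; i++) {
        switch (m[i].type) {
        case MSG_SECCHK:
            s->authenticated = credentials_ok(m[i].body);
            s->last_reply = s->authenticated ? SECCHK_OK : SECCHK_INVALID;
            if (!s->authenticated && fail_closed)
                return -1;               /* stop: nothing after this runs */
            break;
        case MSG_COMMAND:
            if (fail_closed && !s->authenticated)
                return -1;               /* defense in depth at the sink */
            s->commands_run++;
            break;
        }
    }
    return 0;
}

/* Constructed request: corrupted credentials followed by one command. */
int commands_run_with_bad_credentials(int fail_closed) {
    struct session s = {0, 0, 0};
    const struct msg req[] = { {MSG_SECCHK, "corrupted"}, {MSG_COMMAND, "CMD"} };
    handle_request(&s, req, 2, fail_closed);
    return s.commands_run;
}

int main(void) {
    printf("fail-open: %d command(s) run, fail-closed: %d\n",
           commands_run_with_bad_credentials(0), commands_run_with_bad_credentials(1));
    return 0;
}
```

    In both modes the client receives the same error reply, so the reply code alone does not show whether the command was blocked.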

    Silent Signal submitted the bug to IBM’s Product Security Incident Response Team (PSIRT) on April 25. On the same day, IBM PSIRT assigned the flaw a number. About two months later, the flaw was patched with PTF numbers SI83472 (IBM i 7.5), SI83473 (7.4), SI83474 (7.3), and SI83475 (7.2). Older releases of the operating system likely suffer from the same flaw, but IBM won’t be patching them.

    Panczel took issue with IBM’s assigned CVSS Base score for this flaw, which was 5.6.

    “This score is unusually low for an unauthenticated RCE [remote code execution], so what’s going on here?” he wrote. “As we see, most of the vector is reasonable, however we don’t know on what basis was Access Complexity scored to High. The exploit is 100 percent reliable, and we successfully demonstrated it against multiple systems without any further work.”

    There may be some configurations that prevent exploitation, he wrote. However, according to CVSS 3.1 rules, that can’t be used to increase the complexity component, Panczel wrote. “Our work was also based on default configuration.”

    Remote code execution isn’t the only threat. While QUSER doesn’t possess special authorities, there are several jobs that run under QUSER, including the database, job queue server, file server, printer server, remote command server, sign-on server, network drive server, transfer function server, and virtual print server. Any of these services can be ended by exploiting this flaw.

    “Based on this information we can generally recommend IBM i system owners to consider the installation of official patches as high priority,” Panczel wrote. “The risk can be mitigated by attack surface reduction, for example via strict firewall restrictions. It should be noted that DDM service exit programs don’t seem to be effective against this particular exploit.”

    Silent Signal is a Budapest-based company that provides penetration testing services for clients. The company was founded in 2009 by three security experts, and started exploring security vulnerabilities in the IBM i server in 2021, the company told IT Jungle in an interview last year. Interest among IBM i clients was “immediate,” co-founder Balint Varga-Perke told us, and so the company decided to set up an IBM i lab and make it a major focus.

    “The discovery and resolution of this vulnerability is an important milestone in our efforts to direct more public security research to the IBM i platform,” Panczel wrote.

    The results of more IBM i security research will be published soon, he wrote.

    Editor’s note: The PTF numbers to fix the DDM flaw in various releases of IBM i were incorrect. IT Jungle regrets the error.


    3 thoughts on “New “High Priority” DDM Vulnerability Affects IBM i”

    • ken toole says:
      July 10, 2023 at 9:40 am

      PTF numbers tied to release numbers are not correct. Should be:
      IBM i Release 5770-SS1
      PTF Number PTF Download Link
      7.5 SI83472 https://www.ibm.com/support/pages/ptf/SI83472
      7.4 SI83473 https://www.ibm.com/support/pages/ptf/SI83473
      7.3 SI83474 https://www.ibm.com/support/pages/ptf/SI83474
      7.2 SI83475 https://www.ibm.com/support/pages/ptf/SI83475
      This is taken directly from the table from the IBM document.

    • Matthias says:
      July 12, 2023 at 10:07 am

      After installing PTF SI83475 on IBM i 7.2 no DDM connection can be made. IBM has already superseded this PTF with SI84090.

    • P.D. Cowand says:
      July 25, 2023 at 10:34 am

      After installing SI83473, our DRDA jobs started getting the following errors. Case open with IBM. Errors:

      Database connection started over TCP/IP on target system XXXXXX job
      839025/QUSER/QRWTSRVR.
      Connection to relational database XXXXX does not exist.
      Connection to relational database XXXXX does not exist.
      Connection to relational database XXXXX does not exist.
      Connection to relational database XXXXX does not exist.


TFH Volume: 33 Issue: 40
