New “High Priority” DDM Vulnerability Affects IBM i
July 10, 2023 Alex Woodie
Unauthenticated users can remotely run CL or PASE commands on IBM i as a result of a newly discovered vulnerability in the operating system’s Distributed Data Management (DDM) architecture. IBM issued a patch for the flaw, which it classified as moderate. However, the Hungary-based ethical hacking group that discovered the flaw, Silent Signal, recommends treating it as a high priority.
IBM disclosed the DDM security flaw and the availability of program temporary fixes (PTFs) for IBM i versions 7.2 through 7.5 in a security bulletin on June 30. The flaw was assigned CVE-2023-30990 and given a Common Vulnerability Scoring System (CVSS) Base score of 5.6, which is moderate.
IBM didn’t provide many details about the flaw, which exists in a native component of the IBM i operating system as opposed to open source add-ons that run in PASE. The vast majority of security flaws reported in IBM i in recent years have arrived via open source software, making this DDM flaw a bit of a rarity.
DDM is a network architecture in IBM i that enables users or applications to retrieve data sitting on remote systems. It also allows remote systems to access data sitting on a local IBM i server. “Any system that supports the DDM architecture as a client system can access data (if authorized to do so) on any other system to which it is attached,” IBM says in its DDM overview webpage.
However, the “if authorized to do so” part appears not to hold, as Zoltan Panczel, the Silent Signal researcher who found the flaw, discovered. In a July 3 blog post, Panczel described how he used a “dumb fuzzing” technique to find that he could submit CL commands via a DDM client while signed in as QUSER.
Panczel started by using jt400.jar library to create a simple DDM client that allowed him to authenticate to the DDM service. Once that client was created and the connection was established, he used a “slightly modified” version of Blaze Information Security’s PCAP fuzzer to generate fuzzed traffic.
“After running the fuzzer for a couple of minutes, the QGPL/DDMSPLOIT file appeared on our test server,” the security researcher wrote. “Checking the authority of the DDMSPLOIT source file object reveals that the owner is not my test user, but QUSER.”
Once he realized that unauthenticated CL command execution was possible, Panczel looked to find out why and how.
“Upon investigating the modified traffic, I noticed that if the username or password fields are corrupted, the DDM server still handles the command request,” he wrote. “The DDM server responds with a SECCHKRM packet with ERROR 0x17 (Invalid GSS-API server credential) but the command sent by the client still gets executed.”
At that point, Panczel decided to send the original PCAP fuzzed traffic without modifications, to see what would happen. The authentication attempt is rejected by the server, which indicates “the presence of replay protection.”
“When we send the replayed request to DDM, the same error condition is observed, but again, the CL command is executed,” he continued. “We suspect that the root cause of the vulnerability is a ‘GOTO fail’-style bug in the error handling code of the service, allowing replay attacks. We are working on improving the reverse engineering tooling for the Power architecture (especially regarding its AS extensions) to gain a better understanding of the patch and support our future research.”
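The behavior Panczel describes in the three preceding paragraphs has a simple detection signature: a session in which the server has answered a security check with a SECCHKRM error (such as 0x17) and yet a command request in that same session goes on to execute. The following Python is an added example, not Silent Signal's or IBM's code. It assumes a constructed, simplified event log (session id, event name, detail) of the kind a DDM proxy, packet capture, or audit trail could be reduced to; the event names SECCHKRM and the 0x17 code are from the article, and the log lines themselves are constructed for illustration.

```python
"""Flag DDM sessions where a command runs after a failed or absent security check.

Added example, not Silent Signal's or IBM's code. The log format is constructed:
each line is "<session> <event> [detail]". Real deployments would map their own
connection-level logging onto these three event kinds.
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample events. s1 authenticates and runs a command (normal).
# s2 is rejected with error 0x17 but a command still executes (the flaw).
# s3 is rejected and closes cleanly. s4 issues a command with no SECCHKRM at all.
SAMPLE_LOG = """\
s1 SECCHK user=alice
s1 SECCHKRM error=0x00
s1 CMD CRTSRCPF FILE(QGPL/TESTSRC)
s2 SECCHK user=??
s2 SECCHKRM error=0x17
s2 CMD CRTSRCPF FILE(QGPL/DDMSPLOIT)
s3 SECCHK user=bob
s3 SECCHKRM error=0x17
s3 CLOSE
s4 CMD DSPLIB LIB(QGPL)
"""

NO_SECCHKRM = -1  # sentinel: command seen before any security-check reply


@dataclass
class Finding:
    session: str
    error: int       # SECCHKRM error code, or NO_SECCHKRM
    command: str     # the command text that executed anyway


def parse_events(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (session, event, detail) from the constructed log format."""
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        session, event = parts[0], parts[1]
        detail = parts[2] if len(parts) == 3 else ""
        yield session, event, detail


def find_unauthenticated_commands(log_text: str) -> List[Finding]:
    """Return every CMD event whose session did not receive SECCHKRM error=0x00."""
    last_error: dict = {}  # session -> most recent SECCHKRM error code
    findings: List[Finding] = []
    for session, event, detail in parse_events(log_text):
        if event == "SECCHKRM":
            # detail looks like "error=0x17"; int(..., 16) accepts the 0x prefix
            last_error[session] = int(detail.split("=", 1)[1], 16)
        elif event == "CMD":
            code: Optional[int] = last_error.get(session)
            if code is None:
                findings.append(Finding(session, NO_SECCHKRM, detail))
            elif code != 0:
                findings.append(Finding(session, code, detail))
    return findings


if __name__ == "__main__":
    for f in find_unauthenticated_commands(SAMPLE_LOG):
        print(f"session {f.session}: command executed after SECCHKRM "
              f"error {f.error:#x}: {f.command}")
```

The detector keys on the ordering the article reports (rejection reply, then executed command) rather than on any particular command text, so it also catches the case where no security check reply was ever seen in the session. Sessions that are rejected and then close, like s3, produce no finding.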
Silent Signal submitted the bug to IBM’s Product Security Incident Response Team (PSIRT) on April 25. On the same day, IBM PSIRT assigned the flaw a number. About two months later, the flaw was patched with PTF numbers SI83472 (IBM i 7.5), SI83473 (7.4), SI83474 (7.3), and SI83475 (7.2). Older releases of the operating system likely suffer from the same flaw, but IBM won’t be patching them.
Panczel took issue with IBM’s assigned CVSS Base score for this flaw, which was 5.6.
“This score is unusually low for an unauthenticated RCE [remote code execution], so what’s going on here?” he wrote. “As we see, most of the vector is reasonable, however we don’t know on what basis was Access Complexity scored to High. The exploit is 100 percent reliable, and we successfully demonstrated it against multiple systems without any further work.”
There may be some configurations that prevent exploitation, Panczel wrote, but under CVSS 3.1 rules that cannot be used to raise the complexity component. “Our work was also based on default configuration.”
Remote code execution isn’t the only threat. While QUSER doesn’t possess special authorities, there are several jobs that run under QUSER, including the database, job queue server, file server, printer server, remote command server, sign-on server, network drive server, transfer function server, and virtual print server. Any of these services can be ended by exploiting this flaw.
“Based on this information we can generally recommend IBM i system owners to consider the installation of official patches as high priority,” Panczel wrote. “The risk can be mitigated by attack surface reduction, for example via strict firewall restrictions. It should be noted that DDM service exit programs don’t seem to be effective against this particular exploit.”
Silent Signal is a Budapest-based company that provides penetration testing services for clients. The company was founded in 2009 by three security experts, and started exploring security vulnerabilities in the IBM i server in 2021, the company told IT Jungle in an interview last year. Interest among IBM i clients was “immediate,” co-founder Balint Varga-Perke told us, and so the company decided to set up an IBM i lab and make it a major focus.
“The discovery and resolution of this vulnerability is an important milestone in our efforts to direct more public security research to the IBM i platform,” Panczel wrote.
The results of more IBM i security research will be published soon, he wrote.
Editor’s note: The PTF numbers to fix the DDM flaw in various releases of IBM i were incorrect. IT Jungle regrets the error.