Serious New IBM i Vulns Exposed by Silent Signal – More On the Way
July 24, 2023 Alex Woodie
Two new vulnerabilities in core components of the IBM i operating system were disclosed by IBM last week, including one that impacts Performance Tools and another in Facsimile Support for i. Both vulnerabilities were discovered by Silent Signal, the Hungarian firm that discovered the recent DDM vulnerability, and both are considered high-risk flaws that should be patched immediately.
More security flaws exist in IBM i that will be exposed in the months to come, Silent Signal says.
The first new flaw, CVE-2023-30988, pertains to a local privilege escalation vulnerability discovered in Facsimile Support for i, a native IBM i utility that allows customers to send and receive faxes on the platform. “A malicious actor with command line access to the host operating system can elevate privileges to gain root access to the host operating system,” says the NIST National Vulnerability Database description of the flaw.
IBM submitted a security bulletin for this flaw on July 16. IBM gave the flaw a CVSS Base score of 8.4, which is considered a high-risk flaw. There are no workarounds or mitigations, but emergency PTFs are available for IBM i versions 7.2 through 7.5, and customers are encouraged to apply them as soon as possible.
The second new flaw, CVE-2023-30989, is similar to the first one, but applies to IBM’s Performance Tools, which is a utility that collects performance data about customers’ IBM i environments over time. Just like the flaw in Facsimile Support for i, the flaw in Performance Tools could enable a malicious actor with command line access to the host operating system to obtain elevated privileges and gain “root access” to the host operating system (i.e., all Object Authority).
In its security bulletin for the Performance Tools flaw, IBM gave the flaw a Base Score of 8.4, identical to the first flaw. IBM also patched the flaw in all supported versions of the operating system, 7.2 through 7.5. Customers should apply the patches as soon as possible, as there are no workarounds or mitigations for this flaw.
Zoltan Panczel, a security researcher with Silent Signal, is credited with discovering both of these new vulnerabilities. Panczel also found the serious DDM vulnerability that was disclosed and patched on June 30. IBM originally gave that vulnerability a CVSS Base score of 5.6, which is moderate. However, IBM updated its original security bulletin for the DDM flaw to give it a score of 8.6.
The change was made to reflect the relatively low level of complexity involved in exploiting that vulnerability, according to Silent Signal co-founder Bálint Varga-Perke. “Based on the CVSS 3.0/3.1 specifications we think Attack Complexity should have always been Low independently of the availability of vulnerability details, as this latter circumstance is captured in the Exploit Code Maturity scoring element,” he tells IT Jungle.
Silent Signal has been providing white-hat hacking and penetration testing services for customers from its Budapest, Hungary headquarters. The company started taking an interest in IBM i a couple of years ago, and the platform has since become a major focus.
So far, the Silent Signal hackers have discovered a number of vulnerabilities in IBM i. According to Varga-Perke, the company is using a specific technique that has proven fruitful in spotting flaws others have missed.
“We realized that typical vulnerability classes affect a wide range of common IBM i software, so we’ve been developing binary analysis tools that allow us to look for vulnerabilities in compiled program objects at scale,” he says. “This way finding similar vulnerabilities in different components (such as Facsimile and Performance Tools) became easy, and we also stumbled upon numerous issues affecting third party components too. This tells us that these vulnerability classes aren’t well-known among developers, which is why we think it’ll be important to share technical details publicly in August.”
More security vulnerabilities in IBM i and related components are forthcoming, according to Varga-Perke. “The privilege escalation vulnerability demonstrated in our video was not fixed in this batch, and we have even more in the queue,” he says.