Spooky New Security Vulns Lurking on IBM i
November 1, 2023 Alex Woodie
Halloween has come and gone, but the scares will stick around for a while for IBM i administrators, who have been given more than a dozen fixes by IBM to address some pretty serious security vulnerabilities recently revealed in the heart of the operating system, including in spooky old friends Java and OpenSSL.
On October 27, IBM issued a security bulletin for two CVEs, including CVE-2023-40685 and CVE-2023-40686, which describe two separate but related security flaws in the Management Central component of IBM i Navigator in IBM i versions 7.2 through 7.5.
The first privilege escalation vulnerability, CVE-2023-40685, could enable a bad actor with command line access to gain root access to the operating system, and carries a CVSS Base score of 7.4, which is a serious vulnerability. The second vulnerability could let the bad person gain component access to the OS, and carries a CVSS Base score of 4.9. IBM has issued eight new PTFs to fix the two vulns impacting the four OS releases.
These flaws were both spotted by Zoltan Panczel, the security researcher with Silent Signal, the Hungarian security firm. Panczel is also credited with discovering some other recent flaws in the IBM i operating system earlier this year, including the Performance Tools, Facsimile Support for i, and Distributed Data Management (DDM), which carried BVSS Base scores of 8.4, 8.4, and 8.6, respectively. Panczel spotted some other spooky vulns (see below).
Moving along in reverse chronological order brings us to October 20, the day IBM issued a security bulletin for CVE-2023-3341, which is a denial of service (DOS) vulnerability impacting all versions of IBM i, from version 7.2 to 7.5. The DOS vulnerability exists in the IBM i implementation of ISC BIND, a software component used to interact with Domain Name System (DNS).
According to IBM, a stack exhaustion flaw in the control channel code could enable an attacker to send a specially crafted message over the control channel, thereby causing the DNS service to terminate. The flaw carries a CVSS Base score of 7.5, which is a severe vulnerability. IBM patched it with a series of PTFs for IBM i versions 7.2 through 7.5.
Also on October 20, IBM issued a security bulletin for CVE-2022-39161, which is a man-in-the-middle spoofing attack impacting IBM i 7.3 through 7.5. The spoofing vulnerability exists in IBM WebSphere Application Server Liberty for IBM i, the lightweight Java application server.
IBM says the flaw could enable an authenticated user to conduct a spoofing attack and possibly obtain sensitive information when WebSphere Liberty is configured to work with the Web Server Plug-ins for IBM WebSphere Application Server. It carries a CVSS Base score of 4.8, which is a moderate security risk. IBM has patched the flaw with separate PTFs for each impacted OS.
On October 7, IBM issued a security bulletin for CVE-2023-40377, a local privilege escalation vulnerability due to a flaw in IBM Backup, Recovery & Media Services (BRMS). “A malicious actor with command line access to the host operating system can elevate privileges to gain component access to the host operating system,” IBM says. The flaw, which carries a CVSS Base score of 4.9, was spotted by Silent Signal’s Panczel.
Silent Signal and Panczel are also credited with discovering CVE-2023-40375, which is another local privilege escalation vulnerability, this time due to a flaw in the IBM i’s “Integrated application server,” according to the IBM security bulletin first issued September 25 and updated October 7.
CVE-2023-40375 impacts IBM i version 7.2 through 7.5 and carries a CVSS Base score of 7.4, which makes it a fairly serious security flaw. IBM has issued separate PTFs to address the problem on each impacted operating system.
Panczel also gets credit for CVE-2023-40378, another local privilege escalation vulnerability, this time for a flaw in the IBM Directory Server for i. According to the IBM security bulletin first issued October 5, a malicious actor with command line access can elevate privileges to gain component access to IBM i.
This flaw carries a CVSS Base score of 4.9, making it a moderate threat. IBM has issued separate PTFs for each of the impacted releases of the operating system. The first batch of fixes for this flaw were defective. On October 18, IBM re-published the security bulletin with new fix numbers.
But perhaps the scariest security vulnerability to hit IBM i recently is CVE-2022-40609, a flaw in the Java SDK and runtime that could enable an attacker to execute arbitrary code on the IBM i server. IBM originally issued a security bulletin for the “unsafe deserialization flaw” on August 25, and updated the bulletin on October 7.
The flaw in IBM SDK, Java Technology Edition 126.96.36.199 and 188.8.131.52 could enable an attacker take control over the server by sending specially crafted data. This flaw carries a CVSS Base score of 8.1. IBM patched it with a single group PTF for IBM i versions 7.3 through 7.5.
It wouldn’t be right to discuss a batch of security vulns without including the latest flaws in OpenSSL and OpenSSH, the open source encryption libraries that are the subjects of endless fascination of hackers and codebreakers.
IBM’s September 7 security bulletin (updated October 10) details four specific flaws, three in OpenSSL and one in OpenSSH. The Open SSH flaw, CVE-2023-38408, is the worst of the bunch, as it could enable arbitrary code execution and carries a CVSS Base score of 8.1.
CVE-2023-2650, a DOS flaw in OpenSSL, is right behind it with a CVSS Base score of 7.5. CVE-2023-0465 describes an OpenSSL flaw that could allow a bad person to bypass policy checking and carries a CVSS Base score of 3.7, while CVE-2023-3817 is another DOS flaw in OpenSSL that also carries a CVSS Base score of 3.7.
As always, you can stay up to date (some might say should stay up to date) with the latest PTFs by reading Doug Bidwell’s IBM i PTF Guide, which IT Jungle publishes every week (or so). You can access Bidwell’s latest guide here.