More Critical Security Vulns Reported In IBM i Components
March 4, 2024 Alex Woodie
The run of serious security vulnerabilities in IBM i components continues in early 2024, as IBM reported 10 new flaws across OpenSSH, the Apache Web Server, ISC BIND, and Facsimile Support for IBM i in February and early March. All of the flaws impact IBM i 7.2 through 7.5 and all have been patched by IBM via PTFs.
The most critical of the recent batch of security flaws exists in OpenSSH, the open source security utility for establishing encrypted communications between hosts and clients. As described by IBM in this February 23 security bulletin, the vulnerability (CVE-2023-51385) is caused by improper validation of shell metacharacters.
“By sending a specially crafted request using expansion tokens, an attacker could exploit this vulnerability to execute arbitrary commands on the system,” the report reads. The scary part is that this flaw carries a CVSS Base score of 9.8, putting it on par with one of the flaws uncovered in Db2 Web Query in January (although not quite the perfect 10 scored by the Log4j flaw in late 2021).
IBM patched another OpenSSH security issue on February 22. According to the IBM security bulletin, the vulnerability (CVE-2023-48795) is due to a flaw in the transport protocol SSH uses for certain extensions. A remote attacker could leverage the flaw to launch a man-in-the-middle attack, rendering the connection insecure. This flaw carries a CVSS Base score of 5.9.
IBM also patched a pair of serious security flaws in the HTTP Server (the one powered by Apache). According to this February 16 security bulletin, the vulnerabilities, CVE-2023-45802 and CVE-2023-31122, could allow remote attackers to upload malicious files and to obtain sensitive information. Both of these flaws carry a CVSS Base score of 7.5, making them serious threats.
In Facsimile Support for i, an unqualified library call could allow an attacker to exploit a recently discovered security flaw. According to IBM’s updated February 10 security bulletin, the flaw – which goes by the name CVE-2023-43064 and which was originally disclosed on December 23 – could allow a cybercriminal to run arbitrary code with the privilege of the user invoking the product, which provides IBM i customers with fax capabilities. This flaw carries a CVSS Base score of 7, which makes it a serious threat.
Facsimile Support for i has suffered from multiple security flaws over the past year. In July, the Hungarian security hunters at Silent Signal discovered a flaw (CVE-2023-3098) in the fax component that was given a CVSS Base score of 8.4. Then in August, IBM reported another flaw in Facsimile Support for i (CVE-2023-38721) that also carried a CVSS Base score of 8.4.
Finally, on Friday, IBM reported five new security flaws in ISC BIND, the open source facility used by IBM i to manage Domain Name System (DNS) operations (and which is often the target of hackers). According to IBM’s March 1 security bulletin, all of the flaws – CVE-2023-5517, CVE-2023-50868, CVE-2023-6516, CVE-2023-5679, and CVE-2023-4408 – carry the threat of denial of service (DoS) attacks, although the mechanisms of the individual flaws vary. All five carry an identical CVSS Base score of 7.5, making them serious threats.
IBM i security concerns remain at an all-time high, according to Fortra’s latest IBM i Marketplace report. According to the annual survey, security was picked as a top concern by 79 percent of Fortra’s survey respondents, an increase of 11 percentage points from last year and up 17 percentage points from the 2022 report. The 79 percent figure for security tops the previous high of 77 percent reported in the 2020 Marketplace report.