ACS Password Leaks Are A Security Issue On IBM i
February 17, 2025 Alex Woodie
IBM i shops that are relying on the old WINLOGON process with their Access Client Solutions (ACS) installations will need to find a new way to synchronize passwords between Windows clients and IBM i servers. According to a new report from Silent Signal, the passwords could still be compromised.
In early January, Big Blue published an IBM Support document about problems that IBM i shops were having after they applied the Windows 11 24H2 update, which Microsoft had started rolling out in October 2024. IBM i customers who used the ACS Windows Application Package told IBM they were no longer able to use the WINLOGON authentication option to log in. They also reported that mapped IFS drives could no longer be accessed or displayed an error.
The reason for those problems is simple, IBM said. “In the Windows 11 24H2 update, Microsoft disabled *WINLOGON by default from an OS perspective, making the option in IBM i Access useless,” the IBM Support document states. “Users need to select an alternate authentication option.”
WINLOGON eliminated the need to repetitively enter user names and passwords when IBM i customers use the same set of credentials for accessing their Windows and IBM i machines. It has been in use since the first release of Windows NT 3.0 came out way back in 1993. IBM has supported WINLOGON with its Windows-based clients, including older iSeries Access and the newer Java-based ACS products, as it gives IBM i customers the convenience of single sign-on (SSO) functionality.
However, Microsoft has moved on from WINLOGON for SSO. Instead, it’s now favoring its newer Local Security Authority (LSA) framework, which came out with Windows 8.1 in 2013. On newer systems, the LSA Subsystem Service (LSASS) runs as a protected process. WINLOGON running on ACS – or any other client – is not compatible with LSASS. With the Windows 11 24H2 update, LSA protection was enabled by default.
Microsoft had warned about the upcoming deprecation of features like WINLOGON as late as March 2024. IBM has also been preparing its IBM i customers for this. In May, with the launch of ACS 1.1.0.28, IBM warned in an IBM Support document that the update would disable WINLOGON for the ACS Windows Application Package by default. However, admins could turn the feature back on. To re-enable WINLOGON, IBM explained how to edit the Windows registry and give permission for a network provider DLL called “Cwbnetnt” to run.
That got the attention of security researchers at Silent Signal, the Hungarian company that has already found nearly a dozen security vulnerabilities in IBM i. The company began exploring what was going on between IBM i and Windows with the WINLOGON process.
“The ‘no man’s land’ between system boundaries is always a playground for hackers, and this article [IBM’s early January blog post] was fascinating because it pointed to the Local Security Authority subsystem of Windows,” writes Bálint Varga-Perke, one of the Silent Signal principals, in a January 21 blog post.
Varga-Perke’s research led him to a security vulnerability in System i Navigator that was first documented by a security company called Tenable back in 2016, and which IBM patched the same year. While the risk factor from the flaw was low, the company found that it was fairly easy for someone to get access to the IBM i host by taking advantage of weak password obfuscation in the handoff between IBM i and Windows.
“The vulnerability lies in the fact that any Windows user with administrative privilege can access iSeries/Windows credentials saved in the registry by any other Windows users, even if that administrative Windows user is not necessarily authorized to access the iSeries host, nor is allowed to access other Windows users’ passwords,” the company writes in its June 2016 blog post.
The discovery of that older System i Navigator issue didn’t stop Varga-Perke. He writes:
“At this point, we could just write down our work as DUPLICATE and grab a drink, but the timeline still bugged us: there is a CVE for this problem from 2016, yet it was not earlier than 2024 that IBM decided to deprecate the *WINLOGON feature, and even in early 2025 they had to document the compatibility problem. This should mean that the feature is still alive and may still provide us with some nice leaks!”
Varga-Perke and his colleagues downloaded different versions of ACS Windows Application Package to see whether they could compromise some passwords. They used various tools, including Windows stack tracers, to poke around at the internals. Specifically, they searched to see what data the ACS process “mpnotify.exe” was writing.
They found that by combining various pieces of data (the blob from the registry, the hostname, the Build GUID and the OS Product ID) they could get at the plaintext password in older versions of ACS. But in 2019, IBM made a change that protected the blob with registry access control lists (ACLs).
IBM i shops running older versions of Windows and older releases of ACS Windows Application Package are still likely running with potentially exposed passwords. That is an issue that IBM i administrators will certainly want to address.
In the longer term, the issue becomes how to enable SSO between IBM i and Windows systems. Because IBM i and Windows use different encryption techniques, passwords must be passed between systems in plaintext, which means security must come from somewhere else. The question is where.
IBM itself provides some options in its early January IBM Support document (updated on January 28, after Silent Signal posted its blog).
“A common option is to set a default user profile. The first time a user makes a connection to the IBM i, they are prompted for a password,” IBM writes. “All subsequent connections automatically use the specified USRPRF and pull the password out of a cache. The user is not prompted again. The cache is cleared on reboot and thus requires providing the password again.
“Another option would be to implement Kerberos, though that is non-trivial to configure,” IBM continues. “Administrators might consider ‘netrc,’ or the ‘cwblogon’ utility (part of ACS Win AP), though, we cannot recommend using that in a script because that would mean leaving plain-text credentials in a file.”
It’s a thorny issue, and we’ll be interested to hear what IBM plans to do to address this issue in the long term. In the meantime, Silent Signal encourages IBM i administrators to clean up their registries to eliminate any potential entries that the bad guys can use.
“So, if you are on a Blue Team, make sure to run a quick scan for ‘Function Admin Timestamp’ keys and remove them as soon as possible,” Varga-Perke wrote.
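As an added example, not part of the article or of Silent Signal's own tooling, the following PowerShell script performs the scan Varga-Perke recommends. It assumes that “Function Admin Timestamp” shows up as a registry key or value name somewhere under HKLM\SOFTWARE or a user hive (the article does not give the parent path, so the scan is recursive), lists every match, and only deletes when run with -Remove (add -WhatIf to preview).

```powershell
# Added example (not from the article or Silent Signal): audit the registry for
# leftover "Function Admin Timestamp" entries and optionally remove them.
# Assumptions: the name appears as a key name or a value name; the parent path
# is not given in the article, so HKLM\SOFTWARE and all loaded user hives are
# walked recursively. Run elevated so other users' HKU hives are readable.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # without this switch the script only reports
)

$Pattern  = 'Function Admin Timestamp'
$Roots    = @('Registry::HKEY_LOCAL_MACHINE\SOFTWARE', 'Registry::HKEY_USERS')
$Findings = [System.Collections.Generic.List[object]]::new()

foreach ($Root in $Roots) {
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $Key = $_
        # Case 1: the key itself carries the name
        if ($Key.PSChildName -eq $Pattern) {
            $Findings.Add([pscustomobject]@{ Kind = 'Key'; Path = $Key.Name; Value = $null })
        }
        # Case 2: a value under this key carries the name
        foreach ($ValueName in $Key.GetValueNames()) {
            if ($ValueName -eq $Pattern) {
                $Findings.Add([pscustomobject]@{ Kind = 'Value'; Path = $Key.Name; Value = $ValueName })
            }
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Host "No '$Pattern' entries found under $($Roots -join ', ')."
    return
}

# Report first so an operator can review what is about to be removed
$Findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($F in $Findings) {
        $PsPath = "Registry::$($F.Path)"
        if ($F.Kind -eq 'Key') {
            if ($PSCmdlet.ShouldProcess($F.Path, 'Remove registry key')) {
                Remove-Item -Path $PsPath -Recurse -Force
            }
        } elseif ($PSCmdlet.ShouldProcess("$($F.Path)\$($F.Value)", 'Remove registry value')) {
            Remove-ItemProperty -Path $PsPath -Name $F.Value -Force
        }
    }
}
```

Hives of users who are not logged on are not loaded under HKEY_USERS, so run the scan per user or load those hives first if you need complete coverage.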