

One of the greatest threats to any network, host, or server is unauthenticated access, where an attacker can gain local or remote access with no credentials. This can lead to a Critical rating with the following descriptions (CVSS v3.1 User Guide):

Confidentiality Impact Complete (There is total information disclosure, resulting in all system files being revealed.)

Integrity Impact Complete (There is a total compromise of system integrity, and a complete loss of system protection resulting in the entire system being compromised.)

Availability Impact Complete (There is a total shutdown of the affected resource. The attacker can render the resource completely unavailable.)

Access Complexity Low (Specialized access conditions or extenuating circumstances do not exist.)

Authentication is not required to exploit the vulnerability.

The above descriptions of Confidentiality, Integrity and Availability (CIA) Impact Metrics are from the CVSS 3.1 Calculator. CVE-2022-23307 impacting log4j version 1.2 will list these CIA impacts. On the IBM i, there are other more serious protocols and services that can lead to unauthenticated access with the same Impact Metrics that are often overlooked and exist on the majority (> 50%) of all systems we assess.

The worst unauthenticated access vulnerability on most IBM i systems exists when DDM/DRDA is set to *USRID, *NO, or *VLDONLY. Any of these three values will allow unauthenticated access to your IBM i with low complexity and no authentication required, which can result in a complete compromise of system Confidentiality, Integrity, and Availability. You can check the current setting with the following command: CHGDDMTCPA and prompt with F4.

DDM/DRDA are open architectures (Inside IBM’s Distributed Data Management architecture | IBM Journals & Magazine | IEEE Xplore). The above presents 2 vulnerabilities: unauthenticated access, CVSS rating 10, and a weak encryption algorithm, *DES, CVSS rating 7.5. DB2 Connect is one example developed by IBM, but these being open architectures, anyone can develop a client for any OS. The following connection string used by DB2 Connect is an example of unauthenticated access:

DB2 connect to my400db USER QSECOFR USING ' '

USING followed by ' ' signifies NO PASSWORD, and will connect QSECOFR or any “USER” with no credentials (unauthenticated access).

Another unauthenticated attack vector exists if your QAPPNRMT configuration list specifies a SECLOC value = *NO for any remote connections. Even using exit programs won’t protect you from this low complexity attack, because several powerful profiles such as your HA profiles are usually allowed through the exits unauthenticated, resulting in a complete loss of Confidentiality, Integrity, and Availability. The exposures are default profiles in your communications subsystems and their authorities and privileges. Text from this value’s help states that “The local system is not a secure location.” Several times we find that QUSER has been changed to have *ALLOBJ special authority and is a default profile in QSYSWRK, the subsystem generally used by SNA communications.

Other communication subsystems can be configured and can likewise contain powerful default profiles.
