Sploit.io - Search

Product: i, version: 7.1

CVE-2017-1460

Severity: Unknown

Description: IBM i OSPF 6.1, 7.1, 7.2, and 7.3 is vulnerable when a rogue router spoofs its origin. Routing tables are affected by a missing LSA, which may lead to loss of connectivity. IBM X-Force ID: 128379.

CVSS Score: N/A

Priority

D

CISA Data

EPSS Data

  • EPSS: 0.003920000
  • Percentile: 0.596560000
  • Date: 2026-02-17

ExploitDB

No data available.

HackerOne Data

  • Rank: 8706
  • Reports submitted count: 0
  • Unknown: 0
  • None: 0
  • Low: 0
  • Medium: 0
  • High: 0
  • Critical: 0

GitHub PoCs

    Nuclei Templates

    No data available.

    VulnCheck Data

    Affected Products:

    • IBM i - Versions: 6.1, 7.1, 7.2, 7.3

    Risk Assessment

    1. Risk Assessment
    The vulnerability CVE-2017-1460 in IBM i OSPF versions 6.1, 7.1, 7.2, and 7.3 presents a moderate risk to organizations utilizing these versions of OSPF. The nature of the vulnerability involves a rogue router successfully spoofing its origin, leading to a missing Link State Advertisement (LSA) and impacting routing tables. This primarily affects availability, potentially causing loss of connectivity. While not directly impacting confidentiality or integrity, loss of connectivity can certainly impact business processes that rely on network communication. The likelihood of exploitation is moderate, requiring a rogue router within the network or a network connected to the affected IBM i systems. The ease of exploitation is also moderate; a moderately skilled attacker could deploy a rogue router with a spoofed origin. The EPSS score of 0.003920000 indicates a relatively low, but not insignificant, probability of exploitation. The business impact can range from minor disruptions to significant outages depending on the criticality of the affected network segments.

    2. Potential Attack Scenarios
    A potential attack scenario involves an attacker deploying a rogue router onto the network, or compromising an existing router, and configuring it to spoof its origin during the OSPF hello process. The rogue router announces itself as being closer to a destination network than it actually is. This causes the affected IBM i OSPF routers to update their routing tables, potentially directing traffic through the rogue router. This can result in traffic being delayed, dropped, or misdirected. A successful attack could lead to loss of connectivity to key resources, disrupting services like database access, application servers, or external communication. The attacker could strategically choose which networks are affected, potentially isolating specific parts of the organization. The outcome could range from a minor performance degradation to a complete outage, depending on the scope and duration of the attack.

    3. Mitigation Recommendations
    The primary mitigation for CVE-2017-1460 is to upgrade the affected IBM i OSPF versions to a patched version. IBM provides specific instructions and updates in their support documentation. Immediately patching the vulnerable systems should be prioritized, especially those supporting critical business functions. Beyond patching, consider implementing router authentication mechanisms, such as OSPF authentication, to verify the origin of LSAs and reduce the effectiveness of spoofing attacks. Network segmentation can also limit the blast radius of a successful attack, preventing the rogue router from impacting the entire network. Regularly monitor routing tables for unexpected changes and investigate any anomalies. Refer to the following resources for more information:
    • IBM Support Document: http://www.ibm.com/support/docview.wss?uid=nas8N1022191
    • IBM X-Force Exchange: https://exchange.xforce.ibmcloud.com/vulnerabilities/128379
    • PacketStorm Security: https://packetstormsecurity.com/search/?q=CVE-2017-1460

    4. Executive Summary
    IBM i OSPF versions 6.1, 7.1, 7.2, and 7.3 are susceptible to a vulnerability (CVE-2017-1460) that could cause loss of network connectivity. A rogue router can spoof its origin, impacting routing tables and potentially disrupting business operations. While the likelihood of a successful attack is moderate, the potential impact ranges from minor disruptions to significant outages, depending on the criticality of affected network segments. We recommend immediate patching of the vulnerable systems, along with implementation of router authentication and network segmentation to minimize the risk. Addressing this vulnerability is important to ensure reliable network communication and maintain business continuity. Prompt action will mitigate the risk of service disruptions and ensure continued productivity.

    CVE-2021-20501

    Severity: Unknown

    Description: IBM i 7.1, 7.2, 7.3, and 7.4 SMTP allows a network attacker to send emails to non-existent local-domain recipients to the SMTP server, caused by using a non-default configuration. An attacker could exploit this vulnerability to consume unnecessary network bandwidth and disk space, and allow remote attackers to send spam email. IBM X-Force ID: 198056.

    CVSS Score: N/A

    Priority

    D

    CISA Data

    EPSS Data

    • EPSS: 0.004540000
    • Percentile: 0.634290000
    • Date: 2026-03-10

    ExploitDB

    No data available.

    HackerOne Data

    • Rank: 8881
    • Reports submitted count: 0
    • Unknown: 0
    • None: 0
    • Low: 0
    • Medium: 0
    • High: 0
    • Critical: 0

    GitHub PoCs

      Nuclei Templates

      No data available.

      VulnCheck Data

      Affected Products:

      • IBM i - Versions: 7.1, 7.2, 7.3, 7.4

      Risk Assessment

      1. Risk Assessment
      The vulnerability CVE-2021-20501 impacts IBM i operating systems versions 7.1, 7.2, 7.3, and 7.4. It’s a Denial of Service (DoS) vulnerability stemming from the SMTP server’s handling of emails sent to non-existent local-domain recipients when a non-default configuration is in use. The business impact centers around potential network bandwidth consumption, disk space exhaustion, and the possibility of increased spam volume. The likelihood of exploitation is moderate, as it requires a network attacker to identify systems using a non-default SMTP configuration. The ease of exploitation is also moderate, requiring the attacker to send a reasonable volume of emails to trigger the DoS condition. While confidentiality and integrity are not directly impacted, availability is the key concern. The CVSS v3.0 base score is 5.9 (Medium), indicating a moderate overall risk. The EPSS score of 0.004540000 suggests a relatively low, but not insignificant, probability of exploitation in the wild.

      2. Potential Attack Scenarios
      A potential attack scenario involves a spam campaign leveraging the vulnerability. An attacker identifies a target IBM i system utilizing a non-default SMTP configuration. The attacker then initiates a flood of emails to numerous non-existent user accounts within the local domain of the target IBM i system. For example, if the local domain is “example.com”, the attacker sends emails to addresses like “user123456@example.com”, “user987654@example.com”, and so on, where these users don't exist. The SMTP server, attempting to process each email, consumes network bandwidth and disk space. If the volume of emails is high enough, the SMTP server can become overwhelmed, potentially leading to delays in legitimate email delivery or even a complete service outage, affecting business communications. This also allows the attacker to send spam, potentially overloading mail filters.

      3. Mitigation Recommendations
      The primary mitigation recommendation is to apply the official fix provided by IBM. The fix addresses the SMTP server's handling of emails sent to non-existent local-domain recipients. Refer to IBM Security Bulletin 6445505 for detailed patching instructions: https://www.ibm.com/support/pages/node/6445505. As an immediate action, organizations should review their SMTP configurations and ensure they are using a standard, well-protected setup. Consider limiting the rate at which the SMTP server accepts emails from external sources. Regularly monitor SMTP server performance for unusual bandwidth or disk space consumption. Review email logs for patterns indicating a potential attack.

      4. Executive Summary
      IBM i systems running versions 7.1 through 7.4 are susceptible to a Denial of Service vulnerability (CVE-2021-20501) in the SMTP server. This vulnerability allows attackers to consume network bandwidth and disk space by sending emails to non-existent local-domain recipients, potentially disrupting email communications and allowing increased spam. While not a critical vulnerability, the moderate risk and potential for business disruption warrant prompt attention. Applying the official IBM patch is the most effective mitigation. Organizations should review their SMTP configurations and monitor for signs of exploitation. Addressing this vulnerability will ensure reliable email services and minimize the potential impact of a spam-based attack.

      CVE-2021-39056

      Severity: Unknown

      Description: The IBM i 7.1, 7.2, 7.3, and 7.4 Extended Dynamic Remote SQL server (EDRSQL) could allow a remote authenticated user to send a specially crafted request and cause a denial of service. IBM X-Force ID: 214537.

      CVSS Score: N/A

      Priority

      D

      CISA Data

      EPSS Data

      • EPSS: 0.002780000
      • Percentile: 0.508450000
      • Date: 2026-03-11

      ExploitDB

      No data available.

      HackerOne Data

      • Rank: 8887
      • Reports submitted count: 0
      • Unknown: 0
      • None: 0
      • Low: 0
      • Medium: 0
      • High: 0
      • Critical: 0

      GitHub PoCs

        Nuclei Templates

        No data available.

        VulnCheck Data

        Affected Products:

        • IBM i - Versions: 7.1, 7.2, 7.3, 7.4

        Risk Assessment

        1. Risk Assessment
        The vulnerability CVE-2021-39056 affects the IBM i operating system versions 7.1, 7.2, 7.3, and 7.4, specifically within the Extended Dynamic Remote SQL (EDRSQL) server component. This is a denial of service vulnerability, meaning a remote, authenticated user can send a specially crafted request that causes the EDRSQL server to become unavailable, impacting applications relying on it. The CVSS v3.0 base score is 6.5 (Medium), indicating a moderate level of risk. The likelihood of exploitation is considered moderate, as it requires an authenticated user, limiting the attacker pool. However, if an attacker has valid credentials, exploitation is relatively easy, given the low attack complexity. The vulnerability primarily impacts availability, potentially disrupting business processes that rely on the EDRSQL server. Confidentiality and integrity are not directly impacted. The EPSS score of 0.002780000 suggests a relatively low but non-negligible probability of exploitation in the wild.

        2. Potential Attack Scenarios
        An attacker with valid credentials to the IBM i system can exploit this vulnerability by sending a specially crafted SQL request to the EDRSQL server. The request is designed to consume excessive resources, such as CPU or memory, leading to a denial of service.
        Attack Vector: Network. The attack is conducted remotely over the network.
        Attack Process:
        1. The attacker authenticates to the IBM i system using valid credentials.
        2. The attacker crafts a malicious SQL query that targets the EDRSQL server. This query might involve a complex join or a large data set that stresses the server’s resources.
        3. The attacker sends the crafted SQL query to the EDRSQL server.
        4. The EDRSQL server attempts to process the request, consuming excessive resources.
        5. The EDRSQL server becomes unresponsive or slow, leading to a denial of service for other applications using it.
        Potential Outcomes:
        Applications relying on the EDRSQL server experience performance degradation or become completely unavailable. This could impact critical business processes like order processing, inventory management, or financial reporting.

        3. Mitigation Recommendations
        The primary mitigation for CVE-2021-39056 is to apply the official fix provided by IBM. IBM has released PTF (Program Temporary Fix) packages for the affected versions of IBM i.
        Immediate Actions:
        • Patch the affected IBM i systems with the latest PTF. The specific PTF number will depend on the version of IBM i.
        • Review IBM Security Bulletin 6540294 for detailed instructions on applying the fix: https://www.ibm.com/support/pages/node/6540294
        • Monitor EDRSQL server performance after patching to ensure the fix has been effectively applied.
        Longer-Term Actions:
        • Regularly review and apply IBM security bulletins.
        • Implement robust authentication and authorization controls to limit access to the IBM i system.

        4. Executive Summary
        CVE-2021-39056 is a medium-severity denial of service vulnerability affecting IBM i systems running versions 7.1 through 7.4. A remote, authenticated user can send a specially crafted SQL request to the Extended Dynamic Remote SQL server, potentially disrupting services that rely on it. While the attacker requires valid credentials, the ease of exploitation makes this a risk to consider. The business impact could be significant, potentially impacting critical applications and business processes. We recommend promptly applying the official patch provided by IBM to mitigate this vulnerability. Addressing this issue will help ensure the continued availability of key applications and minimize disruption to business operations. The vulnerability is well documented, and IBM provides a clear path to remediation.