Sploit.io - Search

Product: i Access Client Solutions, version: >= 1.1.4.3, <= 1.1.9.4

CVE-2024-22318

Severity: MEDIUM

Description: IBM i Access Client Solutions (ACS) 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.4 is vulnerable to NT LAN Manager (NTLM) hash disclosure by an attacker modifying UNC capable paths within ACS configuration files to point to a hostile server. If NTLM is enabled, the Windows operating system will try to authenticate using the current user's session. The hostile server could capture the NTLM hash information to obtain the user's credentials. IBM X-Force ID: 279091.

CVSS Score: 5.1

Priority

D

CISA Data

EPSS Data

  • EPSS: 0.000510000
  • Percentile: 0.224350000
  • Date: 2025-01-06

ExploitDB

HackerOne Data

  • Rank: 7440
  • Reports submitted count: 0
  • Unknown: 0
  • None: 0
  • Low: 0
  • Medium: 0
  • High: 0
  • Critical: 0

GitHub PoCs

Nuclei Templates

No data available.

VulnCheck Data

Affected Products:

• IBM i Access Client Solutions - Versions: 1.1.2, 1.1.4.3

References:

Risk Assessment

1. Risk Assessment
The vulnerability identified as CVE-2024-22318 affects IBM i Access Client Solutions (ACS) versions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.4. It involves the disclosure of NT LAN Manager (NTLM) hashes due to the manipulation of UNC paths within ACS configuration files. This could allow an attacker to redirect authentication attempts to a hostile server, capturing NTLM hashes and potentially compromising user credentials.

The CVSS v3.1 base score of 5.1 (MEDIUM) reflects a local attack vector with high attack complexity, meaning exploitation is not trivial but feasible under specific conditions. The primary impact is on confidentiality, as attackers could gain access to sensitive credentials. Integrity and availability are not directly affected.

The likelihood of exploitation is moderate, as it requires an attacker to have local access to modify configuration files and a hostile server to capture NTLM hashes. However, the business impact could be significant if compromised credentials are used to escalate privileges or access sensitive systems. Organizations using affected versions of IBM ACS should treat this vulnerability with urgency, particularly if NTLM authentication is enabled in their environment.

2. Potential Attack Scenarios
An attacker with local access to a system running a vulnerable version of IBM i Access Client Solutions could exploit this vulnerability by modifying the UNC paths in the ACS configuration files. The attacker would configure these paths to point to a server under their control. When the ACS application attempts to access the modified UNC path, the Windows operating system would automatically attempt to authenticate using the current user's session.

The hostile server would then capture the NTLM hash information transmitted during the authentication attempt. With the NTLM hash, the attacker could use offline cracking techniques to derive the plaintext password or employ pass-the-hash attacks to impersonate the user. This could lead to unauthorized access to sensitive systems, data breaches, or further lateral movement within the network.

3. Mitigation Recommendations
To mitigate this vulnerability, organizations should take the following actions:
- Immediately update IBM i Access Client Solutions to a version beyond 1.1.9.4, as these versions contain fixes for the vulnerability. Refer to IBM's advisory for detailed patching instructions: https://www.ibm.com/support/pages/node/7116091.
- Disable NTLM authentication if it is not required in the environment. Instead, use more secure authentication protocols such as Kerberos.
- Restrict local access to systems running IBM ACS to trusted users only, reducing the attack surface for this vulnerability.
- Monitor and audit configuration files for unauthorized changes, particularly those involving UNC paths.
- Educate users and administrators about the risks of credential theft and the importance of secure configuration practices.
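The audit recommendation above (flagging UNC paths in ACS configuration files that point at hosts you do not trust) can be scripted. The following is an added example for this page, not code from IBM or from the ACS product; it assumes the configuration files use Java properties-style escaping (a literal backslash written as `\\`), and the key names, allowlist hosts and sample file are constructed for the example.

```python
import re

# Constructed allowlist: file servers that ACS configuration may legitimately
# reference through UNC paths. Replace with your own trusted hosts.
ALLOWED_UNC_HOSTS = {"fileserver01.corp.example", "10.20.30.40"}

# A UNC-style reference: \\host\... or //host/... at the start of a value or
# after a separator, so that http://host and C:\local\paths are not matched.
UNC_RE = re.compile(r'(?:^|[\s=,;"\'])(?:\\\\|//)([^\\/\s,;"\']+)')


def unescape_properties(value):
    """Undo properties-style escaping of backslashes (\\\\ -> \\).
    Assumption for this example: paths are stored with that escaping."""
    return value.replace("\\\\", "\\")


def find_unc_refs(text):
    """Yield (line_no, key, host) for every UNC reference in a config text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue                      # skip comments and blank lines
        key, sep, value = line.partition("=")
        if not sep:
            continue                      # not a key=value line
        value = unescape_properties(value.strip())
        for m in UNC_RE.finditer(value):
            yield line_no, key.strip(), m.group(1).lower()


def audit_config(text, allowed=ALLOWED_UNC_HOSTS):
    """Return (line_no, key, host) for each UNC reference whose host is not
    allowlisted. An empty list means no untrusted UNC target was found."""
    allowed = {h.lower() for h in allowed}
    return [ref for ref in find_unc_refs(text) if ref[2] not in allowed]


# Constructed sample config with hypothetical key names (not real ACS keys).
SAMPLE_CONFIG = r"""# constructed sample, properties-style escaping
dataDir=C:\\Users\\alice\\IBM\\ClientSolutions
printOutputDir=\\\\fileserver01.corp.example\\acsprint
profileDir=//10.20.30.40/profiles/alice
macroDir=\\\\203.0.113.7\\macros
helpUrl=http://docs.example/acs
"""

if __name__ == "__main__":
    for line_no, key, host in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no}: key '{key}' points at untrusted host {host}")
```

Run it against each user's ACS configuration directory on a schedule and alert on any finding; a newly appearing external host in a UNC-capable setting is exactly the change this advisory warns about.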

4. Executive Summary
CVE-2024-22318 is a medium-severity vulnerability affecting IBM i Access Client Solutions, which could allow attackers to capture NTLM hashes and compromise user credentials. While exploitation requires local access and a hostile server, the potential impact on confidentiality and the risk of credential theft make this a significant concern.

Organizations using affected versions of IBM ACS should prioritize updating to patched versions and consider disabling NTLM authentication to reduce risk. Immediate action is recommended to prevent potential unauthorized access and data breaches. This vulnerability underscores the importance of maintaining secure configurations and staying vigilant against credential-based attacks.