Two newly discovered AIX vulnerabilities could be used for command injection with elevated privileges

Target Industry

Organisations that run IBM AIX, typically on IBM Power Systems servers hosting business-critical workloads.

Overview

Cisco Talos researchers have disclosed two vulnerabilities in IBM AIX version 7.2 that, when triggered in a particular way, allow an attacker to inject commands. The details of the vulnerabilities are as follows:

TALOS-2023-1690 (CVE-2023-26286) – An out-of-bounds memory access in the errlog() function: because the log data passed to it is not properly sanitised, a crafted call can make it read or write memory outside the intended bounds.

TALOS-2023-1691 (CVE-2023-28528) – A command injection in the invscout command: when invscout is asked to install an RPM Package Manager (RPM) package, the value of one of its parameters is concatenated into the command it runs without sanitisation, so a crafted value lets an attacker execute arbitrary commands with invscout's elevated privileges.
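The following POSIX shell script is an added illustration of the bug class behind TALOS-2023-1691; it is not invscout's code (invscout is a native binary) and not from the bulletin, IBM or Talos. It shows a caller-supplied package name being concatenated into a command line that a shell re-parses, so a `;` in the name becomes a second command, and a hardened version that allowlists the name and passes it as a single argument. `printf` stands in for `rpm -i`, and the attacker value is constructed for the demonstration.

```shell
# Added illustration (not invscout's code): an attacker-controlled value
# concatenated into a command line that a shell re-parses. printf stands
# in for `rpm -i`; in a setuid-root program the injected command would
# run as root.

# UNSAFE: the package name is pasted into a string that `sh -c` re-parses,
# so shell metacharacters in it become extra commands.
install_rpm_unsafe() {
    sh -c "printf 'installing %s\n' $1"
}

# SAFE, step 1: accept only plain package file names. Rejects empty names,
# anything outside the allowlisted character set (so ; | & $ ` ( ) and
# whitespace are out), hidden files and option-like names.
is_plain_pkg_name() {
    case "$1" in
        ""|*[!A-Za-z0-9._+-]*|.*|-*) return 1 ;;
    esac
    return 0
}

# SAFE, step 2: pass the validated name as one argument that no shell
# re-parses (the equivalent of execv() with an argv array in C).
install_rpm_safe() {
    is_plain_pkg_name "$1" || { echo "rejected package name" >&2; return 1; }
    printf 'installing %s\n' "$1"
}

# Constructed attacker-controlled value: a valid-looking package name
# followed by a second command.
EVIL='tool-1.0.rpm; echo INJECTED'

echo "--- unsafe ---"
install_rpm_unsafe "$EVIL"     # "installing tool-1.0.rpm" and then "INJECTED"
echo "--- safe ---"
install_rpm_safe "$EVIL" || echo "injection blocked"
install_rpm_safe tool-1.0.rpm  # "installing tool-1.0.rpm"
```

The fix is the combination of both steps: validation alone is fragile if the allowlist is ever widened, and argument passing alone still lets a name such as `--option` be misread by the invoked program, which is why the allowlist also rejects leading dashes.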

Impact

Exploitation of these vulnerabilities could let a local attacker tamper with error-log reporting, run commands with elevated privileges to steal, alter or destroy sensitive data, and use the compromised host as a foothold for lateral movement across a wide range of systems. Because elevated access can be used to establish persistence, an attacker could retain access to an exploited system for an extended period and use it to stage wider compromise of the organisation's estate. The consequences range from affected systems becoming inoperable to large-scale financial loss and damaged trust with customers and partner organisations.

Vulnerability Detection

IBM has released security updates that fix these vulnerabilities; any AIX 7.2 system that has not received them should be treated as vulnerable. Detection is therefore version-based: compare the installed level of the affected filesets with the fixed level given in IBM's security bulletin for these CVEs, and flag anything below it.
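As an added example (not from the bulletin, IBM or Talos), the following POSIX shell script performs that version check. It parses `lslpp -Lc` output, assumed to be colon-separated as Package:Fileset:Level:..., and compares a fileset's installed VRMF level (Version.Release.Modification.Fix, for example 7.2.5.200) field by field against a minimum. The fileset name `invscout.rte` and every level in the constructed sample are illustrative assumptions; take the real fileset names and fixed levels from IBM's bulletin.

```shell
# Added example (not from the bulletin, IBM or Talos): check an AIX fileset
# level taken from `lslpp -Lc` output against the minimum fixed level
# published in IBM's security bulletin.

# vrmf_ge INSTALLED REQUIRED  ->  exit 0 if INSTALLED >= REQUIRED, else 1.
# Compares the four numeric fields in order; a plain string comparison
# would wrongly rank 7.2.5.200 below 7.2.5.30.
vrmf_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 4; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        exit 0
    }'
}

# fileset_level FILESET < lslpp-output  ->  prints the installed level.
# `lslpp -Lc` is assumed colon separated: Package:Fileset:Level:State:...
# Header lines start with '#'.
fileset_level() {
    awk -F: -v fs="$1" '$1 !~ /^#/ && $2 == fs { print $3; exit }'
}

# check_fileset FILESET MIN_LEVEL < lslpp-output
# Prints "<fileset> NOT INSTALLED" (exit 2), "<fileset> <level> VULNERABLE
# (fixed in <min>)" (exit 1) or "<fileset> <level> OK" (exit 0).
check_fileset() {
    lvl=$(fileset_level "$1")
    if [ -z "$lvl" ]; then
        echo "$1 NOT INSTALLED"
        return 2
    fi
    if vrmf_ge "$lvl" "$2"; then
        echo "$1 $lvl OK"
        return 0
    fi
    echo "$1 $lvl VULNERABLE (fixed in $2)"
    return 1
}

# Constructed sample of `lslpp -Lc` output. The fileset levels and the
# minimum levels below are illustrative, NOT the real fixed levels.
# On a live host:  lslpp -Lc invscout.rte | check_fileset invscout.rte <level from IBM>
SAMPLE='#Package Name:Fileset:Level:State:PTF Id:Fix State:Type:Description:
invscout.rte:invscout.rte:2.2.0.20: : :C: :Inventory Scout Runtime:
bos.rte:bos.rte:7.2.5.200: : :C: :Base Operating System Runtime:'

status=0
printf '%s\n' "$SAMPLE" | check_fileset invscout.rte 2.2.0.21 || status=1
printf '%s\n' "$SAMPLE" | check_fileset bos.rte 7.2.5.200 || status=1
echo "overall: $status (0 = every checked fileset is at or above its fixed level)"
```

In a real sweep the script would be run per host (for example over ssh from a jump box) with one `check_fileset` line per affected fileset, and the non-zero exit status used to feed a vulnerability-management ticket rather than relying on a human to read the output.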

Affected Products

The operating system IBM Corporation AIX 7.2.

Containment, Mitigations & Remediations

Both vulnerabilities were patched following coordinated disclosure, but any system that has not received IBM's updates remains exploitable. An attacker on an unpatched host could first tamper with error logging to evade detection and then execute commands with elevated privileges to steal, damage or modify sensitive data. AIX typically hosts the servers that organisations rely on for processing sensitive data and business-critical operations, so a compromise could both damage the organisation's reputation and disrupt key services for extended periods.

IBM published the fixes on 13 and 14 April 2023. Applying IBM's updates so that the affected filesets are at or above the fixed levels removes the vulnerabilities.

Threat Landscape

These vulnerabilities were found through security research and patched promptly after coordinated disclosure; at the time of writing they have not been observed being exploited in live incidents.

Threat Group

No attribution to specific threat actors or groups has been identified at the time of this writing.

Mitre Methodologies

T1068 – Exploitation for Privilege Escalation

T1562.003 – Impair Defenses: Impair Command History Logging

Further Information

TALOS-2023-1690 – Cisco Talos Intelligence Group vulnerability report

TALOS-2023-1691 – Cisco Talos Intelligence Group vulnerability report
