Two newly disclosed IBM AIX vulnerabilities, one of which allows command injection with elevated privileges
Target Industry
Organisations running IBM AIX, typically on IBM Power Systems servers that host business-critical workloads.
Overview
Two vulnerabilities in IBM AIX 7.2 were disclosed by Cisco Talos (advisories TALOS-2023-1690 and TALOS-2023-1691). Both require local access to the system; one of them allows a local user to run arbitrary commands with elevated privileges. The details are as follows:
TALOS-2023-1690 (CVE-2023-26286) – A specially crafted entry passed to the error-logging library function errlog() (a libc routine, not a system call) causes an out-of-bounds memory access because the entry is not properly validated before it is processed.
TALOS-2023-1691 (CVE-2023-28528) – The invscout command, which runs with elevated privileges, concatenates a caller-supplied parameter into the command it builds when asked to install an RPM Package Manager (RPM) package. Shell metacharacters in that parameter are not neutralised, so a local attacker can execute commands of their choosing at the privileged level.
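The flaw described for invscout is a general pattern: a privileged program concatenates untrusted text into a command string and lets a shell re-parse it. The script below is an added example written for this page (it is not code from the Talos advisory or from AIX) that shows the vulnerable pattern beside the hardened one. INSTALL_CMD, unsafe_install, exec_argv and safe_install are hypothetical names; an echo stands in for the real privileged installer so the script runs offline.

```sh
#!/bin/sh
# Added example: three ways a privileged wrapper can hand a caller-supplied
# package name to an installer. INSTALL_CMD is an assumption (a stand-in for
# the real installer), not the command invscout actually builds.
INSTALL_CMD="echo INSTALL"

# Vulnerable pattern: the caller's value is concatenated into a command string
# and a shell re-parses that string, so ';', '|', '$(...)' etc. are honoured.
unsafe_install() {
    cmd="$INSTALL_CMD $1"
    sh -c "$cmd"
}

# Passing the value as a single argv element: it never goes through a shell
# parser, so metacharacters reach the installer as literal text.
exec_argv() {
    $INSTALL_CMD "$1"
}

# Hardened wrapper: allow-list the package name (letters, digits, . _ + -),
# refuse option-like names, then pass it as argv. Returns 1 and installs
# nothing for anything outside the allow-list.
safe_install() {
    pkg="$1"
    case "$pkg" in
        ""|*[!A-Za-z0-9._+-]*) echo "rejected package name: $pkg" >&2; return 1 ;;
        -*)                    echo "rejected option-like name: $pkg" >&2; return 1 ;;
    esac
    exec_argv "$pkg"
}

# Demonstration with a constructed attacker-controlled value.
ATTACK='foo.rpm; echo INJECTED'
echo "--- unsafe_install"; unsafe_install "$ATTACK"        # second line INJECTED shows the injected command ran
echo "--- exec_argv";      exec_argv "$ATTACK"             # whole value printed literally on one line
echo "--- safe_install";   safe_install "$ATTACK" || true  # rejected before anything runs
echo "--- safe_install";   safe_install "foo-1.0.rpm"      # ordinary name goes through
```

The allow-list is deliberately narrow: rejecting unknown characters is easier to get right than trying to escape every shell metacharacter, and the argv form means the installer would still receive the text literally even if validation were bypassed.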
Impact
The errlog() issue gives a local user a way to crash or corrupt error logging through an out-of-bounds memory access, disrupting records that defenders rely on. The invscout issue gives a local user arbitrary command execution with elevated privileges, from which sensitive data can be read, modified or destroyed and a foothold established for lateral movement to other systems. Neither vulnerability is itself persistent, but an attacker who gains privileged access this way can establish persistence and retain access for an extended period, widening the window for exploitation across the organisation. For a business-critical server this translates into disrupted services, exposed data and damaged trust with associated organisations.
Vulnerability Detection
IBM has released security updates for both vulnerabilities, so any AIX 7.2 system that has not installed them should be treated as vulnerable. To confirm a system's status, record the installed level with oslevel -s and compare the levels of the affected filesets (lslpp -L) against the fixed levels given in IBM's security bulletin.
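The comparison described above, as an added example that is not IBM tooling: a POSIX shell check that reads the colon-separated output of lslpp -Lc and reports whether a fileset is at or above the level carrying the fix. The fileset names and fixed levels in it are placeholders (assumptions) to be replaced with the values from IBM's bulletin, and the sample lslpp output is constructed and abridged so the script runs offline.

```sh
#!/bin/sh
# Added example: compare installed AIX fileset levels against fixed levels.
# On a real system run:  lslpp -Lc invscout.rte | check_fileset invscout.rte "$INVSCOUT_FIXED"
# The names and levels below are PLACEHOLDERS (assumptions); take the real
# fileset names and fixed levels from IBM's security bulletin for the two CVEs.
INVSCOUT_FILESET="invscout.rte";  INVSCOUT_FIXED="2.2.0.21"
ERRLOG_FILESET="bos.rte.libc";    ERRLOG_FIXED="7.2.5.101"

# vrmf_ge A B: succeed when dotted numeric level A >= B
# (VRMF = Version.Release.Modification.Fix, compared field by field, not as strings).
vrmf_ge() {
    a="$1.0.0.0"; b="$2.0.0.0"        # pad so a short level such as "7.2" compares as 7.2.0.0
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0                           # all four fields equal
}

# check_fileset FILESET FIXED_LEVEL: reads "lslpp -Lc" output on stdin
# (fields: Package Name:Fileset:Level:...). Exit status: 0 at or above the
# fixed level, 1 below it (vulnerable), 2 fileset not installed.
check_fileset() {
    fs="$1"; fixed="$2"
    level=$(awk -F: -v f="$fs" '!/^#/ && $2 == f { print $3; exit }')
    if [ -z "$level" ]; then
        echo "$fs: not installed"
        return 2
    fi
    if vrmf_ge "$level" "$fixed"; then
        echo "$fs $level: at or above fixed level $fixed"
        return 0
    fi
    echo "$fs $level: below fixed level $fixed, VULNERABLE"
    return 1
}

# Constructed, abridged sample in lslpp -Lc format (real output has more fields).
SAMPLE='#Package Name:Fileset:Level:State:PTF Id:Fix State:Type:Description
bos.rte:bos.rte.libc:7.2.5.101:C::C:F:libc Library
invscout:invscout.rte:2.2.0.20:C::C:F:Inventory Scout Runtime'

printf '%s\n' "$SAMPLE" | check_fileset "$INVSCOUT_FILESET" "$INVSCOUT_FIXED" || true
printf '%s\n' "$SAMPLE" | check_fileset "$ERRLOG_FILESET" "$ERRLOG_FIXED" || true
```

Field-by-field numeric comparison matters because a plain string comparison would rank 7.2.5.9 above 7.2.5.101; the awk filter also skips the comment header that lslpp -Lc prints.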
Affected Products
IBM AIX 7.2, the version confirmed in the Talos advisories. Consult IBM's security bulletin for any other affected levels.
Containment, Mitigations & Remediations
Both vulnerabilities were patched following disclosure, but any AIX 7.2 system that has not installed the fixes remains exposed. An attacker with local access could chain them: disrupt error logging to reduce the chance of detection, then use the invscout injection to run commands with elevated privileges and steal, damage or modify sensitive data. AIX typically hosts business-critical workloads on IBM Power Systems servers, so a compromised host can mean prolonged disruption of key services as well as reputational damage. Until the fixes are applied, limit who can log in to affected systems, since both issues require local execution.
IBM released the fixes on 13th and 14th April. Installing them, or moving to an OS level that includes them, closes both issues; verify afterwards with lslpp -L that the affected filesets are at the fixed levels.
Threat Landscape
These vulnerabilities were found through vulnerability research by Cisco Talos and disclosed with fixes available. No exploitation in live incident environments had been observed at the time of writing.
Threat Group
No attribution to specific threat actors or groups has been identified at the time of this writing.
Mitre Methodologies
T1068 – Exploitation for Privilege Escalation
T1059.004 – Command and Scripting Interpreter: Unix Shell
T1562 – Impair Defenses (disruption of the AIX error log)
Further Information
TALOS-2023-1690 – Cisco Talos Intelligence Group vulnerability report
TALOS-2023-1691 – Cisco Talos Intelligence Group vulnerability report