Article Details

Scrape Timestamp (UTC): 2025-03-19 19:04:22.176

Source: https://www.theregister.com/2025/03/19/ibm_aix_critical_vulnerabilities/

Original Article Text


IBM scores perfect 10 ... vulnerability in mission-critical OS AIX

Big Blue's workstation workhorse patches hole in network installation manager that could let the bad guys in.

IBM "strongly recommends" customers running its Advanced Interactive eXecutive (AIX) operating system apply patches after disclosing two critical vulnerabilities, one of which has a perfect 10 severity score.

The two vulnerabilities, CVE-2024-56346 (10) and CVE-2024-56347 (9.6), both allow remote attackers to execute arbitrary commands. IBM's security bulletin states that both are caused by improper process controls (CWE-114).

IBM has never specified the number of clients on AIX, but third-party sources suggest around 9,000 organizations use the OS, which is generally deployed in critical applications powering high-value industries. Enlyft reports that companies such as Pure Storage and Hermes Europe use AIX. The software is commonly used for mission-critical applications across the finance, banking, healthcare, and telecommunications sectors – mainly in the US. It's also often the OS powering large datacenters.

Therefore, a perfect 10 bug in a product like AIX is a significant concern. Probably for that reason, IBM didn't share many details about the vulnerabilities themselves or how to exploit them. However, versions 7.2 and 7.3 are both vulnerable and should be updated immediately, Big Blue says.

The headline flaw, CVE-2024-56346, affects AIX's nimesis Network Installation Management (NIM) master service. CVE-2024-56347 relates to AIX's nimsh service SSL/TLS protection mechanisms, according to IBM's security bulletin. Both vulnerabilities can be exploited remotely in low-complexity attacks that require no privileges, according to the exploitability metrics. However, CVE-2024-56347 requires some level of user interaction, while CVE-2024-56346 does not.
Given that the vulnerabilities affect NIM, which manages AIX OS installations, and organizations often run custom applications on AIX, a successful exploit could have wide-ranging consequences. Attackers could theoretically access and lift sensitive data from affected organizations, deploy ransomware, corrupt backups, implant backdoors, and more – potentially compromising critical applications used by financial institutions and healthcare organizations. IBM advises customers that the severity scores are a guide and that the effective score may rise or fall depending on the specific environment. Even so, with no workaround or temporary mitigation to fall back on, and with AIX a known target for Chinese espionage, applying the patches promptly is the best course of action whatever the environment's configuration. The Register approached IBM for additional information.
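The two components the bulletin names are easy to enumerate from the host side, which is the first step in working out which machines are in scope. The POSIX shell helper below is an added example, not code from the article or from IBM: it reads the AIX subsystem table (the output of `lssrc -a`) and classifies a host as a NIM master (nimesis running, CVE-2024-56346 scope) or a NIM client with the service handler enabled (nimsh running, CVE-2024-56347 scope). The subsystem tables it runs against here are constructed samples so the script works offline; the port numbers in the comments are the defaults from AIX's /etc/services, and the follow-up commands it suggests (`lslpp -L` for fileset levels, `emgr -l` for installed interim fixes) are standard AIX tools, not a fix-level check, because the article gives no fixed levels.

```shell
#!/bin/sh
# Added triage helper (not from the article or IBM): report whether the NIM
# components named in the bulletin are running on an AIX host.
#   nimesis - NIM master daemon (listens on nim 1058/tcp and nimreg 1059/tcp)
#   nimsh   - NIM service handler on clients (nimsh 3901/tcp, nimaux 3902/tcp)
# On a live AIX host run:   lssrc -a | nim_exposure
# Here it runs against constructed sample tables so it can be tested anywhere.

# nim_exposure: reads `lssrc -a`-style lines on stdin, prints one line per
# relevant active subsystem, returns 0 when at least one is active (host is
# in scope for the bulletin) and 1 otherwise.
nim_exposure() {
    in_scope=1
    while IFS= read -r line; do
        # Columns are: Subsystem  Group  PID  Status. The PID column is blank
        # for inoperative subsystems, so use the first and last fields rather
        # than fixed positions.
        set -- $line
        [ $# -lt 2 ] && continue
        sub=$1
        for f in "$@"; do status=$f; done
        [ "$status" = "active" ] || continue
        case "$sub" in
            nimesis)
                echo "NIM master: nimesis active (1058,1059/tcp) -> CVE-2024-56346 scope"
                in_scope=0 ;;
            nimsh)
                echo "NIM client: nimsh active (3901,3902/tcp) -> CVE-2024-56347 scope"
                in_scope=0 ;;
        esac
    done
    return $in_scope
}

# Constructed sample: subsystem table of a NIM master.
SAMPLE_NIM_MASTER='Subsystem         Group            PID          Status
 nimesis          nim              4260078      active
 nimsh            nimclient                     inoperative
 sshd             ssh              5177526      active'

# Constructed sample: a NIM client with nimsh enabled.
SAMPLE_NIM_CLIENT='Subsystem         Group            PID          Status
 nimsh            nimclient        6422730      active
 sshd             ssh              5177526      active'

# Constructed sample: a host running neither component.
SAMPLE_PLAIN='Subsystem         Group            PID          Status
 sshd             ssh              5177526      active
 nimesis          nim                           inoperative'

# Walk the samples the way a fleet script would walk hosts.
for sample in "$SAMPLE_NIM_MASTER" "$SAMPLE_NIM_CLIENT" "$SAMPLE_PLAIN"; do
    if printf '%s\n' "$sample" | nim_exposure; then
        echo "  -> in scope: check fileset levels with" \
             "'lslpp -L bos.sysmgt.nim.master bos.sysmgt.nim.client'" \
             "and installed interim fixes with 'emgr -l'"
    else
        echo "  -> no NIM subsystem active; not in scope for this bulletin"
    fi
done
```

A host where nimesis is inoperative but the NIM master fileset is installed still needs the fix applied before the service is next started, so treat the exit status as a prioritisation signal, not as proof that a host can be skipped.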

Daily Brief Summary

MALWARE // IBM Warns of Critical Vulnerabilities in AIX System

IBM has disclosed two critical vulnerabilities in its AIX operating system, urging immediate patching.

The vulnerabilities, identified as CVE-2024-56346 and CVE-2024-56347, carry severity scores of 10 and 9.6 respectively, the top of the scale.

Both flaws allow remote attackers to execute arbitrary commands; IBM attributes them to improper process controls (CWE-114).

Affected versions include AIX 7.2 and 7.3, primarily used in critical infrastructure within finance, healthcare, and telecoms.

The more severe vulnerability, CVE-2024-56346, affects the NIM service, crucial for OS installations and could be exploited without user interaction.

Exploitation could lead to data theft, ransomware attacks, and significant disruption in vital services.

IBM has not provided detailed vulnerability specifics or exploitation methods, emphasizing the critical need for patching without delay.

IBM offers no workaround or temporary mitigation, so applying the patches is the only remediation, and the software's role in essential industry applications makes doing so promptly the clear priority.