3rd October 2024

IBM i Update: September 2024


Welcome to your IBM i update for September 2024.

This month, Andy scores an #IBMi Ready badge, provides his predictions for the 2025 Fortra IBM i Marketplace Survey and speaks with the team at Silent Signal about their recent IBM i ethical hacking presentation.

You can watch the video below or read the full article underneath.


What are the ‘IBM i Ready’ badges on LinkedIn?

Now, many of you may have seen the IBM i Ready badge popping up on some of your connections on LinkedIn. But what is it, and is it something you should get too? Well, if you’re watching, or indeed reading, this, then the answer is probably ‘yes!’. In short, by earning the badge you demonstrate a foundational understanding of IBM i business value, concepts and key technologies.

How do I get an ‘IBM i Ready’ badge?

So, what do we do to obtain it? First, you’ll need an IBMid (an IBM account), plus a Credly account. Once you have those, you can apply for the badge.

On applying, you’ll be asked to log in to IBM; it will confirm your details and direct you to the quiz.

Now, the quiz consists of 20 questions and you’ll need to answer at least 16 correctly to attain the badge. You get two attempts; should you fail both times, you’ll have to wait five days for your attempt quota to reset.

Is it easy? Well… let’s just say, if I can gain the badge, the chances are, you can too. I think question 16 had me second guessing a bit, but other than that, it was bread and butter stuff.

Good luck should you have a go yourself!

The 2025 IBM i Marketplace Survey is now open

Also prevalent on LinkedIn was the announcement that the 2025 IBM i Marketplace survey is now open to respondents… you’ll have a couple of months to answer the survey, and we encourage you to do so.


Now, I’ve been covering this for a couple of years now, and it’ll be interesting to see the results early next year…

Trends emerging from the IBM i Marketplace Surveys

I’ve been monitoring trends to see the general lay-of-the-land within the IBM i community.

Take the languages used for new development, for example: traditional languages have taken a tumble but remain the mainstay, followed by SQL.

Meanwhile, more modern ‘web’ languages continue to eclipse COBOL, with the only gain on 2023 being Python.

For 2025, I expect this cycle to continue with perhaps an additional ‘pick up’ in other web and open source languages such as PHP and Node.js.

Andy Nicholson’s predictions for the 2025 IBM i Marketplace Survey results

Looking at trends for the past four years…

Cybersecurity continues to top the chart as the main concern facing IBM i IT professionals.

In 2024 we saw that concern over cybersecurity reached a record high of 79%, up over 10 points from 68% in 2023… will that continue into 2025? I’m sure we’ll continue to see concern high, but not (perhaps) the record high of 2024.

I also expect disaster recovery, which grew from 56% to 63% between 2023 and 2024, to stabilise in 2025.

Next, bumping disaster recovery from its traditional second-place spot in 2024 was modernisation: another big rise, from 64% in 2023 to 72% in 2024, and I expect it to continue its upward trajectory in 2025.

The BIG mover in 2024 was within the growing IBM i skills gap.


Now, I don’t have the data for 2021 and 2022, but you can see the jump in concern over IBM i skills is a whopping 11%: from 54% in 2023 to 65% in 2024, moving concern over IBM i skills into the top three and relegating DR to fourth. I see this as the big riser in 2025, and a primary concern for IBM i shops.

The risk to business continuity as key personnel approach retirement is real, and there are big questions about how to resource this: recruit from an ever-depleting talent pool, or outsource to an application managed service like ours?

These are decisions that keep management up at night.

Security will remain a top concern, as IT leadership is today more aware than ever of the devastating ramifications of suffering a cyberattack, while modernisation will play a bigger role as businesses look at more modern ways to interact with their systems.

Incorporating generative AI on the IBM i platform as a co-pilot

One area that I believe will become more prevalent in 2025 and beyond is the use of AI.

And I’m not just talking about the rise of ChatGPT, but something more pertinent to, and native on, the IBM i platform.

You’ll remember that in May of this year, IBM i CTO Steve Will announced they were looking at the possibility of incorporating generative AI onto the IBM i platform.

Steve explained that what the IBM i community needs is a co-pilot coding assistant that could help programmers produce quality RPG, not move from RPG to something else.

One of the key reasons I believe AI will be a big mover in 2025 is that one of the biggest problems for a new programmer at an IBM i shop is assessing and supporting massive amounts of RPG, especially if it’s coded in, say, RPG II.

Even if it’s well documented, to interpret and add to this code base would be both difficult and time consuming.

So, from Steve’s perspective, the key to this ‘co-pilot’ would be to understand and provide contextual information, plus support coding activities both in a generative sense and for application support too.

In any case, AI is certainly something to keep an eye on in 2025…

Ethical hackers uncover misconfiguration vulnerabilities in the IBM i platform

Silent Signal researchers, Bálint Varga-Perke and Zoltan Panczel, revealed multiple vulnerabilities in the IBM i platform.

During the TROOPERS ethical hacking conference, they provided insight into how they discovered significant flaws in Facsimile Support for i and Performance Tools which allowed local privilege escalation, granting attackers root access to the system.


These flaws were caused by weaknesses in how these programs handled commands. Attackers with command-line access could exploit them to gain full control of the system.

In addition, they highlighted how attackers can exploit IBM i misconfigurations…

These included profile swapping, where a user’s authority is temporarily exchanged for another’s; if misused, it can provide unauthorised access and privilege escalation, exposing systems to malicious actions.

Misconfigured library lists, especially those containing unqualified library calls, can also be easily exploited.

Attackers can manipulate the list by introducing malicious objects, escalating privileges or gaining unauthorised access to critical components. Strengthening library list management and avoiding unqualified calls are therefore critical steps in hardening the system.

Adopted authority refers to programs running with higher privileges than the user executing them, often intended to simplify operations. However, if not tightly controlled, this can also leave systems vulnerable to exploitation.

Command injection can occur when attackers are able to inject malicious commands into programs or systems because of poor input validation. By exploiting such misconfigurations, attackers can gain control over critical system functions.
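As an added illustration (constructed for this write-up, not code from the article or from Silent Signal’s toolset), the following Python models the library-list and adopted-authority points above: an unqualified call resolved through a library list in which *PUBLIC can write to a library searched before the intended one, and a program that adopts its owner’s authority making such a call. The library, program and owner names are made up, and the two check functions are the kind of review a hardening pass would run against a real system’s library lists and object authorities.

```python
# Simplified model of IBM i library-list resolution and adopted authority.
# Constructed for this article; it is not an IBM i API, only what is needed to
# show why unqualified calls are risky and what a hardening review checks.
from dataclasses import dataclass, field

WRITABLE = {"*CHANGE", "*ALL"}  # *PUBLIC with this can add objects to a library

@dataclass
class Program:
    name: str
    owner: str
    user_profile: str = "*USER"  # "*OWNER" = runs with the owner's (adopted) authority

@dataclass
class Library:
    name: str
    public_authority: str  # *PUBLIC authority to the library object itself
    programs: dict = field(default_factory=dict)  # program name -> Program

def resolve(liblist, name):
    """Unqualified CALL: the first library in *LIBL order that holds NAME wins."""
    for lib in liblist:
        if name in lib.programs:
            return lib.name
    return None

def shadowing_risks(liblist, name):
    """Libraries searched before the intended program that *PUBLIC can write to.
    A same-named object planted in any of them would be called instead."""
    target = resolve(liblist, name)
    risks = []
    for lib in liblist:
        if lib.name == target:
            break
        if lib.public_authority in WRITABLE:
            risks.append(lib.name)
    return risks

def adopted_exposure(liblist, caller, callee):
    """Owner whose authority a shadowed CALLEE inherits when CALLER adopts; else None."""
    caller_lib = resolve(liblist, caller)
    prog = next(lib.programs[caller] for lib in liblist if lib.name == caller_lib)
    if prog.user_profile == "*OWNER" and shadowing_risks(liblist, callee):
        return prog.owner
    return None

# Constructed sample library list, searched top to bottom
SAMPLE = [
    Library("WORKLIB", "*ALL"),  # scratch library: *PUBLIC can create objects here
    Library("SHARED", "*CHANGE", {"PRINTRPT": Program("PRINTRPT", "APPOWNER")}),
    Library("PAYROLL", "*USE", {"PAYRUN": Program("PAYRUN", "PAYOWNER", "*OWNER")}),
]
# One mitigation (mine, not the article's): restrict *PUBLIC on libraries ahead of the target
HARDENED = [Library(lib.name, "*USE", lib.programs) for lib in SAMPLE]
```

Running the checks against SAMPLE reports WORKLIB as a shadowing risk for PRINTRPT and PAYOWNER as the authority exposed when PAYRUN calls it unqualified; against HARDENED both checks come back clean.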


IBM i Vulnerabilities with Silent Signal

It was interesting stuff and I took time to meet with those very presenters and ethical hackers, Bálint Varga-Perke and Zoltan Panczel, to learn more about vulnerabilities on the IBM i.

Andy: Today I’m joined by Zoltán Pánczél and Bálint Varga-Perke, co-owners at ethical hacking company Silent Signal. Welcome, both, to the IBM i Update. Perhaps we can start with a quick introduction from yourselves on who Silent Signal are and what exactly ethical hacking is?

Zoltan: Silent Signal is an information security company. We provide technical assessments, training, and ensure compliance with regulations and legislation. Ethical hacking actively tests the target system with real-world attack techniques, with prior permission from the target, to identify vulnerabilities and provide solutions to strengthen security against potential threats.

Andy: We’re here today as you both caused quite a stir in the IBM i community following your presentation at TROOPERS recently. You exposed many vulnerabilities, including bugs, library lists and authorities, but from your experience, what areas were easiest to exploit and how did you go about it?

Zoltan: If I had to choose, I would say the library list issue was the easiest. You can watch a detailed introduction to this vulnerability starting at 13:55 in our presentation on YouTube. You can find the link here – https://youtu.be/t4fUvfzgUbY?si=7AWswkkQTJYc5A1D&t=835

How Silent Signal discover weaknesses in the IBM i

Andy: Now, last year, two high-risk vulnerabilities (CVE-2023-30988 and CVE-2023-30989) were disclosed by IBM; both of these were discovered by you and your team at Silent Signal. Can you walk us through how these vulnerabilities were discovered and the reaction from IBM when you reported the issues?

Zoltan: According to IBM’s scoring approach, only these two vulnerabilities are considered ‘high-risk.’ I would like to take this opportunity to say that CVSS is not a risk assessment framework. Please search for the word ‘risk’ on their homepage! I believe that the remaining privilege escalation issues from user to *ALLOBJ should also be considered ‘high-risk.’

I wrote a fuzzer (a fuzzer is a testing tool that automatically generates inputs to software to identify vulnerabilities or other unintended behaviours) that discovered the Facsimile Support (CVE-2023-30988) vulnerability. After that I examined the structure of the program object and developed a method which made identifying the other issues easier, no fuzzing required. Our presentation covers the main concept of this method.

At this point, I must mention the unauthenticated remote command execution vulnerability in the DDM architecture (CVE-2023-30990). We are convinced that this is the most critical vulnerability we have discovered so far.

There was no special reaction from IBM. I reported the vulnerabilities to the IBM Product Security Incident Response Team (PSIRT), and they resolved them and thanked me.

General IBM i Security Questions

Andy: How would you describe the overall security posture of the IBM i platform compared to other enterprise systems?

Zoltan: By default, the IBM i system is no worse than any other platform. The main concerns are configuration issues and business applications (from Independent Software Vendors) with vulnerable implementations. We have encountered many interesting configurations with numerous business applications running at our clients, vulnerable to privilege escalation.

Common misconfiguration issues that make the IBM i vulnerable to attacks

Andy: Can you explain some of the most common misconfigurations that make IBM i vulnerable to attacks?

Zoltan: The excessive permissions on file, program, and profile objects are a concern. I want to clear up a misconception: Limited capability works only for FTP and 5250 protocols. A ‘limited’ user can still easily run commands using SSH, DDM, SQL, RCMD, and MGTC.

Andy: One of the areas you covered within your presentation was the exploitation of privilege escalation. In your experience, how do typical IBM i setups allow for such escalation, and what preventive measures can organisations take?

Zoltan: Unfortunately, it is quite easy. Least privilege and comprehensive hardening measures are essential. Installing PTFs is only one step, but it is not enough. That is why we developed the iCompliant software, which integrates the IBM security reference guide with our penetration testing and research experience, extended in accordance with compliance requirements.

Proactive measures IBM i administrators can take to mitigate vulnerabilities

Andy: What are some proactive measures IBM i administrators can take to avoid or mitigate similar vulnerabilities in the future?

Zoltan: Periodic security reviews and training are essential. If they understand the security concerns and how to prevent them, this would be an ideal starting point.

How to prioritise patch management on the IBM i

Andy: For companies running IBM i systems, what’s the best way to prioritise patch management, especially for vulnerabilities like these that require immediate action?

Bálint: The most important thing to understand is that the purely technical properties of a vulnerability are only part of a proper risk assessment process. Proactive steps like attack surface reduction, configuration hardening, and monitoring can buy us time to properly assess risk, test resolutions and act with confidence even if a critical vulnerability shows up.

Andy: In the event of a successful attack exploiting these vulnerabilities, what steps should a company take to contain the breach and mitigate damage?

Bálint: One of the main motivations for IBM i research was the scarcity of security information about this platform. This means that defensive measures are not as well understood and battle-tested as in the case of other systems. The first question is: how would we detect an attack in the first place – this is something where attack simulations by ethical hackers can help. If we detect a breach, I believe the best course of action is to turn to backups, as persistence opportunities on IBM i are even less understood than exploits.

How Silent Signal discover weaknesses in the IBM i

Andy: Silent Signal has been actively discovering vulnerabilities in IBM i over the past few years. Could you share more about the techniques your team uses to find flaws in complex systems like IBM i?

Zoltan: We aim to understand the inner workings of the system and exploit its weaknesses. Over the past 20 years, we have identified serious vulnerabilities in various systems and applications, including IBM i. The techniques are not magic; perhaps we just think differently about the functions.

Bálint: “Sometimes, hacking is just someone spending more time on something than anyone else might reasonably expect.”

Challenges when performing ethical hacking on the IBM i

Andy: What are the biggest challenges when performing ethical hacking on IBM i, considering its reputation as a secure and closed platform?

Zoltan: First, the test machine. I can hardly imagine an ethical hacking team performing adequately without an IBM i test machine. A good penetration tester should have experience in the target environment.

Secondly, there aren’t as many accessible tutorials and tools compared to other platforms. We had to develop our own methodology and internal toolset.

Bálint: The design of the operating system is radically different from anything that we are used to these days – one of our goals with the TROOPERS presentation was to bring IBM i’s concepts closer to security people to facilitate research.

Andy: Given the statement that more IBM i vulnerabilities are expected to be disclosed in the near future, how can organisations better prepare for the potential exposure of their systems?

Zoltan: IBM disclosed four vulnerabilities reported by us in 2024, and I don’t think we will report anything else for the rest of the year. As I mentioned, periodic audits and hardening steps are necessary, just like with any other system. Such steps can provide protection even if the implementation turns out to be vulnerable. These systems perform business critical functions. Nowadays, it’s a huge mistake to think: ‘Our machine is on the internal network, so no one can penetrate it.’

Silent Signal’s thoughts on the current state of IBM i Security

Andy: What are your thoughts on the state of IBM i security today? How do you see it evolving as more vulnerabilities are uncovered?

Bálint: Official advisories show that IBM is doing its homework cleaning up variants of vulnerabilities we reported. The recent announcement about the discontinuation of several software components also points in the direction of attack surface reduction, which is always the surest step to improve the security posture of any system. On the other hand, we should not forget that there is lots of code in the core system and even more supplied by ISVs – even if IBM manages to eradicate all known bug classes, business applications will most likely remain easy targets for years to come.

That’s it for this month’s update.

Should you wish to view any of the articles featured in full, please check out our IBM i blog here.

Until next time,
Andy



Catch our previous August IBM i Update here. Alternatively, if you’d like to receive the latest IBM i Update hot off the press to your inbox, subscribe to the newsletter version on LinkedIn here.

Posted by Rob on 3rd October 2024.