IBMB7BA1857111D249D2A167352CDA1BD4FB0FED5CE508588C18D52702AEA010111Security Bulletin: IBM i Access Client Solutions is vulnerable to remote code execution and failing to secure passwords due to multiple vulnerabilities
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.7 High
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
32.0%
Summary
IBM i Access Client Solutions is vulnerable to remote code execution due to a flaw which fails to authenticate the origin of a serialized object (CVE-2023-45185), and insecurely storing passwords by allowing the password encryption key to be retrieved (CVE-2023-45184) or decoded using a brute force attack (CVE-2023-45182). IBM has addressed these CVEs by providing a fix to IBM i Access Client Solutions as described in the remediation/fixes section.
Vulnerability Details
CVEID:CVE-2023-45184
**DESCRIPTION:**IBM i Access Client Solutions could allow an attacker to obtain a decryption key due to improper authority checks.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268270 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID:CVE-2023-45182
**DESCRIPTION:**IBM i Access Client Solutions is vulnerable to having its key for an encrypted password decoded. By somehow gaining access to the encrypted password, a local attacker could exploit this vulnerability to obtain the password to other systems.
CVSS Base score: 7.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268265 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
CVEID:CVE-2023-45185
**DESCRIPTION:**IBM i Access Client Solutions could allow an attacker to execute remote code. Due to improper authority checks the attacker could perform operations on the PC under the user’s authority.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268273 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM i Access Family | 1.1.2 - 1.1.4, |
| 1.1.4.3 - 1.1.9.3 |
Remediation/Fixes
The issue can be fixed by upgrading to version 1.1.9.4 or later. See IBM i Access Client Solutions updates for the latest version available.
Product(s)
|
Version(s)
|
Remediation/Fix/Instructions
—|—|—
IBM i Access Client Solutions
|
1.1.2 - 1.1.4,
1.1.4.3 - 1.1.9.3
|
The current version of IBM i Access Client Solutions is available at Downloads.
Or you may download it from the general IBM i software site at
Entitled Systems Support (ESS).
Workarounds and Mitigations
None.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm i access family | ge | 1.1.2 | |
| ibm i access family | le | 1.1.4 |
Related
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.7 High
AI Score
Confidence
Low
0.001 Low
EPSS
Percentile
32.0%