The HMC is a closed appliance with only minimal configurability by the customer. I would open a service call and refer the matter to IBM. If this is really a risk then they should jump all over it.
My $0.02.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Todd Burrell
Sent: Thursday, May 05, 2011 3:43 PM
To: IBM-MAIN@bama.ua.edu
Subject: RIP issue with HMC - security violation?

I got the following info from one of our security folks today about a potential security exposure with the HMC. Is it valid that the HMC has a RIP listener active, or could I potentially turn it off? Any info about this would be helpful so I can get the security scan group off my back. Here was the description of the violation:

Synopsis: Routing tables can be modified.

Description: The remote RIP listener accepts routes that are not sent by a neighbor. This cannot happen in the RIP protocol as defined by RFC2453, and although the RFC is silent on this point, such routes should probably be ignored. A remote attacker might use this flaw to access the local network if it is not protected by a properly configured firewall, or to hijack connections.

Solution: Either disable the RIP listener if it is not used, use RIP-2 in conjunction with authentication, or use another routing protocol.

Risk Factor: High / CVSS Base Score: 7.5

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
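The neighbor check the scan description refers to, as an added example that is not from this thread or from IBM: a small Python validator implementing the RFC 2453 receive-side rule that a RIP Response is only used when its source address is on a directly connected network, plus the optional check for the RIP-2 authentication entry that the suggested fix relies on. The LAN prefix, sample route and password are constructed values.

```python
import ipaddress
import struct

RIP_RESPONSE = 2
AUTH_AFI = 0xFFFF        # RFC 2453 s4.1: first entry may carry authentication
SIMPLE_PASSWORD = 2      # RIP-2 authentication type "simple password"

def parse_rip(packet: bytes):
    """Split a RIPv2 datagram into (command, version, entries)."""
    if len(packet) < 4 or (len(packet) - 4) % 20:
        raise ValueError("malformed RIP datagram")
    command, version = packet[0], packet[1]
    entries = []
    for off in range(4, len(packet), 20):          # 20-byte route entries
        afi, tag = struct.unpack("!HH", packet[off:off + 4])
        if afi == AUTH_AFI:
            entries.append(("auth", tag, packet[off + 4:off + 20]))
        else:
            dest, mask, _nexthop, metric = struct.unpack("!4s4s4sI", packet[off + 4:off + 20])
            entries.append(("route", ipaddress.IPv4Address(dest),
                            ipaddress.IPv4Address(mask), metric))
    return command, version, entries

def should_accept(packet, src_ip, local_nets, require_auth=False):
    """RFC 2453 s3.9.2: use a Response only if its source is a directly
    connected neighbor; optionally also demand a RIP-2 authentication entry."""
    command, _version, entries = parse_rip(packet)
    if command != RIP_RESPONSE:
        return False, "not a Response"
    src = ipaddress.IPv4Address(src_ip)
    if not any(src in net for net in local_nets):
        return False, f"source {src} is not a directly connected neighbor"
    if require_auth and not (entries and entries[0][0] == "auth"):
        return False, "unauthenticated Response"
    return True, f"accepted {sum(e[0] == 'route' for e in entries)} route(s)"

def build_response(routes, password=None):
    """Constructed sample Response from [(dest, mask, metric), ...]."""
    body = b""
    if password is not None:
        body += struct.pack("!HH", AUTH_AFI, SIMPLE_PASSWORD) + password.ljust(16, b"\x00")
    for dest, mask, metric in routes:
        body += struct.pack("!HH4s4s4sI", 2, 0, ipaddress.IPv4Address(dest).packed,
                            ipaddress.IPv4Address(mask).packed, b"\x00" * 4, metric)
    return bytes([RIP_RESPONSE, 2, 0, 0]) + body    # command, version 2, zero pad

LOCAL_NETS = [ipaddress.IPv4Network("192.0.2.0/24")]   # constructed local LAN
PKT = build_response([("198.51.100.0", "255.255.255.0", 1)])   # constructed route
```

Running `should_accept(PKT, "203.0.113.9", LOCAL_NETS)` rejects the off-subnet sender that the scanner's finding says the HMC listener would accept, while the same datagram from 192.0.2.7 passes.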