Thanks for all the responses. I wasn't aware of any vulnerabilities, patched or
otherwise. I don't handle our mainframe's security; another department does
that.
Frightening.
Regards,
Eric Verwijs
Programmer Analyst, CPP, OAS, and Payment Solutions - Innovation, Information
and Technology Branch
Employment and Social Development Canada / Government of Canada
frederick.verw...@hrsdc-rhdcc.gc.ca
Telephone 819-654-0934
Facsimile 819-654-1009
-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf
Of Ray Overby
Sent: November-01-18 2:35 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: eWEEK Article highlights weaknesses in Mainframe Security
Disclaimer: Don't shoot the messenger (I am very passionate on this
topic). The fact is unpatched zero day vulnerabilities exist on all z/OS
mainframes. Don't take my word for this. Ask KRI's clients what their
experience is with z/Assure VAP finding (probable) zero day integrity-based
code vulnerabilities. I say probable because the ISVs don't
appear to share the integrity vulnerability details with anyone outside
their respective organizations. They certainly do not share this
information with Key Resources. So if the ISV takes longer than a couple
of days to provide a patch, it's likely they did not have one before the
vulnerability was reported. Thus you can conclude that the vulnerability
was a zero day.
Comment: If there were no unpatched security holes then IBM wouldn't
need to release security PTFs to fix them.
Response: Correct. You only need to look at the patches provided by your
ISVs (IBM, CA, BMC, Rocket; sorry if I missed anyone!) and you will
find security and/or integrity patches.
Comment: I would hope that it's a lot harder to find one than it used to be.
A: No, actually it is not. I started doing this in 2009. Key Resources'
z/Assure VAP product regularly finds integrity-based code
vulnerabilities. Most of these vulnerabilities appear to be zero day. As
some people would consider my comments biased, don't take my word for
it. Ask our clients if what I am saying is accurate.
Question: What zero-day vulnerabilities would there be? I’ve not heard
of unpatched security holes in z/OS before.
Short answer: Conspiracy of Silence. Unless you are with the companies
that find the vulnerability, work for the ISV support group, or are part
of the ISV management or development teams you would never know about
the vulnerability UNTIL you saw the patch on their patch portals.
Patches normally contain no details about the vulnerability. This is how
mainframe integrity-based code vulnerability management is done. These
vulnerabilities are NOT reported on the National Vulnerability Database.
Comment: Aside from, of course, phishing and other attacks aimed at the users
and not the machine itself.
Answer: Nothing to do with phishing and other attacks. I am referring to
integrity-based code vulnerabilities. These vulnerabilities are in SVCs, PC
routines, or APF. However, a good hacker will combine vulnerabilities to
achieve their goal. The hacker wants to establish a beachhead in your network.
From there they can traverse the network, compromising systems until they get
access to z/OS. With these integrity-based code vulnerabilities, once they are
established and able to run work on z/OS they can elevate their credentials
with an integrity-based code vulnerability and turn off logging. "Run work"
would roughly translate to: a) FTP JCL to z/OS, b) log on to TSO or something
similar, c) submit JCL through RJE or NJE (google metasploit NJE for attack
vectors); there are documented attacks using this technique.
Feel free to contact me offline to continue this discussion.
Ray Overby
On 10/30/2018 7:43 PM, Seymour J Metz wrote:
> If there were no unpatched security holes then IBM wouldn't need to release
> security PTFs to fix them. I would hope that it's a lot harder to find one
> than it used to be.
>
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
>
> From: IBM Mainframe Discussion List on behalf of
> Eric Verwijs
> Sent: Tuesday, October 30, 2018 10:59 AM
> To: IBM-MAIN@listserv.ua.edu
> Subject: eWEEK Article highlights weaknesses in Mainframe Security
>
> http://secure-web.cisco.com/1cEGuBe_ZRQESR4kUXS7ShVfhPRr6RLxpO47vTAIYiTpY0Px4GzQAVFwbRnVRDSO88yQdYgZwS9NG2LhzWNCaA7jKdLghofcDczS2pS3jXM7QWTltrwO_G_rwXUyVhX6ZWsuHZY6BnoUE_A8HOWKsXNFwYvaiJjxToXSq6pYcfH4L-krJSWFPD-gLTdPf1R9xE7aoeN-_Hy7BnmgO9LtgBCAavC3aAT3sRoaplXe4Jxk4KcS3OamjQqK37n