RE: DB2UDB hack

From: Patrick Botz

Whether you consider PASE part of i5/OS or not, the fact that it is on the
system and there are OS programs running in it,

Only if I run them, Patrick. I and many clients have run quite successfully
for many years without PASE. But that doesn't mean others don't, and so the
issue is a good one to address.

and because arbitrary
commands executed in PASE can manipulate native i5/OS objects, means that
a buffer overflow attack against PASE can theoretically put the native
i5/OS stuff at risk.

Theoretically, yes. Again, I'm not sure how many AIX buffer overrun
exploits there have been, and of course even then the hacker would have to
be willing to write AIX machine code that would then access System i
resources, and my guess is that's an exceedingly diminishing set of
circumstances.

Not that security by obscurity is a good thing, just that the chances are
awfully remote.

Now, this doesn't mean the sky is falling.

Right.

It doesn't mean that because
it is possible, that there are holes. It just means that you can run
programs in PASE that are susceptible to buffer overflow attacks. It means
that you have to understand which pieces of i5/OS run in PASE. The most
obvious piece -- and the one that has had buffer overflow patches for
previous versions -- is the DNS server. i5/OS uses the AIX DNS server, if
that is ever patched for security reasons, most likely you will see an
i5/OS PTF (which in all likelyhood will just replace the same AIX binary
shipped with i5/OS).

I agree. And thus I think it should be clear to everyone that you shouldn't
run PASE programs with *ALLOBJ authority anymore than you should allow FTP
access via QSECOFR.

Joe