


I too was surprised by the response.

It is a lab services product so I am not sure if there are any differences
in support, security patching, etc.

It is an awesome product and our backups (complete save system each night)
have really simplified our backup/recovery strategy. It was rather simple to
write the exit point.

That said, it is a pain explaining (to the auditors) the Nessus scans each
time.
As I would expect most IBMi's, we have dozens of IP-addresses on each
lpar; each ip-address on our IBMi shows the rexec vulnerability.

To my knowledge you cannot bind rexec to 1 ip-address on the IBMi?

We are eventually migrating to the full-system flash copy/HA to bring our
recovery windows down from 3-5 days to 15-60 minutes.

Jim

Jim W Grant
Senior VP, Chief Information Officer
Web: www.pdpgroupinc.com
Email: JWGrant@xxxxxxxxxxxxxxx




From: "Jim Oberholtzer" <midrangel@xxxxxxxxxxxxxxxxx>
To: "'Midrange Systems Technical Discussion'"
<midrange-l@xxxxxxxxxxxx>
Date: 04/22/2016 08:59 AM
Subject: RE: Rexec and IBM Flashcopy on IBM i
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



I'm shocked they would do something like that when remote data queues and
listening jobs can do the job without having to pass security information
around. Geesh, it took me a couple of days to write up a very similar
process and it never sends any profile or password information anywhere. I
do have SSH users set up with profiles that have the appropriate signature
files in the home directory that solves the problem of logging on to the
HMC and such. Sounds like it's time to look for another solution.

--
Jim Oberholtzer
Agile Technology Architects


-----Original Message-----
From: MIDRANGE-L [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of
JWGrant@xxxxxxxxxxxxxxx
Sent: Thursday, April 21, 2016 5:26 PM
To: Midrange Systems Technical Discussion
Subject: Re: Rexec and IBM Flashcopy on IBM i

We have an issue with Rexec server on IBMi as well.

We use IBM Rochester's FSFC Toolkit to flashcopy all our LPAR partitions
each evening. We then spin up the flashed system and backup the partition
to tape.

The FSFC toolkit uses the Rexec server to communicate between the
controlling partition and the target partition for command and control.
The credentials go in the clear. When we scan the network each IBMi shows
critical vulnerabilities.

We had to write a rexec server exit to limit the systems and profiles that
were able to access the rexec server.

We opened a ticket with IBM labs but they responded they had no plans to
change from rexec.

Jim

Jim W Grant
Senior VP, Chief Information Officer
Web: www.pdpgroupinc.com




From: John Yeung <gallium.arsenide@xxxxxxxxx>
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
Date: 04/21/2016 05:40 PM
Subject: Re: XWindows service on IBM i
Sent by: "MIDRANGE-L" <midrange-l-bounces@xxxxxxxxxxxx>



On Thu, Apr 21, 2016 at 3:10 PM, Buck Calabro <kc2hiz@xxxxxxxxx> wrote:
On 4/21/2016 2:55 PM, Justin Dearing wrote:
Pretty rexec is part of rsh, unencrypted ssh. Don't use it.
Password transmitted in plain text.

This is a shut it off and see if people complain kind of thing because
it's unpopular and insecure. I don't blame your auditors getting upset at
this.

CVE-1999-0526
CVSS v2 Base Score: 10.0 HIGH
See also: http://www.kb.cert.org/vuls/id/704969

I might get upset about rexec too, but the link points to X11 /
XWindows. Rexec isn't X11, is it? Is the CVE some confusion over
port numbers?

Right. It looks like either Rob or the auditors (or maybe both) have had
some kind of misunderstanding. X11 (formally the X Window System) is
unrelated to rexec or RUNRMTCMD. (Based on the link provided by Chris, I
think RUNRMTCMD *is* the midrange incarnation of Unix's rexec, because
they use the same commonly recognized port, and they provide the same or very
similar functionality.)

I can't say which is the "real" issue, but I can say with confidence that
RUNRMTCMD is discussed in these midrange lists far more often than X11 is.
And rexec is inherently insecure, whereas X11 can be used in conjunction
with SSH.

John Y.
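
The restriction described in the thread (a rexec server exit that limits which systems and profiles may reach the server) can be modelled as follows. This is an added example, not part of any message above and not the IBM i exit point interface; the allowlist, profile names, addresses and sample payload are constructed, and the field layout is the one documented for BSD rexecd.

```python
import ipaddress

# Constructed allowlist (assumption): profile -> source networks permitted over rexec.
ALLOWLIST = {
    "FSFCCTL": ["10.10.1.5/32"],
    "BACKUPOP": ["10.10.1.0/28"],
}

# Constructed first client payload: stderr port, user, password, command, each NUL-terminated.
SAMPLE = b"0\x00fsfcctl\x00s3cret\x00WRKACTJOB\x00"


def parse_rexec_request(payload: bytes) -> dict:
    """Split the opening rexec payload into its four NUL-terminated fields."""
    parts = payload.split(b"\x00")
    if len(parts) < 5:  # four fields plus whatever follows the last NUL
        raise ValueError("truncated rexec request")
    port, user, password, command = parts[:4]
    if not port.isdigit():
        raise ValueError("stderr port is not a decimal number")
    return {
        "stderr_port": int(port),
        "user": user.decode("ascii", "replace"),
        # The password is on the wire unencrypted; record only that fact, never the value.
        "password_present": len(password) > 0,
        "command": command.decode("ascii", "replace"),
    }


def exit_decision(client_ip: str, payload: bytes) -> dict:
    """Allow the request only if this profile is allowlisted for this source address."""
    try:
        req = parse_rexec_request(payload)
    except ValueError as exc:
        return {"allow": False, "client": client_ip, "reason": str(exc)}
    profile = req["user"].upper()  # assumption: profile names are compared upper-cased
    addr = ipaddress.ip_address(client_ip)
    allowed = any(addr in ipaddress.ip_network(n) for n in ALLOWLIST.get(profile, []))
    return {
        "allow": allowed,
        "client": client_ip,
        "profile": profile,
        "command": req["command"],
        "password_in_clear": req["password_present"],
        "reason": "allowlisted" if allowed else "profile/source pair not allowlisted",
    }
```

An allowlist of this kind narrows who can use the service but leaves the credentials unencrypted on the wire, which is why a network scan still reports the finding on every address.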