Disclaimer: Don't shoot the messenger (I am very passionate about this
topic). The fact is unpatched zero-day vulnerabilities exist on all z/OS
mainframes. Don't take my word for this. Ask KRI's clients what their
experience is with z/Assure VAP finding (probable) zero-day integrity-based
code vulnerabilities. I say probable because the ISVs don't
appear to share the integrity vulnerability details with anyone outside
their respective organizations. They certainly do not share this
information with Key Resources. So if the ISV takes longer than a couple
of days to provide a patch, it's likely they did not have one before the
vulnerability was reported. Thus you can conclude that the vulnerability
was a zero day.
Comment: If there were no unpatched security holes then IBM wouldn't
need to release security PTFs to fix them.
Response: Correct. You only need to look at the patches provided by your
ISVs (IBM, CA, BMC, Rocket.... Sorry if I missed anyone!) and you will
find security and/or integrity patches.
Comment: I would hope that it's a lot harder to find one than it used to be.
Response: No, actually it is not. I started doing this in 2009. Key Resources'
z/Assure VAP product regularly finds integrity-based code
vulnerabilities. Most of these vulnerabilities appear to be zero-day. As
some people would consider my comments biased, don't take my word for
it. Ask our clients if what I am saying is accurate.
Question: What zero-day vulnerabilities would there be? I’ve not heard
of unpatched security holes in z/OS before.
Short answer: Conspiracy of Silence. Unless you are with the companies
that find the vulnerability, work for the ISV support group, or are part
of the ISV management or development teams you would never know about
the vulnerability UNTIL you saw the patch on their patch portals.
Patches normally contain no details about the vulnerability. This is how
mainframe integrity-based code vulnerability management is done. These
vulnerabilities are NOT reported on the National Vulnerability Database.
Comment: Aside from of course, phishing and other attacks aimed at the users
and not the machine itself.
Answer: Nothing to do with phishing and other attacks. I am referring to integrity-based
code vulnerabilities. These vulnerabilities are in SVCs, PC routines, or APF.
However, a good hacker will combine vulnerabilities to achieve their goal. The hacker
wants to establish a beachhead in your network. From there they can traverse the network
compromising systems until they get access to z/OS. With these integrity-based code
vulnerabilities, once they are established and able to run work on z/OS they can elevate
their credentials with an integrity-based code vulnerability and turn off logging.
"Run work" would roughly translate to: a) FTP JCL to z/OS b) Logon to TSO or
something similar c) Submit JCL through RJE or NJE (google metasploit NJE for attack
vectors)... there are documented attacks using this technique.
Feel free to contact me offline to continue this discussion.
Ray Overby
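The "FTP JCL to z/OS" path in the message above, as an added example that is not part of the original post: the z/OS FTP server's JES interface (enabled with SITE FILETYPE=JES) accepts a STOR of a JCL stream as a job submission and answers with the JES job ID, which is exactly how an attacker with a valid user ID and network reach "runs work" without ever logging on to TSO. The host name, user ID, password and data set name below are placeholders, and the job itself is a harmless IEFBR14 step; the reply format "It is known to JES as JOBnnnnn" is the documented z/OS FTP server response, while the helper names are this example's own.

```python
"""Submit a batch job to z/OS over the FTP JES interface and fetch its output.

Added example, not from the original post.  Assumes a z/OS FTP server with the
JES interface enabled and a user ID allowed to submit batch work.  HOST, USER
and PASSWORD are placeholders (assumptions), not values from the thread.
"""
import re
from ftplib import FTP
from io import BytesIO

HOST = "zos.example.invalid"      # placeholder
USER = "IBMUSER"                  # placeholder TSO user ID
PASSWORD = "changeit"             # placeholder

# z/OS FTP server reply after a successful STOR with FILETYPE=JES (assumed format).
JOB_ID_RE = re.compile(r"It is known to JES as (JOB\d{5})")


def build_jcl(userid: str, suffix: str = "A") -> bytes:
    """Return a minimal JCL stream that runs IEFBR14 (a do-nothing program).

    The job name is the user ID plus one character, which is what the FTP
    server's default JESJOBNAME filter expects when you later list or
    retrieve the job.  JCL statements must not exceed column 72.
    """
    jobname = (userid + suffix).upper()
    if not 1 <= len(jobname) <= 8:
        raise ValueError("job name must be 1-8 characters")
    lines = [
        f"//{jobname:<8} JOB (ACCT),'PROBE',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID",
        "//STEP1    EXEC PGM=IEFBR14",
        "//",
    ]
    for ln in lines:
        if len(ln) > 72:
            raise ValueError(f"JCL statement exceeds column 72: {ln}")
    return ("\n".join(lines) + "\n").encode("ascii")


def parse_job_id(stor_reply: str):
    """Extract the JES job ID (e.g. JOB01234) from the STOR reply, or None."""
    m = JOB_ID_RE.search(stor_reply)
    return m.group(1) if m else None


def submit_job(ftp: FTP, jcl: bytes) -> str:
    """Switch the session to JES mode and submit the JCL; return the job ID."""
    ftp.sendcmd("SITE FILETYPE=JES")
    # With FILETYPE=JES the target name is irrelevant; the stream goes to JES.
    reply = ftp.storlines("STOR PROBE.JCL", BytesIO(jcl))
    job_id = parse_job_id(reply)
    if job_id is None:
        raise RuntimeError(f"job not accepted by JES: {reply}")
    return job_id


def fetch_output(ftp: FTP, job_id: str) -> str:
    """Retrieve the complete held output (all spool data sets) of a job."""
    out = []
    ftp.retrlines(f"RETR {job_id}", out.append)
    return "\n".join(out)


if __name__ == "__main__":
    with FTP(HOST) as ftp:              # network call; needs a real z/OS host
        ftp.login(USER, PASSWORD)
        jid = submit_job(ftp, build_jcl(USER))
        print("submitted as", jid)
        print(fetch_output(ftp, jid))
```

The defensive reading of this block is the point the message makes: the FTP server is a batch-submission interface, so the user IDs that can reach it, the JESINTERFACELEVEL setting, and SMF records for jobs submitted through FTP deserve the same scrutiny as interactive TSO logons.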
On 10/30/2018 7:43 PM, Seymour J Metz wrote:
If there were no unpatched security holes then IBM wouldn't need to release
security PTFs to fix them. I would hope that it's a lot harder to find one than
it used to be.
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
________________________________________
From: IBM Mainframe Discussion List <[email protected]> on behalf of Eric
Verwijs <[email protected]>
Sent: Tuesday, October 30, 2018 10:59 AM
To: [email protected]
Subject: eWEEK Article highlights weaknesses in Mainframe Security
http://www.eweek.com/security/taking-a-closer-look-at-mainframe-security
What zero-day vulnerabilities would there be? I’ve not heard of unpatched
security holes in z/OS before.
Unless you are not properly managing your data, that is, limit access to
confidential information, how would someone get it? Aside from of course,
phishing and other attacks aimed at the users and not the machine itself.
Regards,
Eric Verwijs
Programmer Analyst, CPP, OAS, and Payment Solutions - Innovation, Information
and Technology Branch
Employment and Social Development Canada / Government of Canada
[email protected]
Telephone 819-654-0934
Facsimile 819-654-1009
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN