AIX

  • 1.  AIX and IBM and OSS supply chain attacks

    Posted Wed April 03, 2024 10:27 AM

    I'd appreciate some clarity from IBM as to how they are protecting their AIX customers from supply chain attacks in OSS software.

    The recent xz library supply chain attack is rather alarming due to the long term social engineering that occurred to place a bad actor in a position of power over a commonly used library. That it rapidly progressed to attempts to deploy backdoored code that could be leveraged without compromising carefully examined projects like OpenSSH raises the question of how to protect our production systems.

    As I understand it, IBM ships openssl and openssh from upstream OSS sources. How are these validated and secured from these kinds of attacks?

    I am deliberately excluding the AIX/Linux toolkit from the question, as it is unsupported and best effort.



    ------------------------------
    ========================
    Russell Adams
    https://adamssystems.nl/
    ========================
    ------------------------------


  • 2.  RE: AIX and IBM and OSS supply chain attacks

    IBM Champion
    Posted Thu April 04, 2024 06:04 AM

    I am not IBM, but exactly the xz kind of attack would never work on AIX. The backdoor checks and installs only on x86_64 architecture.

    Regarding supply chain attacks in general, yes, there is enough room for improvement in AIX and I'd like to get some info from IBM too.



    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------



  • 3.  RE: AIX and IBM and OSS supply chain attacks

    Posted Thu April 04, 2024 07:36 AM
    On Thu, Apr 04, 2024 at 10:04:32AM +0000, Andrey Klyachkin via IBM TechXchange Community wrote:
    > I am not IBM, but exactly the xz kind of attack would never work on
    > AIX. The backdoor checks and installs only on x86_64 architecture.

    That doesn't mean there couldn't be a POWER architecture one, or an
    interpreted language like Python.

    ------------------------------------------------------------------
    Russell Adams Russell.Adams@AdamsSystems.nl
    Principal Consultant Adams Systems Consultancy
    https://adamssystems.nl/




  • 4.  RE: AIX and IBM and OSS supply chain attacks

    Posted Thu April 04, 2024 06:58 AM

    Hi Russell,

    I'm not speaking for IBM and can't comment on the core questions you raised.

    But as you raised the topic in the context of the xz backdoor usable via ssh, it is also worth noting that AIX should not be affected by CVE-2024-3094.

    At the time of writing the exploit requires:

    • Package built as deb or rpm (Linux Weekly News has an excellent article on how that exploit works),
    • OpenSSH using systemd,
    • OpenSSH and / or systemd being linked against xz.

    Given that none of these constraints are met on an AIX system, it is fairly safe to say that AIX is not affected by this backdoor, even though an official statement from IBM, just for the sake of having an official source, would be nice.

    Best regards,

      Alexander



    ------------------------------
    Alexander Reichle-Schmehl
    ------------------------------
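A defender-side check for the second and third preconditions Alexander lists, added here as an example and not part of any post in this thread: it classifies the dynamic-dependency listing of an sshd binary by whether liblzma (xz) and libsystemd both appear. The function names `classify_deps` and `check_sshd` and the two sample listings are constructed for this example; they are not captured from a real AIX or Linux host. A "clear" result only rules out this particular CVE-2024-3094 delivery path, not the generic supply-chain case the thread is asking about.

```shell
#!/bin/sh
# Added example (not from the thread): test whether an sshd binary carries the
# two dependency preconditions named in the post above, a link to liblzma (xz)
# and a link to libsystemd. Sample listings below are constructed for
# illustration only.

# classify_deps DEPS
#   DEPS is the text of a dynamic-dependency listing (ldd output on Linux;
#   ldd or dump -H output on AIX). Prints one word:
#     exposed  - both liblzma and libsystemd present (the CVE-2024-3094 path)
#     partial  - only one of the two present
#     clear    - neither present
classify_deps() {
    deps_has_lzma=0
    deps_has_systemd=0
    printf '%s\n' "$1" | grep -q 'liblzma'    && deps_has_lzma=1
    printf '%s\n' "$1" | grep -q 'libsystemd' && deps_has_systemd=1
    if [ "$deps_has_lzma" -eq 1 ] && [ "$deps_has_systemd" -eq 1 ]; then
        echo exposed
    elif [ "$deps_has_lzma" -eq 1 ] || [ "$deps_has_systemd" -eq 1 ]; then
        echo partial
    else
        echo clear
    fi
}

# check_sshd [PATH]
#   Runs ldd on a real sshd binary when one exists and ldd is available,
#   otherwise prints "skipped" so the script is safe to run on any host.
check_sshd() {
    sshd_bin="${1:-/usr/sbin/sshd}"
    if [ -x "$sshd_bin" ] && command -v ldd >/dev/null 2>&1; then
        classify_deps "$(ldd "$sshd_bin" 2>/dev/null)"
    else
        echo skipped
    fi
}

# Constructed sample: a Linux-style sshd that links both libsystemd and
# liblzma, the combination the post's second and third bullets describe.
SAMPLE_LINUX='	linux-vdso.so.1 (0x00007ffd1a3f0000)
	libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f1c2e400000)
	liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f1c2e3c0000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c2e000000)'

# Constructed sample: an AIX-style listing with neither library present.
SAMPLE_AIX='/usr/sbin/sshd needs:
	 /usr/lib/libc.a(shr_64.o)
	 /usr/lib/libcrypto.a(libcrypto.so.3)
	 /usr/lib/libz.a(libz.so.1)'

echo "constructed Linux sample: $(classify_deps "$SAMPLE_LINUX")"   # exposed
echo "constructed AIX sample:   $(classify_deps "$SAMPLE_AIX")"     # clear
echo "this host's sshd:         $(check_sshd)"
```

Run it as-is to see the two constructed verdicts and the verdict for the local sshd; pass another path (`check_sshd /opt/freeware/sbin/sshd`, for instance) to inspect a differently packaged build. The classification is deliberately coarse: it reports linkage, not whether the linked xz is a backdoored release, so a "partial" or "exposed" result is a prompt to check the package's provenance rather than a finding in itself.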



  • 5.  RE: AIX and IBM and OSS supply chain attacks

    Posted Thu April 04, 2024 07:40 AM
    On Thu, Apr 04, 2024 at 10:58:19AM +0000, Alexander Reichle-Schmehl via IBM TechXchange Community wrote:
    > But as you raised the topic with the context of the xz backdoor
    > usable via ssh, it is noteworthy to also note, that AIX should not
    > affected by CVE-2024-3094.

    Thankfully it isn't vulnerable. AIX doesn't use glibc, isn't infected
    by systemd, and any embedded x86 byte code wouldn't work on POWER.

    I'm asking about the generic case.

    ------------------------------------------------------------------
    Russell Adams Russell.Adams@AdamsSystems.nl
    Principal Consultant Adams Systems Consultancy
    https://adamssystems.nl/




  • 6.  RE: AIX and IBM and OSS supply chain attacks

    Posted 25 days ago

    Ping! There has been no IBM response.

    An excellent example of this is the libcurl library now shipping with AIX 7.3. There was a CVE just this week for this library which IBM sent out.

    My question stands: What is IBM doing to protect their customers from non-IBM code they are including in AIX?



    ------------------------------
    ========================
    Russell Adams
    https://adamssystems.nl/
    ========================
    ------------------------------