IBM scores perfect 10 ... vulnerability in mission-critical OS AIX
(2025/03/19)
- Reference: 1742410689
- News link: https://www.theregister.co.uk/2025/03/19/ibm_aix_critical_vulnerabilities/
- Source link:
IBM "strongly recommends" customers running its Advanced Interactive eXecutive (AIX) operating system apply patches after disclosing two critical vulnerabilities, one of which has a perfect 10 severity score.
The two vulnerabilities, CVE-2024-56346 (10) and CVE-2024-56347 (9.6), both allow remote attackers to execute arbitrary commands. IBM's security bulletin states that both are caused by improper process controls (CWE-114).
IBM has never specified the number of clients on AIX, but third-party sources suggest around 9,000 organizations use the OS, which is generally deployed in critical applications powering high-value industries.
Enlyft [2] reports that companies such as Pure Storage and Hermes Europe use AIX. The software is commonly used for mission-critical applications across the finance, banking, healthcare, and telecommunications sectors – mainly in the US. It's also often the OS powering large datacenters.
Therefore, a perfect 10 bug in a product like AIX is a significant concern. Probably for that reason, IBM didn't share many details about the vulnerabilities themselves or how to exploit them. However, versions 7.2 and 7.3 [5] are both vulnerable and should be updated immediately, Big Blue says.
The headline flaw, CVE-2024-56346, affects AIX's nimesis Network Installation Management (NIM) master service. CVE-2024-56347 relates to AIX's nimsh service SSL/TLS protection mechanisms, according to IBM's security bulletin [6].
Both vulnerabilities can be exploited remotely in low-complexity attacks that require no privileges, according to exploitability metrics. However, CVE-2024-56347 requires some level of user interaction, while CVE-2024-56346 does not.
Given that the vulnerabilities affect NIM, which manages AIX OS installations, and organizations often run custom applications on AIX, a successful exploit could have wide-ranging consequences.
Attackers could theoretically access and lift sensitive data from affected organizations, deploy ransomware, corrupt backups, implant backdoors, and more – potentially compromising critical applications used by financial institutions and healthcare organizations.
IBM customers are advised that the severity scores are there as a guide but may rise or fall depending on their specific environment. Regardless, with no workaround or temporary mitigations to fall back on, and the fact that AIX is a known target for Chinese espionage [12], applying the patches promptly is the best course of action, regardless of the environment's configuration.
The Register approached IBM for additional information. ®
[2] https://enlyft.com/tech/products/ibm-aix
[5] https://www.theregister.com/2021/02/24/aix_7_3_announced/
[6] https://www.ibm.com/support/pages/node/7186621
[12] https://www.theregister.com/2024/09/18/chinese_spies_found_on_us_hq_firm_network/
Sparkus: So much for.... forcibly retiring the US-based AIX brain trust and outsourcing everything AIX-related overseas.......
Today I learned that IBM AIX was not extinct (I wish the same applied to the thylacine).