Tim Brown of Cisco Security Advisory EMEA discovered these vulnerabilities and contributed to this blog post.

A Cisco security researcher recently discovered two vulnerabilities in the IBM AIX Unix platforms that could be exploited to inject commands and logs into targeted systems with elevated privileges.

AIX is IBM's family of Unix operating systems, more than 20 years old, that runs on various IBM platforms.

TALOS-2023-1690 (CVE-2023-26286) is a vulnerability in AIX’s errlog() syscall functionality that can be triggered if an adversary sends a specially crafted syscall. This could then allow the malicious actor to generate arbitrary log entries that can cause malicious commands to be run with elevated privileges. An adversary could also exploit TALOS-2023-1690 to gain out-of-bounds memory access.

TALOS-2023-1691 (CVE-2023-28528) exists in AIX’s invscout setUID binary. In this case, the adversary could send a specially crafted command line argument to gain the ability to inject arbitrary commands.

While the vulnerability in invscout is relatively run-of-the-mill, the vulnerability with errlog() is more notable. In this case, the malicious input is supplied by a user via a non-privileged syscall, resulting in the AIX kernel writing the data to a privileged device (/dev/error). From there, a privileged service (errdaemon) running as root reads from the device and misprocesses it, resulting in command execution and/or memory corruption. The vulnerability is notable for the following reasons:

  • The errlog() syscall does not limit who can access it, nor which kernel and user-land errors it can be used to raise.
  • The same configurable mechanism by which errdaemon handles events written to /dev/error could also be used by adversaries to construct a persistence mechanism, with errdaemon being configured to perform malicious activities when an appropriately constructed message is logged by a user.
  • On systems where the errors are collected and fed to a SIEM or other network monitoring solution, this presents opportunities for detection beyond on-device telemetry, as can be seen with the related Snort rule.
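To audit the persistence avenue described in the second bullet, here is an added example that is not part of the original post or IBM's tooling: a small Python parser for the output of `odmget errnotify`, the AIX ODM class whose `en_method` attribute tells errdaemon which command to run when a matching error is logged. The sample stanzas are constructed and abbreviated, and the trusted-directory allowlist and the review criteria are assumptions to be tuned to a host's baseline.

```python
import re

# Constructed, abbreviated sample of `odmget errnotify` output (not from a real host;
# real stanzas carry more attributes, which the parser simply keeps as extra keys).
SAMPLE = """\
errnotify:
        en_pid = 0
        en_name = "diagela"
        en_persistenceflg = 1
        en_label = ""
        en_class = "H"
        en_method = "/usr/lpp/diagnostics/bin/diagela_exec $1 $2 $3 $4 $5 $6 $7 $8 $9"

errnotify:
        en_pid = 0
        en_name = "opmsg_hook"
        en_persistenceflg = 1
        en_label = "OPMSG"
        en_class = "O"
        en_method = "/tmp/.cache/run.sh $9"
"""

# Directories a trusted notification method is expected to live under (assumption).
TRUSTED_PREFIXES = ("/usr/lpp/", "/usr/lib/ras/", "/etc/")

STANZA = re.compile(r"^errnotify:\s*$", re.M)
ATTR = re.compile(r'^\s*(en_\w+)\s*=\s*"?(.*?)"?\s*$', re.M)


def parse_errnotify(text):
    """Split odmget output into one {attribute: value} dict per errnotify stanza."""
    chunks = STANZA.split(text)[1:]  # anything before the first stanza is discarded
    return [dict(ATTR.findall(chunk)) for chunk in chunks]


def suspicious(entry):
    """Return the reasons an entry deserves review, or [] if it looks benign.

    Heuristics (assumptions): the method lives outside the trusted directories, or
    the hook fires on operator messages (class O), which unprivileged users can log."""
    reasons = []
    method = entry.get("en_method", "")
    if not method:
        return reasons
    prog = method.split()[0]
    if not prog.startswith(TRUSTED_PREFIXES):
        reasons.append("method %r outside trusted directories" % prog)
    if entry.get("en_class") == "O":
        reasons.append("fires on operator (user-generated) messages")
    return reasons


def audit(text):
    """Map en_name -> reasons for every entry that needs review."""
    findings = {}
    for entry in parse_errnotify(text):
        reasons = suspicious(entry)
        if reasons:
            findings[entry.get("en_name", "?")] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE).items():
        print(name, "->", "; ".join(reasons))
```

On a real host, feed it `odmget errnotify` output (for example via `subprocess.run`) and compare the result against a known-good baseline captured at build time.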

Cisco Talos worked with IBM to ensure these vulnerabilities are resolved and an update is available for affected customers, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: IBM Corporation AIX, version 7.2. Talos tested and confirmed this version of AIX could be exploited by these vulnerabilities.

The following Snort rules will detect exploitation attempts against the TALOS-2023-1690 vulnerability: 61154 and 61155. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.