CVE-2024-47104
📋 TL;DR
This vulnerability allows authenticated IBM i users with view authority to modify security attributes of underlying physical files without proper object management rights. An attacker could bypass intended access controls to perform unauthorized actions. This affects IBM i 7.4 and 7.5 systems where users have view access to files.
💻 Affected Systems
- IBM i
📦 What is this software?
IBM i by IBM
⚠️ Risk & Real-World Impact
Worst Case
Malicious authenticated users could escalate privileges to modify or delete critical system files, potentially leading to data loss, system compromise, or unauthorized data access.
Likely Case
Authorized users exploiting the flaw to access or modify sensitive data they shouldn't have permissions for, violating data integrity and confidentiality.
If Mitigated
Limited impact if proper access controls and monitoring are in place, with only authorized users having minimal necessary privileges.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of view-based file relationships. The vulnerability is in the authorization logic, making exploitation straightforward for knowledgeable users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply IBM i PTF Group SF99725 Level 37 or later for 7.4, and SF99726 Level 27 or later for 7.5
Vendor Advisory: https://www.ibm.com/support/pages/node/7179158
Restart Required: Yes
Instructions:
1. Download the appropriate PTF Group for your IBM i version.
2. Apply the PTF using the GO PTF command or IBM i Navigator.
3. Restart the system to activate the fix.
4. Verify the PTF is active using the DSPPTF command.
🔧 Temporary Workarounds
Restrict View Access
Temporarily remove or restrict user authority to views that are based on sensitive physical files until patching can be completed. Note that GRTOBJAUT takes a qualified library/object name, not an IFS path, and the view is a *FILE object:
GRTOBJAUT OBJ(YOURLIB/YOURVIEW) OBJTYPE(*FILE) USER(USERNAME) AUT(*EXCLUDE)
🧯 If You Can't Patch
- Implement strict least-privilege access controls for views and physical files
- Enable detailed auditing of file access and modification attempts
🔍 How to Verify
Check if Vulnerable:
Check the IBM i version with the DSPPTF command and verify whether PTF Groups SF99725 (7.4) or SF99726 (7.5) are at the required levels or higher.
Check Version:
DSPPTF LICPGM(5770SS1)
Verify Fix Applied:
Run DSPPTF LICPGM(5770SS1) and confirm PTF Groups SF99725 Level ≥37 (7.4) or SF99726 Level ≥27 (7.5) are installed and active.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized file modifications by users with only view access
- Changes to physical file security attributes from users without *OBJMGT authority
Network Indicators:
- N/A - This is a local privilege escalation vulnerability
SIEM Query:
Search for audit journal entries (QAUDJRN) with event types CPF9Bxx or CPF9Cxx showing file security attribute changes from users with limited privileges.
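The log indicator above ("changes to physical file security attributes from users without *OBJMGT authority") can be checked offline against an audit journal export. The following Python script is an added example and not part of this advisory or any IBM tooling: it assumes a simplified, constructed pipe-separated export of QAUDJRN entries (real DSPJRN/DSPAUDJRNE output has a wider layout that you would map into the same fields) and a constructed table of per-user object authorities, such as you would collect from DSPOBJAUT, and flags CA (authority change) entries made by users who hold neither *OBJMGT nor *ALL on the affected object.

```python
"""Added example (not from the advisory): flag audit journal entries in which
a user changed an object's security attributes without holding *OBJMGT.

The export layout, the sample records and the authority table are all
constructed for this example. The entry type 'CA' is the QAUDJRN authority
change entry; the other types in the sample are ordinary object access entries.
"""
from dataclasses import dataclass

# Constructed sample export: timestamp|entry_type|user|library|object|detail
SAMPLE_AUDIT_EXPORT = """\
2024-10-01-09.15.22|CA|ALICE|PAYLIB|EMPLOYEE|AUT(*ALL) changed via view EMPVIEW
2024-10-01-09.16.05|ZC|ALICE|PAYLIB|EMPLOYEE|CHANGE
2024-10-01-10.02.41|CA|SECADM|PAYLIB|EMPLOYEE|AUT(*EXCLUDE) USER(BOB)
2024-10-01-10.30.00|ZR|CAROL|PAYLIB|EMPVIEW|READ
"""

# Constructed sample of each user's authority to the underlying physical file
# (what DSPOBJAUT would report), keyed by (library, object).
OBJECT_AUTHORITY = {
    ("PAYLIB", "EMPLOYEE"): {
        "ALICE": {"*OBJOPR", "*READ"},            # view-only user
        "SECADM": {"*OBJMGT", "*OBJEXIST", "*ALL"},
        "BOB": set(),
    },
}

# Audit entry types that record a security attribute change on an object.
SECURITY_CHANGE_TYPES = {"CA"}

FIELDS = ("timestamp", "entry_type", "user", "library", "object", "detail")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    library: str
    obj: str
    detail: str


def parse_export(text):
    """Parse the constructed pipe-separated export into dicts, skipping
    blank or malformed lines instead of aborting the whole scan."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", len(FIELDS) - 1)
        if len(parts) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def find_unauthorized_security_changes(records, authority):
    """Return a Finding for every security change made by a user who does
    not hold *OBJMGT (directly or through *ALL) on the changed object.
    Users with *ALLOBJ special authority are not modelled here."""
    findings = []
    for r in records:
        if r["entry_type"] not in SECURITY_CHANGE_TYPES:
            continue
        auts = authority.get((r["library"], r["object"]), {}).get(r["user"], set())
        if "*OBJMGT" in auts or "*ALL" in auts:
            continue  # legitimately authorised change
        findings.append(Finding(r["timestamp"], r["user"], r["library"],
                                r["object"], r["detail"]))
    return findings


def scan(text=SAMPLE_AUDIT_EXPORT, authority=OBJECT_AUTHORITY):
    """Convenience wrapper: parse the export and return the findings."""
    return find_unauthorized_security_changes(parse_export(text), authority)


if __name__ == "__main__":
    for f in scan():
        print(f"{f.timestamp} {f.user} changed security attributes of "
              f"{f.library}/{f.obj} without *OBJMGT: {f.detail}")
```

On the constructed sample only ALICE's CA entry is reported: she holds just *OBJOPR and *READ on PAYLIB/EMPLOYEE, which is exactly the view-only user this vulnerability concerns, whereas SECADM's change is dropped because that profile holds *OBJMGT. To use this against a real system, replace the sample export and authority table with data exported from the audit journal and DSPOBJAUT, keeping the same field mapping.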