IBM “strongly recommends” customers running its Advanced Interactive eXecutive (AIX) operating system apply patches after disclosing two critical vulnerabilities, one of which has a perfect 10 severity score.

The two vulnerabilities, CVE-2024-56346 (CVSS 10) and CVE-2024-56347 (CVSS 9.6), both allow remote attackers to execute arbitrary commands. IBM’s security bulletin states that both are caused by improper process controls (CWE-114).

IBM has never specified the number of clients on AIX, but third-party sources suggest around 9,000 organizations use the OS, which is generally deployed in critical applications powering high-value industries.

Enlyft reports that companies such as Pure Storage and Hermes Europe use AIX. The software is commonly used for mission-critical applications across the finance, banking, healthcare, and telecommunications sectors – mainly in the US. It’s also often the OS powering large datacenters.

Therefore, a perfect 10 bug in a product like AIX is a significant concern. Probably for that reason, IBM didn’t share many details about the vulnerabilities themselves or how to exploit them. However, versions 7.2 and 7.3 are both vulnerable and should be updated immediately, Big Blue says.

The headline flaw, CVE-2024-56346, affects AIX’s nimesis Network Installation Management (NIM) master service. CVE-2024-56347 relates to AIX’s nimsh service SSL/TLS protection mechanisms, according to IBM’s security bulletin.

Both vulnerabilities can be exploited remotely in low-complexity attacks that require no privileges, according to the CVSS exploitability metrics. However, CVE-2024-56347 requires some level of user interaction, while CVE-2024-56346 does not.
