IBM iSeries Cached Passwords

This script is Copyright (C) 2012-2017 Tenable Network Security, Inc.


Synopsis :

At least one password is stored in the registry by the client software
for the IBM iSeries system.

Description :

The client software for the IBM iSeries system can automatically
connect to an iSeries system without prompting for user credentials.
It does so by storing a default user and its associated password in
the registry. The password is protected by a weak encoding algorithm
and a known key. A remote attacker can exploit this by accessing the
encoded password value in the registry, allowing the attacker to
recover the password in plaintext.

See also :

https://www-01.ibm.com/support/docview.wss?uid=nas8N1021418
https://www.tenable.com/security/research/tra-2016-18

Solution :

Upgrade to IBM iSeries version 7.1 service pack SI60523 or later.

Risk factor :

Low / CVSS Base Score : 2.1
(CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N)

Family: Windows

Nessus Plugin ID: 57849

Bugtraq ID:

CVE ID: CVE-2016-0287
