IBM i Access Client Solutions information disclosure
Description
IBM i Access Client Solutions stores a decryptable password encryption key; a local attacker who has the encrypted password can recover the plaintext password for other systems.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
IBM i Access Client Solutions (ACS) versions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 contain a flaw where the encryption key used to protect passwords can be decoded [1]. The encryption mechanism is reversible, allowing the key to be recovered from the software itself. This affects all listed versions; no prerequisites on the ACS installation are required beyond accessing the encrypted password blob.
Exploitation
A local attacker must first obtain the encrypted password string (for example, from a stored credential file or memory dump) [1]. The attacker then analyzes the ACS binaries or configuration to extract the hard-coded or derivable encryption key. By applying the known key and algorithm to the encrypted password, the attacker can decode it to plaintext without any authenticated access to the ACS client itself.
Impact
Successful exploitation leads to disclosure of the plaintext password for the remote system that the ACS client was configured to connect to [1]. The attacker gains the ability to log in to the target IBM i system with the compromised user's credentials, potentially leading to broader unauthorized access. The confidentiality of the stored password is fully breached.
Mitigation
IBM has addressed this vulnerability in the IBM i Access Client Solutions fix pack provided in the security bulletin [1]. Users should apply the latest fix for their affected version (1.1.2–1.1.4 and 1.1.4.3–1.1.9.3). No workaround is available; updating to the fixed release is the recommended action. This CVE is not listed in the KEV catalog at the time of publication.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: >=1.1.2 <=1.1.4 and >=1.1.4.3 <=1.1.9.3
- (no CPE) range: 1.1.2
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- www.ibm.com/support/pages/node/7091942 (mitre, vendor-advisory)
- exchange.xforce.ibmcloud.com/vulnerabilities/268265 (mitre, vdb-entry)
News mentions
No linked articles in our index yet.