IBM i Access Client Solutions
Description
IBM i Access Client Solutions 1.1.2-1.1.9.3 allows a local attacker to retrieve the password decryption key due to improper authority checks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
IBM i Access Client Solutions (ACS) versions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 contain a vulnerability in their password storage mechanism. The application fails to perform proper authority checks when accessing the decryption key used to protect stored passwords. This allows a local user who can run ACS to retrieve the key, compromising the confidentiality of encrypted passwords.
Exploitation
An attacker must have local access to the system running the affected version of IBM i Access Client Solutions. No authentication is required beyond the ability to launch the application. The attacker can exploit the weak authority checks to directly obtain the decryption key from the application's storage.
Impact
Successful exploitation allows the attacker to retrieve the decryption key. If they also have access to the encrypted password data (e.g., via another vulnerability or physical access), they can decrypt passwords used to access other IBM i systems, which is a high confidentiality impact for those systems. The CVSS vector (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects a high confidentiality impact but no direct impact on integrity or availability.
Mitigation
IBM has addressed this vulnerability in IBM i Access Client Solutions versions 1.1.9.4 and later, as described in the security bulletin [1]. Users should upgrade to the fixed version. No workarounds are documented. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1.1.2 through 1.1.4, 1.1.4.3 through 1.1.9.3 (+ 1 more)
- (no CPE) range: 1.1.2 through 1.1.4, 1.1.4.3 through 1.1.9.3
- (no CPE) range: 1.1.2
Patches
No patches discovered yet.
References
- [1] www.ibm.com/support/pages/node/7091942 (mitre, vendor-advisory)
- [2] exchange.xforce.ibmcloud.com/vulnerabilities/268270 (mitre, vdb-entry)