IBM i Access Client Solutions information disclosure

Vulnerability

IBM i Access Client Solutions (ACS) versions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.4 accept Universal Naming Convention (UNC) paths within its configuration files. An attacker who can modify these paths to point to a hostile server can trigger NTLM authentication by the Windows operating system when ACS processes the path [1]. No special ACS feature enables NTLM; the issue arises because ACS does not block UNC paths, and if NTLM is enabled on the Windows workstation, the OS automatically attempts authentication [1].

Exploitation

An attacker needs local or remote write access to the ACS configuration files (for example, via a compromised user account or by enticing a user to load a malicious configuration). The attacker modifies a UNC path in a configuration file to point to an attacker-controlled SMB server. When ACS reads that path, Windows initiates NTLM authentication to the hostile server [1]. The hostile server captures the NTLM hash. No user interaction beyond normal ACS use of the modified configuration is required [1].

Impact

Successful exploitation allows the hostile server to capture the NTLM hash of the current Windows user session [1]. This hash can be used in further attacks (such as pass-the-hash or offline cracking) to obtain the user's credentials, leading to unauthorized access and credential theft [1]. The confidentiality of the user's credentials is compromised.

Mitigation

IBM recommends that administrators and users be aware that NTLM enables a variety of security issues on Windows workstations. As a workaround, NTLM can be disabled on Windows systems, or strict UNC path validation policies can be enforced [1]. No patched version of ACS is listed in the available references to date. Affected versions are 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.4 [1].