Common Holes and a Deep Dive into the Top Prevalent Vulnerabilities that Impact z/OS and all ESMs
Brian Marshall
President, Vanguard Integrity Professionals
November 2020
GSE UK Conference 2020 Charity
• The GSE UK Region team hope that you find this presentation and others that follow useful and help to expand your knowledge of z Systems.
• Please consider showing your appreciation by kindly donating a small sum to our charity this year, NHS Charities Together. Follow the link below or scan the QR Code:
http://uk.virginmoneygiving.com/GuideShareEuropeUKRegion
Why Be Concerned
• How important is the z/OS mainframe's data and services to your organization?
• How would your organization be affected if data on the mainframe was ...
  • Stolen or publicly disclosed
  • Inappropriately modified
  • Deleted
  • Rendered unavailable because the operation of the system was disrupted
• If they are fully and properly implemented, RACF, ACF2, and Top Secret, working in conjunction with z/OS and installed system software products (e.g., CICS), help guard against these outcomes by preventing users from accessing data and software functions they are not supposed to use.
Some Top Data Breaches
• Equifax: $575 to 700 Million
• TARGET: $300 – $600 Million
• British Airways: $230 million
• Uber: $148 million
• Marriott International: $124 million
• Yahoo: $85 million
• Tesco Bank: $21 million
• Target: $18.5 million
• Anthem: $16 million
• 1&1 Telecom: $10.6 million
• Google: $7.5 million
• The University of Texas MD Anderson Cancer Center: $4.3 million
• Fresenius Medical Care North America: $3.5 million
• Cottage Health, Touchstone Medical Imaging, and University of Rochester Medical Center (URMC): $3 million each
• Jackson Health System: $2.15 million
It Doesn’t End Here
• While financial penalties have their place, there are also a range of tools regulators have at their disposal under the GDPR that can be used in conjunction with fines. These include issuing assessment notices, where the regulator can assess whether processing is compliant, and enforcement notices, where the regulator can order a company to take steps to remedy any failure to comply.
Source: complianceweek.com
Source: csoonline.com
Some of the more Prevalent ESM Vulnerabilities
• Excessive Access to APF Libraries
• Privileged Users are not MFA authenticated
• Weak Password Encryption Algorithm
• Started Task and Batch IDs with Excessive Access Authority
• Sensitive Datasets Profiles with Default Access greater than NONE
• Excessive Assignment of z/OS UNIX Superuser Privileges
• IDs with Unchanged Non-Expiring Passwords
• Inappropriate Authority to Submit Work using Another User's ID
Excessive Access to APF Libraries
EXPLANATION Authorized Program Facility (APF) libraries are an integral part of the z/OS architecture and enable the integrity of the z/OS operating system environment to be maintained. Libraries designated as APF allow programs to execute with the authority of z/OS itself, so the ability to modify these libraries must be strictly controlled.
RISK UPDATE or higher access to an APF library can allow an individual to implement an APF-authorized program which can bypass security controls and execute privileged instructions.
INVESTIGATION Using either LIST commands or reports from any administrative product, review the users that have access greater than READ and ensure they belong in the access list.
REMEDIATION RACF profiles, ACF2 rules and TSS permits need to be defined closely matching the full dataset name for all APF-authorized libraries, including LNKLST (if LNKAUTH=APFTAB) and LPA datasets. Additionally, success logging at UPDATE or WRITE and above must be implemented. Keep in mind that implied access, access granted by only issuing warning(s), global access, and access via exits can all be problematic. IT TAKES only ONE!
Also consider high-level authorities (e.g., RACF OPERATIONS, ACF2 NON-CNCL, Top Secret NODSNCHK) that can bypass normal dataset protections.
A process for quickly discovering and locking down new APF libraries is essential.
Privileged Users are not MFA Authenticated
EXPLANATION Privileged users on the mainframe are the ones that have the most authority and access, such as Security Administrators and Systems Programmers who are authorized to update APF libraries. Their logon credentials require the highest level of authentication protection.
RISK A single userid/password of a privileged user that is stolen or hacked will leave your entire system vulnerable. Stolen fixed-value credentials are simply the fastest and easiest way to gain system authority.
INVESTIGATION Review the logons of privileged users and ensure that they are required to use MFA authentication. There are so many methods and providers of MFA that this really cannot be automated.
REMEDIATION MFA implementation for privileged users is rapidly becoming a must-do. Simply providing MFA at the network external entry point is not sufficient. Ideally, this should be rolled out to all users. MFA products are available from all the ESM vendors and third-party add-on product vendors.
Weak Password Encryption Algorithm
EXPLANATION Strong password encryption is necessary to thwart attempts to discover passwords using brute-force password cracking attacks.
RISK Identities that authenticate using simple USERID/PASSWORD combinations are inherently dangerous when a poor password encryption algorithm is implemented. Any user with access to a copy of the ESM's database could potentially decrypt passwords for IDs belonging to privileged users and then use those IDs to launch a mainframe attack.
INVESTIGATION RACF: SETROPTS LIST; ACF2: SET C(GSO) then SHOW ACF; TSS: TSS MODIFY STATUS. Review the resulting reports.
REMEDIATION RACF: Set the PASSWORD ENCRYPTION algorithm to KDFAES (SETROPTS command)
ACF2: Set GSO option PSWDENCT(AES2) – CHANGE PSWD REP PSWDENCT(AES2)
TSS: AES_ENCRYPTION and AESENC() affect this. One needs the other. Use TSSEXTEND to convert the security file for AES_ENCRYPTION
Sensitive Datasets with Default Access greater than NONE
EXPLANATION Sensitive datasets are those containing security and control information, proprietary information, and PII, PHI, PCI, and FRCA data whose confidentiality must be protected as mandated by legal and regulatory requirements.
RISK Weak default access could allow inappropriate disclosure of sensitive data. Disclosure of such data could adversely affect the organization and its employees, customers, suppliers, and business partners.
INVESTIGATION The tough part here is identifying what is sensitive and how it is accessible. Once you have that, look at each profile. Also keep in mind that you should be looking to use pervasive en
REMEDIATION Remediation begins with identifying the datasets where sensitive data is kept and then removing default access. Default access is defined in:
RACF: Universal Access (UACC) profile settings, ID(*) permissions, and Global Access Table entries
ACF2: Dataset rules
TSS: TSS ALL record
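Both the APF-library finding and the sensitive-dataset finding above can be checked from the same RACF LISTDSD output: the first looks for anyone with more than READ on an APF library, missing SUCCESS logging and WARNING mode; the second looks for a UACC other than NONE or an ID(*) entry on a sensitive dataset. The Python script below is an added example and is not part of this presentation or of any Vanguard product. It parses a constructed LISTDSD listing (not real system data), and the APF_LIBRARIES, SENSITIVE_DATASETS and APPROVED_APF_UPDATERS inventories are hypothetical inputs an auditor would maintain. Global Access Table entries, RACF OPERATIONS-style authorities and the ACF2/TSS equivalents do not appear in LISTDSD output and are not covered here.

```python
"""Audit RACF LISTDSD output for excessive access to APF libraries and for
default access greater than NONE on sensitive data sets (added example)."""
import re

ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]  # weakest first

# Constructed LISTDSD ... ALL output for two profiles (not real system data).
SAMPLE_LISTDSD = """\
INFORMATION FOR DATASET SYS1.LINKLIB
LEVEL  OWNER    UNIVERSAL ACCESS  WARNING  ERASE
-----  -----    ----------------  -------  -----
 00    SYS1            READ         NO      NO
AUDITING
--------
FAILURES(READ)
   ID         ACCESS   ACCESS COUNT
   --------   -------  ------------
   SYSPROG    ALTER        000012
   APPDEV1    UPDATE       000003
   *          READ         000000
INFORMATION FOR DATASET PROD.CUSTOMER.PII
LEVEL  OWNER    UNIVERSAL ACCESS  WARNING  ERASE
-----  -----    ----------------  -------  -----
 00    PRODOWN         READ         YES     NO
AUDITING
--------
SUCCESS(UPDATE),FAILURES(READ)
   ID         ACCESS   ACCESS COUNT
   --------   -------  ------------
   PRODBAT    UPDATE       000040
"""
# Hypothetical auditor inventories: APF libraries, sensitive data sets, and the
# IDs approved to change APF libraries (e.g. the systems programming group).
APF_LIBRARIES = {"SYS1.LINKLIB"}
SENSITIVE_DATASETS = {"PROD.CUSTOMER.PII"}
APPROVED_APF_UPDATERS = {"SYSPROG"}


def access_rank(level):
    return ACCESS_ORDER.index(level.upper())


def parse_listdsd(text):
    """Return {profile: {uacc, warning, auditing, acl}} from LISTDSD output."""
    profiles, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-", " "}:
            continue  # blank lines and dashed rules
        m = re.match(r"INFORMATION FOR DATASET (\S+)", line)
        if m:
            current = {"uacc": "NONE", "warning": "NO", "auditing": "", "acl": {}}
            profiles[m.group(1)] = current
            section = None
            continue
        if current is None:
            continue
        if line == "AUDITING":
            section = "auditing"
            continue
        if line.startswith("ID") and "ACCESS COUNT" in line:
            section = "acl"
            continue
        # LEVEL/OWNER/UACC/WARNING/ERASE data row, e.g. "00  SYS1  READ  NO  NO"
        m = re.match(r"\d{2}\s+\S+\s+(\S+)\s+(YES|NO)\s+(YES|NO)$", line)
        if m:
            current["uacc"], current["warning"] = m.group(1), m.group(2)
            continue
        if section == "auditing":
            current["auditing"] = line  # e.g. SUCCESS(UPDATE),FAILURES(READ)
            section = None
            continue
        if section == "acl":
            m = re.match(r"(\S+)\s+(NONE|EXECUTE|READ|UPDATE|CONTROL|ALTER)\s+\d+$", line)
            if m:
                current["acl"][m.group(1)] = m.group(2)  # "*" is the ID(*) entry
    return profiles


def logs_successful_updates(auditing):
    """True when AUDIT(SUCCESS(x)) or AUDIT(ALL(x)) is set with x at or below UPDATE."""
    return any(access_rank(level) <= access_rank("UPDATE")
               for _, level in re.findall(r"(SUCCESS|ALL)\((\w+)\)", auditing))


def audit_apf_library(name, prof, approved):
    findings = []
    if access_rank(prof["uacc"]) > access_rank("READ"):
        findings.append(f"{name}: UACC {prof['uacc']} exceeds READ")
    if prof["warning"] == "YES":
        findings.append(f"{name}: WARNING mode lets otherwise-denied access succeed")
    if not logs_successful_updates(prof["auditing"]):
        findings.append(f"{name}: no SUCCESS logging at UPDATE or above (AUDIT is {prof['auditing']})")
    for uid, acc in prof["acl"].items():
        if access_rank(acc) > access_rank("READ") and uid not in approved:
            findings.append(f"{name}: {uid} has {acc} but is not an approved updater")
    return findings


def audit_sensitive_dataset(name, prof):
    findings = []
    if prof["uacc"] != "NONE":
        findings.append(f"{name}: UACC is {prof['uacc']}, default access must be NONE")
    if "*" in prof["acl"] and prof["acl"]["*"] != "NONE":
        findings.append(f"{name}: ID(*) grants {prof['acl']['*']} to every user")
    if prof["warning"] == "YES":
        findings.append(f"{name}: WARNING mode lets otherwise-denied access succeed")
    return findings


def audit(text=SAMPLE_LISTDSD):
    findings = []
    for name, prof in parse_listdsd(text).items():
        if name in APF_LIBRARIES:
            findings += audit_apf_library(name, prof, APPROVED_APF_UPDATERS)
        if name in SENSITIVE_DATASETS:
            findings += audit_sensitive_dataset(name, prof)
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

On the constructed sample this reports four findings: SYS1.LINKLIB has no success logging at UPDATE and APPDEV1 holds UPDATE without being approved, and PROD.CUSTOMER.PII has UACC(READ) and WARNING mode. The access ordering is the RACF one (NONE < EXECUTE < READ < UPDATE < CONTROL < ALTER), so "greater than READ" and "greater than NONE" are rank comparisons rather than string matches.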
Started Task and Batch IDs with Excessive Access Authority
EXPLANATION The principle of "least necessary privilege" is just as applicable to Started Task and Batch IDs as it is to users, if not more so. A Started Task or Batch ID should only be able to do that which it is designed and intended to do, and its authority should be subject to oversight by security and auditing.
RISK Excessive access can lead to sloppy software configuration and design practices, innocent but inappropriate access to sensitive data, and intentional misuse to gain unauthorized access.
INVESTIGATION Identify your started task users (RACF: the STARTED class; ACF2: the STARTED TASK list, then the LID, then the default; TSS: ACIDs with FACILITY(STC)), then ensure those users do not have access beyond what they need.
REMEDIATION First and foremost, ensure Started Tasks and Batch Jobs are assigned unique IDs. While it is not unreasonable for a set of like Started Tasks to share an ID, or for a particular Batch ID to be assigned to all the jobs for a specific application, sharing IDs beyond that should be forbidden.
It is best to permit access directly to these unique IDs. Using groups is only appropriate for sets of like IDs. Do not mix Started Task and Batch IDs with users. Assign access only as necessary.
Avoid the use of high-privileged authorities unless they are vendor-specified:
RACF: OPERATIONS, and for Started Tasks, TRUSTED and PRIVILEGED
ACF2: NON-CNCL or SECURITY with NORSRCVLD and/or NORULEVLD
TSS: PERMIT of MODE(DORM) or NODSNCHK, NOVOLCHK, NORESCHK
Excessive Assignment of z/OS UNIX Superuser Privileges
EXPLANATION User IDs with z/OS UNIX Superuser authority (a.k.a. root or UID 0) have full authority to access and administer security for all UNIX directories and files.
RISK Superusers can accidentally or maliciously damage or disclose sensitive data residing in the Unix File System or disrupt Unix processes critical to z/OS operations and network connectivity.
INVESTIGATION Review access to FACILITY class and UNIXPRIV resources. Review UID(0) and ensure no human users have it.
REMEDIATION Assign UID(0) only to daemons (not users) if specified by vendor documentation. If available as an option, substitute access to FACILITY / IBMFAC BPX.SUPERUSER.
Permit access to BPX.SUPERUSER to Tech Support staff responsible for maintaining z/OS Unix.
Permit access to BPX resources and UNIXPRIV resources as a substitute for full Superuser authority wherever feasible.
Implement FSACCESS controls to restrict Superuser access to File Systems with sensitive data.
IDs with Unchanged Non-Expiring Passwords
EXPLANATION Process IDs with non-expiring passwords are often needed for tasks such as file transfers between systems. These passwords are known to system administrators. IDs with the following properties have non-expiring passwords:
RACF: NOINTERVAL
ACF2: LID MAXDAYS and LIDZMAX. The GSO PSWDMAX.
TSS: Control Option PWEXP and ACID password expiration date and interval.
RISK Process IDs with known passwords could be used inappropriately, either maliciously or for an unintended purpose.
INVESTIGATION RACF: LU *; ACF2: SET LID then LIST LIKE(-); TSS: TSS LIST(ACIDS) DATA(PW). Review expiration dates and intervals.
REMEDIATION Document the intended use of each process ID and where its password is maintained. Change the passwords for such IDs on a regular basis and whenever there is a change of system administrator. Restrict the access of these process IDs based on least necessary privilege. If possible, limit them to only logging on from the intended source.
In the case of RACF, use PROTECTED in lieu of passwords when feasible.
Inappropriate Authority to Submit Work using Another User's ID
EXPLANATION Each of the ESMs has features to enable a user to submit work, specifically batch jobs, under the authority of another user. This is primarily intended to enable Started Tasks such as a Job Scheduler to submit application Batch IDs. The issue here is whether users should submit work only under their own ID or be allowed to do so with the ID of another user.
RISK Users permitted to submit work with another ID inherit the authority of the other ID, which may exceed their own, and could misuse this authority. This is especially troubling if the other ID has high-level privileges. The identity of the originating user may be lost in the audit trail such that accountability cannot be determined.
INVESTIGATION This can get really ugly. Review the SURROGAT userid.SUBMIT profiles for users with READ or higher access, and remember that such permissions can cascade across users. Review users with the JOBFROM attribute.
REMEDIATION Carefully review the following controls and seek to eliminate access if feasible, especially if the ID to be submitted has high-level authorities.
RACF: SURROGAT userid.SUBMIT profiles and permissions.
ACF2: TYPE(SUR) and JOBFROM
TSS: NOSUBCHK, ACID submit authority, ACIDs with NOPW
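The cascade mentioned under INVESTIGATION is easiest to see as a graph: if APPDEV1 may submit as PRODBAT and PRODBAT may submit as SYSPROG, then APPDEV1 effectively runs work as SYSPROG even though no single permit says so. The script below is an added example, not part of this presentation or of any Vanguard product. It parses constructed RLIST SURROGAT output (profiles named userid.SUBMIT, each with an access list of submitters), builds the submit graph from READ-or-higher entries, and reports for each submitter the chain of permits by which it reaches an ID in the hypothetical PRIVILEGED_IDS set. ACF2 JOBFROM and TSS submit authority would feed the same graph but are not parsed here.

```python
"""Map SURROGAT submit authority and find cascading paths to privileged IDs
(added example; input is constructed RLIST output, not real system data)."""
import re
from collections import deque

# Constructed RLIST SURROGAT * AUTHUSER output. Each profile is userid.SUBMIT;
# every ID in its access list with READ or higher may submit work as userid.
SAMPLE_RLIST = """\
CLASS      NAME
-----      ----
SURROGAT   PRODBAT.SUBMIT

   USER      ACCESS   ACCESS COUNT
   ----      ------   ------ -----
   APPDEV1    READ        000005
   SCHEDSTC   READ        000120

CLASS      NAME
-----      ----
SURROGAT   SYSPROG.SUBMIT

   USER      ACCESS   ACCESS COUNT
   ----      ------   ------ -----
   PRODBAT    READ        000002

CLASS      NAME
-----      ----
SURROGAT   BATCH01.SUBMIT

   USER      ACCESS   ACCESS COUNT
   ----      ------   ------ -----
   SCHEDSTC   READ        000300
"""

# Hypothetical list of IDs with high-level authority (e.g. RACF SPECIAL/OPERATIONS).
PRIVILEGED_IDS = {"SYSPROG"}

ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


def parse_surrogat(text):
    """Return {submitter: {target, ...}} from RLIST output for userid.SUBMIT profiles."""
    graph, target = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"SURROGAT\s+(\S+)\.SUBMIT$", line)
        if m:
            target = m.group(1)
            continue
        m = re.match(r"(\S+)\s+(NONE|EXECUTE|READ|UPDATE|CONTROL|ALTER)\s+\d+$", line)
        if m and target and ACCESS_ORDER.index(m.group(2)) >= ACCESS_ORDER.index("READ"):
            graph.setdefault(m.group(1), set()).add(target)
    return graph


def submit_paths(graph, start):
    """Breadth-first search: every ID `start` can run work as, with the shortest
    chain of SURROGAT permits that gets there. Cascades are followed."""
    paths, queue = {}, deque([[start]])
    while queue:
        path = queue.popleft()
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt not in paths and nxt != start:
                paths[nxt] = path + [nxt]
                queue.append(paths[nxt])
    return paths


def find_escalations(graph, privileged):
    """For each submitter, the chain (if any) by which it reaches a privileged ID."""
    result = {}
    for user in sorted(graph):
        if user in privileged:
            continue
        for target, path in submit_paths(graph, user).items():
            if target in privileged:
                result[user] = path
                break
    return result


if __name__ == "__main__":
    g = parse_surrogat(SAMPLE_RLIST)
    for user, path in find_escalations(g, PRIVILEGED_IDS).items():
        print(f"{user} can submit work as {path[-1]} via {' -> '.join(path)}")
```

On the constructed data the script reports that APPDEV1, PRODBAT and SCHEDSTC can all end up submitting work as SYSPROG, the first and last only through the PRODBAT hop, which is exactly the cascade a profile-by-profile review tends to miss.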
A couple of the more Prevalent z/OS Vulnerabilities
• Obsolete or Invalid APF Definitions
• Human Userids with UID(0)
• LNKAUTH=APFTAB
Obsolete or Invalid APF Definitions
EXPLANATION The APF list specifies the APF-authorized libraries in the z/OS operating system. A program that resides in an APF-authorized library can run authorized.
RISK Obsolete entries (datasets that do not exist on the system) or invalid entries (datasets that are specified by volume but exist on a different volume) in the APF list could potentially be used to compromise the integrity of the system, as any subsequent definition of a matching dataset will then inherit authorization.
INVESTIGATION Using the SDSF APF view, Health Checker or D PROG,APF, find all entries that are invalid because they no longer exist, are specified on the wrong volume, or are specified as SMS-managed but are not on an SMS-managed volume.
REMEDIATION Remove the invalid entries from the APF list. AFAIK, no harm can be caused by removing an invalid entry, but go through change control and testing nonetheless.
Human Userids with UID(0)
EXPLANATION The USS UID (not to be confused with the ACF2 UID) is the Unix identity of a user. On z/OS the UID is maintained in the ESM and associated with the ESM identity. UID(0) is the most powerful of all UIDs and is (almost) always a shared identity with machine IDs.
RISK UID(0) provides root access and allows a user complete control of and access to everything in Unix System Services. They can access everything and they can modify all attributes, start and stop daemons, modify parameters, and change startup settings.
INVESTIGATION
RACF: TSO SR CLASS(USER) UID(0)
ACF2: SHOW OMVS USER(0)
TSS: TSS WHOHAS UID(0)
REMEDIATION With the list of userids with UID(0), identify those that are human users. Then (and this is the tough part) try and figure out what permissions they actually need. If this cannot be determined you can assign FACILITY class BPX.SUPERUSER authority, but it is a lot better to be granular in the assignment of privileges via UNIXPRIV profiles.
The profile for BPX.SUPERUSER must be BPX.SUPERUSER. UNIXPRIV profiles can be found at:
https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.4.0/com.ibm.zos.v2r4.bpxb200/usspriv.htm
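The UID(0) finding above and the earlier non-expiring password finding (IDs with Unchanged Non-Expiring Passwords) can both be checked from one RACF LISTUSER listing with the OMVS segment. The script below is an added example, not part of this presentation or of any Vanguard product. It parses constructed LU output (not real system data): NOINTERVAL shows up as PASS-INTERVAL=N/A, PROTECTED IDs are skipped because they have no password to expire, and the age of each remaining non-expiring password is computed from PASSDATE. The KNOWN_DAEMONS set (the IDs that legitimately hold UID(0), taken from the STARTED class and vendor documentation) and the AUDIT_DATE are hypothetical inputs.

```python
"""Audit RACF LISTUSER output for IDs whose passwords never expire and for
human users holding z/OS UNIX UID(0) (added example on constructed data)."""
import re
from datetime import date, datetime

# Constructed LISTUSER ... OMVS output for four IDs (not real system data).
SAMPLE_LISTUSER = """\
USER=JSMITH NAME=J SMITH OWNER=SECADM CREATED=19.045
 DEFAULT-GROUP=SYSPROG PASSDATE=20.300 PASS-INTERVAL= 90 PHRASEDATE=N/A
 ATTRIBUTES=SPECIAL
OMVS INFORMATION
----------------
UID= 0000000000
HOME= /u/jsmith
PROGRAM= /bin/sh

USER=FTPXFER NAME=FILE TRANSFER OWNER=SECADM CREATED=18.120
 DEFAULT-GROUP=BATCH PASSDATE=18.120 PASS-INTERVAL=N/A PHRASEDATE=N/A
 ATTRIBUTES=NONE
OMVS INFORMATION
----------------
UID= 0000004711
HOME= /u/ftpxfer
PROGRAM= /bin/sh

USER=OMVSKERN NAME=USS KERNEL OWNER=SECADM CREATED=17.010
 DEFAULT-GROUP=OMVSGRP PASSDATE=N/A PASS-INTERVAL=N/A PHRASEDATE=N/A
 ATTRIBUTES=PROTECTED
OMVS INFORMATION
----------------
UID= 0000000000
HOME= /
PROGRAM= /bin/sh

USER=SCHEDSTC NAME=JOB SCHEDULER OWNER=SECADM CREATED=17.010
 DEFAULT-GROUP=STCGRP PASSDATE=N/A PASS-INTERVAL=N/A PHRASEDATE=N/A
 ATTRIBUTES=PROTECTED
"""

# Hypothetical: IDs documented as daemons/started tasks, the only legitimate UID(0) holders.
KNOWN_DAEMONS = {"OMVSKERN"}
# Constructed audit date so the password-age calculation is reproducible.
AUDIT_DATE = date(2020, 11, 15)


def parse_listuser(text):
    """Return {userid: {passdate, interval, attributes, uid}} from LU output."""
    users, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"USER=(\S+)", line)
        if m:
            cur = {"passdate": "N/A", "interval": "N/A", "attributes": set(), "uid": None}
            users[m.group(1)] = cur
            continue
        if cur is None:
            continue
        m = re.search(r"PASSDATE=(\S+)\s+PASS-INTERVAL=\s*(\S+)", line)
        if m:
            cur["passdate"], cur["interval"] = m.group(1), m.group(2)
        m = re.match(r"ATTRIBUTES=(.*)", line)
        if m:
            cur["attributes"].update(m.group(1).split())
        m = re.match(r"UID=\s*(\d+)", line)  # OMVS segment
        if m:
            cur["uid"] = int(m.group(1))
    return users


def racf_date(yy_ddd):
    """Convert a RACF yy.ddd date (e.g. 18.120) to a date object."""
    return datetime.strptime(yy_ddd, "%y.%j").date()


def non_expiring_passwords(users, today=AUDIT_DATE):
    """IDs that still carry a password but have NOINTERVAL (PASS-INTERVAL=N/A),
    with the age in days of that password."""
    out = []
    for userid, u in sorted(users.items()):
        if "PROTECTED" in u["attributes"]:
            continue  # PROTECTED IDs have no password to expire
        if u["interval"] == "N/A":
            age = (today - racf_date(u["passdate"])).days if u["passdate"] != "N/A" else None
            out.append((userid, age))
    return out


def human_uid0(users, known_daemons=KNOWN_DAEMONS):
    """UID(0) holders that are not documented daemons or started tasks."""
    return sorted(uid for uid, u in users.items() if u["uid"] == 0 and uid not in known_daemons)


if __name__ == "__main__":
    parsed = parse_listuser(SAMPLE_LISTUSER)
    for userid, age in non_expiring_passwords(parsed):
        print(f"{userid}: password never expires, unchanged for {age} days")
    for userid in human_uid0(parsed):
        print(f"{userid}: UID(0) assigned to a non-daemon user")
```

On the constructed data FTPXFER is flagged with a password that has not changed in 930 days, while SCHEDSTC and OMVSKERN are not, because they are PROTECTED; JSMITH is the one UID(0) holder outside the daemon list.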
LNKAUTH=APFTAB
EXPLANATION This parameter specifies whether all libraries in the LNKLST concatenation are to be treated as APF-authorized when accessed as part of the concatenation, or whether only those libraries that are named in the APF table are to be treated as APF-authorized.
RISK It is very common for security and operations folks alike to worry about APF-authorized libraries in the APF list and ignore those that inherit authorization from the LNKAUTH setting.
INVESTIGATION LNKAUTH= is specified in the IEASYSxx member. The setting can only be either LNKLST or APFTAB.
If APFTAB, life is good, as only the libraries specified in the APF list are APF-authorized (see FYI).
If LNKLST, this requires a lot of work. What needs APF authorization, and when does it come from LNKLST?
REMEDIATION The best approach is to methodically find all Jobs and STCs that run authorized without a JOBLIB or STEPLIB and, if one uses a module in LNKLST that is not in the APF list, add that dataset to the APF list. (Be mindful of LOGON PROCs as well.)
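The two z/OS checks above (Obsolete or Invalid APF Definitions, and LNKAUTH=APFTAB) both start from the APF list as D PROG,APF displays it. The script below is an added example, not part of this presentation or of any Vanguard product. It parses a constructed D PROG,APF display (the CSV450I layout, with *SMS* as the volume of SMS-managed data sets), classifies each entry as valid, obsolete, wrong-volume or sms-mismatch against a constructed catalog view, reads LNKAUTH from a constructed IEASYSxx fragment, and lists the LNKLST libraries that are authorized only because LNKAUTH=LNKLST, which is the set the remediation says must be added to the APF list (or dropped from LNKLST) before switching to APFTAB. The CATALOG dictionary and SAMPLE_LNKLST list stand in for what LISTCAT and D PROG,LNKLST would show on a real system.

```python
"""Validate the APF list against the catalog and work out which LNKLST
libraries are authorized only because of LNKAUTH=LNKLST (added example on
constructed data, not a real system's configuration)."""
import re

# Constructed D PROG,APF output (layout follows the CSV450I display).
SAMPLE_D_PROG_APF = """\
CSV450I 10.15.22 PROG,APF DISPLAY 123
FORMAT=DYNAMIC
ENTRY VOLUME DSNAME
    1 SYSRES SYS1.LINKLIB
    2 SYSRES SYS1.SVCLIB
    3 *SMS*  SYS1.SIEALNKE
    4 WRK001 OLD.APF.LOADLIB
    5 PRD001 APPL.AUTH.LOAD
    6 *SMS*  APPL.TEST.LOAD
"""

# Constructed catalog view: data set name -> volume it is actually cataloged
# on, with "*SMS*" for SMS-managed data sets. Names missing here are not cataloged.
CATALOG = {
    "SYS1.LINKLIB": "SYSRES",
    "SYS1.SVCLIB": "SYSRES",
    "SYS1.SIEALNKE": "*SMS*",
    "APPL.AUTH.LOAD": "PRD002",   # moved volumes; the APF entry still says PRD001
    "APPL.TEST.LOAD": "WRK001",   # APF entry claims SMS but the data set is not
}

# Constructed IEASYSxx fragment and LNKLST concatenation (as D PROG,LNKLST would list it).
SAMPLE_IEASYS = """\
CLPA,
LNKAUTH=LNKLST,
PROG=(00,01),
"""
SAMPLE_LNKLST = ["SYS1.LINKLIB", "SYS1.SIEALNKE", "SYS1.CSSLIB", "ISP.SISPLOAD"]


def parse_apf_display(text):
    """Return [(volume, dsname), ...] from D PROG,APF output."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+)\s+(\S+)\s*$", line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def classify_apf_entries(entries, catalog):
    """Label each APF entry: valid, obsolete (not cataloged), wrong-volume,
    or sms-mismatch (entry and catalog disagree about SMS management)."""
    result = {}
    for vol, dsn in entries:
        actual = catalog.get(dsn)
        if actual is None:
            result[dsn] = "obsolete"
        elif vol == actual:
            result[dsn] = "valid"
        elif vol == "*SMS*" or actual == "*SMS*":
            result[dsn] = "sms-mismatch"
        else:
            result[dsn] = f"wrong-volume (cataloged on {actual})"
    return result


def parse_lnkauth(ieasys_text):
    """LNKAUTH setting from an IEASYSxx member; LNKLST is the default when it is omitted."""
    m = re.search(r"LNKAUTH=(LNKLST|APFTAB)", ieasys_text)
    return m.group(1) if m else "LNKLST"


def lnklst_only_authorized(lnkauth, apf_entries, lnklst):
    """LNKLST libraries that run authorized without being in the APF table.
    These must be added to the APF list (or removed) before switching to APFTAB."""
    if lnkauth == "APFTAB":
        return set()
    apf_names = {dsn for _, dsn in apf_entries}
    return set(lnklst) - apf_names


if __name__ == "__main__":
    entries = parse_apf_display(SAMPLE_D_PROG_APF)
    for dsn, status in classify_apf_entries(entries, CATALOG).items():
        if status != "valid":
            print(f"APF entry {dsn}: {status}")
    auth = parse_lnkauth(SAMPLE_IEASYS)
    for dsn in sorted(lnklst_only_authorized(auth, entries, SAMPLE_LNKLST)):
        print(f"LNKAUTH={auth}: {dsn} is APF-authorized via LNKLST only")
```

On the constructed data OLD.APF.LOADLIB is obsolete, APPL.AUTH.LOAD is on the wrong volume and APPL.TEST.LOAD is an SMS mismatch, and with LNKAUTH=LNKLST the libraries SYS1.CSSLIB and ISP.SISPLOAD run authorized without appearing anywhere in the APF list.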
Vanguard's Top 10 Critical Assessment Findings in Mainframe Environments
The percentage numbers represent the percentages of environments in which Vanguard has found this configuration error in over 350 environments in the last 10 years.
• SEVERE (needs immediate remediation)
• HIGH (needs plan of remediation for some point in the relatively near future)
• MEDIUM (needs plan of remediation for some point in the future)
• LOW (should be remediated when time and resources permit)
82%* Privileged Users are not MFA enabled – HIGH
77% User IDs with no Password Interval – SEVERE
63% Inappropriate Usage of z/OS UNIX Superuser Privilege, UID = 0 – SEVERE
53% Started Task IDs are not Defined as PROTECTED IDs – HIGH
52% Excessive Access to z/OS UNIX File System Data Sets – HIGH
52% Excessive Access to APF Libraries – SEVERE
52% Excessive Access to the SMF Data Sets – HIGH
51% Sensitive Data Sets with UACC Greater than NONE – HIGH
49% The Active Password Encryption Algorithm is insufficient – SEVERE
47% Started Task IDs and/or Scheduler IDs have too much access – HIGH
* Only looked at over the last 4 years
Please submit your session feedback!
• Do it online at http://conferences.gse.org.uk/2020/feedback/nn
• This session is 1AZ