CVE-2025-36251

IBM · IBM AIX Multiple Products

A critical remote code execution vulnerability has been identified in the IBM AIX and VIOS operating systems.

Executive summary

A critical remote code execution vulnerability has been identified in the IBM AIX and VIOS operating systems. An unauthenticated remote attacker could exploit a flaw in the Network Installation Management (NIM) service to execute arbitrary commands, potentially leading to a complete compromise of the affected system. This vulnerability is a variant of a previously disclosed issue, increasing the likelihood of exploitation.

Vulnerability

The vulnerability exists within the SSL/TLS implementation of the nimsh (NIM Service Handler) service. Due to improper process controls, a remote attacker can send specially crafted data to the nimsh service during the SSL/TLS handshake. This flaw allows the attacker to bypass authentication and security checks, ultimately enabling them to execute arbitrary commands on the target system with the privileges of the nimsh service, which typically runs as root. This is a new attack vector for a vulnerability that was not fully addressed by the patch for CVE-2024-56347.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.6. Successful exploitation would grant an attacker complete control over the affected AIX or VIOS server. This could lead to severe business consequences, including data theft of sensitive corporate or customer information, deployment of ransomware, complete disruption of critical business services running on the server, and the ability for an attacker to pivot and launch further attacks against the internal network. The impact on confidentiality, integrity, and availability is considered high.

Remediation

Immediate Action: Organizations must prioritize the deployment of security patches provided by IBM. System administrators should immediately update all affected IBM AIX and VIOS instances to the latest available version that addresses this vulnerability. After patching, it is crucial to monitor systems for any signs of post-patch exploitation attempts and review historical access logs for indicators of compromise.

Proactive Monitoring:

  • Monitor network traffic to the nimsh service ports (typically TCP/3901 and TCP/3902) for unusual or unauthorized connections from unexpected IP addresses.
  • Review system logs (syslog, auth.log) for any anomalous processes being spawned by the nimsh daemon or suspicious command execution patterns.
  • Implement security information and event management (SIEM) rules to alert on connections to nimsh from external or untrusted network segments.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

  • Use a firewall or access control lists (ACLs) to restrict access to the nimsh service ports, allowing connections only from trusted NIM master servers and management consoles.
  • If the Network Installation Management service is not required on a system, disable the nimsh daemon entirely.
  • Deploy an Intrusion Prevention System (IPS) with signatures capable of detecting and blocking exploit attempts against this vulnerability.
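One way to implement the allow-list check behind the monitoring bullets (unexpected sources hitting TCP/3901 and TCP/3902, a SIEM rule for untrusted segments) and the ACL bullet above, as an added example that is not IBM's code: it parses a constructed firewall flow log, keeps only records destined to the nimsh ports, and flags every source outside an assumed allow-list of NIM master and management-console addresses. The log format, the addresses and the allow-list are assumptions made for this example.

```python
import ipaddress
import re
# nimsh listens on TCP/3901 and TCP/3902 (the ports named in the advisory)
NIMSH_PORTS = {3901, 3902}
# Assumed allow-list (constructed addresses): NIM master plus a console segment
TRUSTED_SOURCES = [ipaddress.ip_network("10.0.5.10/32"),   # NIM master
                   ipaddress.ip_network("10.0.9.0/24")]    # management consoles
# Constructed flow-log shape: <timestamp> <ACCEPT|DROP> TCP <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\S+)\s+TCP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_line(line):
    """Parse one flow record; return None for lines that do not match the shape."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def is_trusted(src):
    """True if src falls inside any allow-listed NIM master / console range."""
    addr = ipaddress.ip_address(src)   # src is digits and dots only (regex above)
    return any(addr in net for net in TRUSTED_SOURCES)

def find_untrusted_nimsh(lines):
    """(ts, src, dst, dport, action) for each nimsh-port connection from outside the
    allow-list. DROP records count too: a blocked attempt is still worth an alert."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in NIMSH_PORTS or is_trusted(rec["src"]):
            continue
        alerts.append((rec["ts"], rec["src"], rec["dst"], rec["dport"], rec["action"]))
    return alerts

# Constructed sample log: two trusted hits, two untrusted, one non-nimsh, one junk line
SAMPLE_LOG = [
    "2025-11-20T10:01:02Z ACCEPT TCP 10.0.5.10:44123 -> 10.0.1.7:3901",
    "2025-11-20T10:01:09Z ACCEPT TCP 10.0.9.25:51000 -> 10.0.1.7:3902",
    "2025-11-20T10:02:33Z ACCEPT TCP 192.0.2.44:60211 -> 10.0.1.7:3901",
    "2025-11-20T10:02:40Z DROP TCP 198.51.100.9:40001 -> 10.0.1.7:3902",
    "2025-11-20T10:03:00Z ACCEPT TCP 192.0.2.44:60212 -> 10.0.1.7:22",
    "malformed entry",
]
if __name__ == "__main__":
    for alert in find_untrusted_nimsh(SAMPLE_LOG):
        print("ALERT nimsh connection from untrusted source:", alert)
```

Feeding the same rule the real ACL's permitted sources turns it into a continuous check that the firewall restriction in the compensating controls is actually holding.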

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.6 and the potential for complete system compromise via remote, unauthenticated access, this vulnerability represents a severe risk to the organization. We strongly recommend that all affected IBM AIX and VIOS systems are patched on an emergency basis. While this CVE is not currently on the CISA KEV list, its high severity and relationship to a previously known vulnerability make it a prime candidate for future inclusion and exploitation. If patching is delayed, the compensating controls listed above should be implemented immediately to mitigate the risk.