
Common Holes and a Deep Dive into the Top Prevalent Vulnerabilities that Impact z/OS and all ESMs

Brian Marshall

President, Vanguard Integrity Professionals

November 2020

Session nn


GSE UK Conference 2020 Charity

• The GSE UK Region team hope that you find this presentation and others that follow useful and help to expand your knowledge of z Systems.

• Please consider showing your appreciation by kindly donating a small sum to our charity this year, NHS Charities Together. Follow the link below or scan the QR Code:

http://uk.virginmoneygiving.com/GuideShareEuropeUKRegion

Why Be Concerned

• How important is the z/OS mainframe's data and services to your organization?

• How would your organization be affected if data on the mainframe was ...

  • Stolen or publicly disclosed

  • Inappropriately modified

  • Deleted

  • Rendered unavailable because the operation of the system was disrupted

• Working in conjunction with z/OS and installed system software products (e.g., CICS), RACF, ACF2, and Top Secret can help guard against bad outcomes by preventing users from accessing data and software functions they are not supposed to use if they are fully and properly implemented.

Some Top Data Breaches

• Equifax: $575 to 700 Million

• TARGET: $300 – $600 Million

• British Airways: $230 million

• Uber: $148 million

• Marriott International: $124 million

• Yahoo: $85 million

• Tesco Bank: $21 million

• Target: $18.5 million

• Anthem: $16 million

• 1&1 Telecom: $10.6 million

• Google: $7.5 million

• The University of Texas MD Anderson Cancer Center: $4.3 million

• Fresenius Medical Care North America: $3.5 million

• Cottage Health, Touchstone Medical Imaging, and University of Rochester Medical Center (URMC): $3 million each

• Jackson Health System: $2.15 million

It Doesn’t End Here

• While financial penalties have their place, there are also a range of tools regulators have at their disposal under the GDPR that can be used in conjunction with fines. These include issuing assessment notices, where the regulator can assess whether processing is compliant, and enforcement notices, where the regulator can order a company to take steps to remedy any failure to comply.

Source: complianceweek.com

Source: csoonline.com

Some of the more Prevalent ESM Vulnerabilities

• Excessive Access to APF Libraries

• Privileged Users are not MFA authenticated

• Weak Password Encryption Algorithm

• Started Task and Batch IDs with Excessive Access Authority

• Sensitive Datasets Profiles with Default Access greater than NONE

• Excessive Assignment of z/OS UNIX Superuser Privileges

• IDs with Unchanged Non-Expiring Passwords

• Inappropriate Authority to Submit Work using Another User's ID

Excessive Access to APF Libraries

EXPLANATION: Authorized Program Facility (APF) libraries are an integral part of the z/OS architecture for maintaining the integrity of the z/OS operating system environment. Libraries designated as APF allow programs to execute with the authority of z/OS itself, so the ability to modify these libraries must be strictly controlled.

RISK: UPDATE or higher access to an APF library can allow an individual to implement an APF-authorized program which can bypass security controls and execute privileged instructions.

INVESTIGATION: Using either LIST commands or reports from any administrative product, review the users that have access greater than READ and ensure they belong in the access list.

REMEDIATION: RACF profiles, ACF2 rules and TSS permits need to be defined closely matching the full dataset name for all APF-authorized libraries, including LNKLST (if LNKAUTH=APFTAB) and LPA datasets. Additionally, success logging at UPDATE or WRITE and above must be implemented. Keep in mind that implied access, access granted by only issuing warning(s), global access, and access via exits can all be problematic. IT TAKES only ONE!

Also consider high-level authorities (e.g., RACF OPERATIONS, ACF2 NON-CNCL, Top Secret NODSNCHK) that can bypass normal dataset protections.

A process for quickly discovering and locking down new APF libraries is essential.

Privileged Users are not MFA Authenticated

EXPLANATION: Privileged users on the mainframe are the ones that have the most authority and access, such as Security Administrators and Systems Programmers who are authorized to update APF libraries. Their logon credentials require the highest level of authentication protection.

RISK: A single userid/password of a privileged user that is stolen or hacked will leave your entire system vulnerable. Stolen fixed-value credentials are simply the fastest and easiest way to gain system authority.

INVESTIGATION: Review privileged users' logons and ensure that they are required to use MFA authentication. There are so many methods and providers of MFA that this really cannot be automated.

REMEDIATION: MFA implementation for privileged users is rapidly becoming a must-do. Simply providing MFA at the network external entry point is not sufficient. Ideally, this should be rolled out to all users. MFA products are available from all the ESM vendors and third-party add-on product vendors.

Weak Password Encryption Algorithm

EXPLANATION: Strong password encryption is necessary to thwart attempts to discover passwords using brute-force password cracking attacks.

RISK: Identities that authenticate using simple USERID/PASSWORD combinations are inherently dangerous when a poor password encryption algorithm is implemented. Any user with access to a copy of the ESM's database could potentially decrypt passwords for IDs belonging to privileged users and then use those IDs to launch a mainframe attack.

INVESTIGATION: SETROPTS LIST (RACF), SET C(GSO) then SHOW ACF (ACF2), or TSS MODIFY STATUS (TSS), and review the reports.

REMEDIATION:

RACF: Set the PASSWORD ENCRYPTION algorithm to KDFAES (SETROPTS command)

ACF2: Set GSO option PWDENCT(AES2) – CHANGE PSWD REP PSWDENCT(AES2)

TSS: AES_ENCRYPTION and AESENC() affect this. One needs the other. Use TSSEXTEND to convert the security file for AES_ENCRYPTION.

Sensitive Datasets with Default Access greater than NONE

EXPLANATION: Sensitive datasets are those containing security and control information, proprietary information, and PII, PHI, PCI, and FRCA data whose confidentiality must be protected as mandated by legal and regulatory requirements.

RISK: Weak default access could allow inappropriate disclosure of sensitive data. Disclosure of such data could adversely affect the organization and its employees, customers, suppliers, and business partners.

INVESTIGATION: The tough part here is identifying what is sensitive and how it is accessible. Once you have that, look at each profile. Also keep in mind that you should be looking to use pervasive en

REMEDIATION: Remediation begins with identifying the datasets where sensitive data is kept and then removing default access. Default access is defined in:

RACF: Universal Access (UACC) profile settings, ID(*) permissions, and Global Access Table entries

ACF2: Dataset rules

TSS: TSS ALL record
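An added example (not from the presentation or from Vanguard) covering the two RACF review steps described on the APF-library slide and this slide: it parses a constructed LISTDSD-style listing and flags UACC or ID(*) above NONE, profiles in WARNING mode, and users with more than READ on a dataset you have designated as an APF library. The dataset names, owners and user IDs are invented, and the column layout is assumed to be the one shown in the sample.

```python
ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]  # low to high
def parse_listdsd(text):
    """Parse LISTDSD-style output into dicts: dsn, uacc, warning, acl {id: access}."""
    profiles, cur, section = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("INFORMATION FOR DATASET"):
            cur = {"dsn": line.split()[-1], "uacc": "NONE", "warning": "NO", "acl": {}}
            profiles.append(cur)
            section = None
        elif not line:
            section = None                  # a blank line ends the current section
        elif cur is None or line.startswith("-"):
            continue                        # skip text before the first profile and ruler lines
        elif line.startswith("LEVEL") and "UNIVERSAL ACCESS" in line:
            section = "uacc"                # next line: LEVEL OWNER UACC WARNING ERASE
        elif line.split()[:2] == ["ID", "ACCESS"]:
            section = "acl"                 # following lines: ID ACCESS
        elif section == "uacc":
            _, _, cur["uacc"], cur["warning"], *_ = line.split()
            section = None
        elif section == "acl":
            user, access = line.split()[:2]
            cur["acl"][user] = access
    return profiles

def audit(profiles, apf_libraries):
    """Return (dsn, finding) pairs a reviewer should look at."""
    rank, out = ACCESS_ORDER.index, []
    for p in profiles:
        dsn = p["dsn"]
        for label, level in (("UACC", p["uacc"]), ("ID(*)", p["acl"].get("*", "NONE"))):
            if rank(level) > rank("NONE"):  # default access must be NONE
                out.append((dsn, f"{label} is {level}; default access should be NONE"))
        if p["warning"] == "YES":
            out.append((dsn, "WARNING mode: violations are logged but access is allowed"))
        if dsn in apf_libraries:            # on an APF library anything above READ needs justification
            for user, access in p["acl"].items():
                if user != "*" and rank(access) > rank("READ"):
                    out.append((dsn, f"{user} has {access} on an APF library; confirm it belongs"))
    return out
# Constructed sample in the style of LISTDSD AUTHUSER output (not from a real system).
SAMPLE = """INFORMATION FOR DATASET SYS1.LINKLIB
LEVEL  OWNER    UNIVERSAL ACCESS  WARNING  ERASE
 00    SYS1          READ           NO      NO
   ID     ACCESS
SYSPROG   ALTER
APPDEV    UPDATE
*         READ
INFORMATION FOR DATASET PROD.PAYROLL.DATA
LEVEL  OWNER    UNIVERSAL ACCESS  WARNING  ERASE
 00    PAYADM        NONE          YES     NO
   ID     ACCESS
*         READ
"""
APF_LIBRARIES = {"SYS1.LINKLIB"}   # constructed; take the real list from D PROG,APF
```

Run `audit(parse_listdsd(SAMPLE), APF_LIBRARIES)` against a listing exported from your own system; each finding names the profile and the condition the slide tells you to remove or justify.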

Started Task and Batch IDs with Excessive Access Authority

EXPLANATION: The principle of "least necessary privilege" is just as applicable to Started Task and Batch IDs as it is to users, if not more so. A Started Task or Batch ID should only be able to do that which it is designed and intended to do, and its authority should be subject to oversight by security and auditing.

RISK: Excessive access can lead to sloppy software configuration and design practices, innocent but inappropriate access to sensitive data, and intentional misuse to gain unauthorized access.

INVESTIGATION: Identify your started task users (the STARTED class in RACF; ACF2 uses the STARTED TASK list, then the LID, and then the default; TSS uses ACIDs with FACILITY(STC)), then ensure those users do not have access beyond what they need.

REMEDIATION: First and foremost, ensure Started Tasks and Batch Jobs are assigned unique IDs. While it is not unreasonable for a set of like Started Tasks to share an ID, or for a particular Batch ID to be assigned to all the jobs for a specific application, sharing IDs beyond that should be forbidden.

It is best to permit access directly to these unique IDs. Using groups is only appropriate for sets of like IDs. Do not mix Started Task and Batch IDs with users. Assign access only as necessary.

Avoid the use of high-privileged authorities unless they are vendor-specified:

RACF: OPERATIONS, and for Started Tasks, TRUSTED and PRIVILEGED

ACF2: NON-CNCL or SECURITY with NORSRCVLD and/or NORULEVLD

TSS: PERMIT of MODE(DORM) or NODSNCHK, NOVOLCHK, NORESCHK

Excessive Assignment of z/OS UNIX Superuser Privileges

EXPLANATION: User IDs with z/OS UNIX Superuser authority (a.k.a. root or UID 0) have full authority to access and administer security for all UNIX directories and files.

RISK: Superusers can accidentally or maliciously damage or disclose sensitive data residing in the UNIX file system, or disrupt UNIX processes critical to z/OS operations and network connectivity.

INVESTIGATION: Review access for FACILITY class and UNIXPRIV resources. Review UID(0) and ensure no human users have it.

REMEDIATION: Assign UID(0) only to daemons (not users), and only if specified by vendor documentation. If available as an option, substitute access to FACILITY / IBMFAC BPX.SUPERUSER.

Permit access to BPX.SUPERUSER to the Tech Support staff responsible for maintaining z/OS UNIX.

Permit access to BPX resources and UNIXPRIV resources as a substitute for full Superuser authority wherever feasible.

Implement FSACCESS controls to restrict Superuser access to file systems with sensitive data.

IDs with Unchanged Non-Expiring Passwords

EXPLANATION: Process IDs with non-expiring passwords are often needed for tasks such as file transfers between systems. These passwords are known to system administrators. IDs with the following settings have non-expiring passwords:

RACF: NOINTERVAL

ACF2: LID MAXDAYS and LIDZMAX, and the GSO PSWDMAX

TSS: Control Option PWEXP and the ACID password expiration date and interval

RISK: Process IDs with known passwords could be used inappropriately, either maliciously or for an unintended purpose.

INVESTIGATION: LU * (RACF), SET LID then LIST LIKE(-) (ACF2), and TSS LIST(ACIDS) DATA(PW) (TSS); review the expiration dates and intervals.

REMEDIATION: Document the intended use of each process ID and where its password is maintained. Change the passwords for such IDs on a regular basis and whenever there is a change of system administrator.

Restrict the access of these process IDs based on least necessary privilege. If possible, limit them to logging on only from the intended source.

In the case of RACF, use PROTECTED in lieu of passwords when feasible.

Inappropriate Authority to Submit Work using Another User's ID

EXPLANATION: Each of the ESMs has features to enable a user to submit work, specifically batch jobs, under the authority of another user. This is primarily intended to enable Started Tasks such as a Job Scheduler to submit application Batch IDs. The issue here is whether users should submit work only under their own ID or be allowed to do so with the ID of another user.

RISK: Users permitted to submit work with another ID inherit the authority of the other ID, which may exceed their own, and could misuse this authority. This is especially troubling if the other ID has high-level privileges. The identity of the originating user may be lost in the audit trail, such that accountability cannot be determined.

INVESTIGATION: This can get really ugly. Review the SURROGAT userid.SUBMIT profiles for users with READ or higher access, and remember that these permissions can cascade across users. Review users with the JOBFROM attribute.

REMEDIATION: Carefully review the following controls and seek to eliminate access if feasible, especially if the ID to be submitted has high-level authorities.

RACF: SURROGAT userid.SUBMIT profiles and permissions.

ACF2: TYPE(SUR) and JOBFROM

TSS: NOSUBCHK, ACID submit authority, ACIDs with NOPW

A couple of the more Prevalent z/OS Vulnerabilities

• Obsolete or Invalid APF Definitions

• Human Userids with UID(0)

• LNKAUTH=APFTAB

Obsolete or Invalid APF Definitions

EXPLANATION: The APF list specifies the APF-authorized libraries in the z/OS operating system. A program that resides in an APF-authorized library can run authorized.

RISK: Obsolete entries (datasets that do not exist on the system) or invalid entries (datasets that exist but are specified by volume and reside on a different volume) in the APF list could potentially be used to compromise the integrity of the system, as any subsequent definition of a matching dataset will then inherit authorization.

INVESTIGATION: Using the SDSF APF view, Health Checker or D PROG,APF, find all entries that are invalid because the dataset no longer exists, is specified on the wrong volume, or is specified as SMS-managed but is not on an SMS-managed volume.

REMEDIATION: Remove the invalid entries from the APF list. AFAIK, no harm can be caused by removing an invalid entry, but go through change control and testing nonetheless.
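The three invalid-entry cases above as an added, offline check (not from the presentation or from Vanguard): a D PROG,APF-style listing is parsed and compared against a catalog extract. Both inputs are constructed samples, the message and column layout are assumed, and the dataset names and volume serials are invented.

```python
# Constructed catalog extract: dataset name -> (volume serial, SMS-managed?).  On a real
# system this comes from LISTCAT output; these names and volumes are invented.
CATALOG = {
    "SYS1.LINKLIB": ("SYSRES", False),
    "SYS1.SIEALNKE": ("SMS001", True),
    "PROD.APP.LOAD": ("PRD002", False),    # catalogued on PRD002, APF list says PRD001
    "TEST.TOOLS.LOAD": ("TST001", False),  # not SMS-managed, but APF list says *SMS*
}

# Constructed listing in the style of D PROG,APF output; the layout is assumed.
APF_DISPLAY = """CSV450I 10.05.34 PROG,APF DISPLAY 587
FORMAT=DYNAMIC
ENTRY VOLUME DSNAME
   1  SYSRES SYS1.LINKLIB
   2  *SMS*  SYS1.SIEALNKE
   3  PRD001 PROD.APP.LOAD
   4  VND001 VEND.OLD.LOAD
   5  *SMS*  TEST.TOOLS.LOAD
"""

def parse_apf_display(text):
    """Return [(entry, volume, dsname)] from the ENTRY/VOLUME/DSNAME table of the listing."""
    entries, in_table = [], False
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens[:3] == ["ENTRY", "VOLUME", "DSNAME"]:
            in_table = True
        elif in_table and len(tokens) == 3 and tokens[0].isdigit():
            entries.append((int(tokens[0]), tokens[1], tokens[2]))
    return entries

def find_invalid_apf_entries(entries, catalog):
    """Flag obsolete entries, wrong-volume entries, and *SMS* entries for non-SMS datasets."""
    problems = []
    for entry, volume, dsn in entries:
        if dsn not in catalog:
            problems.append((entry, dsn, "OBSOLETE: dataset does not exist; any new dataset "
                                         "with this name would inherit APF authorization"))
            continue
        cat_vol, sms_managed = catalog[dsn]
        if volume == "*SMS*" and not sms_managed:
            problems.append((entry, dsn, f"INVALID: listed as SMS-managed but catalogued on {cat_vol}"))
        elif volume != "*SMS*" and volume != cat_vol:
            problems.append((entry, dsn, f"INVALID: listed on {volume} but catalogued on {cat_vol}"))
    return problems

if __name__ == "__main__":
    for entry, dsn, problem in find_invalid_apf_entries(parse_apf_display(APF_DISPLAY), CATALOG):
        print(f"entry {entry:>3} {dsn:<18} {problem}")
```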

[Screenshot: SDSF APF View of INVALID APF entries]

[Screenshot: IBM Health Check of INVALID APF entries]

Human Userids with UID(0)

EXPLANATION: The USS UID (not to be confused with the ACF2 UID) is the UNIX identity of a user. On z/OS the UID is maintained in the ESM and associated with the ESM identity. UID(0) is the most powerful of all UIDs and is (almost) always a shared identity with machine IDs.

RISK: UID(0) provides root access and allows a user complete control of, and access to, everything in UNIX System Services. They can access everything, and they can modify all attributes, start and stop daemons, modify parameters, and change startup settings.

INVESTIGATION:

RACF: TSO SR CLASS(USER) UID(0)

ACF2: SHOW OMVS USER(0)

TSS: TSS WHOHAS UID(0)

REMEDIATION: With the list of userids with UID(0), identify those that are human users. Then (and this is the tough part) try to figure out what permissions they actually need. If this cannot be determined you can assign FACILITY class BPX.SUPERUSER authority, but it is a lot better to be granular in the assignment of privileges via UNIXPRIV profiles.

The profile for BPX.SUPERUSER must be named exactly BPX.SUPERUSER. UNIXPRIV profiles can be found at:

https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.4.0/com.ibm.zos.v2r4.bpxb200/usspriv.htm

LNKAUTH=APFTAB

EXPLANATION: This parameter specifies whether all libraries in the LNKLST concatenation are to be treated as APF-authorized when accessed as part of the concatenation, or whether only those libraries that are named in the APF table are to be treated as APF-authorized.

RISK: It is very common for security and operations folks alike to worry about APF-authorized libraries in the APF list and ignore those that inherit authorization from the LNKAUTH setting.

INVESTIGATION: LNKAUTH= is specified in the IEASYSxx member. The setting can only be either LNKLST or APFTAB. If APFTAB, life is good, as only the libraries specified in the APF list are APF-authorized (see FYI). If LNKLST, this requires a lot of work: what needs APF authorization, and when does it come from LNKLST?

REMEDIATION: The best approach is to methodically find all jobs and STCs that run authorized without a JOBLIB or STEPLIB, and if one uses a module in LNKLST that is not in the APF list, add that dataset to the APF list. (Be mindful of LOGON PROCs as well.)


Vanguard's Top 10 Critical Assessment Findings in Mainframe Environments

The percentage numbers represent the percentages of environments in which Vanguard has found this configuration error in over 350 environments in the last 10 years.

Severity scale:

SEVERE (needs immediate remediation)

HIGH (needs plan of remediation for some point in the relatively near future)

MEDIUM (needs plan of remediation for some point in the future)

LOW (should be remediated when time and resources permit)

82%* Privileged Users are not MFA enabled – HIGH

77% User IDs with no Password Interval – SEVERE

63% Inappropriate Usage of z/OS UNIX Superuser Privilege, UID = 0 – SEVERE

53% Started Task IDs are not Defined as PROTECTED IDs – HIGH

52% Excessive Access to z/OS UNIX File System Data Sets – HIGH

52% Excessive Access to APF Libraries – SEVERE

52% Excessive Access to the SMF Data Sets – HIGH

51% Sensitive Data Sets with UACC Greater than NONE – HIGH

49% The Active Password Encryption Algorithm is insufficient – SEVERE

47% Started Task IDs and/or Scheduler IDs have too much access – HIGH

* Only looked at over the last 4 years

All Installations Have Issues!

You are not alone

Please submit your session feedback!

• Do it online at http://conferences.gse.org.uk/2020/feedback/nn

• This session is 1AZ


Reminder - GSE UK Conference 2020 Charity

• The GSE UK Region team hope that you find this presentation and others that follow useful and help to expand your knowledge of z Systems.

• Please consider showing your appreciation by kindly donating a small sum to our charity this year, NHS Charities Together. Follow the link below or scan the QR Code:

http://uk.virginmoneygiving.com/GuideShareEuropeUKRegion