T 3.67 Inadequate or incorrect configuration of the z/OS operating system
The configuration of a z/OS operating system is very complex and requires considerable intervention by the system administrator. Incorrect or inadequate definitions quickly create vulnerabilities and the security problems that follow from them.
Authorised programs
Programs that are loaded from an authorised (APF) library and are link-edited with the corresponding authorisation code (AC=1) can run functions with a high level of authorisation. If users manage to authorise their own programs without permission, for example by getting a library they can write to onto the APF list, these programs have nearly the same capabilities as the system programs. It is then possible, for example, to deactivate security barriers in RACF at any time.
System programs
When the z/OS operating system and its components are installed, certain system libraries (partitioned data sets) must be defined so that the operating system can quickly locate the system programs to be run via internal tables. The libraries of these system programs are combined in so-called link lists (LNKLST) and, as a rule, contain programs with a high level of authorisation that run in kernel mode; with the default setting LNKAUTH=LNKLST, every library in the link list is treated as APF authorised. Due to definition errors (or manipulation), other user libraries that were never intended for this purpose can be added to these link lists. The programs in these libraries then also have a high level of authorisation and allow functions to be run that circumvent the security mechanisms.
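The two preceding paragraphs describe the same audit question from two sides: which libraries are APF authorised, explicitly through the APF list or implicitly through the link list? The following script, added here as an example and not part of the catalogue or of any IBM tool, parses the APF and LNKLST statements of a PROGxx parmlib member and flags libraries whose high-level qualifier is not on a site allow-list, as well as link-list libraries that are authorised only implicitly via LNKAUTH=LNKLST. The sample member, the allow-list SYSTEM_HLQS and the data set names in it (USER42.TEST.LOAD, DEVTEAM.COMMON.LOAD) are constructed for the example.

```python
import re

# Constructed PROGxx parmlib member for this example (not from any real system).
# USER42.TEST.LOAD and DEVTEAM.COMMON.LOAD are the deliberately wrong entries.
SAMPLE_PROGXX = """
/* PROGxx -- constructed sample for the audit */
APF FORMAT(DYNAMIC)
APF ADD DSNAME(SYS1.LINKLIB)      VOLUME(SYSRES)
APF ADD DSNAME(SYS1.CSSLIB)       VOLUME(SYSRES)
APF ADD DSNAME(CEE.SCEERUN)       SMS
APF ADD DSNAME(USER42.TEST.LOAD)  VOLUME(USR001)   /* user library, should not be here */
LNKLST DEFINE NAME(LNKLST00)
LNKLST ADD NAME(LNKLST00) DSNAME(SYS1.LINKLIB)
LNKLST ADD NAME(LNKLST00) DSNAME(SYS1.CSSLIB)
LNKLST ADD NAME(LNKLST00) DSNAME(SYS1.MIGLIB)
LNKLST ADD NAME(LNKLST00) DSNAME(DEVTEAM.COMMON.LOAD)
LNKLST ACTIVATE NAME(LNKLST00)
"""

# Assumed allow-list of high-level qualifiers that may hold authorised code.
# Every site has its own list; this one is an assumption for the example.
SYSTEM_HLQS = frozenset({"SYS1", "CEE", "ISP", "ISF", "CBC"})

# PROGxx statements start with one of these keywords; everything up to the
# next statement keyword belongs to the same statement.
STATEMENT_KEYWORDS = {"APF", "LNKLST", "LPA", "EXIT", "SYSLIB", "DEFAULTS", "PAGTABLE"}
TOKEN_RE = re.compile(r"([A-Z0-9$#@._-]+)(?:\(([^)]*)\))?")
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)


def parse_statements(text):
    """Return [{'stmt': 'APF', 'keys': {'ADD': '', 'DSNAME': 'SYS1.LINKLIB', ...}}, ...]."""
    statements, current = [], None
    for word, value in TOKEN_RE.findall(COMMENT_RE.sub(" ", text.upper())):
        if word in STATEMENT_KEYWORDS:
            current = {"stmt": word, "keys": {}}
            statements.append(current)
        elif current is not None:
            current["keys"][word] = value      # verbs such as ADD or SMS carry an empty value
    return statements


def audit_progxx(text, system_hlqs=SYSTEM_HLQS):
    """Return (apf, lnklst, findings) for one PROGxx member.

    apf      : {dsname: volser or 'SMS'}
    lnklst   : {link-list name: [dsname, ...]}
    findings : [(severity, message), ...]
    """
    apf, lnklst, findings = {}, {}, []
    for stmt in parse_statements(text):
        k = stmt["keys"]
        if stmt["stmt"] == "APF" and "ADD" in k:
            dsn = k.get("DSNAME")
            vol = "SMS" if "SMS" in k else k.get("VOLUME")
            if not dsn or not vol:                  # APF ADD needs DSNAME plus VOLUME or SMS
                findings.append(("ERROR", f"APF ADD is incomplete: {k}"))
                continue
            apf[dsn] = vol
            if dsn.split(".")[0] not in system_hlqs:
                findings.append(("HIGH", f"non-system library is APF authorised: {dsn} on {vol}"))
        elif stmt["stmt"] == "LNKLST" and "ADD" in k and "DSNAME" in k:
            lnklst.setdefault(k.get("NAME", "?"), []).append(k["DSNAME"])

    for name, dsns in lnklst.items():
        for dsn in dsns:
            if dsn.split(".")[0] not in system_hlqs:
                findings.append(("HIGH", f"non-system library in link list {name}: {dsn}"))
            if dsn not in apf:
                # With LNKAUTH=LNKLST (the IEASYSxx default) every link-list library is
                # treated as APF authorised although it is missing from the APF list.
                findings.append(("INFO", f"{dsn} in {name} is authorised only implicitly via LNKAUTH=LNKLST"))
    return apf, lnklst, findings


if __name__ == "__main__":
    for severity, message in audit_progxx(SAMPLE_PROGXX)[2]:
        print(f"{severity:5} {message}")
```

On a real system the member is read from SYS1.PARMLIB (or the parmlib concatenation), and the result should be compared with the active state shown by `D PROG,APF` and `D PROG,LNKLST`, because dynamic SETPROG commands can have changed the list after IPL without touching the member.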
Errors when creating system libraries
System libraries that have been created as a PDS (Partitioned Dataset) with a secondary space allocation can cause problems during operation. For reasons of speed, the system places the directory of some system libraries in memory during the initialisation phase and only accesses the library through this in-memory directory when loading a program. If a library grows by a new extent (a dynamically allocated additional area on disk) while software maintenance is applied, the old version of a program may remain active instead of the new one, because the internal directory still points to the old load address. Furthermore, the space occupied by such a file can grow continuously without any controlled limit.
Supervisor calls
Supervisor Calls (SVCs) are calls to special z/OS routines that run with a high level of authorisation in kernel mode (supervisor state). Programs for this mode must be written particularly carefully (IBM publishes guidelines for this purpose). Under certain circumstances, insecurely written SVC routines can be used to circumvent z/OS security mechanisms; after a successful attack, the attacker runs with a high level of authorisation in kernel mode. So-called authorisation SVCs are often still in use today: they consist of only a few instructions and, using MODESET, switch kernel mode on or off for the caller, thereby making it possible to run functions in kernel mode without authorisation.
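The practical first step against leftover authorisation SVCs is an inventory of the installation-defined SVCs. The script below, an added example that is not part of the catalogue or of any IBM product, parses the SVCPARM statements of an IEASVCxx parmlib member and classifies each one: SVC numbers outside the installation range 200 to 255 replace IBM routines and need justification, user SVCs restricted with APF(YES) can only be issued by already authorised callers, and all other user SVCs are reachable from any program and must be reviewed for MODESET-style authorisation shortcuts. The sample member and its entry-point names are constructed; SVC 233 plays the role of the authorisation SVC from the first example at the end of this section.

```python
import re

# Constructed IEASVCxx parmlib member (not from any real system). SVC 233 stands in
# for a typical "authorisation SVC" installed years ago and never removed.
SAMPLE_IEASVCXX = """
/* IEASVCxx -- constructed sample for the audit */
SVCPARM 200,REPLACE,TYPE(3),EPNAME(IGX00200),APF(YES)
SVCPARM 233,REPLACE,TYPE(3),EPNAME(IGX00233)
SVCPARM 245,REPLACE,TYPE(1),EPNAME(IGC245)
SVCPARM 250,DELETE
SVCPARM 109,REPLACE,TYPE(3),EPNAME(IGX00109)
"""

# SVCPARM nnn,REPLACE|DELETE[,KEYWORD(value)...]   one statement per occurrence
SVCPARM_RE = re.compile(r"SVCPARM\s+(\d+)\s*,\s*(REPLACE|DELETE)((?:\s*,\s*[A-Z]+\([^)]*\))*)")
OPTION_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
USER_SVC_RANGE = range(200, 256)   # SVC numbers reserved by IBM for installation use


def parse_ieasvcxx(text):
    """Return [{'svc': 233, 'action': 'REPLACE', 'TYPE': '3', 'EPNAME': 'IGX00233', ...}, ...]."""
    entries = []
    for number, action, options in SVCPARM_RE.findall(COMMENT_RE.sub(" ", text.upper())):
        entry = {"svc": int(number), "action": action}
        entry.update(dict(OPTION_RE.findall(options)))
        entries.append(entry)
    return entries


def audit_ieasvcxx(text):
    """Classify every active SVCPARM statement; returns [(severity, svc number, message), ...]."""
    findings = []
    for e in parse_ieasvcxx(text):
        svc, ep = e["svc"], e.get("EPNAME", "?")
        if e["action"] == "DELETE":
            continue                                 # nothing is installed for this number
        if svc not in USER_SVC_RANGE:
            findings.append(("HIGH", svc, f"replaces IBM SVC {svc} with {ep}; justify against IBM documentation"))
        elif e.get("APF") == "YES":
            findings.append(("INFO", svc, f"user SVC {ep} is limited to APF-authorised callers"))
        else:
            findings.append(("MEDIUM", svc, f"user SVC {ep} is callable from any program; review it for MODESET-style authorisation shortcuts"))
    return findings


if __name__ == "__main__":
    for severity, svc, message in audit_ieasvcxx(SAMPLE_IEASVCXX):
        print(f"{severity:6} SVC {svc:3}: {message}")
```

The parmlib member shows the intended state only; the SVC table of the running system should be compared against it (the installed entry points are visible in the SVC table from a dump or with a tool that reads it), since an SVC can also be installed dynamically after IPL.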
TSO commands
Time Sharing Option (TSO) commands normally run in application mode (with normal user privileges), i.e. they have no special privileges. However, z/OS has commands that need a high level of authorisation to carry out their functions (or subfunctions); they must be listed in the authorised command table (AUTHCMD in the IKJTSOxx parmlib member). Commands that lack the authorisation needed for their processing produce errors during operation. On the other hand, authorising commands without control weakens security.
Restricted utilities
IBM and other software manufacturers provide additional utilities together with the operating system components. These programs perform various processing actions such as copying files or creating catalogues (the z/OS file directory used to manage files). Most of these utilities only require normal user privileges. Some, however, need a high level of system authorisation to carry out their functions. If these utilities are not correctly defined, they may not function properly; if they are not adequately protected (for example through program control in RACF), they may be misused by unauthorised employees, and the integrity of the z/OS system may be compromised.
z/OS commands under SDSF (System Display and Search Facility)
SDSF enables the user to view the output of batch jobs, the system log and other system status displays in a JES2 system and, in addition, to enter MVS and JES2 commands. If no or only inadequate safeguards are in place, an SDSF user can, under certain circumstances, manipulate the system, for example by terminating batch jobs, stopping or starting initiators or even changing system configurations. Furthermore, the user may be able to view all system messages in the syslog and all job logs (which may include customer data).
Extended MCS support
In addition to MCS (Multiple Console Support) consoles, z/OS supports extended MCS (EMCS) consoles. Such a console is an interface over which commands can be passed to MVS (JES2/3) and messages can be received from MVS. Extended MCS consoles are available in TSO, NetView and applications such as CICS. If appropriate protective definitions are not made, commands can be issued under certain circumstances that seriously compromise the integrity of the system.
Examples:
- In the past, an authorisation SVC was used on an OS/390 system so that specific TSO/ISPF functions could run in authorised mode (kernel mode). Although this vulnerability had been known for some time, the SVC was carried over into later z/OS environments and remained available to every user.
- For historical reasons, a z/OS system was operated with many user IDs holding the RACF attribute OPERATIONS. Users with this attribute could read and modify almost all files, so the integrity of the data on this z/OS system could only be ensured to a limited extent.
- In a z/OS system, SDSF for JES2 was made available without any protection. After only a short time, employees had discovered how to raise the priority of their own batch jobs so that they were processed faster. Control and efficient utilisation of the system were no longer possible.
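The SDSF paragraph above and this last example both come down to missing SAF definitions. The following RACF commands, added here as an example and not part of the catalogue, show one way to close those gaps: the SDSF class controls which panels, "/" commands and overtypable fields a user may use, the OPERCMDS class re-checks the MVS and JES2 commands SDSF issues on the user's behalf, and the JESSPOOL class limits spool browsing to a user's own output. OPERGRP and SYSPROG are assumed RACF group names, JES2 is the assumed subsystem name and NODE1 the assumed local JES2 node; the lines between `/*` and `*/` are annotations, not commands.

```tso
/* Added example of SAF protection for SDSF; not from the catalogue.       */
/* Assumptions: groups OPERGRP and SYSPROG, subsystem JES2, node NODE1.    */

/* Classes SDSF consults; generic profiles must be enabled before use.    */
SETROPTS GENERIC(SDSF OPERCMDS JESSPOOL)
SETROPTS CLASSACT(SDSF OPERCMDS JESSPOOL) RACLIST(SDSF OPERCMDS)

/* The "/" command line (MVS and JES2 commands from SDSF): operators only. */
RDEFINE SDSF ISFOPER.SYSTEM UACC(NONE)
PERMIT ISFOPER.SYSTEM CLASS(SDSF) ID(OPERGRP SYSPROG) ACCESS(READ)

/* LOG panel (syslog) and INIT panel (initiators): not for general users.  */
RDEFINE SDSF ISFCMD.ODSP.SYSLOG.JES2 UACC(NONE)
PERMIT ISFCMD.ODSP.SYSLOG.JES2 CLASS(SDSF) ID(OPERGRP SYSPROG) ACCESS(READ)
RDEFINE SDSF ISFCMD.ODSP.INITIATOR.JES2 UACC(NONE)
PERMIT ISFCMD.ODSP.INITIATOR.JES2 CLASS(SDSF) ID(OPERGRP) ACCESS(READ)

/* Overtyping a job's priority, the manipulation from the third example.   */
RDEFINE SDSF ISFATTR.JOB.PRTY UACC(NONE)
PERMIT ISFATTR.JOB.PRTY CLASS(SDSF) ID(OPERGRP) ACCESS(UPDATE)

/* Action characters and "/" commands are re-checked as operator commands, */
/* so the OPERCMDS class must be locked down as well.                      */
RDEFINE OPERCMDS MVS.** UACC(NONE)
RDEFINE OPERCMDS JES2.** UACC(NONE)
PERMIT MVS.**  CLASS(OPERCMDS) ID(OPERGRP) ACCESS(CONTROL)
PERMIT JES2.** CLASS(OPERCMDS) ID(OPERGRP) ACCESS(CONTROL)

/* Spool output: profile names are node.userid.jobname.jobid.dsid.dsname.  */
/* &RACUID only matches when the requester is the owning user, so the     */
/* UACC on that profile grants owners access to their own output only.    */
RDEFINE JESSPOOL NODE1.** UACC(NONE)
RDEFINE JESSPOOL NODE1.&RACUID.** UACC(ALTER)
PERMIT NODE1.** CLASS(JESSPOOL) ID(OPERGRP SYSPROG) ACCESS(READ)

SETROPTS RACLIST(SDSF OPERCMDS) REFRESH
```

SDSF accepts its authorisation either from ISFPARMS group definitions or from SAF; the SAF route shown here is the one that keeps the rules in RACF where they can be audited with the rest of the system. CONTROL for the operator group on MVS.** and JES2.** is deliberately generous because individual operator commands require READ, UPDATE or CONTROL; a tighter setup defines per-command profiles such as MVS.CANCEL.** with the access level each command needs.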