In IBM AIX 7.2 and 7.3 and IBM VIOS 3.1 and 4.1, the NIM server (formerly known as NIM master) service (nimesis) could allow a remote attacker to execute arbitrary commands due to improper process controls. This addresses additional attack vectors for a vulnerability that was previously addressed in CVE-2024-56346.
Executing commands or loading libraries from an untrusted source or in an untrusted environment can cause an application to execute malicious commands (and payloads) on behalf of an attacker.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| VIOS | IBM | 3.1.0 (including) | 3.1.0 (including) |
| VIOS | IBM | 4.1.0 (including) | 4.1.0 (including) |
| AIX | IBM | 7.2 (including) | 7.2 (including) |
| AIX | IBM | 7.3 (including) | 7.3 (including) |
Process control vulnerabilities of this kind occur when data enters the application from an untrusted source and that data is used as part of a string representing a command that the application then executes. By executing the command, the application gives an attacker a privilege or capability that the attacker would not otherwise have.