Security Vulnerability Report
CVE-2025-36192 CVSS 6.7 MEDIUM

Published: 2025-12-26 14:15:59
Last Modified: 2026-01-14 21:09:40

Description

IBM System Storage DS8000, in IBM DS8A00 (R10.1) 10.10.106.0, IBM DS8A00 (R10.0) 10.1.3.0 and 10.2.45.0, and IBM DS8900F (R9.4) 89.40.83.0, 89.42.18.0 and 89.44.5.0, could allow a local user with authorized CCW update permissions to delete or corrupt backups due to missing authorization in IBM Safeguarded Copy / GDPS Logical corruption protection mechanisms.

CVSS Details

CVSS Score: 6.7
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:ibm:ds8a00_firmware:10.10.106.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:ibm:ds8a00:10.1:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:ibm:ds8a00_firmware:10.1.3.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:ibm:ds8a00_firmware:10.2.45.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:ibm:ds8a00:10.0:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:ibm:ds8a00_firmware:89.40.83.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:ibm:ds8a00_firmware:89.42.18.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:ibm:ds8a00_firmware:89.44.5.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:ibm:ds8a00:9.4:*:*:*:*:*:*:* - NOT VULNERABLE
IBM DS8A00 (R10.1) < 10.10.106.0
IBM DS8A00 (R10.0) < 10.1.3.0, 10.2.45.0
IBM DS8900F (R9.4) < 89.40.83.0, 89.42.18.0, 89.44.5.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-36192 PoC - IBM DS8000 CCW Authorization Bypass
# This PoC demonstrates the missing authorization check in IBM Safeguarded Copy
# Note: This is a conceptual PoC for authorized security testing only
import sys


class IBM_DS8000_CCWSecurityTest:
    def __init__(self, target_ip, firmware_version):
        self.target_ip = target_ip
        self.firmware_version = firmware_version
        # Label table from the PoC; the simulation below never consults it
        self.ccw_command_codes = {
            0x01: 'Sense',
            0x02: 'Read',
            0x03: 'Write',
            0x04: 'Read Backward',
            0x05: 'Sense ID',
            0x09: 'Read Buffer'
        }

    def check_vulnerability(self):
        """
        Check if the target DS8000 system is vulnerable to CVE-2025-36192
        """
        print(f"[*] Targeting IBM DS8000 at {self.target_ip}")
        print(f"[*] Firmware Version: {self.firmware_version}")
        print("[*] Checking for CVE-2025-36192 vulnerability...")

        # Vulnerable versions check (one entry per firmware CPE listed above)
        vulnerable_versions = [
            '10.10.106.0',  # DS8A00 R10.1
            '10.1.3.0',     # DS8A00 R10.0
            '10.2.45.0',    # DS8A00 R10.0
            '89.40.83.0',   # DS8900F R9.4
            '89.42.18.0',   # DS8900F R9.4
            '89.44.5.0'     # DS8900F R9.4
        ]

        if self.firmware_version in vulnerable_versions:
            print("[+] Target appears to be running a vulnerable firmware version")
            return True
        else:
            print("[-] Target firmware version is not in the known vulnerable list")
            return False

    def test_ccw_authorization(self):
        """
        Test CCW authorization bypass - simulates unauthorized backup operation
        """
        print("\n[*] Testing CCW authorization bypass...")

        # Simulate CCW command with insufficient authorization
        # (built for illustration only; it is never sent anywhere)
        ccw_command = {
            'command_code': 0x09,  # Read Buffer (used for backup inspection)
            'flags': 0x00,
            'data_address': 0x00000000,
            'count': 256
        }

        # Check if CCW update permission exists without proper authorization validation
        ccw_permission_check = self._check_ccw_permission()

        if ccw_permission_check:
            print("[+] CCW update permission detected without proper authorization")
            print("[!] Vulnerability confirmed: Missing authorization check in Safeguarded Copy")
            # Simulate backup deletion attempt
            self._attempt_backup_deletion()
            return True
        else:
            print("[-] CCW permission properly restricted")
            return False

    def _check_ccw_permission(self):
        """Check if current user has CCW update permissions"""
        # In real scenario, this would check actual CCW permissions
        # This is a simplified simulation
        print("[*] Checking CCW update permissions...")
        return True  # Simulating vulnerable state; nothing is read from target_ip

    def _attempt_backup_deletion(self):
        """Simulate unauthorized backup deletion attempt"""
        # Prints only: no connection is opened and no data is touched
        print("[!] Attempting to access Safeguarded Copy backup...")
        print("[!] Bypassing authorization check...")
        print("[!] Deleting/corrupting backup data...")
        print("[+] Backup deletion operation completed (in vulnerable system)")


def main():
    if len(sys.argv) < 3:
        print(f"Usage: python {sys.argv[0]} <target_ip> <firmware_version>")
        # 192.0.2.10 is a documentation-range placeholder address
        print(f"Example: python {sys.argv[0]} 192.0.2.10 10.1.3.0")
        sys.exit(1)

    target_ip = sys.argv[1]
    firmware_version = sys.argv[2]

    tester = IBM_DS8000_CCWSecurityTest(target_ip, firmware_version)

    if tester.check_vulnerability():
        tester.test_ccw_authorization()
    else:
        print("[*] Target may not be vulnerable, manual verification recommended")


if __name__ == "__main__":
    main()
```

References

https://www.ibm.com/support/pages/node/7255039 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-36192", "sourceIdentifier": "[email protected]", "published": "2025-12-26T14:15:58.507", "lastModified": "2026-01-14T21:09:40.390", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM DS8A00( R10.1) 10.10.106.0 and IBM DS8A00 ( R10.0) 10.1.3.010.2.45.0 and IBM DS8900F ( R9.4) 89.40.83.089.42.18.089.44.5.0 IBM System Storage DS8000 could allow a local user with authorized CCW update permissions to delete or corrupt backups due to missing authorization in IBM Safeguarded Copy / GDPS Logical corruption protection mechanisms."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.4, "impactScore": 5.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:ibm:ds8a00_firmware:10.10.106.0:*:*:*:*:*:*:*", "matchCriteriaId": "96C7F2F9-6689-4047-ADE5-3A1535093DE0"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, 
"criteria": "cpe:2.3:h:ibm:ds8a00:10.1:*:*:*:*:*:*:*", "matchCriteriaId": "F9D004FD-95F3-401B-AA6F-A06FA102F563"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:ibm:ds8a00_firmware:10.1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "180A479A-E1D7-4BFE-BD82-11F14400B330"}, {"vulnerable": true, "criteria": "cpe:2.3:o:ibm:ds8a00_firmware:10.2.45.0:*:*:*:*:*:*:*", "matchCriteriaId": "EBF8C49D-40E2-4A58-AA97-89EE82DF0EDC"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:ibm:ds8a00:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "ABE8C07D-7623-4369-8562-C05E4608DB69"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:ibm:ds8a00_firmware:89.40.83.0:*:*:*:*:*:*:*", "matchCriteriaId": "72ECB98D-288D-4AF5-9E5D-A7B830BE9DBD"}, {"vulnerable": true, "criteria": "cpe:2.3:o:ibm:ds8a00_firmware:89.42.18.0:*:*:*:*:*:*:*", "matchCriteriaId": "7503A3BA-6751-4A53-B87C-AD042F12C52B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:ibm:ds8a00_firmware:89.44.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "24C528D3-53AE-4BBB-9863-F99EFE68BD73"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:ibm:ds8a00:9.4:*:*:*:*:*:*:*", "matchCriteriaId": "F6ED1239-B799-41D9-A08C-C18A7CAB93E8"}]}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7255039", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}