Note that while the CVSSv2 score for this is considered 'low risk', the immediate follow-up allows for access to an additional host, possibly with administrator privileges.īy default, IBM iSeries has a policy limiting failed logins to three.
Nessus plugin 57849 ( ibmi_cached_password.nasl) can access the registry and decode the password if the scanner is given sufficient privileges to access the registry. This poses security risks as the local administrator may not be authorized to access the iSeries host, and should not be allowed to see a domain administrator's password. Host:, UserID: QSECOFR, Password: more interesting, and scary, part of this is that IBM iAccess for Windows also acquires a copy of the user's Windows password, and stores it in the same insecure manner. windows, UserID: dadmin1, Password: s******e
The following shows a local administrator is enable to see passwords of dadmin1 and QSECOFR: Nessus was able to extract the following cached password(s) for IBM iSeries system(s) :