Mainframes are a critical component of the IT infrastructure in many industries, powering high-volume transaction processing with high reliability and numerous security mechanisms. Banks, airlines, hotels and insurance companies all rely on mainframes for handling the transactions associated with bank transfers, credit card purchases, creating reservations and processing insurance claims.
Like any computer system, a mainframe can be misconfigured despite its advanced security features. Due to the importance of the information these machines handle, it is imperative that the security of mainframes is assessed by penetration testers regularly and with care. Each mainframe is specially tailored to fit a particular use case, so it can take time for a penetration tester to gain an understanding of the environment they are evaluating. After the initial reconnaissance phase, the tester will search for vulnerabilities and misconfigurations in the software and applications running on the mainframe.
There are several penetration testing tools available for mainframes, but these are standalone scripts, not part of a multi-functional tool. A tester must spend time determining which scripts are appropriate to run and where to find the scripts that will work best in their environment. To address this gap, Elizabeth Christensen and I, both interns for IBM X-Force Red, developed m-RAY, an automated vulnerability scanner for IBM mainframes running the z/OS operating system. It is intended to aid penetration testers in the initial stages of their engagement by identifying common misconfigurations and vulnerabilities. Using this tool, testers reduce the hours spent manually running commands and performing reconnaissance, increasing the amount of time they can spend following up on potential attack paths or pivot points and identifying issues before an adversary can.
m-RAY was designed as an easily extensible framework that checks for vulnerabilities in the configurations of various services and simplifies the process of running scripts in a z/OS environment. Because of the customized nature of mainframes, testers can configure which features they would like to use to best suit the environment they are working in.
The list of misconfigurations to check for was compiled from the z/OS RACF Security Technical Implementation Guide (STIG). STIGs are configuration requirements used by the Department of Defense to secure their systems and are based on recommendations from NIST. Whether a company is required to comply with these requirements or not, STIGs provide a source of industry best practices for various software products and form the basis of this security tool. The team identified the top 25 misconfigurations that would provide the greatest value to a tester, and that would be most important for clients to be aware of, then implemented these as vulnerability checks.
For example, m-RAY checks whether user permission levels align in the Unix and TSO environments, whether SSH is configured to use secure cryptographic algorithms and whether inactive accounts are automatically revoked. Currently, m-RAY provides information about mainframe misconfigurations in the Unix System Services environment and in RACF, the security software that handles user access control on z/OS. Some checks provide a definitive answer on whether a certain misconfiguration is present on the system, while others provide system information such as a list of user accounts that can access a given resource. A penetration tester can then work with the client to determine whether that access is properly restricted.
In addition to checking system configurations, another goal of m-RAY is to consolidate the features of existing mainframe tooling. These enumeration tools are often written in REXX, a mainframe scripting language. To use one of these scripts during a penetration test, the tester must find the open-source tool, download it to their computer, upload it from there to the mainframe, run it and interpret the results. To streamline this procedure, m-RAY includes the two most popular open-source REXX scripts and automates the process of uploading and running the script, as well as cleaning up the environment afterward. Testers can also add their own custom REXX scripts to the tool.
Overall, by using m-RAY, a penetration tester can automate many of the vulnerability checks that they would otherwise need to perform manually and can reduce the time spent getting an initial overview of the system.
There are multiple ways to interact with a modern mainframe. The traditional method is TSO, which allows users to connect to an interactive session and issue commands. This usually involves the use of a specialized terminal emulator that operates over the IBM 3270 protocol. Most modern mainframes also run SSH, a remote connectivity protocol that can operate across all platforms. This provides a way to issue both TSO and UNIX commands and automate actions as part of a script. m-RAY operates over an SSH connection to the mainframe to take advantage of the additional functionality SSH provides and to avoid platform-specific dependencies.
SSH on the mainframe uses Unix System Services, a feature of z/OS that allows it to run programs written for Unix systems. Using this protocol, m-RAY sets up a connection to the mainframe and runs commands to gather information to perform misconfiguration checks. SCP is used to securely copy REXX scripts to the mainframe. Authentication can be performed through either a password or a key pair to accommodate different system configurations.
The main application provides a command line user interface, sets up connections and begins checking for vulnerabilities. The penetration tester enters the IP address of the mainframe, selects the types of misconfigurations to check for and enters a set of low-level credentials. Then, a connection is initiated between m-RAY and the mainframe that ensures the ability to send commands and receive results from the system.
Vulnerability checks are divided into three categories: Unix System Services checks, checks through TSO and general reconnaissance. After selecting one of these categories, a tester has the option to run all checks or configure which ones they would like to run. After gathering the results of a scan, m-RAY produces a report of findings and some system information that can provide direction for the penetration tester as they progress through their engagement. Running a REXX script works similarly. After selecting the scripts option, a tester can select which ones they would like to execute.
The most important part of this application design is its modularity. As security best practices evolve over time, it will be necessary to add checks for new misconfigurations and modify existing ones. New checks and scripts can be added by modifying an included template and only require knowing which commands need to be run to gather the relevant information. If a penetration tester wants to add a new check that involves running a TSO command, they do not need to know how to set up a connection to the mainframe; they only need to know the TSO command and, optionally, what the desired result of the command is. Adding a new check should take less than 10 minutes. It is also possible to add new connection protocols. m-RAY uses SSH because it was the best fit for the current functionality, but adding another connection protocol is also simplified through connection classes that implement a standard interface.
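To make the template idea concrete, here is an added sketch (not m-RAY's code; Python and all names such as Check, Connection and FakeConnection are assumptions for this example) of a check for the weak-SSH-algorithm misconfiguration mentioned earlier: one command, one evaluator, run through a stand-in connection that returns a constructed sshd_config.

```python
"""Hypothetical modular misconfiguration check; names and structure are assumed, not m-RAY's."""
from dataclasses import dataclass
from typing import Callable, Protocol

# Constructed sample of what `cat /etc/ssh/sshd_config` might return on a z/OS host.
SAMPLE_SSHD_CONFIG = """\
Port 22
Ciphers aes256-ctr,aes128-cbc,3des-cbc
MACs hmac-sha2-256,hmac-md5
"""

class Connection(Protocol):
    """Standard interface every transport (SSH today, others later) implements."""
    def run(self, command: str) -> str: ...

class FakeConnection:
    """Offline stand-in for an SSH session: maps a command to canned output."""
    def __init__(self, responses: dict[str, str]) -> None:
        self.responses = responses
    def run(self, command: str) -> str:
        return self.responses.get(command, "")

@dataclass
class Check:
    """Template: one command plus a function that turns its output into (vulnerable?, detail)."""
    name: str
    command: str
    evaluate: Callable[[str], tuple[bool, str]]
    def run(self, conn: Connection) -> tuple[bool, str]:
        return self.evaluate(conn.run(self.command))

# Illustrative lists of algorithms widely regarded as weak; a real check would track the STIG.
WEAK_CIPHERS = {"3des-cbc", "arcfour", "arcfour128", "arcfour256", "aes128-cbc", "aes256-cbc", "blowfish-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}

def parse_sshd_config(text: str) -> dict[str, list[str]]:
    """Collect the comma-separated values of the Ciphers and MACs directives (case-insensitive keys)."""
    found: dict[str, list[str]] = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() in ("ciphers", "macs"):
            found[parts[0].lower()] = [v.strip() for v in parts[1].split(",") if v.strip()]
    return found

def weak_ssh_algorithms(config_text: str) -> tuple[bool, str]:
    """Vulnerable when sshd explicitly offers a weak cipher or MAC; absent directives need manual review."""
    cfg = parse_sshd_config(config_text)
    if "ciphers" not in cfg or "macs" not in cfg:
        return (False, "Ciphers or MACs not set explicitly; sshd defaults apply, review manually")
    weak = sorted(set(cfg["ciphers"]) & WEAK_CIPHERS) + sorted(set(cfg["macs"]) & WEAK_MACS)
    if weak:
        return (True, "weak algorithms offered: " + ", ".join(weak))
    return (False, "no weak ciphers or MACs offered")

SSH_ALGO_CHECK = Check("ssh-weak-algorithms", "cat /etc/ssh/sshd_config", weak_ssh_algorithms)

if __name__ == "__main__":
    print(SSH_ALGO_CHECK.run(FakeConnection({SSH_ALGO_CHECK.command: SAMPLE_SSHD_CONFIG})))
```

Swapping FakeConnection for a real SSH transport that implements the same run() method is the only change needed to run the check against a live host.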
m-RAY is an open-source tool that can be found here.
The hope with this project is that it will continue to be expanded with new misconfiguration and vulnerability checks beyond the 25 currently implemented. The current selection has been curated to provide the most value to both penetration testers and the clients whose systems they are assessing. This, combined with the functionality of existing open-source tooling, results in the most comprehensive mainframe penetration testing tool available.