viosvrcmd – the backdoor to the PHyp?
February 6, 2014
Posted by on
The title is provocative, but if we agree that Virtual I/O Server is part of the POWER Hypervisor it’s absolutely true. The command viosvrcmd is a HMC command which allows to perform any non-interactive VIO commands by a HMC user which has the taskrole authority – ‘VirtualIOServerCommand’ and visibility to a VIOS LPAR without be prompting for VIOS user and password.
I believe that this command is absolutely necessary for performing some tasks such as Live Partition Mobility but…
Probably IBM PHYP development team had an idea, that security will be managed on the user accounts layer. And only selected personnel will be eligible to run this command. But then another part of IBM – the developers of the product – ‘Tivoli® Application Dependency Discovery Manager’ decide to use viosvrcmd command for VIOS resources scanning. This tool runs some automated processes against a HMC (uses password less communication). Of course, you need to assign some HMC account with it. Normally, you would create a basic account with read only authorities, but while the tool query a VIOS , it needs VirtualIOServerCommand authorites which practically open access to the PHYP to an unauthorized personnel.
I don’t know how many IBM products uses this functionality, but for me its huge security gap.
I just googled, and people use viosvrcmd command to avoid VIOS authentication, for instance you can change a VIOS password.