CVE-2023-40686: 
NixOS vulnerability analysis and mitigation

Management Central, a component of IBM i Navigator versions 7.2, 7.3, 7.4, and 7.5, contains a local privilege escalation vulnerability identified as CVE-2023-40686. The vulnerability was discovered and reported to IBM by Zoltan Panczel from Silent Signal, and was publicly disclosed on October 27, 2023. This security flaw exists even when Management Central is not being used for systems management tasks (IBM Support).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) by NIST with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while IBM Corporation assessed it with a base score of 4.9 (MEDIUM) and vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L. The vulnerability is classified under CWE-269 (Improper Privilege Management) (NVD).

If exploited, this vulnerability allows a malicious actor with command line access to the operating system to elevate their privileges and gain component access to the operating system. This could potentially compromise the security and integrity of the affected IBM i systems (IBM Support).

IBM has released fixes for this vulnerability through PTFs (Program Temporary Fixes) for the affected versions. For IBM i 7.5, the fix is included in PTF SI84794 and SI85339; for 7.4, in SI84792 and SI84784; for 7.3, in SI84791 and SI84783; and for 7.2, in SI84788 and SI84782. These PTFs should be applied to both 5770-SS1 Base and 5770-SS1 Option 3. No workarounds are available, making patch installation the only mitigation option (IBM Support).