CVE-2021-38938 - How IBM HATS Exposed Thousands of User Credentials in Plain Text
In late 2021, a critical vulnerability was uncovered in IBM Host Access Transformation Services (HATS). Known as CVE-2021-38938, this flaw meant that certain versions of HATS stored sensitive user credentials—like usernames and passwords—in plain, readable text files. Anyone with access to the system could easily grab these credentials and potentially gain unauthorized access.
In this deep dive, I’ll explain the vulnerability in simple terms, show you where the risks really are, and even walk through step-by-step how an attacker could exploit it. Let’s get started.
What is IBM HATS?
IBM HATS is a solution that modernizes old mainframe (“green screen”) applications, helping organizations present legacy data in more modern ways—like web or mobile apps. It’s often used by banks, hospitals, and government, making security especially important.
About CVE-2021-38938
- Description: IBM HATS versions 9.6 to 9.7..3 store user credentials in plaintext, making them readable to any local user.
- CVSS Score: 7.5 (High)
- Links: NVD Entry, IBM Security Bulletin, X-Force Exchange
How Did This Happen?
When a user logs into HATS, the software saves their username and password into a file on the local system. But instead of protecting or encrypting those credentials, HATS left them in plain text. Any user or attacker with local file access could open the file and read them, no hacking tools needed.
Vulnerable File Sample
C:\ProgramData\IBM\HATS\user-data\user_credentials.txt
Sample file contents
username: johndoe
password: superSecret123
Step-by-Step: How an Attacker Can Exploit This (Educational Example)
Here’s how easy it is for someone with local access (a malicious employee, for example) to grab your credentials.
Step 1: Know where to look
The credentials are stored at a set path (may differ based on install options, but defaults shown below):
C:\ProgramData\IBM\HATS\user-data\user_credentials.txt
Use any standard editor or the command prompt
type "C:\ProgramData\IBM\HATS\user-data\user_credentials.txt"
or, with Notepad
notepad "C:\ProgramData\IBM\HATS\user-data\user_credentials.txt"
Step 3: Read the Data
username: johndoe
password: superSecret123
That’s it! No admin privileges or exploits are required—just basic file access.
- Lateral movement: An attacker with these credentials can log in as legitimate users.
- Sensitive data access: Many HATS systems connect to mainframes running major business operations.
- Reputation damage: If client or internal information is leaked, the organization is at risk.
This is especially high risk in shared or multi-user environments, or where users have remote desktop access.
IBM’s official advisory and patches
Conclusion
CVE-2021-38938 shows just how dangerous old-school mistakes—like writing passwords in plain text—can be, especially in software built for mission-critical banking, health, and government services. Always update your IBM software (and any enterprise apps), and double-check your system for forgotten text files with sensitive information.
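The check recommended above, as an added example that is not part of the original article or of IBM's tooling: a Python audit that walks a directory tree, flags text files holding a password in the `key: value` layout of the sample file, and masks the secret in its report. The extra key names (`passwd`, `pwd`), the list of file extensions and the sample tree built in `demo()` are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Layout of the sample file above; passwd/pwd and "=" are assumed variants.
CRED_LINE = re.compile(r"^\s*(username|password|passwd|pwd)\s*[:=]\s*(\S.*?)\s*$", re.I)
SECRET_KEYS = {"password", "passwd", "pwd"}
TEXT_EXTENSIONS = (".txt", ".cfg", ".ini", ".properties", ".log")


def scan_file(path):
    """Return [(line_no, key, value)] with secrets masked; [] if no password is stored."""
    findings = []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for line_no, line in enumerate(fh, start=1):
                m = CRED_LINE.match(line)
                if m:
                    key = m.group(1).lower()
                    shown = "<redacted>" if key in SECRET_KEYS else m.group(2)
                    findings.append((line_no, key, shown))
    except OSError:
        return []  # file vanished or is unreadable to the auditing account
    return findings if any(k in SECRET_KEYS for _, k, _ in findings) else []


def audit_tree(root):
    """Map each text-like file under root that holds a plaintext password to its findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(TEXT_EXTENSIONS) and (hits := scan_file(path)):
                report[path] = hits
    return report


def demo():
    """Audit a constructed sample tree (not real HATS data)."""
    samples = {"user_credentials.txt": "username: johndoe\npassword: superSecret123\n",
               "notes.txt": "username: johndoe\n"}  # no secret: must not be flagged
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {os.path.basename(p): h for p, h in audit_tree(root).items()}


if __name__ == "__main__":
    print(demo())
```

Point `audit_tree()` at the application's data directory, then review the permissions on each reported file (for example with `icacls` on Windows).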
Further Reading/References
- NVD - CVE-2021-38938
- IBM X-Force Exchange Vulnerability Report 210989
- IBM Security Bulletin: Vulnerability in HATS could allow local user to obtain credentials
If your organization still uses IBM HATS, move fast. A costly breach is just a double-click away.
*This guide is written for educational purposes only. Do not use these techniques to violate laws or company policies.*
Timeline
Published on: 03/15/2024 16:15:07 UTC
Last modified on: 03/15/2024 16:26:49 UTC