===========================================================================
             AUSCERT External Security Bulletin Redistribution

            ESB-2008.0091 -- [AIX] Multiple AIX vulnerabilities
                              6 February 2008
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ps
                   uspchrp
                   utape
                   Logical Volume Manager
                   Linux WebSM remote client
                   swap commands
Publisher:         IBM
Operating System:  AIX
Impact:            Root Compromise
                   Modify Arbitrary Files
                   Access Confidential Data
Access:            Existing Account
CVE Names:         CVE-2008-0584 CVE-2008-0585 CVE-2008-0586
                   CVE-2008-0587 CVE-2008-0588 CVE-2008-0589

Original Bulletin:
  http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4078
  http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4077
  http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4076
  http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4075
  http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4074
  http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4073
  http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4072
  http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4071
  http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4070
  http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4069
  http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4068
  http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4067
  http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4066
  http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4065
  http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4064
  http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4063

Comment: This bulletin contains six (6) AIX advisories. There are multiple
         bulletin URLs because IBM has released one per AIX version for
         each product.

Revision History:  February 6 2008: Added CVEs
                   January 25 2008: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

IBM SECURITY ADVISORY

First Issued: Tue Jan 22 14:02:18 CST 2008

===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:      AIX ps information leak

PLATFORMS:          AIX 5.2, 5.3, 6.1

SOLUTION:           Apply the fix as described below.

THREAT:             A local attacker may access sensitive information.

CERT VU Number:     n/a
CVE Number:         n/a
===============================================================================
                           DETAILED INFORMATION

I. OVERVIEW

The ps command shows current status of processes. The primary fileset for
the ps command is 'bos.rte.control'.

The ps command allows local users to obtain sensitive information.

II. DESCRIPTION

An information leak exists in the 'bos.rte.control' fileset commands listed
below. A local attacker may access sensitive information for arbitrary
processes.

The following commands are vulnerable:

    /usr/bin/ps

III. IMPACT

The successful exploitation of this vulnerability allows a non-privileged
user to access sensitive data for arbitrary processes.

IV. PLATFORM VULNERABILITY ASSESSMENT

To determine if your system is vulnerable, execute the following command:

    lslpp -L bos.rte.control

The following fileset levels are vulnerable:

    AIX Fileset        Lower Level       Upper Level
    ------------------------------------------------
    bos.rte.control    5.2.0.0           5.2.0.107
    bos.rte.control    5.3.0.0           5.3.0.64
    bos.rte.control    5.3.7.0           5.3.7.1
    bos.rte.control    6.1.0.0           6.1.0.3

V. SOLUTIONS

A. APARS

IBM provides the following fixes:

    AIX Level           APAR number        Availability
    ---------------------------------------------------
    5.2.0               IZ11242            05/14/08
    5.3.0               IZ12745            04/30/08
    5.3.7               IZ11243            04/30/08
    6.1.0               IZ11244            02/20/08

Subscribe to the APARs here:

    http://www.ibm.com/support/docview.wss?uid=isg1IZ11242
    http://www.ibm.com/support/docview.wss?uid=isg1IZ12745
    http://www.ibm.com/support/docview.wss?uid=isg1IZ11243
    http://www.ibm.com/support/docview.wss?uid=isg1IZ11244

By subscribing, you will receive periodic email alerting you to the status
of the APAR, and a link to download the fix once it becomes available.

B. FIXES

Fixes are available. The fixes can be downloaded via ftp from:

    ftp://aix.software.ibm.com/aix/efixes/security/ps_ifix.tar

The link above is to a tar file containing this signed advisory, fix
packages, and PGP signatures for each package. The fixes below include
prerequisite checking. This will enforce the correct mapping between the
fixes and AIX Technology Levels.

    AIX Level      Interim Fix
    -------------------------------------------------------------------
    5.2.0 TL8      IZ11242_08.080110.epkg.Z
    5.2.0 TL9      IZ11242_09.080110.epkg.Z
    5.2.0 TL10     IZ11242_10.080110.epkg.Z
    5.3.0 TL5      IZ12745_05.080110.epkg.Z
    5.3.0 TL6      IZ12745_06.080110.epkg.Z
    5.3.7          IZ11243_07.080110.epkg.Z
    6.1.0          IZ11244_00.080110.epkg.Z

To extract the fixes from the tar file:

    tar xvf ps_ifix.tar
    cd ps_ifix

Verify you have retrieved the fixes intact:

The checksums below were generated using the "sum", "cksum",
"csum -h MD5" (md5sum), and "csum -h SHA1" (sha1sum) commands and are as
follows:

To verify the sums, use the text of this advisory as input to csum, md5sum,
or sha1sum. For example:

    csum -h SHA1 -i Advisory.asc
    md5sum -c Advisory.asc
    sha1sum -c Advisory.asc

These sums should match exactly. The PGP signatures in the tar file and on
this advisory can also be used to verify the integrity of the fixes. If the
sums or signatures cannot be confirmed, contact IBM AIX Security at
security-alert@austin.ibm.com and describe the discrepancy.

C. INTERIM FIX INSTALLATION

IMPORTANT: If possible, it is recommended that a mksysb backup of the
system be created. Verify it is both bootable and readable before
proceeding.

Interim fixes have had limited functional and regression testing but not
the full regression testing that takes place for Service Packs; thus, IBM
does not warrant the fully correct functionality of an interim fix.

Interim fix management documentation can be found at:

    http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

To preview an interim fix installation:

    emgr -e ipkg_name -p       # where ipkg_name is the name of the
                               # interim fix package being previewed.

To install an interim fix package:

    emgr -e ipkg_name -X       # where ipkg_name is the name of the
                               # interim fix package being installed.

VI. WORKAROUNDS

There are no workarounds available.

VII. OBTAINING FIXES

AIX security related fixes can be downloaded from:

    ftp://aix.software.ibm.com/aix/efixes/security

AIX fixes can be downloaded from:

    http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix

NOTE: Affected customers are urged to upgrade to the latest applicable
Technology Level and Service Pack.

VIII. CONTACT INFORMATION

If you would like to receive AIX Security Advisories via email, please
visit:

    http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd

Comments regarding the content of this announcement can be directed to:

    security-alert@austin.ibm.com

To request the PGP public key that can be used to communicate securely
with the AIX Security Team you can either:

    A. Send an email with "get key" in the subject line to:

           security-alert@austin.ibm.com

    B. Download the key from a PGP Public Key Server. The key ID is:

           0xA6A36CCC

Please contact your local IBM AIX support center for any assistance.

eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their
respective holders.

IX. ACKNOWLEDGMENTS

Andrea "bunker" Purificato reported this vulnerability.
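
The level check from section IV of the ps advisory, as an added example that is not part of the IBM or AusCERT text: it compares installed levels with the published vulnerable ranges field by field, because a plain string compare would rank 5.3.0.9 above 5.3.0.64. The function names, the assumed column layout of `lslpp -L` output (fileset name, then level) and the sample lines are constructed for this example.

```shell
#!/bin/sh
# Added example: flag bos.rte.control levels that fall inside the vulnerable
# ranges published in the ps advisory above.

# Vulnerable ranges copied from section IV (fileset, lower level, upper level).
VULNERABLE_RANGES='bos.rte.control 5.2.0.0 5.2.0.107
bos.rte.control 5.3.0.0 5.3.0.64
bos.rte.control 5.3.7.0 5.3.7.1
bos.rte.control 6.1.0.0 6.1.0.3'

# Constructed sample in the layout assumed for `lslpp -L` output; the three
# rows stand for three different hosts.
SAMPLE_LSLPP='  Fileset                      Level  State  Type  Description
  ----------------------------------------------------------------------
  bos.rte.control            5.3.0.9    C     F    System Control Commands
  bos.rte.control           5.3.0.65    C     F    System Control Commands
  bos.rte.control            5.3.7.2    C     F    System Control Commands'

# vrmf_cmp A B: print -1, 0 or 1 after comparing two dotted levels one
# numeric field at a time (missing fields count as 0).
vrmf_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        max = (n > m) ? n : m
        for (i = 1; i <= max; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) { print -1; exit }
            if (p > q) { print 1; exit }
        }
        print 0
    }'
}

# is_vulnerable FILESET LEVEL: return 0 when LEVEL lies inside any published
# range for FILESET (both bounds inclusive), 1 otherwise.
is_vulnerable() {
    _fs=$1
    _lvl=$2
    while read -r name lower upper; do
        [ "$name" = "$_fs" ] || continue
        if [ "$(vrmf_cmp "$_lvl" "$lower")" -ge 0 ] &&
           [ "$(vrmf_cmp "$_lvl" "$upper")" -le 0 ]; then
            return 0
        fi
    done <<EOF
$VULNERABLE_RANGES
EOF
    return 1
}

# scan_lslpp: read `lslpp -L` style text on stdin and print one verdict per
# row whose second column looks like a four-part level.
scan_lslpp() {
    awk '$2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $1, $2 }' |
    while read -r fs lvl; do
        if is_vulnerable "$fs" "$lvl"; then
            echo "$fs $lvl VULNERABLE"
        else
            echo "$fs $lvl ok"
        fi
    done
}

# On an AIX host the input would come from: lslpp -L bos.rte.control
printf '%s\n' "$SAMPLE_LSLPP" | scan_lslpp
```
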

IBM SECURITY ADVISORY

First Issued: Tue Jan 22 14:02:18 CST 2008

===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:      AIX uspchrp buffer overflow

PLATFORMS:          AIX 5.2, 5.3

SOLUTION:           Apply the fix or workaround as described below.

THREAT:             A local attacker may execute arbitrary code with
                    root privileges.

CERT VU Number:     n/a
CVE Number:         n/a
===============================================================================
                           DETAILED INFORMATION

I. OVERVIEW

uspchrp is a command in the AIX diagnostics subsystem. The primary fileset
for the uspchrp command is 'devices.chrp.base.diag'.

The uspchrp command contains a buffer overflow vulnerability.

II. DESCRIPTION

Buffer overflow vulnerabilities exist in the commands listed below. A local
attacker may execute arbitrary code with root privileges because the
commands are setuid root. The local attacker must be a member of the
'system' group to execute these commands.

The following commands are vulnerable:

    /usr/lpp/diagnostics/bin/uspchrp

III. IMPACT

The successful exploitation of this vulnerability allows a non-privileged
user to execute code with root privileges.

IV. PLATFORM VULNERABILITY ASSESSMENT

To determine if your system is vulnerable, execute the following command:

    lslpp -L devices.chrp.base.diag

The following fileset levels are vulnerable:

    AIX Fileset               Lower Level       Upper Level
    -------------------------------------------------------
    devices.chrp.base.diag    5.2.0.0           5.2.0.105
    devices.chrp.base.diag    5.3.0.0           5.3.0.62
    devices.chrp.base.diag    5.3.7.0           5.3.7.0

V. SOLUTIONS

A. APARS

IBM provides the following fixes:

    AIX Level           APAR number        Availability
    ----------------------------------------------------
    5.2.0               IZ06261            Available now
    5.3.0               IZ06621            Available now
    5.3.7               IZ06489            Available now

Subscribe to the APARs here:

    http://www.ibm.com/support/docview.wss?uid=isg1IZ06261
    http://www.ibm.com/support/docview.wss?uid=isg1IZ06621
    http://www.ibm.com/support/docview.wss?uid=isg1IZ06489

By subscribing, you will receive periodic email alerting you to the status
of the APAR, and a link to download the fix once it becomes available.

B. FIXES

Fixes are available. The fixes can be downloaded via ftp from:

    ftp://aix.software.ibm.com/aix/efixes/security/uspchrp_fix.tar

The link above is to a tar file containing this signed advisory, fix
packages, and PGP signatures for each package. The fixes below include
prerequisite checking. This will enforce the correct mapping between the
fixes and AIX Technology Levels.

    AIX Level      Fix
    -----------------------------------------------------------------
    5.2.0          devices.chrp.base.diag.5.2.0.106.U
    5.3.0          devices.chrp.base.diag.5.3.0.63.U
    5.3.7          devices.chrp.base.diag.5.3.7.1.U

To extract the fixes from the tar file:

    tar xvf uspchrp_fix.tar
    cd uspchrp_fix

Verify you have retrieved the fixes intact:

The checksums below were generated using the "sum", "cksum",
"csum -h MD5" (md5sum), and "csum -h SHA1" (sha1sum) commands and are as
follows:

To verify the sums, use the text of this advisory as input to csum, md5sum,
or sha1sum. For example:

    csum -h SHA1 -i Advisory.asc
    md5sum -c Advisory.asc
    sha1sum -c Advisory.asc

These sums should match exactly. The PGP signatures in the tar file and on
this advisory can also be used to verify the integrity of the fixes. If the
sums or signatures cannot be confirmed, contact IBM AIX Security at
security-alert@austin.ibm.com and describe the discrepancy.

C. FIX INSTALLATION

IMPORTANT: If possible, it is recommended that a mksysb backup of the
system be created. Verify it is both bootable and readable before
proceeding.

To preview a fix installation:

    installp -a -d . -p all

To install a fix package:

    installp -a -d . -X all

VI. WORKAROUNDS

There are two workarounds available.

A. OPTION 1

Change the permissions of these commands to remove the setuid bit using
the following commands:

    chmod 500 /usr/lpp/diagnostics/bin/uspchrp

NOTE: chmod will disable functionality of these commands for all users
except root.

B. OPTION 2 (AIX 6.1, AIX 5.3 TL6 and TL7)

Use the File Permissions Manager (fpm) command to manage setuid and setgid
programs.

fpm documentation can be found in the AIX 6 Security Redbook at:

    http://www.redbooks.ibm.com/abstracts/sg247430.html

An fpm level of high, medium, or low will remove the setuid bit from the
affected commands. For example:

    fpm -l high -p    # to preview changes
    fpm -l high       # to execute changes

NOTE: Please review the documentation before execution. fpm will disable
functionality of multiple commands for all users except root.

IX. ACKNOWLEDGMENTS

IBM discovered and fixed this vulnerability as part of its commitment to
secure the AIX operating system.

IBM SECURITY ADVISORY

First Issued: Tue Jan 22 14:02:18 CST 2008

===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:      AIX utape buffer overflow

PLATFORMS:          AIX 5.2, 5.3

SOLUTION:           Apply the fix or workaround as described below.

THREAT:             A local attacker may execute arbitrary code with
                    root privileges.

CERT VU Number:     n/a
CVE Number:         n/a
===============================================================================
                           DETAILED INFORMATION

I. OVERVIEW

utape is a command in the AIX diagnostics subsystem. The primary fileset
for the utape command is 'devices.scsi.tape.diag'.

The utape command contains a buffer overflow vulnerability.

II. DESCRIPTION

Buffer overflow vulnerabilities exist in the commands listed below. A local
attacker may execute arbitrary code with root privileges because the
commands are setuid root. The local attacker must be a member of the
'system' group to execute these commands.

The following commands are vulnerable:

    /usr/lpp/diagnostics/bin/utape

III. IMPACT

The successful exploitation of this vulnerability allows a non-privileged
user to execute code with root privileges.

IV. PLATFORM VULNERABILITY ASSESSMENT

To determine if your system is vulnerable, execute the following command:

    lslpp -L devices.scsi.tape.diag

The following fileset levels are vulnerable:

    AIX Fileset               Lower Level       Upper Level
    -------------------------------------------------------
    devices.scsi.tape.diag    5.2.0.0           5.2.0.105
    devices.scsi.tape.diag    5.3.0.0           5.3.0.61
    devices.scsi.tape.diag    5.3.7.0           5.3.7.0

V. SOLUTIONS

A. APARS

IBM provides the following fixes:

    AIX Level           APAR number        Availability
    ----------------------------------------------------
    5.2.0               IZ06260            Available now
    5.3.0               IZ06620            Available now
    5.3.7               IZ06488            Available now

Subscribe to the APARs here:

    http://www.ibm.com/support/docview.wss?uid=isg1IZ06260
    http://www.ibm.com/support/docview.wss?uid=isg1IZ06620
    http://www.ibm.com/support/docview.wss?uid=isg1IZ06488

By subscribing, you will receive periodic email alerting you to the status
of the APAR, and a link to download the fix once it becomes available.

B. FIXES

Fixes are available. The fixes can be downloaded via ftp from:

    ftp://aix.software.ibm.com/aix/efixes/security/utape_fix.tar

The link above is to a tar file containing this signed advisory, fix
packages, and PGP signatures for each package. The fixes below include
prerequisite checking. This will enforce the correct mapping between the
fixes and AIX Technology Levels.

    AIX Level      Fix
    ----------------------------------------------------
    5.2.0          devices.scsi.tape.diag.5.2.0.106.U
    5.3.0          devices.scsi.tape.diag.5.3.0.62.U
    5.3.7          devices.scsi.tape.diag.5.3.7.1.U

To extract the fixes from the tar file:

    tar xvf utape_fix.tar
    cd utape_fix

Verify you have retrieved the fixes intact:

The checksums below were generated using the "sum", "cksum",
"csum -h MD5" (md5sum), and "csum -h SHA1" (sha1sum) commands and are as
follows:

To verify the sums, use the text of this advisory as input to csum, md5sum,
or sha1sum. For example:

    csum -h SHA1 -i Advisory.asc
    md5sum -c Advisory.asc
    sha1sum -c Advisory.asc

These sums should match exactly. The PGP signatures in the tar file and on
this advisory can also be used to verify the integrity of the fixes. If the
sums or signatures cannot be confirmed, contact IBM AIX Security at
security-alert@austin.ibm.com and describe the discrepancy.

C. FIX INSTALLATION

IMPORTANT: If possible, it is recommended that a mksysb backup of the
system be created. Verify it is both bootable and readable before
proceeding.

To preview a fix installation:

    installp -a -d . -p all

To install a fix package:

    installp -a -d . -X all

VI. WORKAROUNDS

There are two workarounds available.

A. OPTION 1

Change the permissions of these commands to remove the setuid bit using
the following commands:

    chmod 500 /usr/lpp/diagnostics/bin/utape

NOTE: chmod will disable functionality of these commands for all users
except root.

B. OPTION 2 (AIX 6.1, AIX 5.3 TL6 and TL7)

Use the File Permissions Manager (fpm) command to manage setuid and setgid
programs.

fpm documentation can be found in the AIX 6 Security Redbook at:

    http://www.redbooks.ibm.com/abstracts/sg247430.html

An fpm level of high, medium, or low will remove the setuid bit from the
affected commands. For example:

    fpm -l high -p    # to preview changes
    fpm -l high       # to execute changes

NOTE: Please review the documentation before execution. fpm will disable
functionality of multiple commands for all users except root.

IX. ACKNOWLEDGMENTS

IBM discovered and fixed this vulnerability as part of its commitment to
secure the AIX operating system.

IBM SECURITY ADVISORY

First Issued: Tue Jan 22 14:02:18 CST 2008

===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:      AIX Logical Volume Manager buffer overflow

PLATFORMS:          AIX 5.2, 5.3

SOLUTION:           Apply the fix or workaround as described below.

THREAT:             A local attacker may execute arbitrary code with
                    root privileges.

CERT VU Number:     n/a
CVE Number:         n/a
===============================================================================
                           DETAILED INFORMATION

I. OVERVIEW

The AIX Logical Volume Manager provides a suite of utilities for AIX
logical volume management features and functions. The primary fileset for
the AIX Logical Volume Manager is 'bos.rte.lvm'. In addition, AIX provides
another suite of utilities for concurrent logical volume management across
multiple hosts. The primary fileset for the AIX Concurrent Logical Volume
Manager is 'bos.clvm.enh'.

Several important commands provided by these filesets for performing
various logical volume management tasks have been identified as containing
buffer overflow vulnerabilities.

II. DESCRIPTION

Buffer overflow vulnerabilities exist in the 'bos.rte.lvm' and
'bos.clvm.enh' fileset commands listed below. A local attacker may execute
arbitrary code with root privileges because the commands are setuid root.
The local attacker must be a member of the 'system' group to execute these
commands.

The following 'bos.rte.lvm' commands are vulnerable:

    /usr/sbin/lchangevg
    /usr/sbin/ldeletepv
    /usr/sbin/putlvodm
    /usr/sbin/lvaryoffvg
    /usr/sbin/lvgenminor

The following 'bos.clvm.enh' command is vulnerable:

    /usr/sbin/tellclvmd

III. IMPACT

The successful exploitation of this vulnerability allows a non-privileged
user to execute code with root privileges.

IV. PLATFORM VULNERABILITY ASSESSMENT

To determine if your system is vulnerable, execute the following command:

    lslpp -L bos.rte.lvm bos.clvm.enh

The following fileset levels are vulnerable:

    AIX Fileset        Lower Level       Upper Level
    ------------------------------------------------
    bos.rte.lvm        5.2.0.0           5.2.0.107
    bos.rte.lvm        5.3.0.0           5.3.0.61
    bos.clvm.enh       5.2.0.0           5.2.0.105
    bos.clvm.enh       5.3.0.0           5.3.0.60

V. SOLUTIONS

A. APARS

IBM provides the following fixes:

    AIX Level           APAR number        Availability
    -----------------------------------------------------
    5.2.0               IZ00559            (available now)
    5.2.0               IZ10828            (available now)
    5.3.0               IY98331            (available now)
    5.3.0               IY98340            (available now)
    5.3.0               IY99537            (available now)

Subscribe to the APARs here:

    http://www.ibm.com/support/docview.wss?uid=isg1IZ00559
    http://www.ibm.com/support/docview.wss?uid=isg1IZ10828
    http://www.ibm.com/support/docview.wss?uid=isg1IY98331
    http://www.ibm.com/support/docview.wss?uid=isg1IY98340
    http://www.ibm.com/support/docview.wss?uid=isg1IY99537

By subscribing, you will receive periodic email alerting you to the status
of the APAR, and a link to download the fix once it becomes available.

B. FIXES

Fixes are available. The fixes can be downloaded via ftp from:

    ftp://aix.software.ibm.com/aix/efixes/security/lvm_ifix.tar

The link above is to a tar file containing this signed advisory, fix
packages, and PGP signatures for each package. The fixes below include
prerequisite checking. This will enforce the correct mapping between the
fixes and AIX Technology Levels.

    AIX Fileset     AIX Level     Fix and Interim Fix
    -----------------------------------------------------------------
    bos.lvm.rte     5200-08       IZ10828_08.071212.epkg.Z
    bos.lvm.rte     5200-08       IZ00559_8a.071212.epkg.Z
    bos.clvm.enh    5200-08       IZ00559_8b.071212.epkg.Z
    bos.lvm.rte     5200-09       IZ10828_09.071212.epkg.Z
    bos.lvm.rte     5200-09       IZ00559_9a.071211.epkg.Z
    bos.clvm.enh    5200-09       IZ00559_9b.071211.epkg.Z
    bos.lvm.rte     5200-10       IZ10828_10.071212.epkg.Z
    bos.lvm.rte     5200-10       bos.rte.lvm.5.2.0.107.U
    bos.clvm.enh    5200-10       bos.clvm.enh.5.2.0.107.U
    bos.lvm.rte     5300-05       IY98331_05.071212.epkg.Z
    bos.lvm.rte     5300-05       IY99537_05.071212.epkg.Z
    bos.lvm.rte     5300-05       IY98340_5a.071211.epkg.Z
    bos.clvm.enh    5300-05       IY98340_5b.071211.epkg.Z
    bos.lvm.rte     5300-06       bos.rte.lvm.5.3.0.63.U
    bos.clvm.enh    5300-06       bos.clvm.enh.5.3.0.61.U

To extract the fixes from the tar file:

    tar xvf lvm_ifix.tar
    cd lvm_ifix

Verify you have retrieved the fixes intact:

The checksums below were generated using the "sum", "cksum",
"csum -h MD5" (md5sum), and "csum -h SHA1" (sha1sum) commands and are as
follows:

To verify the sums, use the text of this advisory as input to csum, md5sum,
or sha1sum. For example:

    csum -h SHA1 -i Advisory.asc
    md5sum -c Advisory.asc
    sha1sum -c Advisory.asc

These sums should match exactly. The PGP signatures in the tar file and on
this advisory can also be used to verify the integrity of the fixes. If the
sums or signatures cannot be confirmed, contact IBM AIX Security at
security-alert@austin.ibm.com and describe the discrepancy.

C. FIX AND INTERIM FIX INSTALLATION

IMPORTANT: If possible, it is recommended that a mksysb backup of the
system be created. Verify it is both bootable and readable before
proceeding.

To preview a fix installation:

    installp -a -d . -p all

To install a fix package:

    installp -a -d . -X all

Interim fixes have had limited functional and regression testing but not
the full regression testing that takes place for Service Packs; thus, IBM
does not warrant the fully correct functionality of an interim fix.

Interim fix management documentation can be found at:

    http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

To preview an interim fix installation:

    emgr -e ipkg_name -p       # where ipkg_name is the name of the
                               # interim fix package being previewed.

To install an interim fix package:

    emgr -e ipkg_name -X       # where ipkg_name is the name of the
                               # interim fix package being installed.

VI. WORKAROUNDS

There are two workarounds available.

A. OPTION 1

Change the permissions of these commands to remove the setuid bit using
the following commands:

    chmod 500 /usr/sbin/lchangevg
    chmod 500 /usr/sbin/ldeletepv
    chmod 500 /usr/sbin/putlvodm
    chmod 500 /usr/sbin/lvaryoffvg
    chmod 500 /usr/sbin/lvgenminor
    chmod 500 /usr/sbin/tellclvmd

NOTE: chmod will disable functionality of these commands for all users
except root.

B. OPTION 2 (AIX 6.1, AIX 5.3 TL6 and TL7)

Use the File Permissions Manager (fpm) command to manage setuid and setgid
programs.

fpm documentation can be found in the AIX 6 Security Redbook at:

    http://www.redbooks.ibm.com/abstracts/sg247430.html

An fpm level of high will remove the setuid bit from the affected commands.
For example:

    fpm -l high -p    # to preview changes
    fpm -l high       # to execute changes

NOTE: Please review the documentation before execution. fpm will disable
functionality of multiple commands for all users except root.
    IBM, AIX and pSeries are registered trademarks of International
    Business Machines Corporation. All other trademarks are property
    of their respective holders.

IX. ACKNOWLEDGMENTS

    IBM discovered and fixed this vulnerability as part of its
    commitment to secure the AIX operating system.

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD4DBQFHllGn8lficKajbMwRAnZ6AJjStvgawxHceUqaL6gMkTnjRIq4AJ9DY+d1
c6fMDU7pQ9MepNO0L0uy3A==
=8heK
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Tue Jan 22 14:02:18 CST 2008
===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:      AIX incorrect file permissions Linux WebSM remote client

PLATFORMS:          AIX 5.2, 5.3

SOLUTION:           Apply the fix or workaround as described below.

THREAT:             World writable files installed on Linux client.

CERT VU Number:     n/a
CVE Number:         n/a
===============================================================================
                           DETAILED INFORMATION

I. OVERVIEW

    The Web-based System Manager (WebSM) Remote Client for Linux
    provides remote administration of AIX systems. The primary fileset
    for the WebSM Remote Client is 'sysmgt.websm.webaccess'.

    Some of the files installed by the remote client on a Linux system
    have world writable permissions.

II. DESCRIPTION

    When the WebSM Remote Client is installed on a Linux system, some
    of the installed files have incorrect world writable permissions.
    Any user of the Linux system can write to the installed files.

III. IMPACT

    The successful exploitation of this vulnerability allows a
    non-privileged local user to alter the behavior of the WebSM
    Remote Client on the Linux system.

IV. PLATFORM VULNERABILITY ASSESSMENT

    To determine if your system is vulnerable, execute the following
    command:

        lslpp -L sysmgt.websm.webaccess

    The following fileset levels are vulnerable:

        AIX Fileset               Lower Level       Upper Level
        ------------------------------------------------------
        sysmgt.websm.webaccess    5.2.0.0           5.2.0.104
        sysmgt.websm.webaccess    5.3.0.0           5.3.0.60

V. SOLUTIONS

    A. APARS

        IBM provides the following fixes:

        AIX Level           APAR number        Availability
        --------------------------------------------------------
        5.2.0               None               Fixed in 5.2 TL10
        5.3.0               IY97257            Available now

        Subscribe to the APAR here:

            http://www.ibm.com/support/docview.wss?uid=isg1IY97257

        By subscribing, you will receive periodic email alerting you
        to the status of the APAR, and a link to download the fix once
        it becomes available.

    B. FIXES

        Fixes are available. The fixes can be downloaded via ftp
        from:

            ftp://aix.software.ibm.com/aix/efixes/security/websm_linux_fix.tar

        The link above is to a tar file containing this signed
        advisory, fix packages, and PGP signatures for each package.
        The fixes below include prerequisite checking. This will
        enforce the correct mapping between the fixes and AIX
        Technology Levels.

        AIX Level        Fix
        ------------------------------------------------------
        5.2.0            sysmgt.websm.webaccess.5.2.0.105
        5.3.0            sysmgt.websm.webaccess.5.3.0.61.U

        To extract the fixes from the tar file:

            tar xvf websm_linux_fix.tar
            cd websm_linux_fix

        Verify you have retrieved the fixes intact:

        The checksums below were generated using the "sum", "cksum",
        "csum -h MD5" (md5sum), and "csum -h SHA1" (sha1sum) commands
        and are as follows:

        To verify the sums, use the text of this advisory as input to
        csum, md5sum, or sha1sum. For example:

            csum -h SHA1 -i Advisory.asc
            md5sum -c Advisory.asc
            sha1sum -c Advisory.asc

        These sums should match exactly. The PGP signatures in the tar
        file and on this advisory can also be used to verify the
        integrity of the fixes. If the sums or signatures cannot be
        confirmed, contact IBM AIX Security at
        security-alert@austin.ibm.com and describe the discrepancy.

    C. FIX INSTALLATION

        IMPORTANT: If possible, it is recommended that a mksysb backup
        of the system be created. Verify it is both bootable and
        readable before proceeding.

        To preview a fix installation:

            installp -a -d . -p all

        To install a fix package:

            installp -a -d . -X all

VI. WORKAROUND

    Remove the world writable permission from the installed files.
    Change to the directory where the WebSM Remote Client for Linux
    was installed and execute the following command:

        chmod -R o-w .

VII. OBTAINING FIXES

    AIX security related fixes can be downloaded from:

        ftp://aix.software.ibm.com/aix/efixes/security

    AIX fixes can be downloaded from:

        http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix

    NOTE: Affected customers are urged to upgrade to the latest
    applicable Technology Level and Service Pack.

VIII. CONTACT INFORMATION

    If you would like to receive AIX Security Advisories via email,
    please visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd

    Comments regarding the content of this announcement can be
    directed to:

        security-alert@austin.ibm.com

    To request the PGP public key that can be used to communicate
    securely with the AIX Security Team you can either:

        A. Send an email with "get key" in the subject line to:

            security-alert@austin.ibm.com

        B. Download the key from a PGP Public Key Server. The key ID is:

            0xA6A36CCC

    Please contact your local IBM AIX support center for any
    assistance.

    eServer is a trademark of International Business Machines
    Corporation. IBM, AIX and pSeries are registered trademarks of
    International Business Machines Corporation. All other trademarks
    are property of their respective holders.

IX. ACKNOWLEDGMENTS

    IBM discovered and fixed this vulnerability as part of its
    commitment to secure the AIX operating system.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD8DBQFHllCe8lficKajbMwRAgZqAJ47DP6yr6Q8AgGzJ+CuBAKJHXls9gCfWk4p
aRimSb6qk4T1sL0vukAsPz0=
=5tCw
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Tue Jan 22 14:02:18 CST 2008
===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:      AIX swap commands buffer overflow

PLATFORMS:          AIX 5.2, 5.3

SOLUTION:           Apply the fix or workaround as described below.

THREAT:             A local attacker may execute arbitrary code with
                    root privileges.

CERT VU Number:     n/a
CVE Number:         n/a
===============================================================================
                           DETAILED INFORMATION

I. OVERVIEW

    The swapon command activates a paging space. The swapoff command
    deactivates one or more paging spaces. The primary fileset for the
    AIX swap commands is 'bos.rte.control'.

    The swapon and swapoff commands contain buffer overflow
    vulnerabilities.

II. DESCRIPTION

    Buffer overflow vulnerabilities exist in the 'bos.rte.control'
    fileset commands listed below. A local attacker may execute
    arbitrary code with root privileges because the commands are
    setuid root. The local attacker must be a member of the 'system'
    group to execute these commands.

    The following commands are vulnerable:

        /usr/sbin/swap
        /usr/sbin/swapoff
        /usr/sbin/swapon

III. IMPACT

    The successful exploitation of this vulnerability allows a
    non-privileged user to execute code with root privileges.

IV. PLATFORM VULNERABILITY ASSESSMENT

    To determine if your system is vulnerable, execute the following
    command:

        lslpp -L bos.rte.control

    The following fileset levels are vulnerable:

        AIX Fileset        Lower Level       Upper Level
        ------------------------------------------------
        bos.rte.control    5.2.0.0           5.2.0.95
        bos.rte.control    5.3.0.0           5.3.0.50

V. SOLUTIONS

    A. APARS

        IBM provides the following fixes:

        AIX Level           APAR number        Availability
        ---------------------------------------------------
        5.2                 IY96095            Available now
        5.3                 IY96101            Available now

        Subscribe to the APARs here:

            http://www.ibm.com/support/docview.wss?uid=isg1IY96095
            http://www.ibm.com/support/docview.wss?uid=isg1IY96101

        By subscribing, you will receive periodic email alerting you
        to the status of the APAR, and a link to download the fix once
        it becomes available.

    B. FIXES

        Fixes are available. The fixes can be downloaded via ftp
        from:

            ftp://aix.software.ibm.com/aix/efixes/security/swap_fix.tar

        The link above is to a tar file containing this signed
        advisory, fix packages, and PGP signatures for each package.
        The fixes below include prerequisite checking. This will
        enforce the correct mapping between the fixes and AIX
        Technology Levels.

        AIX Level        Fix
        -------------------------------------------------------------------
        5.2.0            bos.rte.control.5.2.0.96.U
        5.3.0            bos.rte.control.5.3.0.51.U

        To extract the fixes from the tar file:

            tar xvf swap_fix.tar
            cd swap_fix

        Verify you have retrieved the fixes intact:

        The checksums below were generated using the "sum", "cksum",
        "csum -h MD5" (md5sum), and "csum -h SHA1" (sha1sum) commands
        and are as follows:

        To verify the sums, use the text of this advisory as input to
        csum, md5sum, or sha1sum. For example:

            csum -h SHA1 -i Advisory.asc
            md5sum -c Advisory.asc
            sha1sum -c Advisory.asc

        These sums should match exactly. The PGP signatures in the tar
        file and on this advisory can also be used to verify the
        integrity of the fixes. If the sums or signatures cannot be
        confirmed, contact IBM AIX Security at
        security-alert@austin.ibm.com and describe the discrepancy.

    C. FIX INSTALLATION

        IMPORTANT: If possible, it is recommended that a mksysb backup
        of the system be created. Verify it is both bootable and
        readable before proceeding.

        To preview a fix installation:

            installp -a -d . -p all

        To install a fix package:

            installp -a -d . -X all

VI. WORKAROUNDS

    There are two workarounds available.

    A. OPTION 1

        Change the permissions of these commands to remove the setuid
        bit using the following commands:

            chmod 500 /usr/sbin/swap
            chmod 500 /usr/sbin/swapoff
            chmod 500 /usr/sbin/swapon

        NOTE: chmod will disable functionality of these commands for
        all users except root.

    B. OPTION 2 (AIX 6.1, AIX 5.3 TL6 and TL7)

        Use the File Permissions Manager (fpm) command to manage
        setuid and setgid programs.

        fpm documentation can be found in the AIX 6 Security Redbook
        at:

            http://www.redbooks.ibm.com/abstracts/sg247430.html

        An fpm level of high, medium, or low will remove the setuid
        bit from the affected commands. For example:

            fpm -l high -p    # to preview changes
            fpm -l high       # to execute changes

        NOTE: Please review the documentation before execution. fpm
        will disable functionality of multiple commands for all users
        except root.

VII. OBTAINING FIXES

    AIX security related fixes can be downloaded from:

        ftp://aix.software.ibm.com/aix/efixes/security

    AIX fixes can be downloaded from:

        http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix

    NOTE: Affected customers are urged to upgrade to the latest
    applicable Technology Level and Service Pack.

VIII. CONTACT INFORMATION

    If you would like to receive AIX Security Advisories via email,
    please visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd

    Comments regarding the content of this announcement can be
    directed to:

        security-alert@austin.ibm.com

    To request the PGP public key that can be used to communicate
    securely with the AIX Security Team you can either:

        A. Send an email with "get key" in the subject line to:

            security-alert@austin.ibm.com

        B. Download the key from a PGP Public Key Server. The key ID is:

            0xA6A36CCC

    Please contact your local IBM AIX support center for any
    assistance.

    eServer is a trademark of International Business Machines
    Corporation. IBM, AIX and pSeries are registered trademarks of
    International Business Machines Corporation. All other trademarks
    are property of their respective holders.

IX. ACKNOWLEDGMENTS

    IBM discovered and fixed this vulnerability as part of its
    commitment to secure the AIX operating system.

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD8DBQFHlk+M8lficKajbMwRAkTuAJ92g3gSoun41zWIsB017nEMFqcYQACbBKql
hVvDI5eV4Dlkp0O0IRNNoPg=
=ccj0
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBR6kuJSh9+71yA2DNAQKWsQQAgSbO/vN/OMrC8MbFgJ342TOsTQS/Iuf1
iMXlhsifvAPq9Qj0Q2T8KGvJiHg6n9u32yPDUzg86WDczzRVaen8hpsVvzZnQYAs
B2DzSpI1+TTIxLKCQAKYAoJT718oOwGINmlgEgBTAj7FbQQEWFlyNFsA3+MaLBHa
Mvd+rynu8t8=
=YIyu
-----END PGP SIGNATURE-----
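
The "PLATFORM VULNERABILITY ASSESSMENT" sections of the swap commands and WebSM advisories above ask the reader to compare an installed fileset level against a lower/upper range. The following is an added example, not part of the IBM or AusCERT text, that performs that comparison field by field in POSIX sh; the function names and the inventory lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag fileset levels inside the vulnerable ranges published
# in the swap-commands and WebSM advisories above.

# fileset, lower level, upper level (copied from the advisories' tables)
VULN_RANGES='bos.rte.control 5.2.0.0 5.2.0.95
bos.rte.control 5.3.0.0 5.3.0.50
sysmgt.websm.webaccess 5.2.0.0 5.2.0.104
sysmgt.websm.webaccess 5.3.0.0 5.3.0.60'

# Constructed inventory (host, fileset, level). On AIX the level would be
# read from the output of `lslpp -L <fileset>`, as the advisories instruct.
INVENTORY='hostA bos.rte.control 5.3.0.50
hostB bos.rte.control 5.3.0.51
hostC sysmgt.websm.webaccess 5.2.0.104
hostD sysmgt.websm.webaccess 5.2.0.105'

# Succeed only for a four-field numeric level such as 5.3.0.50.
is_level() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.
    set -- $1
    IFS=$_ifs
    [ $# -eq 4 ]
}

# Print -1, 0 or 1 as level $1 is below, equal to or above level $2.
# Fields compare as integers, so 5.2.0.100 sorts above 5.2.0.95.
level_cmp() {
    _ifs=$IFS; IFS=.
    set -- $1 $2            # $1..$4 = first level, $5..$8 = second level
    IFS=$_ifs
    for _pair in "$1 $5" "$2 $6" "$3 $7" "$4 $8"; do
        if [ "${_pair% *}" -lt "${_pair#* }" ]; then echo -1; return 0; fi
        if [ "${_pair% *}" -gt "${_pair#* }" ]; then echo 1; return 0; fi
    done
    echo 0
}

# Print VULNERABLE, ok, unlisted or bad-level for one fileset/level pair.
# "ok" only means the level is outside the ranges listed in VULN_RANGES.
check_fileset() {
    if ! is_level "$2"; then echo bad-level; return 0; fi
    _seen=no
    while read -r _fs _lo _hi; do
        if [ "$_fs" != "$1" ]; then continue; fi
        _seen=yes
        if [ "$(level_cmp "$2" "$_lo")" -ge 0 ] &&
           [ "$(level_cmp "$2" "$_hi")" -le 0 ]; then
            echo VULNERABLE; return 0
        fi
    done <<EOF
$VULN_RANGES
EOF
    if [ "$_seen" = yes ]; then echo ok; else echo unlisted; fi
}

# Report every inventory line with its verdict appended.
audit_inventory() {
    while read -r _host _fileset _level; do
        echo "$_host $_fileset $_level $(check_fileset "$_fileset" "$_level")"
    done <<EOF
$INVENTORY
EOF
}

audit_inventory
```

The upper bound is treated as inclusive, matching the advisories: the first fixed levels they list (bos.rte.control 5.3.0.51, sysmgt.websm.webaccess 5.2.0.105) fall just above the ranges.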