-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                          ESB-2008.0091 -- [AIX]
                       Multiple AIX vulnerabilities
                              6 February 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              ps
                      uspchrp
                      utape
                      Logical Volume Manager
                      Linux WebSM remote client
                      swap commands
Publisher:            IBM
Operating System:     AIX
Impact:               Root Compromise
                      Modify Arbitrary Files
                      Access Confidential Data
Access:               Existing Account
CVE Names:            CVE-2008-0584 CVE-2008-0585 CVE-2008-0586
                      CVE-2008-0587 CVE-2008-0588 CVE-2008-0589

Original Bulletin:   
 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4078
 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4077
 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4076
 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4075
 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4074
 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4073
 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4072
 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4071
 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4070
 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4069
 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4068
 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4067
 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4066
 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4065
 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4064
 http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4063

Comment: This bulletin contains six (6) AIX advisories.
         
         There are multiple bulletin URLs because IBM has released one per
         AIX version for each product.

Revision History:     February 6 2008: Added CVEs
                      January 25 2008: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Tue Jan 22 14:02:18 CST 2008
===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:   AIX ps information leak

PLATFORMS:       AIX 5.2, 5.3, 6.1

SOLUTION:        Apply the fix as described below.

THREAT:          A local attacker may access sensitive information.

CERT VU Number:  n/a
CVE Number:      n/a
===============================================================================
                           DETAILED INFORMATION

I. OVERVIEW

    The ps command shows current status of processes.  The primary
    fileset for the ps command is 'bos.rte.control'.  The ps command
    allows local users to obtain sensitive information.

II. DESCRIPTION

    An information leak exists in the 'bos.rte.control' fileset
    commands listed below.  A local attacker may access sensitive
    information for arbitrary processes. 

    The following commands are vulnerable: 

        /usr/bin/ps

III. IMPACT

    The successful exploitation of this vulnerability allows a
    non-privileged user to access sensitive data for arbitrary
    processes.

IV. PLATFORM VULNERABILITY ASSESSMENT

    To determine if your system is vulnerable, execute the following
    command:

    lslpp -L bos.rte.control

    The following fileset levels are vulnerable:

    AIX Fileset        Lower Level       Upper Level
    ------------------------------------------------
    bos.rte.control    5.2.0.0           5.2.0.107
    bos.rte.control    5.3.0.0           5.3.0.64
    bos.rte.control    5.3.7.0           5.3.7.1
    bos.rte.control    6.1.0.0           6.1.0.3

V. SOLUTIONS

    A. APARS

        IBM provides the following fixes:

        AIX Level           APAR number        Availability
        ---------------------------------------------------
        5.2.0               IZ11242            05/14/08
        5.3.0               IZ12745            04/30/08
        5.3.7               IZ11243            04/30/08
        6.1.0               IZ11244            02/20/08

        Subscribe to the APARs here:

        http://www.ibm.com/support/docview.wss?uid=isg1IZ11242
        http://www.ibm.com/support/docview.wss?uid=isg1IZ12745
        http://www.ibm.com/support/docview.wss?uid=isg1IZ11243
        http://www.ibm.com/support/docview.wss?uid=isg1IZ11244

        By subscribing, you will receive periodic email alerting you
        to the status of the APAR, and a link to download the fix once
        it becomes available.

    B. FIXES

        Fixes are available.  The fixes can be downloaded via ftp
        from:

        ftp://aix.software.ibm.com/aix/efixes/security/ps_ifix.tar

        The link above is to a tar file containing this signed
        advisory, fix packages, and PGP signatures for each package.
        The fixes below include prerequisite checking. This will
        enforce the correct mapping between the fixes and AIX
        Technology Levels.

        AIX Level          Interim Fix
        -------------------------------------------------------------------
        5.2.0 TL8          IZ11242_08.080110.epkg.Z
        5.2.0 TL9          IZ11242_09.080110.epkg.Z
        5.2.0 TL10         IZ11242_10.080110.epkg.Z
        5.3.0 TL5          IZ12745_05.080110.epkg.Z
        5.3.0 TL6          IZ12745_06.080110.epkg.Z
        5.3.7              IZ11243_07.080110.epkg.Z
        6.1.0              IZ11244_00.080110.epkg.Z

        To extract the fixes from the tar file:

        tar xvf ps_ifix.tar
        cd ps_ifix

        Verify you have retrieved the fixes intact:

        The checksums below were generated using the "sum", "cksum",
        "csum -h MD5" (md5sum), and "csum -h SHA1" (sha1sum) commands
        and are as follows:

        To verify the sums, use the text of this advisory as input to
        csum, md5sum, or sha1sum. For example:

        csum -h SHA1 -i Advisory.asc
        md5sum -c Advisory.asc
        sha1sum -c Advisory.asc

        These sums should match exactly. The PGP signatures in the tar
        file and on this advisory can also be used to verify the
        integrity of the fixes.  If the sums or signatures cannot be
        confirmed, contact IBM AIX Security at
        security-alert@austin.ibm.com and describe the discrepancy.

    C. INTERIM FIX INSTALLATION

        IMPORTANT: If possible, it is recommended that a mksysb backup
        of the system be created.  Verify it is both bootable and
        readable before proceeding.

        Interim fixes have had limited functional and regression
        testing but not the full regression testing that takes place
        for Service Packs; thus, IBM does not warrant the fully
        correct functionality of an interim fix.

        Interim fix management documentation can be found at:

        http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

        To preview an interim fix installation:

        emgr -e ipkg_name -p         # where ipkg_name is the name of the
                                     # interim fix package being previewed.

        To install an interim fix package:

        emgr -e ipkg_name -X         # where ipkg_name is the name of the
                                     # interim fix package being installed.

VI. WORKAROUNDS

    There are no workarounds available.

VII. OBTAINING FIXES

    AIX security related fixes can be downloaded from:

        ftp://aix.software.ibm.com/aix/efixes/security

    AIX fixes can be downloaded from:

        http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix

    NOTE: Affected customers are urged to upgrade to the latest
    applicable Technology Level and Service Pack.

VIII. CONTACT INFORMATION

    If you would like to receive AIX Security Advisories via email,
    please visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd
 
    Comments regarding the content of this announcement can be
    directed to:

        security-alert@austin.ibm.com

    To request the PGP public key that can be used to communicate
    securely with the AIX Security Team you can either:

        A. Send an email with "get key" in the subject line to:

            security-alert@austin.ibm.com

        B. Download the key from a PGP Public Key Server. The key ID is:

            0xA6A36CCC

    Please contact your local IBM AIX support center for any
    assistance.

    eServer is a trademark of International Business Machines
    Corporation.  IBM, AIX and pSeries are registered trademarks of
    International Business Machines Corporation.  All other trademarks
    are property of their respective holders.

IX. ACKNOWLEDGMENTS

    Andrea "bunker" Purificato reported this vulnerability.


- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD8DBQFHllXn8lficKajbMwRAjPJAJ93HN3IwZXMx4a5JepjmsiZRLTIxQCfX+XJ
OHQaRO3ZzhvoPxbx2cQh+EU=
=E4zF
- -----END PGP SIGNATURE-----


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Tue Jan 22 14:02:18 CST 2008
===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:   AIX uspchrp buffer overflow

PLATFORMS:       AIX 5.2, 5.3

SOLUTION:        Apply the fix or workaround as described below.

THREAT:          A local attacker may execute arbitrary code with root
                 privileges.

CERT VU Number:  n/a
CVE Number:      n/a
===============================================================================
                           DETAILED INFORMATION

I. OVERVIEW

    uspchrp is a command in the AIX diagnostics subsystem.  The
    primary fileset for the uspchrp command is
    'devices.chrp.base.diag'.  The uspchrp command contains a buffer
    overflow vulnerability.

II. DESCRIPTION

    Buffer overflow vulnerabilities exist in the commands listed
    below.  A local attacker may execute arbitrary code with root
    privileges because the commands are setuid root.  The local
    attacker must be a member of the 'system' group to execute these
    commands.

    The following commands are vulnerable: 

        /usr/lpp/diagnostics/bin/uspchrp

III. IMPACT

    The successful exploitation of this vulnerability allows a
    non-privileged user to execute code with root privileges.

IV. PLATFORM VULNERABILITY ASSESSMENT

    To determine if your system is vulnerable, execute the following
    command:

    lslpp -L devices.chrp.base.diag

    The following fileset levels are vulnerable:

    AIX Fileset               Lower Level       Upper Level
    -------------------------------------------------------
    devices.chrp.base.diag    5.2.0.0           5.2.0.105
    devices.chrp.base.diag    5.3.0.0           5.3.0.62
    devices.chrp.base.diag    5.3.7.0           5.3.7.0

V. SOLUTIONS

    A. APARS

        IBM provides the following fixes:

        AIX Level           APAR number        Availability
        ----------------------------------------------------
        5.2.0               IZ06261            Available now
        5.3.0               IZ06621            Available now
        5.3.7               IZ06489            Available now

        Subscribe to the APARs here:

        http://www.ibm.com/support/docview.wss?uid=isg1IZ06261
        http://www.ibm.com/support/docview.wss?uid=isg1IZ06621
        http://www.ibm.com/support/docview.wss?uid=isg1IZ06489

        By subscribing, you will receive periodic email alerting you
        to the status of the APAR, and a link to download the fix once
        it becomes available.

    B. FIXES

        Fixes are available.  The fixes can be downloaded via ftp
        from:

        ftp://aix.software.ibm.com/aix/efixes/security/uspchrp_fix.tar

        The link above is to a tar file containing this signed
        advisory, fix packages, and PGP signatures for each package.
        The fixes below include prerequisite checking. This will
        enforce the correct mapping between the fixes and AIX
        Technology Levels.

        AIX Level      Fix
        -----------------------------------------------------------------
        5.2.0          devices.chrp.base.diag.5.2.0.106.U
        5.3.0          devices.chrp.base.diag.5.3.0.63.U
        5.3.7          devices.chrp.base.diag.5.3.7.1.U

        To extract the fixes from the tar file:

        tar xvf uspchrp_fix.tar
        cd uspchrp_fix

        Verify you have retrieved the fixes intact:

        The checksums below were generated using the "sum", "cksum",
        "csum -h MD5" (md5sum), and "csum -h SHA1" (sha1sum) commands
        and are as follows:

        To verify the sums, use the text of this advisory as input to
        csum, md5sum, or sha1sum. For example:

        csum -h SHA1 -i Advisory.asc
        md5sum -c Advisory.asc
        sha1sum -c Advisory.asc

        These sums should match exactly. The PGP signatures in the tar
        file and on this advisory can also be used to verify the
        integrity of the fixes.  If the sums or signatures cannot be
        confirmed, contact IBM AIX Security at
        security-alert@austin.ibm.com and describe the discrepancy.

    C. FIX INSTALLATION

        IMPORTANT: If possible, it is recommended that a mksysb backup
        of the system be created.  Verify it is both bootable and
        readable before proceeding.

        To preview a fix installation:

        installp -a -d . -p all

        To install a fix package:

        installp -a -d . -X all

VI. WORKAROUNDS

    There are two workarounds available.

    A. OPTION 1

        Change the permissions of these commands to remove the setuid
        bit using the following commands:

        chmod 500 /usr/lpp/diagnostics/bin/uspchrp

        NOTE: chmod will disable functionality of these commands for
        all users except root.

    B. OPTION 2 (AIX 6.1, AIX 5.3 TL6 and TL7)

        Use the File Permissions Manager (fpm) command to manage
        setuid and setgid programs.

        fpm documentation can be found in the AIX 6 Security Redbook
        at:

        http://www.redbooks.ibm.com/abstracts/sg247430.html

        An fpm level of high, medium, or low will remove the setuid
        bit from the affected commands.  For example:

        fpm -l high -p    # to preview changes
        fpm -l high       # to execute changes

        NOTE: Please review the documentation before execution.  fpm
        will disable functionality of multiple commands for all users
        except root.

VII. OBTAINING FIXES

    AIX security related fixes can be downloaded from:

        ftp://aix.software.ibm.com/aix/efixes/security

    AIX fixes can be downloaded from:

        http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix

    NOTE: Affected customers are urged to upgrade to the latest
    applicable Technology Level and Service Pack.

IX. ACKNOWLEDGMENTS

    IBM discovered and fixed this vulnerability as part of its
    commitment to secure the AIX operating system.

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD8DBQFHllWM8lficKajbMwRArapAKCzLT/t9C4wSh/wWzJwrdcvK6jiYwCgkhb8
bTaQ0uhu/mssJtflNQZ5bXY=
=zl6u
- -----END PGP SIGNATURE-----


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Tue Jan 22 14:02:18 CST 2008
===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:   AIX utape buffer overflow

PLATFORMS:       AIX 5.2, 5.3

SOLUTION:        Apply the fix or workaround as described below.

THREAT:          A local attacker may execute arbitrary code with root
                 privileges.

CERT VU Number:  n/a
CVE Number:      n/a
===============================================================================
                           DETAILED INFORMATION

I. OVERVIEW

    utape is a command in the AIX diagnostics subsystem.  The primary
    fileset for the utape command is 'devices.scsi.tape.diag'.  The
    utape command contains a buffer overflow vulnerability.

II. DESCRIPTION

    Buffer overflow vulnerabilities exist in the commands listed
    below.  A local attacker may execute arbitrary code with root
    privileges because the commands are setuid root.  The local
    attacker must be a member of the 'system' group to execute these
    commands.

    The following commands are vulnerable: 

        /usr/lpp/diagnostics/bin/utape

III. IMPACT

    The successful exploitation of this vulnerability allows a
    non-privileged user to execute code with root privileges.

IV. PLATFORM VULNERABILITY ASSESSMENT

    To determine if your system is vulnerable, execute the following
    command:

    lslpp -L devices.scsi.tape.diag

    The following fileset levels are vulnerable:

    AIX Fileset               Lower Level       Upper Level
    -------------------------------------------------------
    devices.scsi.tape.diag    5.2.0.0           5.2.0.105
    devices.scsi.tape.diag    5.3.0.0           5.3.0.61
    devices.scsi.tape.diag    5.3.7.0           5.3.7.0

V. SOLUTIONS

    A. APARS

        IBM provides the following fixes:

        AIX Level           APAR number        Availability
        ----------------------------------------------------
        5.2.0               IZ06260            Available now
        5.3.0               IZ06620            Available now
        5.3.7               IZ06488            Available now

        Subscribe to the APARs here:

        http://www.ibm.com/support/docview.wss?uid=isg1IZ06260
        http://www.ibm.com/support/docview.wss?uid=isg1IZ06620
        http://www.ibm.com/support/docview.wss?uid=isg1IZ06488

        By subscribing, you will receive periodic email alerting you
        to the status of the APAR, and a link to download the fix once
        it becomes available.

    B. FIXES

        Fixes are available.  The fixes can be downloaded via ftp
        from:

        ftp://aix.software.ibm.com/aix/efixes/security/utape_fix.tar

        The link above is to a tar file containing this signed
        advisory, fix packages, and PGP signatures for each package.
        The fixes below include prerequisite checking. This will
        enforce the correct mapping between the fixes and AIX
        Technology Levels.

        AIX Level         Fix
        ----------------------------------------------------
        5.2.0             devices.scsi.tape.diag.5.2.0.106.U 
        5.3.0             devices.scsi.tape.diag.5.3.0.62.U 
        5.3.7             devices.scsi.tape.diag.5.3.7.1.U   

        To extract the fixes from the tar file:

        tar xvf utape_fix.tar
        cd utape_fix

        Verify you have retrieved the fixes intact:

        The checksums below were generated using the "sum", "cksum",
        "csum -h MD5" (md5sum), and "csum -h SHA1" (sha1sum) commands
        and are as follows:

        To verify the sums, use the text of this advisory as input to
        csum, md5sum, or sha1sum. For example:

        csum -h SHA1 -i Advisory.asc
        md5sum -c Advisory.asc
        sha1sum -c Advisory.asc

        These sums should match exactly. The PGP signatures in the tar
        file and on this advisory can also be used to verify the
        integrity of the fixes.  If the sums or signatures cannot be
        confirmed, contact IBM AIX Security at
        security-alert@austin.ibm.com and describe the discrepancy.
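
        Added example (not IBM's tooling): a fail-closed form of the
        checksum step in section V.B of the advisories above.  It looks
        up the published SHA1 for one package in the advisory text and
        refuses to proceed on a mismatch or a missing entry.  The
        function names and the demo file are constructed; the csum
        output layout is assumed to match that of sha1sum.

```shell
#!/bin/sh
# Verify the advisory's PGP signature first (gpg --verify Advisory.asc);
# the sums are only as trustworthy as the text they are read from.

# sha1_of FILE -> prints the hex SHA-1 digest of FILE
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        # AIX: assumed to print "<digest>  <file>" like sha1sum does
        csum -h SHA1 "$1" | awk '{print $1}'
    fi
}

# published_sha1 ADVISORY NAME -> prints the 40-hex digest listed for NAME.
# Rows look like "<digest>  <filename>" and may be indented; MD5 rows
# (32 hex) and sum/cksum rows (three fields) are skipped by the filter.
published_sha1() {
    awk -v name="$2" '
        NF == 2 && $2 == name && length($1) == 40 && $1 ~ /^[0-9a-f]+$/ {
            print $1; found = 1; exit
        }
        END { exit !found }' "$1"
}

# verify_fix ADVISORY FILE
# returns 0 = digest matches, 1 = mismatch, 2 = FILE not listed
verify_fix() {
    _want=$(published_sha1 "$1" "$(basename "$2")") || return 2
    _have=$(sha1_of "$2") || return 1
    [ "$_want" = "$_have" ]
}

# demo: constructed package and advisory excerpt in a scratch directory.
# Prints the three return codes: intact, corrupted, unlisted.
demo() {
    _d=${TMPDIR:-/tmp}/verify_demo.$$
    mkdir "$_d" || return 1
    printf 'constructed fix payload\n' > "$_d/example_fix.epkg.Z"
    {
        echo '        csum -h SHA1 (sha1sum)                    filename'
        echo "        $(sha1_of "$_d/example_fix.epkg.Z")  example_fix.epkg.Z"
    } > "$_d/Advisory.asc"

    _r1=0; verify_fix "$_d/Advisory.asc" "$_d/example_fix.epkg.Z" || _r1=$?
    printf 'x' >> "$_d/example_fix.epkg.Z"      # simulate a damaged download
    _r2=0; verify_fix "$_d/Advisory.asc" "$_d/example_fix.epkg.Z" || _r2=$?
    _r3=0; verify_fix "$_d/Advisory.asc" "$_d/other.epkg.Z" || _r3=$?

    rm -rf "$_d"
    echo "$_r1 $_r2 $_r3"
}

demo
```

        Only a return code of 0 should be followed by the installp or
        emgr preview step.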

    C. FIX INSTALLATION

        IMPORTANT: If possible, it is recommended that a mksysb backup
        of the system be created.  Verify it is both bootable and
        readable before proceeding.

        To preview a fix installation:

        installp -a -d . -p all

        To install a fix package:

        installp -a -d . -X all

VI. WORKAROUNDS

    There are two workarounds available.

    A. OPTION 1

        Change the permissions of these commands to remove the setuid
        bit using the following commands:

        chmod 500 /usr/lpp/diagnostics/bin/utape

        NOTE: chmod will disable functionality of these commands for
        all users except root.

    B. OPTION 2 (AIX 6.1, AIX 5.3 TL6 and TL7)

        Use the File Permissions Manager (fpm) command to manage
        setuid and setgid programs.

        fpm documentation can be found in the AIX 6 Security Redbook
        at:

        http://www.redbooks.ibm.com/abstracts/sg247430.html

        An fpm level of high, medium, or low will remove the setuid
        bit from the affected commands.  For example:

        fpm -l high -p    # to preview changes
        fpm -l high       # to execute changes

        NOTE: Please review the documentation before execution.  fpm
        will disable functionality of multiple commands for all users
        except root.

VII. OBTAINING FIXES

    AIX security related fixes can be downloaded from:

        ftp://aix.software.ibm.com/aix/efixes/security

    AIX fixes can be downloaded from:

        http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix

    NOTE: Affected customers are urged to upgrade to the latest
    applicable Technology Level and Service Pack.

IX. ACKNOWLEDGMENTS

    IBM discovered and fixed this vulnerability as part of its
    commitment to secure the AIX operating system.

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD8DBQFHllOv8lficKajbMwRAvUgAJ4h8anJbV0rQF+T5Y/AD49daWwAjgCfWgbj
+I6Q449xKTLf1N5JWuEb5I8=
=N01h
- -----END PGP SIGNATURE-----


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Tue Jan 22 14:02:18 CST 2008
===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:   AIX Logical Volume Manager buffer overflow

PLATFORMS:       AIX 5.2, 5.3

SOLUTION:        Apply the fix or workaround as described below.

THREAT:          A local attacker may execute arbitrary code with root
                 privileges.

CERT VU Number:  n/a
CVE Number:      n/a
===============================================================================
                           DETAILED INFORMATION

I. OVERVIEW

    The AIX Logical Volume Manager provides a suite of utilities for
    AIX logical volume management features and functions. The primary
    fileset for the AIX Logical Volume Manager is 'bos.rte.lvm'. In
    addition, AIX provides another suite of utilities for concurrent
    logical volume management across multiple hosts.  The primary
    fileset for the AIX Concurrent Logical Volume Manager is
    'bos.clvm.enh'. Several important commands provided by these
    filesets for performing various logical volume management tasks
    have been identified as containing buffer overflow
    vulnerabilities.

II. DESCRIPTION

    Buffer overflow vulnerabilities exist in the 'bos.rte.lvm' and
    'bos.clvm.enh' fileset commands listed below.  A local attacker
    may execute arbitrary code with root privileges because the
    commands are setuid root.  The local attacker must be a member of
    the 'system' group to execute these commands.

    The following 'bos.rte.lvm' commands are vulnerable:

        /usr/sbin/lchangevg
        /usr/sbin/ldeletepv
        /usr/sbin/putlvodm
        /usr/sbin/lvaryoffvg
        /usr/sbin/lvgenminor

    The following 'bos.clvm.enh' command is vulnerable:

        /usr/sbin/tellclvmd

III. IMPACT

    The successful exploitation of this vulnerability allows a
    non-privileged user to execute code with root privileges.

IV. PLATFORM VULNERABILITY ASSESSMENT

    To determine if your system is vulnerable, execute the following
    command:

    lslpp -L bos.rte.lvm bos.clvm.enh

    The following fileset levels are vulnerable:

    AIX Fileset        Lower Level       Upper Level
    ------------------------------------------------
    bos.rte.lvm        5.2.0.0           5.2.0.107
    bos.rte.lvm        5.3.0.0           5.3.0.61
    bos.clvm.enh       5.2.0.0           5.2.0.105
    bos.clvm.enh       5.3.0.0           5.3.0.60

V. SOLUTIONS

    A. APARS

        IBM provides the following fixes:

        AIX Level           APAR number        Availability
        -----------------------------------------------------
        5.2.0               IZ00559            (available now)
        5.2.0               IZ10828            (available now)
        5.3.0               IY98331            (available now)
        5.3.0               IY98340            (available now)
        5.3.0               IY99537            (available now)

        Subscribe to the APARs here:

        http://www.ibm.com/support/docview.wss?uid=isg1IZ00559
        http://www.ibm.com/support/docview.wss?uid=isg1IZ10828
        http://www.ibm.com/support/docview.wss?uid=isg1IY98331
        http://www.ibm.com/support/docview.wss?uid=isg1IY98340
        http://www.ibm.com/support/docview.wss?uid=isg1IY99537

        By subscribing, you will receive periodic email alerting you
        to the status of the APAR, and a link to download the fix once
        it becomes available.

    B. FIXES

        Fixes are available.  The fixes can be downloaded via ftp
        from:

        ftp://aix.software.ibm.com/aix/efixes/security/lvm_ifix.tar

        The link above is to a tar file containing this signed
        advisory, fix packages, and PGP signatures for each package.
        The fixes below include prerequisite checking. This will
        enforce the correct mapping between the fixes and AIX
        Technology Levels.

        AIX Fileset         AIX Level            Fix and Interim Fix
        -----------------------------------------------------------------
        bos.rte.lvm         5200-08              IZ10828_08.071212.epkg.Z
        bos.rte.lvm         5200-08              IZ00559_8a.071212.epkg.Z
        bos.clvm.enh        5200-08              IZ00559_8b.071212.epkg.Z

        bos.rte.lvm         5200-09              IZ10828_09.071212.epkg.Z
        bos.rte.lvm         5200-09              IZ00559_9a.071211.epkg.Z
        bos.clvm.enh        5200-09              IZ00559_9b.071211.epkg.Z

        bos.rte.lvm         5200-10              IZ10828_10.071212.epkg.Z
        bos.rte.lvm         5200-10              bos.rte.lvm.5.2.0.107.U
        bos.clvm.enh        5200-10              bos.clvm.enh.5.2.0.107.U

        bos.rte.lvm         5300-05              IY98331_05.071212.epkg.Z
        bos.rte.lvm         5300-05              IY99537_05.071212.epkg.Z
        bos.rte.lvm         5300-05              IY98340_5a.071211.epkg.Z
        bos.clvm.enh        5300-05              IY98340_5b.071211.epkg.Z

        bos.rte.lvm         5300-06              bos.rte.lvm.5.3.0.63.U
        bos.clvm.enh        5300-06              bos.clvm.enh.5.3.0.61.U

        To extract the fixes from the tar file:

        tar xvf lvm_ifix.tar
        cd lvm_ifix

        Verify you have retrieved the fixes intact:

        The checksums below were generated using the "sum", "cksum",
        "csum -h MD5" (md5sum), and "csum -h SHA1" (sha1sum) commands
        and are as follows:

        To verify the sums, use the text of this advisory as input to
        csum, md5sum, or sha1sum. For example:

        csum -h SHA1 -i Advisory.asc
        md5sum -c Advisory.asc
        sha1sum -c Advisory.asc

        These sums should match exactly. The PGP signatures in the tar
        file and on this advisory can also be used to verify the
        integrity of the fixes.  If the sums or signatures cannot be
        confirmed, contact IBM AIX Security at
        security-alert@austin.ibm.com and describe the discrepancy.

    C. FIX AND INTERIM FIX INSTALLATION

        IMPORTANT: If possible, it is recommended that a mksysb backup
        of the system be created.  Verify it is both bootable and
        readable before proceeding.

        To preview a fix installation:

        installp -a -d . -p all

        To install a fix package:

        installp -a -d . -X all

        Interim fixes have had limited functional and regression
        testing but not the full regression testing that takes place
        for Service Packs; thus, IBM does not warrant the fully
        correct functionality of an interim fix.

        Interim fix management documentation can be found at:

        http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

        To preview an interim fix installation:

        emgr -e ipkg_name -p         # where ipkg_name is the name of the
                                     # interim fix package being previewed.

        To install an interim fix package:

        emgr -e ipkg_name -X         # where ipkg_name is the name of the
                                     # interim fix package being installed.

VI. WORKAROUNDS

    There are two workarounds available.

    A. OPTION 1

        Change the permissions of these commands to remove the setuid
        bit using the following commands:

        chmod 500 /usr/sbin/lchangevg
        chmod 500 /usr/sbin/ldeletepv
        chmod 500 /usr/sbin/putlvodm
        chmod 500 /usr/sbin/lvaryoffvg
        chmod 500 /usr/sbin/lvgenminor
        chmod 500 /usr/sbin/tellclvmd

        NOTE: chmod will disable functionality of these commands for
        all users except root.

    B. OPTION 2 (AIX 6.1, AIX 5.3 TL6 and TL7)

        Use the File Permissions Manager (fpm) command to manage
        setuid and setgid programs.

        fpm documentation can be found in the AIX 6 Security Redbook
        at:

        http://www.redbooks.ibm.com/abstracts/sg247430.html

        An fpm level of high will remove the setuid bit from the
        affected commands.  For example:

        fpm -l high -p    # to preview changes
        fpm -l high       # to execute changes

        NOTE: Please review the documentation before execution.  fpm
        will disable functionality of multiple commands for all users
        except root.

VII. OBTAINING FIXES

    AIX security related fixes can be downloaded from:

        ftp://aix.software.ibm.com/aix/efixes/security

    AIX fixes can be downloaded from:

        http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix

    NOTE: Affected customers are urged to upgrade to the latest
    applicable Technology Level and Service Pack.

VIII. CONTACT INFORMATION

    If you would like to receive AIX Security Advisories via email,
    please visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd
 
    Comments regarding the content of this announcement can be
    directed to:

        security-alert@austin.ibm.com

    To request the PGP public key that can be used to communicate
    securely with the AIX Security Team you can either:

        A. Send an email with "get key" in the subject line to:

            security-alert@austin.ibm.com

        B. Download the key from a PGP Public Key Server. The key ID is:

            0xA6A36CCC

    Please contact your local IBM AIX support center for any
    assistance.

    eServer is a trademark of International Business Machines
    Corporation.  IBM, AIX and pSeries are registered trademarks of
    International Business Machines Corporation.  All other trademarks
    are property of their respective holders.

IX. ACKNOWLEDGMENTS

    IBM discovered and fixed this vulnerability as part of its
    commitment to secure the AIX operating system.


- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD4DBQFHllGn8lficKajbMwRAnZ6AJjStvgawxHceUqaL6gMkTnjRIq4AJ9DY+d1
c6fMDU7pQ9MepNO0L0uy3A==
=8heK
- -----END PGP SIGNATURE-----


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Tue Jan 22 14:02:18 CST 2008
===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:   AIX incorrect file permissions Linux WebSM remote client

PLATFORMS:       AIX 5.2, 5.3

SOLUTION:        Apply the fix or workaround as described below.

THREAT:          World writable files installed on Linux client.

CERT VU Number:  n/a
CVE Number:      n/a
===============================================================================
                           DETAILED INFORMATION

I. OVERVIEW

    The Web-based System Manager (WebSM) Remote Client for Linux
    provides remote administration of AIX systems.  The primary
    fileset for the WebSM Remote Client is 'sysmgt.websm.webaccess'.
    Some of the files installed by the remote client on a Linux system
    have world writable permissions.

II. DESCRIPTION

    When the WebSM Remote Client is installed on a Linux system, some
    of the installed files have incorrect world writable permissions.
    Any user of the Linux system can write to the installed files.

III. IMPACT

    The successful exploitation of this vulnerability allows a
    non-privileged local user to alter the behavior of the WebSM
    Remote Client on the Linux system.

IV. PLATFORM VULNERABILITY ASSESSMENT

    To determine if your system is vulnerable, execute the following
    command:

    lslpp -L sysmgt.websm.webaccess

    The following fileset levels are vulnerable:

    AIX Fileset              Lower Level       Upper Level
    ------------------------------------------------------
    sysmgt.websm.webaccess   5.2.0.0           5.2.0.104
    sysmgt.websm.webaccess   5.3.0.0           5.3.0.60

V. SOLUTIONS

    A. APARS

        IBM provides the following fixes:

        AIX Level           APAR number        Availability
        --------------------------------------------------------
        5.2.0               None               Fixed in 5.2 TL10 
        5.3.0               IY97257            Available now

        Subscribe to the APAR here:

        http://www.ibm.com/support/docview.wss?uid=isg1IY97257

        By subscribing, you will receive periodic email alerting you
        to the status of the APAR, and a link to download the fix once
        it becomes available.

    B. FIXES

        Fixes are available.  The fixes can be downloaded via ftp
        from:

        ftp://aix.software.ibm.com/aix/efixes/security/websm_linux_fix.tar

        The link above is to a tar file containing this signed
        advisory, fix packages, and PGP signatures for each package.
        The fixes below include prerequisite checking. This will
        enforce the correct mapping between the fixes and AIX
        Technology Levels.

        AIX Level            Fix
        ------------------------------------------------------
        5.2.0                sysmgt.websm.webaccess.5.2.0.105
        5.3.0                sysmgt.websm.webaccess.5.3.0.61.U

        To extract the fixes from the tar file:

        tar xvf websm_linux_fix.tar
        cd websm_linux_fix

        Verify you have retrieved the fixes intact:

        The checksums below were generated using the "sum", "cksum",
        "csum -h MD5" (md5sum), and "csum -h SHA1" (sha1sum) commands
        and are as follows:

        sum         filename
        ----------------------------------------------
        55252 264604 sysmgt.websm.webaccess.5.2.0.105
        36306 271393 sysmgt.websm.webaccess.5.3.0.61.U

        cksum             filename
        ------------------------------------------------------
        3255572506 270954496 sysmgt.websm.webaccess.5.2.0.105
        2688673312 277906432 sysmgt.websm.webaccess.5.3.0.61.U

        csum -h MD5 (md5sum)              filename
        -------------------------------------------------------------------
        c8511ed7108662edb5c6def8462d83a5  sysmgt.websm.webaccess.5.2.0.105
        1efd9ef628928c7b7e7ab4d260b7c290  sysmgt.websm.webaccess.5.3.0.61.U

  csum -h SHA1 (sha1sum)                    filename
  ---------------------------------------------------------------------------
  cdbf1e8a19745f0c72f720d70282e8be7eb43e3a  sysmgt.websm.webaccess.5.2.0.105
  c63de7a9d6a26116fdaefba3a30759a2877c08c0  sysmgt.websm.webaccess.5.3.0.61.U

        To verify the sums, use the text of this advisory as input to
        csum, md5sum, or sha1sum. For example:

        csum -h SHA1 -i Advisory.asc
        md5sum -c Advisory.asc
        sha1sum -c Advisory.asc

        These sums should match exactly. The PGP signatures in the tar
        file and on this advisory can also be used to verify the
        integrity of the fixes.  If the sums or signatures cannot be
        confirmed, contact IBM AIX Security at
        security-alert@austin.ibm.com and describe the discrepancy.

    C. FIX INSTALLATION

        IMPORTANT: If possible, it is recommended that a mksysb backup
        of the system be created.  Verify it is both bootable and
        readable before proceeding.

        To preview a fix installation:

        installp -a -d . -p all

        To install a fix package:

        installp -a -d . -X all

VI. WORKAROUND

    Remove the world writable permission from the installed files.
    Change to the directory where the WebSM Remote Client for Linux
    was installed and execute the following command:
        
    chmod -R o-w .

VII. OBTAINING FIXES

    AIX security related fixes can be downloaded from:

        ftp://aix.software.ibm.com/aix/efixes/security

    AIX fixes can be downloaded from:

        http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix

    NOTE: Affected customers are urged to upgrade to the latest
    applicable Technology Level and Service Pack.

VIII. CONTACT INFORMATION

    If you would like to receive AIX Security Advisories via email,
    please visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd
 
    Comments regarding the content of this announcement can be
    directed to:

        security-alert@austin.ibm.com

    To request the PGP public key that can be used to communicate
    securely with the AIX Security Team you can either:

        A. Send an email with "get key" in the subject line to:

            security-alert@austin.ibm.com

        B. Download the key from a PGP Public Key Server. The key ID is:

            0xA6A36CCC

    Please contact your local IBM AIX support center for any
    assistance.

    eServer is a trademark of International Business Machines
    Corporation.  IBM, AIX and pSeries are registered trademarks of
    International Business Machines Corporation.  All other trademarks
    are property of their respective holders.

IX. ACKNOWLEDGMENTS

    IBM discovered and fixed this vulnerability as part of its
    commitment to secure the AIX operating system.

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD8DBQFHllCe8lficKajbMwRAgZqAJ47DP6yr6Q8AgGzJ+CuBAKJHXls9gCfWk4p
aRimSb6qk4T1sL0vukAsPz0=
=5tCw
- -----END PGP SIGNATURE-----


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Tue Jan 22 14:02:18 CST 2008
===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:   AIX swap commands buffer overflow

PLATFORMS:       AIX 5.2, 5.3

SOLUTION:        Apply the fix or workaround as described below.

THREAT:          A local attacker may execute arbitrary code with root
                 privileges.

CERT VU Number:  n/a
CVE Number:      n/a
===============================================================================
                           DETAILED INFORMATION

I. OVERVIEW

    The swapon command activates a paging space.  The swapoff command
    deactivates one or more paging spaces.  The primary fileset for
    the AIX swap commands is 'bos.rte.control'.  The swapon and
    swapoff commands contain buffer overflow vulnerabilities.

II. DESCRIPTION

    Buffer overflow vulnerabilities exist in the 'bos.rte.control'
    fileset commands listed below.  A local attacker may execute
    arbitrary code with root privileges because the commands are
    setuid root.  The local attacker must be a member of the 'system'
    group to execute these commands.

    The following commands are vulnerable: 

        /usr/sbin/swap
        /usr/sbin/swapoff
        /usr/sbin/swapon

III. IMPACT

    The successful exploitation of this vulnerability allows a
    non-privileged user to execute code with root privileges.

IV. PLATFORM VULNERABILITY ASSESSMENT

    To determine if your system is vulnerable, execute the following
    command:

    lslpp -L bos.rte.control

    The following fileset levels are vulnerable:

    AIX Fileset        Lower Level       Upper Level
    ------------------------------------------------
    bos.rte.control    5.2.0.0           5.2.0.95
    bos.rte.control    5.3.0.0           5.3.0.50

V. SOLUTIONS

    A. APARS

        IBM provides the following fixes:

        AIX Level           APAR number        Availability
        ---------------------------------------------------
        5.2                 IY96095            Available now
        5.3                 IY96101            Available now

        Subscribe to the APARs here:

        http://www.ibm.com/support/docview.wss?uid=isg1IY96095
        http://www.ibm.com/support/docview.wss?uid=isg1IY96101

        By subscribing, you will receive periodic email alerting you
        to the status of the APAR, and a link to download the fix once
        it becomes available.

    B. FIXES

        Fixes are available.  The fixes can be downloaded via ftp
        from:

        ftp://aix.software.ibm.com/aix/efixes/security/swap_fix.tar

        The link above is to a tar file containing this signed
        advisory, fix packages, and PGP signatures for each package.
        The fixes below include prerequisite checking. This will
        enforce the correct mapping between the fixes and AIX
        Technology Levels.

        AIX Level          Fix
        -------------------------------------------------------------------
        5.2.0              bos.rte.control.5.2.0.96.U
        5.3.0              bos.rte.control.5.3.0.51.U

        To extract the fixes from the tar file:

        tar xvf swap_fix.tar
        cd swap_fix

        Verify you have retrieved the fixes intact:

        The checksums below were generated using the "sum", "cksum",
        "csum -h MD5" (md5sum), and "csum -h SHA1" (sha1sum) commands
        and are as follows:

        sum         filename
        --------------------------------------
        55018  1206 bos.rte.control.5.2.0.96.U
        32224  1303 bos.rte.control.5.3.0.51.U

        cksum             filename
        ---------------------------------------------
        2165128344 1234944 bos.rte.control.5.2.0.96.U
        2786668967 1334272 bos.rte.control.5.3.0.51.U

        csum -h MD5 (md5sum)              filename
        ------------------------------------------------------------
        0ca8d74d125a16264c0ece1d478920b8  bos.rte.control.5.2.0.96.U
        7bf48b86540b9920399c4c4495d86579  bos.rte.control.5.3.0.51.U

        csum -h SHA1 (sha1sum)                    filename
        --------------------------------------------------------------------
        980e3ef913f0c85bd2f2d4ef8bb16023ec90f559  bos.rte.control.5.2.0.96.U
        22fd4dd35387ddf506b914376740d36197cd1685  bos.rte.control.5.3.0.51.U

        To verify the sums, use the text of this advisory as input to
        csum, md5sum, or sha1sum. For example:

        csum -h SHA1 -i Advisory.asc
        md5sum -c Advisory.asc
        sha1sum -c Advisory.asc

        These sums should match exactly. The PGP signatures in the tar
        file and on this advisory can also be used to verify the
        integrity of the fixes.  If the sums or signatures cannot be
        confirmed, contact IBM AIX Security at
        security-alert@austin.ibm.com and describe the discrepancy.

    C. FIX INSTALLATION

        IMPORTANT: If possible, it is recommended that a mksysb backup
        of the system be created.  Verify it is both bootable and
        readable before proceeding.

        To preview a fix installation:

        installp -a -d . -p all

        To install a fix package:

        installp -a -d . -X all

VI. WORKAROUNDS

    There are two workarounds available.

    A. OPTION 1

        Change the permissions of these commands to remove the setuid
        bit using the following commands:

        chmod 500 /usr/sbin/swap
        chmod 500 /usr/sbin/swapoff
        chmod 500 /usr/sbin/swapon

        NOTE: chmod will disable functionality of these commands for
        all users except root.

    B. OPTION 2 (AIX 6.1, AIX 5.3 TL6 and TL7)

        Use the File Permissions Manager (fpm) command to manage
        setuid and setgid programs.

        fpm documentation can be found in the AIX 6 Security Redbook
        at:

        http://www.redbooks.ibm.com/abstracts/sg247430.html

        An fpm level of high, medium, or low will remove the setuid
        bit from the affected commands.  For example:

        fpm -l high -p    # to preview changes
        fpm -l high       # to execute changes

        NOTE: Please review the documentation before execution.  fpm
        will disable functionality of multiple commands for all users
        except root.
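
    A check that the permission workarounds from the LVM, WebSM and
    swap advisories above are in effect, as an added shell example
    (not IBM's or AusCERT's code).  The ROOT prefix argument, the
    WEBSM_DIR variable and the function names are hypothetical; the
    command paths are the ones the advisories list.

```shell
#!/bin/sh
# Added example: audit the chmod workarounds described in section VI.

# Commands the LVM and swap advisories list as setuid root and vulnerable.
SETUID_TARGETS='/usr/sbin/lchangevg
/usr/sbin/ldeletepv
/usr/sbin/putlvodm
/usr/sbin/lvaryoffvg
/usr/sbin/lvgenminor
/usr/sbin/tellclvmd
/usr/sbin/swap
/usr/sbin/swapoff
/usr/sbin/swapon'

# audit_setuid [ROOT]: print "path STATE" for each listed command.
#   SETUID  - setuid bit still set, workaround not applied
#   CLEARED - file present without the setuid bit
#   ABSENT  - file not installed
# ROOT is an optional path prefix (hypothetical; for a mounted image or a
# test tree).  Returns non-zero if any command is still SETUID.
audit_setuid() {
    as_root=${1:-}
    as_pending=0
    for as_path in $SETUID_TARGETS; do
        if [ ! -e "$as_root$as_path" ]; then
            as_state=ABSENT
        elif [ -u "$as_root$as_path" ]; then
            as_state=SETUID
            as_pending=$((as_pending + 1))
        else
            as_state=CLEARED
        fi
        echo "$as_path $as_state"
    done
    [ "$as_pending" -eq 0 ]
}

# list_world_writable DIR: print every file or directory under DIR that
# still carries the "other" write bit, which is what the WebSM workaround
# (chmod -R o-w .) removes.  Symbolic links are skipped because their
# own mode bits are not what chmod -R changes.
list_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Report on this host.  WEBSM_DIR is a hypothetical variable naming the
# directory where the WebSM Remote Client for Linux was installed.
audit_setuid || echo "setuid bit still present on at least one command"
if [ -n "${WEBSM_DIR:-}" ]; then
    list_world_writable "$WEBSM_DIR"
fi
```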

VII. OBTAINING FIXES

    AIX security related fixes can be downloaded from:

        ftp://aix.software.ibm.com/aix/efixes/security

    AIX fixes can be downloaded from:

        http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix

    NOTE: Affected customers are urged to upgrade to the latest
    applicable Technology Level and Service Pack.

VIII. CONTACT INFORMATION

    If you would like to receive AIX Security Advisories via email,
    please visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd
 
    Comments regarding the content of this announcement can be
    directed to:

        security-alert@austin.ibm.com

    To request the PGP public key that can be used to communicate
    securely with the AIX Security Team you can either:

        A. Send an email with "get key" in the subject line to:

            security-alert@austin.ibm.com

        B. Download the key from a PGP Public Key Server. The key ID is:

            0xA6A36CCC

    Please contact your local IBM AIX support center for any
    assistance.

    eServer is a trademark of International Business Machines
    Corporation.  IBM, AIX and pSeries are registered trademarks of
    International Business Machines Corporation.  All other trademarks
    are property of their respective holders.

IX. ACKNOWLEDGMENTS

    IBM discovered and fixed this vulnerability as part of its
    commitment to secure the AIX operating system.

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD8DBQFHlk+M8lficKajbMwRAkTuAJ92g3gSoun41zWIsB017nEMFqcYQACbBKql
hVvDI5eV4Dlkp0O0IRNNoPg=
=ccj0
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBR6kuJSh9+71yA2DNAQKWsQQAgSbO/vN/OMrC8MbFgJ342TOsTQS/Iuf1
iMXlhsifvAPq9Qj0Q2T8KGvJiHg6n9u32yPDUzg86WDczzRVaen8hpsVvzZnQYAs
B2DzSpI1+TTIxLKCQAKYAoJT718oOwGINmlgEgBTAj7FbQQEWFlyNFsA3+MaLBHa
Mvd+rynu8t8=
=YIyu
-----END PGP SIGNATURE-----