
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                          ESB-2008.0267 -- [AIX]
                AIX Logical Volume Manager buffer overflow
                               14 March 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              AIX 5.2
                      AIX 5.3
Publisher:            IBM
Operating System:     AIX
Impact:               Root Compromise
Access:               Existing Account

Original Bulletin:    
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4169

--------------------------BEGIN INCLUDED TEXT--------------------

IBM SECURITY ADVISORY

First Issued: Tue Jan 22 14:02:18 CST 2008
| Updated: Tue Mar 11 12:55:14 CDT 2008
| IZ10828 availability updated
===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:   AIX Logical Volume Manager buffer overflow

PLATFORMS:       AIX 5.2, 5.3

SOLUTION:        Apply the fix or workaround as described below.

THREAT:          A local attacker may execute arbitrary code with root
                 privileges.

CERT VU Number:  n/a
CVE Number:      n/a
===============================================================================
                           DETAILED INFORMATION

I. OVERVIEW

    The AIX Logical Volume Manager provides a suite of utilities for
    AIX logical volume management features and functions. The primary
    fileset for the AIX Logical Volume Manager is 'bos.rte.lvm'. In
    addition, AIX provides another suite of utilities for concurrent
    logical volume management across multiple hosts.  The primary
    fileset for the AIX Concurrent Logical Volume Manager is
    'bos.clvm.enh'. Several important commands provided by these
    filesets for performing various logical volume management tasks
    have been identified as containing buffer overflow
    vulnerabilities.

II. DESCRIPTION

    Buffer overflow vulnerabilities exist in the 'bos.rte.lvm' and
    'bos.clvm.enh' fileset commands listed below.  A local attacker
    may execute arbitrary code with root privileges because the
    commands are setuid root.  The local attacker must be a member of
    the 'system' group to execute these commands.

    The following 'bos.rte.lvm' commands are vulnerable:

        /usr/sbin/lchangevg
        /usr/sbin/ldeletepv
        /usr/sbin/putlvodm
        /usr/sbin/lvaryoffvg
        /usr/sbin/lvgenminor

    The following 'bos.clvm.enh' command is vulnerable:

        /usr/sbin/tellclvmd

III. IMPACT

    The successful exploitation of this vulnerability allows a
    non-privileged user to execute code with root privileges.

IV. PLATFORM VULNERABILITY ASSESSMENT

    To determine if your system is vulnerable, execute the following
    command:

    lslpp -L bos.rte.lvm bos.clvm.enh

    The following fileset levels are vulnerable:

    AIX Fileset        Lower Level       Upper Level
    ------------------------------------------------
    bos.rte.lvm        5.2.0.0           5.2.0.107
    bos.rte.lvm        5.3.0.0           5.3.0.61
    bos.clvm.enh       5.2.0.0           5.2.0.105
    bos.clvm.enh       5.3.0.0           5.3.0.60

V. SOLUTIONS

    A. APARS

        IBM provides the following fixes:

        AIX Level           APAR number        Availability
        -----------------------------------------------------
        5.2.0               IZ00559            (available now)
|       5.2.0               IZ10828            05/07/2008
        5.3.0               IY98331            (available now)
        5.3.0               IY98340            (available now)
        5.3.0               IY99537            (available now)

        Subscribe to the APARs here:

        http://www.ibm.com/support/docview.wss?uid=isg1IZ00559
        http://www.ibm.com/support/docview.wss?uid=isg1IZ10828
        http://www.ibm.com/support/docview.wss?uid=isg1IY98331
        http://www.ibm.com/support/docview.wss?uid=isg1IY98340
        http://www.ibm.com/support/docview.wss?uid=isg1IY99537

        By subscribing, you will receive periodic email alerting you
        to the status of the APAR, and a link to download the fix once
        it becomes available.

    B. FIXES

        Fixes are available.  The fixes can be downloaded via ftp
        from:

        ftp://aix.software.ibm.com/aix/efixes/security/lvm_ifix.tar

        The link above is to a tar file containing this signed
        advisory, fix packages, and PGP signatures for each package.
        The fixes below include prerequisite checking. This will
        enforce the correct mapping between the fixes and AIX
        Technology Levels.

        AIX Fileset         AIX Level            Fix and Interim Fix
        -----------------------------------------------------------------
        bos.lvm.rte         5200-08              IZ10828_08.071212.epkg.Z
        bos.lvm.rte         5200-08              IZ00559_8a.071212.epkg.Z
        bos.clvm.enh        5200-08              IZ00559_8b.071212.epkg.Z

        bos.lvm.rte         5200-09              IZ10828_09.071212.epkg.Z
        bos.lvm.rte         5200-09              IZ00559_9a.071211.epkg.Z
        bos.clvm.enh        5200-09              IZ00559_9b.071211.epkg.Z

        bos.lvm.rte         5200-10              IZ10828_10.071212.epkg.Z
        bos.lvm.rte         5200-10              bos.rte.lvm.5.2.0.107.U
        bos.clvm.enh        5200-10              bos.clvm.enh.5.2.0.107.U

        bos.lvm.rte         5300-05              IY98331_05.071212.epkg.Z
        bos.lvm.rte         5300-05              IY99537_05.071212.epkg.Z
        bos.lvm.rte         5300-05              IY98340_5a.071211.epkg.Z
        bos.clvm.enh        5300-05              IY98340_5b.071211.epkg.Z

        bos.lvm.rte         5300-06              bos.rte.lvm.5.3.0.63.U
        bos.clvm.enh        5300-06              bos.clvm.enh.5.3.0.61.U

        To extract the fixes from the tar file:

        tar xvf lvm_ifix.tar
        cd lvm_ifix

        Verify you have retrieved the fixes intact:

        The checksums below were generated using the "sum", "cksum",
        "csum -h MD5" (md5sum), and "csum -h SHA1" (sha1sum) commands
        and are as follows:

        To verify the sums, use the text of this advisory as input to
        csum, md5sum, or sha1sum. For example:

        csum -h SHA1 -i Advisory.asc
        md5sum -c Advisory.asc
        sha1sum -c Advisory.asc

        These sums should match exactly. The PGP signatures in the tar
        file and on this advisory can also be used to verify the
        integrity of the fixes.  If the sums or signatures cannot be
        confirmed, contact IBM AIX Security at
        security-alert@austin.ibm.com and describe the discrepancy.

    C. FIX AND INTERIM FIX INSTALLATION

        IMPORTANT: If possible, it is recommended that a mksysb backup
        of the system be created.  Verify it is both bootable and
        readable before proceeding.

        To preview a fix installation:

        installp -a -d . -p all

        To install a fix package:

        installp -a -d . -X all

        Interim fixes have had limited functional and regression
        testing but not the full regression testing that takes place
        for Service Packs; thus, IBM does not warrant the fully
        correct functionality of an interim fix.

        Interim fix management documentation can be found at:

        http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

        To preview an interim fix installation:

        emgr -e ipkg_name -p         # where ipkg_name is the name of the
                                     # interim fix package being previewed.

        To install an interim fix package:

        emgr -e ipkg_name -X         # where ipkg_name is the name of the
                                     # interim fix package being installed.

VI. WORKAROUNDS

    There are two workarounds available.

    A. OPTION 1

        Change the permissions of these commands to remove the setuid
        bit using the following commands:

        chmod 500 /usr/sbin/lchangevg
        chmod 500 /usr/sbin/ldeletepv
        chmod 500 /usr/sbin/putlvodm
        chmod 500 /usr/sbin/lvaryoffvg
        chmod 500 /usr/sbin/lvgenminor
        chmod 500 /usr/sbin/tellclvmd

        NOTE: chmod will disable functionality of these commands for
        all users except root.
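
        To confirm the workaround took effect, the following added
        example (not part of the IBM advisory) reports which of the
        six commands still carry the setuid bit. The ROOT prefix
        argument and the demo tree are assumptions made so the check
        can be exercised without touching /usr/sbin.

```shell
# Added example (not IBM's code). The six commands named in section II.
LVM_CMDS='/usr/sbin/lchangevg /usr/sbin/ldeletepv /usr/sbin/putlvodm
/usr/sbin/lvaryoffvg /usr/sbin/lvgenminor /usr/sbin/tellclvmd'

# audit_setuid [ROOT]: print the state of each command and return the number
# that still have the setuid bit set. ROOT is a hypothetical path prefix
# (default empty) for checking a mounted image or a test tree.
audit_setuid() {
    root=${1:-}
    remaining=0
    for cmd in $LVM_CMDS; do
        path="$root$cmd"
        if [ ! -e "$path" ]; then
            echo "absent  $cmd"          # fileset not installed
        elif [ -u "$path" ]; then
            echo "SETUID  $cmd"          # workaround not applied
            remaining=$((remaining + 1))
        else
            echo "cleared $cmd"
        fi
    done
    return "$remaining"
}

# Constructed demo tree: two setuid stand-ins, with the advisory's
# chmod 500 applied to only one of them.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/sbin"
    for c in lchangevg putlvodm; do
        : > "$t/usr/sbin/$c"
        chmod 4555 "$t/usr/sbin/$c"
    done
    chmod 500 "$t/usr/sbin/putlvodm"
    audit_setuid "$t"; rc=$?
    rm -rf "$t"
    return "$rc"
}

demo || echo "$? command(s) still setuid"
```

        Run audit_setuid with no argument to check the live system;
        a non-zero exit status is the count of commands still setuid.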

    B. OPTION 2 (AIX 6.1, AIX 5.3 TL6 and TL7)

        Use the File Permissions Manager (fpm) command to manage
        setuid and setgid programs.

        fpm documentation can be found in the AIX 6 Security Redbook
        at:

        http://www.redbooks.ibm.com/abstracts/sg247430.html

        An fpm level of high will remove the setuid bit from the
        affected commands.  For example:

        fpm -l high -p    # to preview changes
        fpm -l high       # to execute changes

        NOTE: Please review the documentation before execution.  fpm
        will disable functionality of multiple commands for all users
        except root.

VII. OBTAINING FIXES

    AIX security related fixes can be downloaded from:

        ftp://aix.software.ibm.com/aix/efixes/security

    AIX fixes can be downloaded from:

        http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix

    NOTE: Affected customers are urged to upgrade to the latest
    applicable Technology Level and Service Pack.

VIII. CONTACT INFORMATION

    If you would like to receive AIX Security Advisories via email,
    please visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd
 
    Comments regarding the content of this announcement can be
    directed to:

        security-alert@austin.ibm.com

    To request the PGP public key that can be used to communicate
    securely with the AIX Security Team you can either:

        A. Send an email with "get key" in the subject line to:

            security-alert@austin.ibm.com

        B. Download the key from a PGP Public Key Server. The key ID is:

            0xA6A36CCC

    Please contact your local IBM AIX support center for any
    assistance.

    eServer is a trademark of International Business Machines
    Corporation.  IBM, AIX and pSeries are registered trademarks of
    International Business Machines Corporation.  All other trademarks
    are property of their respective holders.

IX. ACKNOWLEDGMENTS

    IBM discovered and fixed this vulnerability as part of its
    commitment to secure the AIX operating system.


--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
