-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                          ESB-2008.0267 -- [AIX]
               AIX Logical Volume Manager buffer overflow
                              14 March 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              AIX 5.2
                      AIX 5.3
Publisher:            IBM
Operating System:     AIX
Impact:               Root Compromise
Access:               Existing Account

Original Bulletin:
  http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=4169

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Tue Jan 22 14:02:18 CST 2008
|  Updated: Tue Mar 11 12:55:14 CDT 2008
|  IZ10828 availability updated
===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:  AIX Logical Volume Manager buffer overflow

PLATFORMS:      AIX 5.2, 5.3

SOLUTION:       Apply the fix or workaround as described below.

THREAT:         A local attacker may execute arbitrary code with root
                privileges.

CERT VU Number: n/a
CVE Number:     n/a
===============================================================================
                           DETAILED INFORMATION

I. OVERVIEW

    The AIX Logical Volume Manager provides a suite of utilities for AIX
    logical volume management features and functions. The primary fileset
    for the AIX Logical Volume Manager is 'bos.rte.lvm'.

    In addition, AIX provides another suite of utilities for concurrent
    logical volume management across multiple hosts. The primary fileset
    for the AIX Concurrent Logical Volume Manager is 'bos.clvm.enh'.

    Several important commands provided by these filesets for performing
    various logical volume management tasks have been identified as
    containing buffer overflow vulnerabilities.

II. DESCRIPTION

    Buffer overflow vulnerabilities exist in the 'bos.rte.lvm' and
    'bos.clvm.enh' fileset commands listed below. Because the commands are
    setuid root, a local attacker may execute arbitrary code with root
    privileges. The local attacker must be a member of the 'system' group
    to execute these commands.

    The following 'bos.rte.lvm' commands are vulnerable:

        /usr/sbin/lchangevg
        /usr/sbin/ldeletepv
        /usr/sbin/putlvodm
        /usr/sbin/lvaryoffvg
        /usr/sbin/lvgenminor

    The following 'bos.clvm.enh' command is vulnerable:

        /usr/sbin/tellclvmd

III. IMPACT

    Successful exploitation of this vulnerability allows a non-privileged
    user who is a member of the 'system' group to execute code with root
    privileges.

IV. PLATFORM VULNERABILITY ASSESSMENT

    To determine if your system is vulnerable, execute the following
    command:

        lslpp -L bos.rte.lvm bos.clvm.enh

    The following fileset levels are vulnerable:

        AIX Fileset       Lower Level    Upper Level
        ------------------------------------------------
        bos.rte.lvm       5.2.0.0        5.2.0.107
        bos.rte.lvm       5.3.0.0        5.3.0.61
        bos.clvm.enh      5.2.0.0        5.2.0.105
        bos.clvm.enh      5.3.0.0        5.3.0.60

V. SOLUTIONS

    A. APARS

    IBM provides the following fixes:

        AIX Level    APAR number    Availability
        -----------------------------------------------------
        5.2.0        IZ00559        (available now)
|       5.2.0        IZ10828        05/07/2008
        5.3.0        IY98331        (available now)
        5.3.0        IY98340        (available now)
        5.3.0        IY99537        (available now)

    Subscribe to the APARs here:

        http://www.ibm.com/support/docview.wss?uid=isg1IZ00559
        http://www.ibm.com/support/docview.wss?uid=isg1IZ10828
        http://www.ibm.com/support/docview.wss?uid=isg1IY98331
        http://www.ibm.com/support/docview.wss?uid=isg1IY98340
        http://www.ibm.com/support/docview.wss?uid=isg1IY99537

    By subscribing, you will receive periodic email alerting you to the
    status of the APAR, and a link to download the fix once it becomes
    available.

    B. FIXES

    Fixes are available.
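    Before fetching the fixes it is worth automating the section IV check
    across a fleet. The POSIX sh script below is an added example and is
    not part of the IBM advisory: it encodes the vulnerable ranges from
    section IV, compares dotted fileset levels field by field (a plain
    string comparison would put 5.2.0.99 after 5.2.0.107), and runs over a
    constructed sample in the colon-separated layout of lslpp -Lc. On a real
    host, pipe the output of 'lslpp -Lc bos.rte.lvm bos.clvm.enh' into
    check_lslpp instead of the sample; the function names and the sample
    records are this example's own.

```shell
#!/bin/sh
# Added example (not part of the IBM advisory): automate the section IV check.
# Encodes the vulnerable ranges from section IV and compares dotted fileset
# levels field by field. Runs offline on the constructed lslpp -Lc sample
# below; on a real host pipe 'lslpp -Lc bos.rte.lvm bos.clvm.enh' in instead.

# Vulnerable ranges (fileset, lower, upper) as printed in section IV.
VULN_RANGES='bos.rte.lvm 5.2.0.0 5.2.0.107
bos.rte.lvm 5.3.0.0 5.3.0.61
bos.clvm.enh 5.2.0.0 5.2.0.105
bos.clvm.enh 5.3.0.0 5.3.0.60'

# vers_le A B: succeed when dotted level A <= B, comparing each field as a
# number. A plain string comparison would sort 5.2.0.99 after 5.2.0.107.
vers_le() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*} fb=${b%%.*}
        [ "$a" = "$fa" ] && a= || a=${a#*.}
        [ "$b" = "$fb" ] && b= || b=${b#*.}
        [ "${fa:-0}" -lt "${fb:-0}" ] && return 0
        [ "${fa:-0}" -gt "${fb:-0}" ] && return 1
    done
    return 0
}

# level_vulnerable FILESET LEVEL: succeed when LEVEL lies inside one of the
# ranges above for FILESET (both bounds treated as inclusive).
level_vulnerable() {
    printf '%s\n' "$VULN_RANGES" | while read -r rfs lo hi; do
        [ "$rfs" = "$1" ] || continue
        vers_le "$lo" "$2" && vers_le "$2" "$hi" && echo hit
    done | grep -q hit
}

# check_lslpp: read 'lslpp -Lc' records (colon separated, field 2 = fileset,
# field 3 = level) on stdin, print "FILESET LEVEL VULNERABLE|FIXED" for the
# two filesets of interest, and fail if any is vulnerable. The header line
# (fileset column reads "Fileset") is skipped by the case match.
check_lslpp() {
    rc=0
    while IFS=: read -r pkg fs lvl rest; do
        case "$fs" in bos.rte.lvm|bos.clvm.enh) ;; *) continue ;; esac
        if level_vulnerable "$fs" "$lvl"; then
            printf '%s %s VULNERABLE\n' "$fs" "$lvl"; rc=1
        else
            printf '%s %s FIXED\n' "$fs" "$lvl"
        fi
    done
    return $rc
}

# Constructed sample in lslpp -Lc layout (header line plus two records),
# modelled on a 5300-06 host that has the clvm fix level but not the lvm one.
SAMPLE_LSLPP='#Package Name:Fileset:Level:State:PTF Id:Fix State:Type:Description
bos.rte:bos.rte.lvm:5.3.0.61: : :C: :Logical Volume Manager Commands
bos.clvm:bos.clvm.enh:5.3.0.61: : :C: :Enhanced Concurrent Logical Volume Manager'

printf '%s\n' "$SAMPLE_LSLPP" | check_lslpp \
    || echo "action required: apply the section V fixes or the section VI workaround"
```

    On the sample, bos.rte.lvm 5.3.0.61 is reported VULNERABLE (it is the
    upper level of the 5.3 range) while bos.clvm.enh 5.3.0.61 is FIXED (the
    5.3 upper level for that fileset is 5.3.0.60). Note one wrinkle in the
    advisory itself: the 5200-10 fix is listed as bos.rte.lvm.5.2.0.107.U,
    yet 5.2.0.107 is also the upper vulnerable level for that fileset. A
    host reporting exactly 5.2.0.107 is therefore flagged here and should be
    confirmed with 'instfix -ik IZ00559' rather than judged on the level
    number alone.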
    The fixes can be downloaded via ftp from:

        ftp://aix.software.ibm.com/aix/efixes/security/lvm_ifix.tar

    The link above is to a tar file containing this signed advisory, fix
    packages, and PGP signatures for each package.

    The fixes below include prerequisite checking. This will enforce the
    correct mapping between the fixes and AIX Technology Levels.

        AIX Fileset     AIX Level    Fix and Interim Fix
        -----------------------------------------------------------------
        bos.rte.lvm     5200-08      IZ10828_08.071212.epkg.Z
        bos.rte.lvm     5200-08      IZ00559_8a.071212.epkg.Z
        bos.clvm.enh    5200-08      IZ00559_8b.071212.epkg.Z
        bos.rte.lvm     5200-09      IZ10828_09.071212.epkg.Z
        bos.rte.lvm     5200-09      IZ00559_9a.071211.epkg.Z
        bos.clvm.enh    5200-09      IZ00559_9b.071211.epkg.Z
        bos.rte.lvm     5200-10      IZ10828_10.071212.epkg.Z
        bos.rte.lvm     5200-10      bos.rte.lvm.5.2.0.107.U
        bos.clvm.enh    5200-10      bos.clvm.enh.5.2.0.107.U
        bos.rte.lvm     5300-05      IY98331_05.071212.epkg.Z
        bos.rte.lvm     5300-05      IY99537_05.071212.epkg.Z
        bos.rte.lvm     5300-05      IY98340_5a.071211.epkg.Z
        bos.clvm.enh    5300-05      IY98340_5b.071211.epkg.Z
        bos.rte.lvm     5300-06      bos.rte.lvm.5.3.0.63.U
        bos.clvm.enh    5300-06      bos.clvm.enh.5.3.0.61.U

    To extract the fixes from the tar file:

        tar xvf lvm_ifix.tar
        cd lvm_ifix

    Verify you have retrieved the fixes intact:

    The checksums below were generated using the "sum", "cksum",
    "csum -h MD5" (md5sum), and "csum -h SHA1" (sha1sum) commands and are
    as follows:

        sum          filename
        ------------------------------------
        14660    17  IY98331_05.071212.epkg.Z
        26095     9  IY98340_5a.071211.epkg.Z
        40761     8  IY98340_5b.071211.epkg.Z
        10885    16  IY99537_05.071212.epkg.Z
        24909    10  IZ00559_8a.071212.epkg.Z
        64769     9  IZ00559_8b.071212.epkg.Z
        65110    10  IZ00559_9a.071211.epkg.Z
        25389     9  IZ00559_9b.071211.epkg.Z
        26812    26  IZ10828_08.071212.epkg.Z
        55064    26  IZ10828_09.071212.epkg.Z
        55484    26  IZ10828_10.071212.epkg.Z
        03885   157  bos.clvm.enh.5.2.0.107.U
        30581   128  bos.clvm.enh.5.3.0.61.U
        48971  1989  bos.rte.lvm.5.2.0.107.U
        64179  2603  bos.rte.lvm.5.3.0.63.U

        cksum                filename
        -------------------------------------------
        3121912357   16875   IY98331_05.071212.epkg.Z
        107751313     9190   IY98340_5a.071211.epkg.Z
        1129637178    7735   IY98340_5b.071211.epkg.Z
        4019303479   16201   IY99537_05.071212.epkg.Z
        1791374386    9289   IZ00559_8a.071212.epkg.Z
        3287090389    8299   IZ00559_8b.071212.epkg.Z
        565672617     9294   IZ00559_9a.071211.epkg.Z
        257555679     8302   IZ00559_9b.071211.epkg.Z
        3930477686   26525   IZ10828_08.071212.epkg.Z
        1199269029   26533   IZ10828_09.071212.epkg.Z
        358657844    26480   IZ10828_10.071212.epkg.Z
        3753492719  160768   bos.clvm.enh.5.2.0.107.U
        4180839749  131072   bos.clvm.enh.5.3.0.61.U
        3765659627 2036736   bos.rte.lvm.5.2.0.107.U
        3338925192 2665472   bos.rte.lvm.5.3.0.63.U

        csum -h MD5 (md5sum)              filename
        ----------------------------------------------------------
        73bcf7604dd13f26a7500e45468ff5f7  IY98331_05.071212.epkg.Z
        5f32179fc2156bb6e29e775aa7bff623  IY98340_5a.071211.epkg.Z
        7c47e56cadabcba0a105ffa7fc1d40fc  IY98340_5b.071211.epkg.Z
        ef3e4512c3b55091893ce733c707e1a2  IY99537_05.071212.epkg.Z
        db04be33e56169b6a8e8fd747e6948da  IZ00559_8a.071212.epkg.Z
        553f31ccf6a265333938d81eeae6dabc  IZ00559_8b.071212.epkg.Z
        2921b9d2a3dbd84591d60fddf0663798  IZ00559_9a.071211.epkg.Z
        93ce34dec8f4fa9681a2c7c86be065fc  IZ00559_9b.071211.epkg.Z
        e6b0a4a91ba197de0005bd800f06ba4e  IZ10828_08.071212.epkg.Z
        602a8c777cc27e51c3d3dbfa8ebd69be  IZ10828_09.071212.epkg.Z
        b84a5cae03921d30675e522da29da1aa  IZ10828_10.071212.epkg.Z
        2aa4b9b43ca55f74b0fac6be7bc48b66  bos.clvm.enh.5.2.0.107.U
        844e1f2ef9d388d2ddd8cf3ef6251f06  bos.clvm.enh.5.3.0.61.U
        0c73aa8f0211c400455feaa6fb8a95c4  bos.rte.lvm.5.2.0.107.U
        1b5a08eabe984d957db9a145e2a4fd06  bos.rte.lvm.5.3.0.63.U

        csum -h SHA1 (sha1sum)                    filename
        ------------------------------------------------------------------
        d9929214a4d85b986fb2e06c9b265c768c7178a9  IY98331_05.071212.epkg.Z
        0f5fbcdfbbbf505366dad160c8dec1c1ce75285e  IY98340_5a.071211.epkg.Z
        cf2cda3b8d19b73d06b69eeec7e4bae192bec689  IY98340_5b.071211.epkg.Z
        9d8727b5733bc34b8daba267b82864ef17b7156f  IY99537_05.071212.epkg.Z
        e7a366956ae7a08deb93cbd52bbbbf451d0f5565  IZ00559_8a.071212.epkg.Z
        1898733cdf6098e4f54ec36132a03ebbe0682a7e  IZ00559_8b.071212.epkg.Z
        f68c458c817f99730b193ecbd02ae24b9e51cc67  IZ00559_9a.071211.epkg.Z
        185954838c439a3c7f8e5b769aa6cc7d31123b59  IZ00559_9b.071211.epkg.Z
        6244138dc98f3fd16928b2bbcba3c5b4734e9942  IZ10828_08.071212.epkg.Z
        98bfaf44ba4bc6eba452ea074e276b8e87b41c9d  IZ10828_09.071212.epkg.Z
        2a9c0dd75bc79eba153d0a4e966d930151121d45  IZ10828_10.071212.epkg.Z
        96706ec5afd792852350d433d1bf8d8981b67336  bos.clvm.enh.5.2.0.107.U
        91f6d3a4d9ffd15d258f4bda51594dbce7011d8a  bos.clvm.enh.5.3.0.61.U
        4589a5bca998f437aac5c3bc2c222eaa51490dab  bos.rte.lvm.5.2.0.107.U
        3449afd795c24594c7a0c496f225c7148b4071ab  bos.rte.lvm.5.3.0.63.U

    To verify the sums, use the text of this advisory as input to csum,
    md5sum, or sha1sum. For example:

        csum -h SHA1 -i Advisory.asc
        md5sum -c Advisory.asc
        sha1sum -c Advisory.asc

    These sums should match exactly. The PGP signatures in the tar file and
    on this advisory can also be used to verify the integrity of the fixes.
    If the sums or signatures cannot be confirmed, contact IBM AIX Security
    at security-alert@austin.ibm.com and describe the discrepancy.

    C. FIX AND INTERIM FIX INSTALLATION

    IMPORTANT: If possible, it is recommended that a mksysb backup of the
    system be created. Verify it is both bootable and readable before
    proceeding.

    To preview a fix installation:

        installp -a -d . -p all

    To install a fix package:

        installp -a -d . -X all

    Interim fixes have had limited functional and regression testing but
    not the full regression testing that takes place for Service Packs;
    thus, IBM does not warrant the fully correct functionality of an
    interim fix.

    Interim fix management documentation can be found at:

        http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

    To preview an interim fix installation:

        emgr -e ipkg_name -p       # where ipkg_name is the name of the
                                   # interim fix package being previewed.
    To install an interim fix package:

        emgr -e ipkg_name -X       # where ipkg_name is the name of the
                                   # interim fix package being installed.

VI. WORKAROUNDS

    There are two workarounds available.

    A. OPTION 1

    Change the permissions of these commands to remove the setuid bit
    using the following commands:

        chmod 500 /usr/sbin/lchangevg
        chmod 500 /usr/sbin/ldeletepv
        chmod 500 /usr/sbin/putlvodm
        chmod 500 /usr/sbin/lvaryoffvg
        chmod 500 /usr/sbin/lvgenminor
        chmod 500 /usr/sbin/tellclvmd

    NOTE: chmod will disable functionality of these commands for all users
    except root.

    B. OPTION 2 (AIX 6.1, AIX 5.3 TL6 and TL7)

    Use the File Permissions Manager (fpm) command to manage setuid and
    setgid programs. fpm documentation can be found in the AIX 6 Security
    Redbook at:

        http://www.redbooks.ibm.com/abstracts/sg247430.html

    An fpm level of high will remove the setuid bit from the affected
    commands. For example:

        fpm -l high -p      # to preview changes
        fpm -l high         # to execute changes

    NOTE: Please review the documentation before execution. fpm will
    disable functionality of multiple commands for all users except root.

VII. OBTAINING FIXES

    AIX security related fixes can be downloaded from:

        ftp://aix.software.ibm.com/aix/efixes/security

    AIX fixes can be downloaded from:

        http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix

    NOTE: Affected customers are urged to upgrade to the latest applicable
    Technology Level and Service Pack.

VIII. CONTACT INFORMATION

    If you would like to receive AIX Security Advisories via email, please
    visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd

    Comments regarding the content of this announcement can be directed
    to:

        security-alert@austin.ibm.com

    To request the PGP public key that can be used to communicate securely
    with the AIX Security Team you can either:

        A. Send an email with "get key" in the subject line to:

           security-alert@austin.ibm.com

        B. Download the key from a PGP Public Key Server. The key ID is:

           0xA6A36CCC

    Please contact your local IBM AIX support center for any assistance.

    eServer is a trademark of International Business Machines Corporation.
    IBM, AIX and pSeries are registered trademarks of International
    Business Machines Corporation. All other trademarks are property of
    their respective holders.

IX. ACKNOWLEDGMENTS

    IBM discovered and fixed this vulnerability as part of its commitment
    to secure the AIX operating system.

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD8DBQFH1snN8lficKajbMwRApPrAJ9yjY259En1VgQHknBDZ3EaB1KLNwCZAf3/
AviHtDb0FIUEr/Uzww/xJeo=
=8AKd
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved
from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBR9nRgSh9+71yA2DNAQIrkgP+Kg99jlJLvspMQQ4yhDfBjV3lIQQJruX3
v65bBQqgfx5sqRObB0Rdzt2lcqwyZEvO0iLm1LxTGODUJmB3C9T5gA1A2f0dmywO
jGtsBMTFOpTxgMJWfdOOEKAvX4HzY9eDH8nxojT0rANoI7vNI8p9uPDklZXvaq4c
pCwp7lX1ELc=
=95f3
-----END PGP SIGNATURE-----
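Workaround Option 1 in section VI of the IBM advisory above is an
audit-then-chmod procedure, and the advisory gives the chmod lines but no
way to confirm the result. The POSIX sh script below is an added example,
not part of the IBM or AusCERT text: it lists the six commands from
section II, reports which still carry the setuid bit (parsing ls -l rather
than stat, which AIX does not ship), applies chmod 500 to those that exist,
and re-audits. The demo at the bottom builds a constructed stand-in tree of
mode 4755 files under a temporary directory so it can be run on any host;
on an AIX system call audit_setuid with an empty root, and run
apply_workaround as root only after reading the NOTE in section VI, since
it also removes execute permission for everyone except root. The function
names and the stand-in tree are this example's own.

```shell
#!/bin/sh
# Added example (not part of the IBM or AusCERT text): audit the section II
# commands for the setuid bit and apply Workaround Option 1 (chmod 500) from
# section VI. The demo at the bottom runs against a constructed stand-in tree
# under a temporary directory, never against the real /usr/sbin.

# The six setuid-root commands named in section II of the advisory.
LVM_SETUID_CMDS='/usr/sbin/lchangevg
/usr/sbin/ldeletepv
/usr/sbin/putlvodm
/usr/sbin/lvaryoffvg
/usr/sbin/lvgenminor
/usr/sbin/tellclvmd'

# is_setuid FILE: succeed when the owner-execute column of 'ls -l' shows s
# (setuid + exec) or S (setuid without exec). ls -l is parsed rather than
# stat(1) because AIX does not ship stat.
is_setuid() {
    [ -e "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in ???[sS]*) return 0 ;; *) return 1 ;; esac
}

# audit_setuid ROOT: print "PATH setuid|clean|missing" for each listed
# command under ROOT (use ROOT="" for the live system). Succeeds only when
# no listed command still carries the setuid bit.
audit_setuid() {
    found=0
    for f in $LVM_SETUID_CMDS; do
        p="$1$f"
        if [ ! -e "$p" ]; then printf '%s missing\n' "$p"
        elif is_setuid "$p"; then printf '%s setuid\n' "$p"; found=1
        else printf '%s clean\n' "$p"
        fi
    done
    [ "$found" -eq 0 ]
}

# apply_workaround ROOT: Workaround Option 1, chmod 500 on every listed
# command that exists under ROOT. As the advisory's NOTE says, this also
# drops group/other execute, so only root can run the commands afterwards.
apply_workaround() {
    for f in $LVM_SETUID_CMDS; do
        [ -e "$1$f" ] && chmod 500 "$1$f"
    done
    return 0
}

# make_stand_ins: constructed demo tree of empty mode-4755 files mirroring a
# vulnerable host's layout; prints the temporary root directory.
make_stand_ins() {
    tmp=$(mktemp -d) || return 1
    for f in $LVM_SETUID_CMDS; do
        mkdir -p "$tmp$(dirname "$f")"
        : > "$tmp$f"
        chmod 4755 "$tmp$f"
    done
    printf '%s\n' "$tmp"
}

# Demo: audit the stand-ins, apply the workaround if anything is setuid,
# then audit again to confirm.
demo_root=$(make_stand_ins)
audit_setuid "$demo_root" || apply_workaround "$demo_root"
audit_setuid "$demo_root" && echo "no setuid bits remain under $demo_root"
rm -rf "$demo_root"
```

The first audit prints six "setuid" lines, the second prints six "clean"
lines. Keep the first audit's output as the change record: once the fixes
from section V are installed and the workaround is reversed, it tells you
exactly which modes to restore.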