
             AUSCERT External Security Bulletin Redistribution

               ESB-2008.0993 -- [Linux][HP-UX][Solaris][AIX]
 Veritas File System Quick I/O for Database Utility Information Disclosure
                              22 October 2008


        AusCERT Security Bulletin Summary

Product:              Veritas File System (VxFS)
Publisher:            Symantec
Operating System:     Solaris
                      Linux variants
                      AIX
                      HP-UX
Impact:               Access Privileged Data
                      Access Confidential Data
Access:               Existing Account
CVE Names:            CVE-2008-3248

Original Bulletin:  

Revision History:     October 22 2008: Added CVE
                      October 22 2008: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

   20 October, 2008
   Veritas File System Quick I/O for Database Utility Information
   Disclosure and Elevation of Privilege

   Revision History


   Remote Access                  No
   Local Access                   Yes
   Authentication Required        Yes
   Exploit publicly available     Not Required

   A potential for sensitive information to be disclosed has been
   identified and resolved in the Quick I/O for Database feature of
   Veritas File System (VxFS). Quick I/O for Database lets a database
   access preallocated VxFS files as though they were raw character
   devices, bypassing file system locking and buffering to improve
   performance.

   Product(s) Affected

   Product                      Version        Platform             Solution(s)
   Veritas File System (VxFS)   All Supported  Solaris, Linux, AIX  5.0 MP3
   Veritas File System (VxFS)   All Supported  HP-UX                See Recommended Workarounds

   Security Objectives notified Symantec of the potential for
   unauthorized information disclosure in the Quick I/O for Database
   feature in VxFS.

   The first issue is the exposure of uninitialized file system blocks
   (which may contain sensitive information) by the qiomkfile command.
   The qiomkfile command allocates file system blocks to a new file
   without initializing those blocks, so the previous contents of the
   blocks become readable by any user that can read the new file. This is
   intended to be a performance optimization for databases, but if those
   blocks formerly belonged to a file containing sensitive information,
   then that information can be accessed via the new file that now owns
   the blocks. The VxFS operation performing this allocation without
   initialization is restricted to privileged users, but the qiomkfile
   command is set-uid root so non-privileged but authorized users could
   potentially circumvent the security restriction on the allocation
   operation by using this command.

   A second issue is an unauthorized file content disclosure in the
   qioadmin utility for the Quick I/O for Database feature. A user with
   authorized system access and sufficient privileges to run the qioadmin
   utility can supply any filename of a file on the system to qioadmin
   and redirect the file content to standard error. The qioadmin utility
   is set-uid root which could allow non-privileged but authorized users
   to circumvent system file permission restrictions to gain access to
   privileged system information.

   In Symantec's recommended installation, an affected system should have
   limited or no exposure to the general internal network and no exposure
   outside of the corporate network, which greatly reduces the risk of
   unauthorized access.

   Symantec Response
   Symantec Engineers have verified and resolved these issues.

   Symantec recommends customers apply the latest product update
   available for their supported product versions to enhance their
   security posture and protect against potential security threats of
   this nature.

   Symantec knows of no exploitation of or adverse customer impact from
   this issue.

   Additional information concerning updates for affected products can be
   found at:

   Recommended Workarounds
   If a customer is unable to or chooses not to apply the recommended
   update at this time, the following workarounds are applicable:
    A. Workaround for the qioadmin file disclosure issue:
        Remove the set-uid flag for qioadmin
        chmod u-s /opt/VRTS/bin/qioadmin

    B. Workarounds for the qiomkfile uninitialized file system block issue:
         1. To allow only root to execute this utility, remove the
            set-uid flag for qiomkfile
                 chmod u-s /opt/VRTS/bin/qiomkfile

         2. To retain set-uid root for qiomkfile but restrict group
            execute permissions to some particular Unix group, e.g.,
                 chgrp oracledba /opt/VRTS/bin/qiomkfile
                 chmod 4750 /opt/VRTS/bin/qiomkfile

                 Under this workaround, users in the "oracledba" group
                 will still be able to run qiomkfile effectively, but
                 users that aren't in the oracledba group will not be able
                 to use qiomkfile.

                 NOTE: since the blocks in the files that qiomkfile
                 creates will still be uninitialized, those files should
                 have permissions such that only trusted users will be
                 able to access them.

         3. Turn off the set-uid flag for qiomkfile (as in workaround 1
            above) and use a utility like sudo to give individual users or
            groups permission to execute qiomkfile as root. This is
            similar to workaround 2, but the access control mechanism of
            sudo is more flexible than that of Unix permissions.
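   The workarounds above, collected into one POSIX sh script as an added
   example; this is not code from the Symantec advisory or from the VxFS
   product. Every function takes the binary path as an argument so it can
   be rehearsed on a scratch file before it is run against /opt/VRTS/bin,
   and each one verifies the resulting mode rather than trusting chmod. The
   paths and the "oracledba" group come from the advisory; the sudoers line
   format for workaround B.3 is standard sudoers syntax and is this
   example's assumption, not something the advisory specifies.

```sh
#!/bin/sh
# Added example, not part of the Symantec advisory: audit and apply the
# set-uid workarounds for the VxFS Quick I/O utilities.  Group name
# "oracledba" is the advisory's example; the sudoers rule format is assumed.

# Default locations from the advisory.
QIOMKFILE=/opt/VRTS/bin/qiomkfile
QIOADMIN=/opt/VRTS/bin/qioadmin

# Print "setuid" or "nosuid" for a file; return 0 when the bit is set.
# POSIX test(1) -u exists in the native sh of Solaris, AIX, HP-UX and
# Linux, so no GNU stat(1) is needed.
setuid_state() {
    if [ -u "$1" ]; then echo setuid; return 0; fi
    echo nosuid; return 1
}

# The "other" permission triple (e.g. "r-x") from ls -l, columns 8-10.
other_perms() { ls -ld "$1" | cut -c8-10; }

# List every set-uid regular file under a directory: an inventory of what
# else in the same tree deserves the same review.
list_setuid_under() { find "$1" -type f -perm -4000; }

# Workaround A (qioadmin) and B.1 (qiomkfile): drop set-uid so that only
# root reaches the privileged code path.  Returns 0 only if verified.
drop_setuid() {
    chmod u-s "$1" || return 1
    [ ! -u "$1" ]
}

# Workaround B.2: keep set-uid root on qiomkfile but confine execution to
# one trusted group.  Mode 4750: set-uid, owner rwx, group r-x, other none.
restrict_to_group() {
    chgrp "$1" "$2" || return 1
    chmod 4750 "$2" || return 1
    [ -u "$2" ] && [ "$(other_perms "$2")" = "---" ]
}

# Workaround B.3: print the sudoers line that pairs with drop_setuid,
# letting a group run qiomkfile as root (install it with visudo).
sudoers_rule() { printf '%%%s ALL=(root) %s\n' "$1" "$2"; }

# The NOTE under B.2: files qiomkfile creates still hold uninitialized
# blocks, so "other" must have no access to them.  Returns 0 when safe.
qio_file_private() { [ "$(other_perms "$1")" = "---" ]; }

# Report the current state of both utilities without changing anything.
audit_qio() {
    for f in "$QIOMKFILE" "$QIOADMIN"; do
        if [ -f "$f" ]; then
            printf '%s: %s, other=%s\n' "$f" "$(setuid_state "$f")" "$(other_perms "$f")"
        else
            printf '%s: not installed\n' "$f"
        fi
    done
}

# Usage: sh qio_workaround.sh audit   (read-only report)
case "${1:-}" in
    audit) audit_qio ;;
esac
```

   Run the audit first to record the starting state; then, for a host that
   keeps qiomkfile set-uid (workaround B.2), check every file qiomkfile has
   created with qio_file_private, since restricting who can run the tool
   does nothing about stale block contents already exposed through a
   world-readable file.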

   Best Practices
   As part of normal best practices, Symantec strongly recommends:
     * Restrict access to administration or management systems to
       privileged users.
     * Restrict remote access, if required, to trusted/authorized systems
     * Run under the principle of least privilege where possible to limit
       the impact of exploit by threats.
     * Keep all operating systems and applications updated with the
       latest vendor patches.
     * Follow a multi-layered approach to security. Run both firewall and
       anti-malware applications, at a minimum, to provide multiple
       points of detection and protection to both inbound and outbound
     * Deploy network and host-based intrusion detection systems to
       monitor network traffic for signs of anomalous or suspicious
       activity. This may aid in detection of attacks or malicious
       activity related to exploitation of latent vulnerabilities.

   Symantec would like to thank Derek Callaway with Security
   Objectives for reporting these issues and for providing full
   coordination while Symantec resolved them.

   SecurityFocus has assigned a Bugtraq ID (BID) to these issues for
   inclusion in the SecurityFocus vulnerability data base. BID 31678 has
   been assigned to the qiomkfile uninitialized file system blocks issue
   and BID 31679 to the qioadmin unauthorized file disclosure issue. The
   BIDs can be found at http://www.securityfocus.com/bid/31678 and
   These issues are candidates for inclusion in the Common
   Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org),
   which standardizes names for security problems. CVE-2008-3248 has been
   assigned to the qiomkfile uninitialized file system blocks issue.
   A CVE Candidate number has been requested from the Common
   Vulnerabilities and Exposures (CVE) initiative for the qioadmin issue.
   This advisory will be revised accordingly upon receipt of the CVE
   Candidate number.

   Symantec takes the security and proper functionality of its products
   very seriously. As founding members of the Organization for Internet
   Safety (OISafety), Symantec follows the principles of responsible
   disclosure. Symantec also subscribes to the vulnerability guidelines
   outlined by the National Infrastructure Advisory Council (NIAC).
   Please contact secure@symantec.com if you feel you have discovered
   a potential or actual security issue with a Symantec product. A
   Symantec Product Security team member will contact you regarding your

   Symantec has developed a Product Vulnerability Handling Process
   document outlining the process we follow in addressing suspected
   vulnerabilities in our products. We support responsible disclosure of
   all vulnerability information in a timely manner to protect Symantec
   customers and the security of the Internet as a result of
   vulnerability. This document is available from the location provided

   Symantec strongly recommends using encrypted email for reporting
   vulnerability information to secure@symantec.com. The Symantec
   Product Security PGP key can be obtained from the location provided

   Copyright (c) 2008 by Symantec Corp.
   Permission to redistribute this alert electronically is granted as
   long as it is not edited in any way unless authorized by Symantec
   Security Response. Reprinting the whole or part of this alert in any
   medium other than electronically requires permission from

   The information in the advisory is believed to be accurate at the time
   of publishing based on currently available information. Use of the
   information constitutes acceptance for use in an AS IS condition.
   There are no warranties with regard to this information. Neither the
   author nor the publisher accepts any liability for any direct,
   indirect, or consequential loss or damage arising from use of, or
   reliance on, this information.

   Symantec, Symantec products, Symantec Security Response, and
   secure@symantec.com are registered trademarks of Symantec Corp.
   and/or affiliated companies in the United States and other countries.
   All other registered and unregistered trademarks represented in this
   document are the sole property of their respective companies/owners.

   Last modified on: Monday, 20-Oct-08 17:26:28

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

Comment: http://www.auscert.org.au/render.html?it=1967