Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2008.0993 -- [Linux][HP-UX][Solaris][AIX]
Veritas File System Quick I/O for Database Utility Information Disclosure
22 October 2008
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Veritas File System (VxFS)
Publisher: Symantec
Operating System: Solaris
Linux variants
AIX
HP-UX
Impact: Access Privileged Data
Access Confidential Data
Access: Existing Account
CVE Names: CVE-2008-3248
Original Bulletin:
http://securityresponse.symantec.com/avcenter/security/Content/2008.10.20.html
Revision History: October 22 2008: Added CVE
October 22 2008: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
SYM08-018
20 October, 2008
Veritas File System Quick I/O for Database Utility Information
Disclosure and Elevation of Privilege
Revision History
None
Severity
Medium
Remote Access No
Local Access Yes
Authentication Required Yes
Exploit publicly available Not Required
Overview
A potential for sensitive information to be disclosed has been
identified and resolved in the Quick I/O for Database feature of
Veritas File System (VxFS). Quick I/O for Database is a mechanism
allowing fast concurrent access to improve performance.
Product(s) Affected
Product Version Platform Solution(s)
Veritas File Solaris,
System (VxFS) All Supported Linux, AIX 5.0 MP3
(http://entsupport.symantec.com/docs/310872)
Veritas File
System (VxFS) All Supported HP-UX See Recommended
Workarounds
Details
Security Objectives notified Symantec of the potential for
unauthorized information disclosure in the Quick I/O for Database
feature in VxFS.
The first issue is the exposure of uninitialized file system blocks
(which may contain sensitive information) by the qiomkfile command.
The qiomkfile command allocates file system blocks to a new file
without initializing those blocks, so the contents of the blocks
becomes readable by any user that can read the new file. This is
intended to be a performance optimization for databases, but if those
blocks formerly belonged to a file containing sensitive information,
then that information can be accessed via the new file that now owns
the blocks. The VxFS operation performing this allocation without
initialization is restricted to privileged users, but the qiomkfile
command is set-uid root so non-privileged but authorized users could
potentially circumvent the security restriction on the allocation
operation by using this command.
A second issue is an unauthorized file content disclosure in the
qioadmin utility for the Quick I/O for Database feature. A user with
authorized system access and sufficient privileges to run the qioadmin
utility can supply any filename of a file on the system to qioadmin
and redirect the file content to standard error. The qioadmin utility
is set-uid root which could allow non-privileged but authorized users
to circumvent system file permission restrictions to gain access to
privileged system information.
In Symantecs recommended installation an affected system should have
limited or no exposure to the general internal network and no exposure
outside of the corporate network which greatly reduces the risk of
unauthorized access.
Symantec Response
Symantec Engineers have verified and resolved these issues.
Symantec recommends customers apply the latest product update
available for their supported product versions to enhance their
security posture and protect against potential security threats of
this nature.
Symantec knows of no exploitation of or adverse customer impact from
this issue.
Additional information concerning updates for affected products can be
found at:
http://entsupport.symantec.com/docs/310872
Recommended Workarounds
If a customer is unable to or chooses not to apply the recommended
update at this time, the following workarounds are applicable:
A. Workaround for the qioadmin file disclosure issue:
Remove the set-uid flag for qioadmin
chmod u-s /opt/VRTS/bin/qioadmin
B. Workarounds for the qiomkfile uninitialized file system block
issue:
1. To only allow root users to execute this utility remove the
set-uid flag for qiomkfile
chmod u-s /opt/VRTS/bin/qiomkfile
2. To retain set-uid root for qiomkfile but restrict group
execute permissions to some particular Unix group, e.g.,
oracledba
chgrp oracledba /opt/VRTS/bin/qiomkfile
chmod 4750 /opt/VRTS/bin/qiomkfile
Under this workaround, Users in the "oracledba" group
will still be able to run qiomkfile effectively, but
users that arent in the oracledba group will not be able
to use qiomkfile.
NOTE: since the blocks in the files that qiomkfile
creates will still be uninitialized, those files should
have permissions such that only trusted users will be
able to access them.
3. turn off the flag for qiomkfile (as in workaround 1 above)
and use a utility like sudo to give individual users or
groups permission to execute qiomkfile as root. this is
similar to workaround 2, but the access control mechanism of
sudo is more flexible than that of Unix permissions.
Best Practices
As part of normal best practices, Symantec strongly recommends:
* Restrict access to administration or management systems to
privileged users.
* Restrict remote access, if required, to trusted/authorized systems
only.
* Run under the principle of least privilege where possible to limit
the impact of exploit by threats.
* Keep all operating systems and applications updated with the
latest vendor patches.
* Follow a multi-layered approach to security. Run both firewall and
anti-malware applications, at a minimum, to provide multiple
points of detection and protection to both inbound and outbound
threats.
* Deploy network and host-based intrusion detection systems to
monitor network traffic for signs of anomalous or suspicious
activity. This may aid in detection of attacks or malicious
activity related to exploitation of latent vulnerabilities.
Credit
Symantec would like to thank Derek Callaway with Security
Objectives for reporting these issues and for providing full
coordination while Symantec resolved them.
References
SecurityFocus has assigned a Bugtraq ID (BID) to these issues for
inclusion in the SecurityFocus vulnerability data base. BID 31678 has
been assigned to the qiomkfile uninitialized file system blocks issue
and BID 31679 to the qioadmin unauthorized file disclosure issue. The
BIDs can be found at http://www.securityfocus.com/bid/31678 and
http://www.securityfocus.com/bid/31679.
These issues are candidates for inclusion in the Common
Vulnerabilities and Exposures (CVE) list (http://cve.mitre.org),
which standardizes names for security problems. CVE-2008-3248 has been
assigned to the qiomkfile uninitialized file system blocks issue.
A CVE Candidate number has been requested from the Common
Vulnerabilities and Exposures (CVE) initiative for the qioadmin issue.
This advisory will be revised accordingly upon receipt of the CVE
Candidate number.
___________________________________________________________
Symantec takes the security and proper functionality of its products
very seriously. As founding members of the Organization for Internet
Safety (OISafety), Symantec follows the principles of responsible
disclosure. Symantec also subscribes to the vulnerability guidelines
outlined by the National Infrastructure Advisory Council (NIAC).
Please contact secure@symantec.com if you feel you have discovered
a potential or actual security issue with a Symantec product. A
Symantec Product Security team member will contact you regarding your
submission.
Symantec has developed a Product Vulnerability Handling Process
document outlining the process we follow in addressing suspected
vulnerabilities in our products. We support responsible disclosure of
all vulnerability information in a timely manner to protect Symantec
customers and the security of the Internet as a result of
vulnerability. This document is available from the location provided
below.
Symantec strongly recommends using encrypted email for reporting
vulnerability information to secure@symantec.com. The Symantec
Product Security PGP key can be obtained from the location provided
below.
Symantec-Product-Vulnerability-Response Symantec Vulnerability
Response Policy Symantec Product Vulnerability Management PGP Key
Symantec Product Vulnerability Management PGP Key
_________________________________________________________________
Copyright (c) 2008 by Symantec Corp.
Permission to redistribute this alert electronically is granted as
long as it is not edited in any way unless authorized by Symantec
Security Response. Reprinting the whole or part of this alert in any
medium other than electronically requires permission from
secure@symantec.com.
Disclaimer
The information in the advisory is believed to be accurate at the time
of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and
secure@symantec.com are registered trademarks of Symantec Corp.
and/or affiliated companies in the United States and other countries.
All other registered and unregistered trademarks represented in this
document are the sole property of their respective companies/owners.
Last modified on: Monday, 20-Oct-08 17:26:28
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBSP7A1yh9+71yA2DNAQJN3gP+Jn9OW8mWGTu4B9cbeTNlV58pYXGQdhd2
pBjSCcXCX1l29n5vY6hIc6po5WxH8mYbCNIh9IYZ3Avi2tpi4r5tZNpoE6KK1HGe
MD0VSzqTv4bieceGpUAowyAoJMWF8nZ/Z0kNr4GQUrui4gAA+K8xRDuxcp18QdHu
6xYYiDPRVFk=
=3E2e
-----END PGP SIGNATURE-----