Operating System:

[AIX]

Published:

14 December 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.1252
          A vulnerability has been discovered in AIX which allows
                          deletion of vital files
                             14 December 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           AIX
Publisher:         IBM
Operating System:  AIX
Impact/Access:     Modify Arbitrary Files -- Existing Account
                   Create Arbitrary Files -- Existing Account
                   Delete Arbitrary Files -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-1384  

Original Bulletin: 
   http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=5654&myns=paix53&mync=E

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Thu Dec 8 12:46:23 CST 2011

The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/invscout_advisory2.asc 
===============================================================================
                            VULNERABILITY SUMMARY

VULNERABILITY: AIX inventory scout file deletion and symlink vulnerability

PLATFORMS: AIX 5.3, 6.1, and 7.1, and earlier releases

SOLUTION: Apply the fix described below.

THREAT: See below.

CVE Number: CVE-2011-1384

Reboot required? NO 
Workarounds? YES 
Protected by FPM? NO 
Protected by SED? NO
===============================================================================
                            DETAILED INFORMATION

I. DESCRIPTION

    A vulnerability exists in the inventory scout code which may allow a user
to delete vital system files and allow an attacker to cause the software to 
operate on unauthorized files.

II. CVSS

    CVSS Base Score: 6.3
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/71615 for the
    current score
    CVSS Environmental Score*: Undefined

III. PLATFORM VULNERABILITY ASSESSMENT

    To determine if your system is vulnerable, run the following command:

    # lslpp -l | grep invscout.rte

    The following filesets are vulnerable:

    AIX 7.1, 6.1, 5.3: all versions less than 2.2.0.19

    NOTE: The invscout.rte is based on an independent service release and is 
not tied to any particular version or release of AIX.

IV. SOLUTIONS

    A. APARS

        IBM has assigned the following APARs to this problem:

        AIX Level           APAR number        Availability
        ---------------------------------------------------
        5.3                 IV11643            available
        6.1                 IV11643            available
        7.1                 IV11643            available

        Subscribe to the APARs here:

        http://www.ibm.com/support/docview.wss?uid=isg1IV11643

        By subscribing, you will receive periodic email alerting you to the 
status of the APAR, and a link to download the fix once it becomes available.

     B. FIX

        IMPORTANT: If possible, it is recommended that a mksysb backup of the
system be created. Verify it is both bootable and readable before proceeding.

        To preview a fix installation:

        installp -a -d fix_name -p all  # where fix_name is the name of the
                                        # fix package being previewed.

        To install a fix package:

        installp -a -d fix_name -X all  # where fix_name is the name of the
                                        # fix package being installed.

        Interim fixes have had limited functional and regression testing but 
not the full regression testing that takes place for Service Packs; thus, IBM
does not warrant the fully correct functionality of an interim fix.

V. WORKAROUNDS

    a) Remove the setuid bit from the following:

        chmod 555 /opt/IBMinvscout/bin/invscoutClient_VPD_Survey
        chmod 555 /opt/IBMinvscout/sbin/invscout_lsvpd

 NOTE: chmod will disable functionality of these commands for all users except
root.
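
 The fileset check from section III and the setuid workaround above can be
scripted as follows. This is an added example, not part of IBM's advisory; it
assumes `lslpp -l` prints the fileset name and level as its first two columns,
and the sample lines are constructed. Levels are compared numerically field by
field, because a plain string comparison would rank 2.2.0.9 above 2.2.0.19.

```sh
#!/bin/sh
# Added example, not IBM's or AusCERT's code.
FIXED_LEVEL=2.2.0.19    # first non-vulnerable invscout.rte level per the advisory

# Constructed sample `lslpp -l` lines (fileset, level, state, description).
SAMPLE_OLD='  invscout.rte    2.2.0.9   COMMITTED  Inventory Scout Runtime'
SAMPLE_FIXED='  invscout.rte    2.2.0.19  COMMITTED  Inventory Scout Runtime'

# Exit 0 when dotted version $1 is strictly lower than $2 (numeric per field).
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Print vulnerable / fixed / not-installed for the `lslpp -l` text in $1.
check_invscout() {
    level=$(printf '%s\n' "$1" | awk '$1 == "invscout.rte" { print $2; exit }')
    if [ -z "$level" ]; then
        echo "not-installed"
    elif ver_lt "$level" "$FIXED_LEVEL"; then
        echo "vulnerable"
    else
        echo "fixed"
    fi
}

# Print each given path that still carries the setuid bit.
setuid_left() {
    for f in "$@"; do
        [ -u "$f" ] && echo "$f"
    done
    return 0
}

# On an AIX host, report the live state; elsewhere this is skipped.
if command -v lslpp >/dev/null 2>&1; then
    echo "invscout.rte: $(check_invscout "$(lslpp -l 2>/dev/null)")"
    setuid_left /opt/IBMinvscout/bin/invscoutClient_VPD_Survey \
                /opt/IBMinvscout/sbin/invscout_lsvpd
fi
```

 Any path printed by setuid_left still needs the chmod from the workaround or
the fixed fileset.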

VII. CONTACT INFORMATION

    If you would like to receive AIX Security Advisories via email, please 
visit:

        http://www.ibm.com/systems/support

    and click on the "My notifications" link.

    To view previously issued advisories, please visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd

    Comments regarding the content of this announcement can be directed to:

        security-alert@austin.ibm.com

    To request the PGP public key that can be used to communicate securely 
with the AIX Security Team you can either:

        A. Send an email with "get key" in the subject line to:

            security-alert@austin.ibm.com

        B. Download the key from a PGP Public Key Server. The key ID is:

            0x28BFAA12

    Please contact your local IBM AIX support center for any assistance.

    eServer is a trademark of International Business Machines Corporation. 
IBM, AIX and pSeries are registered trademarks of International Business 
Machines Corporation. All other trademarks are property of their respective 
holders.

VIII. ACKNOWLEDGMENTS

    This vulnerability was reported by Jakub Wartak.

IX. REFERENCES:

    Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html
    On-line Calculator V2: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
    X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/71615
    CVE-2011-1384: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1384

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD8DBQFO4Q5Q4fmd+Ci/qhIRAv/7AJsGbBdVsp5R88+6H4PALNkRyAi9ygCeKxvn
ticRWITpxesdpzuKHl2Q7aU=
=JeLt
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----