ESB-2008.1079 -- [AIX] -- AIX 6.1 multiple security vulnerabilities

Date: 28 November 2008


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                          ESB-2008.1079 -- [AIX]
                 AIX 6.1 multiple security vulnerabilities
                             28 November 2008

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              AIX 6.1
Publisher:            IBM
Operating System:     AIX
Impact:               Root Compromise
                      Increased Privileges
                      Delete Arbitrary Files
Access:               Existing Account

Original Bulletin:  
  http://aix.software.ibm.com/aix/efixes/security/aix61_advisory.asc

---------------------------BEGIN INCLUDED TEXT--------------------


IBM SECURITY ADVISORY

First Issued: Wed Nov 26 09:16:12 CST 2008
===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:      AIX 6.1 multiple security vulnerabilities

PLATFORMS:          AIX 6.1

SOLUTION:           Apply the fix as described below.

THREAT:             A local attacker may gain elevated privileges.

CVE Number:         n/a

The most recent version of this document is available at:

    http://aix.software.ibm.com/aix/efixes/security/aix61_advisory.asc

===============================================================================
                           DETAILED INFORMATION

I. DESCRIPTION

    There are multiple vulnerabilities in AIX 6.1:

    a) If the netcd daemon is running, a buffer overflow can be triggered
    in the setuid root program /usr/sbin/ndp, resulting in privilege
    escalation.

    Track with the following APAR numbers: IZ35181 IZ35170 IZ35209.

    b) There is a buffer overflow in the privileged command
    /usr/sbin/autoconf6, resulting in privilege escalation if RBAC
    (role-based access control) is in use and a user has the
    aix.network.config.tcpip authorization.

    Track with the following APAR numbers: IZ34753 IZ34393 IZ30231.

    c) The privileged command /usr/bin/enq can remove any file on the
    system if a print queue is defined in /etc/qconfig.

    Track with the following APAR numbers: IZ34785 IZ34481 IZ33088.

    d) The privileged command /usr/bin/crontab grants elevated
    privileges to the editor if a user has the aix.system.config.cron
    authorization.

    Track with the following APAR numbers: IZ34783 IZ34478 IZ30248.

    The following files are vulnerable:

    /usr/sbin/ndp
    /usr/sbin/autoconf6
    /usr/bin/enq
    /usr/bin/crontab

II. PLATFORM VULNERABILITY ASSESSMENT

    To determine if your system is vulnerable, execute the following
    command:

    lslpp -L bos.net.tcp.client \
             bos.adt.prof \
             bos.rte.libc \
             bos.rte.printers \
             bos.rte.cron

    The following fileset levels are vulnerable:

    AIX Fileset        Lower Level       Upper Level
    ------------------------------------------------
    bos.net.tcp.client 6.1.0.0           6.1.0.6
    bos.adt.prof       6.1.0.0           6.1.0.7
    bos.rte.libc       6.1.0.0           6.1.0.7
    bos.rte.printers   6.1.0.0           6.1.0.1
    bos.rte.cron       6.1.0.0           6.1.0.0

    bos.net.tcp.client 6.1.1.0           6.1.1.2
    bos.adt.prof       6.1.1.0           6.1.1.2
    bos.rte.libc       6.1.1.0           6.1.1.2
    bos.rte.printers   6.1.1.0           6.1.1.0
    bos.rte.cron       6.1.1.0           6.1.1.1

    bos.net.tcp.client 6.1.2.0           6.1.2.0
    bos.adt.prof       6.1.2.0           6.1.2.0
    bos.rte.libc       6.1.2.0           6.1.2.0
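    The table above is easier to apply when installed levels are compared
    numerically rather than by eye. The following POSIX shell script is an
    added example, not part of the IBM advisory or the AusCERT bulletin: it
    encodes the ranges from the table, classifies each installed fileset
    level, and returns non-zero if anything is still in a vulnerable range.
    It assumes the "lslpp -Lc" colon-separated output layout for feeding in
    real data; the sample input at the bottom is constructed.

```sh
#!/bin/sh
# Added example (not from the IBM advisory): flag AIX 6.1 filesets whose
# installed level falls inside a vulnerable range from section II.
# Input is one "fileset level" pair per line; on AIX it can be produced with
#   lslpp -Lc <filesets> | awk -F: 'NR > 1 { print $2, $3 }'   (assumed layout)
# Vulnerable ranges copied from the advisory table: fileset lower upper
VULN_RANGES='bos.net.tcp.client 6.1.0.0 6.1.0.6
bos.adt.prof 6.1.0.0 6.1.0.7
bos.rte.libc 6.1.0.0 6.1.0.7
bos.rte.printers 6.1.0.0 6.1.0.1
bos.rte.cron 6.1.0.0 6.1.0.0
bos.net.tcp.client 6.1.1.0 6.1.1.2
bos.adt.prof 6.1.1.0 6.1.1.2
bos.rte.libc 6.1.1.0 6.1.1.2
bos.rte.printers 6.1.1.0 6.1.1.0
bos.rte.cron 6.1.1.0 6.1.1.1
bos.net.tcp.client 6.1.2.0 6.1.2.0
bos.adt.prof 6.1.2.0 6.1.2.0
bos.rte.libc 6.1.2.0 6.1.2.0'

# level_state FILESET LEVEL -> "vulnerable" if LEVEL lies inside a listed range
# for FILESET, else "ok". Levels are V.R.M.F and are compared field by field
# as numbers, so 6.1.0.10 is correctly treated as newer than 6.1.0.8.
level_state() {
  printf '%s\n' "$VULN_RANGES" | awk -v fs="$1" -v lv="$2" '
    function cmp(a, b,  x, y, i) {
      split(a, x, "."); split(b, y, ".")
      for (i = 1; i <= 4; i++) if (x[i] + 0 != y[i] + 0) return x[i] - y[i]
      return 0
    }
    $1 == fs && cmp($2, lv) <= 0 && cmp(lv, $3) <= 0 { hit = 1 }
    END { print (hit ? "vulnerable" : "ok") }'
}

# check_levels reads "fileset level" lines from stdin, prints one status line
# per fileset and returns 1 if any is vulnerable, so it can gate an installp run.
check_levels() {
  rc=0
  while read -r fs lv; do
    [ -n "$fs" ] || continue
    st=$(level_state "$fs" "$lv")
    printf '%-20s %-9s %s\n' "$fs" "$lv" "$st"
    if [ "$st" = vulnerable ]; then rc=1; fi
  done
  return $rc
}

# Constructed sample: a TL1 system where only bos.rte.libc is still unpatched
SAMPLE='bos.net.tcp.client 6.1.1.3
bos.rte.libc 6.1.1.2
bos.rte.cron 6.1.1.2'
printf '%s\n' "$SAMPLE" | check_levels || echo 'apply the section III fixes first'
```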


III. SOLUTIONS

    A. APARS

        IBM has assigned the following APARs to these problems:

        AIX Level   APAR numbers                     Availability
        ---------------------------------------------------
        6.1.0       IZ35181 IZ34753 IZ34785 IZ34783  Now
        6.1.1       IZ35170 IZ34393 IZ34481 IZ34478  Now
        6.1.2       IZ35209 IZ30231 IZ33088 IZ30248  Now

        Subscribe to the APARs here:

        http://www.ibm.com/support/docview.wss?uid=isg1IZ35181
        http://www.ibm.com/support/docview.wss?uid=isg1IZ34753
        http://www.ibm.com/support/docview.wss?uid=isg1IZ34785
        http://www.ibm.com/support/docview.wss?uid=isg1IZ34783

        http://www.ibm.com/support/docview.wss?uid=isg1IZ35170
        http://www.ibm.com/support/docview.wss?uid=isg1IZ34393
        http://www.ibm.com/support/docview.wss?uid=isg1IZ34481
        http://www.ibm.com/support/docview.wss?uid=isg1IZ34478

        http://www.ibm.com/support/docview.wss?uid=isg1IZ35209
        http://www.ibm.com/support/docview.wss?uid=isg1IZ30231
        http://www.ibm.com/support/docview.wss?uid=isg1IZ33088
        http://www.ibm.com/support/docview.wss?uid=isg1IZ30248

        By subscribing, you will receive periodic email alerting you
        to the status of the APAR, and a link to download the fix once
        it becomes available.

        The fixes are also available in the following service packs:

        AIX 6.1 TL0 Service Pack 7
        AIX 6.1 TL1 Service Pack 3
        AIX 6.1 TL2 Service Pack 1

    B. FIXES

        Fixes are available.  The fixes can be downloaded from:

        http://aix.software.ibm.com/aix/efixes/security/aix61_fix.tar
        ftp://aix.software.ibm.com/aix/efixes/security/aix61_fix.tar

        The links above are to a tar file containing this signed
        advisory, fix packages, and PGP signatures for each package.
        The fixes below include prerequisite checking. This will
        enforce the correct mapping between the fixes and AIX
        Technology Levels.

        AIX Level          Fix (*.U)
        -------------------------------------------------------------------
        6.1.0              bos.adt.prof.6.1.0.8.U
                           bos.net.tcp.client.6.1.0.7.U
                           bos.rte.cron.6.1.0.1.U
                           bos.rte.libc.6.1.0.8.U
                           bos.rte.printers.6.1.0.2.U
        6.1.1              bos.adt.prof.6.1.1.3.U
                           bos.net.tcp.client.6.1.1.3.U
                           bos.rte.cron.6.1.1.2.U
                           bos.rte.libc.6.1.1.3.U
                           bos.rte.printers.6.1.1.1.U
        6.1.2              bos.adt.prof.6.1.2.1.U
                           bos.net.tcp.client.6.1.2.1.U
                           bos.rte.libc.6.1.2.0.U

        To extract the fixes from the tar file:

        tar xvf aix61_fix.tar
        cd aix61_fix

        Verify you have retrieved the fixes intact:

        The checksums below were generated using the "csum -h SHA1"
        (sha1sum) command.


        To verify the sums, use the text of this advisory as input to
        csum or sha1sum. For example:

        csum -h SHA1 -i Advisory.asc
        sha1sum -c Advisory.asc

        These sums should match exactly. The PGP signatures in the tar
        file and on this advisory can also be used to verify the
        integrity of the fixes.  If the sums or signatures cannot be
        confirmed, contact IBM AIX Security and describe the
        discrepancy at the following address:

            security-alert@austin.ibm.com

    C. FIX INSTALLATION

        IMPORTANT: If possible, it is recommended that a mksysb backup
        of the system be created.  Verify it is both bootable and
        readable before proceeding.

        To preview a fix installation:

        installp -a -d fix_name -p all  # where fix_name is the name of the
                                        # fix package being previewed.

        To install a fix package:

        installp -a -d fix_name -X all  # where fix_name is the name of the
                                        # fix package being installed.

IV. WORKAROUNDS

    a) Stop the netcd daemon and remove the setuid and setgid bits
    from /usr/sbin/ndp:

        stopsrc -s netcd
        chmod 555 /usr/sbin/ndp

    b) Remove the aix.network.config.tcpip authorization from user roles.

    c) Remove the setuid and setgid bits from /usr/bin/enq:

        chmod 555 /usr/bin/enq

    d) Remove the aix.system.config.cron authorization from user roles.

V. OBTAINING FIXES

    AIX security fixes can be downloaded from:

        http://aix.software.ibm.com/aix/efixes/security

    AIX fixes can be downloaded from:

        http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix

    NOTE: Affected customers are urged to upgrade to the latest
    applicable Technology Level and Service Pack.

VI. CONTACT INFORMATION

    If you would like to receive AIX Security Advisories via email,
    please visit:

        http://www.ibm.com/systems/support

    and click on the "My notifications" link.

    To view previously issued advisories, please visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd
 
    Comments regarding the content of this announcement can be
    directed to:

        security-alert@austin.ibm.com

    To obtain the PGP public key that can be used to communicate
    securely with the AIX Security Team you can either:

        A. Download the key from our web page:

  http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgpkey.txt

        B. Download the key from a PGP Public Key Server. The key ID is:

            0xADA6EB4D

    Please contact your local IBM AIX support center for any
    assistance.

    eServer is a trademark of International Business Machines
    Corporation.  IBM, AIX and pSeries are registered trademarks of
    International Business Machines Corporation.  All other trademarks
    are property of their respective holders.

VII. ACKNOWLEDGMENTS

    IBM discovered and fixed these vulnerabilities as part of its
    commitment to secure the AIX operating system.


---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
