ESB-2001.397 -- IBM SECURITY ADVISORY -- Buffer Overflow Vulnerabilities in lpd

Date: 12 September 2001
References: ESB-2001.268  ESB-2001.461  

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                   ESB-2001.397 -- IBM SECURITY ADVISORY
                  Buffer Overflow Vulnerabilities in lpd
                             12 September 2001

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                lpd
Vendor:                 IBM
Operating System:       AIX 4.3
                        AIX 5.1
Impact:                 Root Compromise
                        Denial of Service
Access Required:        Remote

Ref:                    ESB-2001.268

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

Fri Sep 7 11:18:24 CDT 2001
===========================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:    Buffer Overflow Vulnerabilities in lpd

PLATFORMS:        IBM AIX 4.3 and 5.1

SOLUTION:         Apply the emergency-fixes described below.

THREAT:           Malicious user could obtain root privileges, or cause
                  a denial of service (DoS).

                  CERT Advisory:  See CERT CA-2001-15 for info on
                  Solaris vulnerability.  Also see the posting,
                  http://xforce.iss.net/alerts/advise94.php, at the
                  Internet Security Systems site for info on BSD
                  implementations of lpd.

CVE Candidate:    CAN-2001-0670
                  CAN-2001-0671
===========================================================================
                           DETAILED INFORMATION

I.  Description

   The Line Printer daemon, lpd, shipped with AIX contains several
   buffer overflow vulnerabilities that potentially allow a malicious
   remote user to gain root privileges.

   Two of the three vulnerabilities found require the attacker's system
   be listed in /etc/hosts.lpd or /etc/hosts.equiv.  The third requires
   that the malicious user have control over the victim's domain name
   server (DNS).


II. Impact

   A malicious local or remote user can use well-crafted exploit code
   to gain root privileges on the attacked system, compromising the
   integrity of the system and its attached local network.

   If the malicious user is unable to gain root access, he or she could
   still cause a system crash (DoS) via this vulnerability.


III.  Solutions

  A.  Official fix

   IBM is working on the following fixes which will be available soon:

   AIX 4.3:  APAR #IY23037
   AIX 5.1:  APAR #IY23041

   NOTE:  Fixes will not be provided for versions prior to 4.3 as these
   are no longer supported by IBM.  Affected customers are urged to
   upgrade to 4.3.3 at the latest maintenance level, or to 5.1, when it
   becomes available.


  B.  How to minimize the vulnerability


   WORKAROUND

   None recommended.

   IBM advises customers to disable the line printer daemon until an
   efix or official APAR is installed.

   In general, customers are advised to disable all unused daemon
   services as good security practice.

   EMERGENCY FIX (efix):

   Temporary fixes for AIX 4.3.x and 5.1 systems are available.


   The temporary fixes can be downloaded via ftp from:

   ftp://aix.software.ibm.com/aix/efixes/security/lpd_efix.tar.Z

   The efix tarball consists of two patched lpd binaries, one for AIX
   4.3.x systems (lpd.43) and one for AIX 5.1 (scheduled for release
   soon; binary is lpd.51).  A copy of this Advisory is also included.

   These temporary fixes have not been fully regression tested; thus,
   IBM does not warrant the fully correct functioning of the efix.
   Customers install the efix and operate the modified version of AIX at
   their own risk.

   To proceed with efix installation:

   First, verify the MD5 cryptographic hash sum of each efix file you
   obtain from unpacking the efix tarball against those given below.  They
   should match exactly; if they do not, double check the hash results
   and the download site address.  If the mismatch persists, contact IBM
   AIX Security at security-alert@austin.ibm.com and describe the
   discrepancy.


   Filename        sum (checksum blocks)   md5
   =================================================================
   lpd.43X.tar     11225  20               3c7e6f0ef29b6147835213253de8f1bf
   lpd.51B.tar     35507  80               38bc7f7516d76b8a89914fdab97e1377


   Efix Installation Instructions:
   -------------------------------

   1. Become root, if not already done.

   2. In a scratch or tmp directory, uncompress and untar the efix:

       a. uncompress lpd_efix.tar.Z
       b. tar -xvf lpd_efix.tar

   3. If you are running an AIX 4.3.x system, copy the lpd.43 file to
   /usr/sbin.  Do the same if you have AIX 5.1 running, except copy the
   lpd.51 file.

   4. Stop the lpd daemon if it is currently running:

       a. stopsrc -s lpd

   5. Make a backup copy of the existing lpd binary package in case
   something goes wrong with the installation of the efix:

       a. cp /usr/sbin/lpd /usr/sbin/lpd.original

   6. Now copy the efix binary to take the place of the original lpd:

       a. cp /usr/sbin/lpd.43 /usr/sbin/lpd   (or lpd.51, as appropriate)

   7. Check to be certain that the new lpd is executable by root and is
   assigned proper permissions otherwise.

   8. Restart the lpd daemon:

       a. startsrc -s lpd
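   The hash check and steps 5 to 7 above, written as a shell script.  This
   is an added example, not code from IBM or AusCERT; it assumes GNU md5sum
   or the AIX csum command is available, and the efix_install driver is only
   meant to run as root on the AIX host itself.

```shell
#!/bin/sh
# Added example, not from the IBM or AusCERT text: verify the efix files against
# the advisory's MD5 sums, then replace /usr/sbin/lpd with a backup (steps 5-7).
# Assumes GNU md5sum or AIX csum; stopsrc/startsrc exist only on AIX.

# Digests copied from the advisory's table, keyed by the file name.
md5_expected() {
    case "$1" in
        lpd.43X.tar) echo 3c7e6f0ef29b6147835213253de8f1bf ;;
        lpd.51B.tar) echo 38bc7f7516d76b8a89914fdab97e1377 ;;
        *)           return 1 ;;
    esac
}

# md5_of FILE: print the lowercase hex digest using whichever tool is present.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        csum -h MD5 "$1" | awk '{print $1}'   # AIX; output layout is an assumption
    fi
}

# check_efix FILE [EXPECTED]: 0 when FILE's digest equals EXPECTED (default:
# the advisory value for FILE's basename), 1 on mismatch or unknown file.
check_efix() {
    expected=$2
    [ -n "$expected" ] || expected=$(md5_expected "$(basename "$1")" || :)
    [ -n "$expected" ] || { echo "no published digest for $1" >&2; return 1; }
    actual=$(md5_of "$1") || return 1
    [ "$actual" = "$expected" ] && return 0
    echo "MD5 mismatch for $1: got $actual, expected $expected" >&2
    return 1
}

# install_efix NEW DEST: back DEST up as DEST.original, then write NEW over it.
# Writing through the existing inode (cat >) keeps DEST's owner and mode, which
# is what step 7 asks you to confirm; DEST must not be running (step 4).
install_efix() {
    [ -f "$1" ] || { echo "efix binary $1 not found" >&2; return 1; }
    cp "$2" "$2.original" || return 1
    cat "$1" > "$2" || return 1
    [ -x "$2" ] && [ -f "$2.original" ]
}

# efix_install TARFILE BINARY: whole procedure as root on the AIX host, after
# step 2 has unpacked the tarball; BINARY is the lpd.43 or lpd.51 from step 3.
efix_install() {
    check_efix "$1" && stopsrc -s lpd && install_efix "$2" /usr/sbin/lpd && startsrc -s lpd
}
```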



IV. Obtaining Fixes

   IBM AIX APARs may be ordered using Electronic Fix Distribution (via
   the FixDist program), or from the IBM Support Center.  For more
   information on FixDist, and to obtain fixes via the Internet, please
   reference

        http://techsupport.services.ibm.com/rs6k/fixes.html

   or send email to "aixserv@austin.ibm.com" with the word "FixDist" in
   the "Subject:"  line.

   To facilitate ease of ordering all security related APARs for each
   AIX release, security fixes are periodically bundled into a
   cumulative APAR.  For more information on these cumulative APARs
   including last update and list of individual fixes, send email to
   "aixserv@austin.ibm.com" with the word "subscribe Security_APARs" in
   the "Subject:"  line.


V.  Acknowledgements

   Many thanks to Internet Security Services (ISS) for identifying these
   vulnerabilities in lpd, and to the CERT/CC for preparing and
   distributing the Vulnerability Notes provided to us vendors.

VI.  Contact Information

   Comments regarding the content of this announcement can be directed
   to:

   security-alert@austin.ibm.com

   To request the PGP public key that can be used to encrypt new AIX
   security vulnerabilities, send email to security-alert@austin.ibm.com
   with a subject of "get key".

   If you would like to subscribe to the AIX security newsletter, send a
   note to aixserv@austin.ibm.com with a subject of "subscribe
   Security".  To cancel your subscription, use a subject of
   "unsubscribe Security".  To see a list of other available
   subscriptions, use a subject of "help".

   IBM and AIX are registered trademarks of International Business
   Machines Corporation.  All other trademarks are property of their
   respective holders.

- -----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

-----END PGP SIGNATURE-----