CPNI - Centre for the Protection of National Infrastructure


February 2006

Two IBM SECURITY ADVISORIES: 1. AIX 5.3 : Security advisories (2006.02.13) - A symlink vulnerability in lscfg may cause a denial of service 2. AIX 5.3 : Security advisories (2006.02.13) - A local user may cause a system crash

ID: 00128
Ref: 126/2006
Date: 14 February 2006:14:53:23
Version: 1

Title: Two IBM SECURITY ADVISORIES: 1. AIX 5.3 : Security advisories (2006.02.13) - A symlink vulnerability in lscfg may cause a denial of service 2. AIX 5.3 : Security advisories (2006.02.13) - A local user may cause a system crash
Abstract:
Vendors affected: IBM
Operating systems affected: IBM
Applications affected: IBM

Title
=====

Two IBM SECURITY ADVISORIES:

1. AIX 5.3 : Security advisories (2006.02.13) - A symlink vulnerability in lscfg
may cause a denial of service

2. AIX 5.3 : Security advisories (2006.02.13) - A local user may cause a system crash

Detail
======

1. A symlink vulnerability was discovered in the lscfg command that allows a
local user to overwrite arbitrary system files. This could lead to data
destruction or a denial of service. Successful exploitation of this issue
would require the root user to execute the vulnerable command and
unintentionally write to the source file of a symbolic link created by the
local user.

2. A vulnerability was discovered that allows any local user to cause a system
crash. This issue is in the AIX 5300-03 unix_mp and unix_64 kernels. These
kernels ship as part of the bos.mp and bos.mp64 filesets respectively. The
affected VRMF levels are 5.3.0.30 through 5.3.0.33 inclusively.




1.



---------------------------------------------------------------------------

AIX 5.3 : Security advisories (2006.02.13)

A symlink vulnerability in lscfg may cause a denial of service


IBM SECURITY ADVISORY

First Issued: Mon Feb 13 10:20:46 CST 2006

==========================================================================
VULNERABILITY SUMMARY

VULNERABILITY: A symlink vulnerability may cause a denial of service

PLATFORMS: AIX 5.2 and AIX 5.3

SOLUTION: Apply the APARs or workaround as described below.

THREAT: A local user may cause a denial of service

CERT VU Number: CVE-2006-0667
CVE Number: N/A
=========================================================================
DETAILED INFORMATION


I. Description
===============
A symlink vulnerability was discovered in the lscfg command that allows a
local user to overwrite arbitrary system files. This could lead to data
destruction or a denial of service. Successful exploitation of this issue
would require the root user to execute the vulnerable command and
unintentionally write to the source file of a symbolic link created by the
local user.

The lscfg command ships as part of the devices.chrp.base.rte fileset. To
determine what level of this fileset is installed, execute the following
command:

# lslpp -L devices.chrp.base.rte

The fileset will be listed along with its version information, state, type
and a description.

This issue was introduced to AIX 5.2 in 5200-03 (devices.chrp.base.rte
5.2.0.30) and to AIX 5.3 in 5300-00 (devices.chrp.base.rte 5.3.0.0).


II. Impact
==========

A local user may cause data destruction or a denial of service.


III. Solutions
===============

A. Official Fix

IBM provides the following fixes:

AIX Version   APAR Number   Availability   Corresponding Filesets
------------------------------------------------------------------------------
5.2.0         IY77624       available      devices.chrp.base.rte 5.2.0.85
5.3.0         IY77638       available      devices.chrp.base.rte 5.3.0.40


NOTE: Affected customers are urged to upgrade to 5.2.0 or 5.3.0 at the
latest Technology Level.

B. Workaround

Remove the setuid bit from the lscfg command. This can be done by executing
the following command:

# chmod 700 /usr/sbin/lscfg

Verify that the permission mode bits have been updated:

# ls -la /usr/sbin/lscfg
-rwx------ 1 root system 50794 Oct 11 2004 /usr/sbin/lscfg

Note that only the root user will be able to execute the lscfg command.


IV. Obtaining Fixes
===================

AIX Version 5 APARs can be downloaded from:

http://www-03.ibm.com/servers/eserver/support/unixservers/aixfixes.html

Security related Interim Fixes can be downloaded from:

ftp://aix.software.ibm.com/aix/efixes/security


V. Contact Information
=======================

If you would like to receive AIX Security Advisories via email, please
visit:

https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs

Comments regarding the content of this announcement can be directed to:

security-alert@austin.ibm.com

To request the PGP public key that can be used to communicate securely
with the AIX Security Team send email to security-alert@austin.ibm.com
with a subject of "get key". The key can also be downloaded from a PGP
Public Key Server. The key id is 0x9391C1F2.

Please contact your local IBM AIX support center for any assistance.

eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their respective
holders.


----------------------------------------------------------------------
IBM and AIX are trademarks or registered trademarks of the International Business Machines Corporation in the United States or other countries, or both.



2.



AIX 5.3 : Security advisories (2006.02.13)

A local user may cause a system crash


IBM SECURITY ADVISORY

First Issued: Mon Feb 13 10:13:12 CST 2006

==========================================================================
VULNERABILITY SUMMARY

VULNERABILITY: A local user may cause a system crash

PLATFORMS: AIX 5300-03

SOLUTION: Apply the APAR as described below.

THREAT: A local user may cause a system crash.

CERT VU Number: N/A
CVE Number: CVE-2006-0666
=========================================================================
DETAILED INFORMATION


I. Description
===============

A vulnerability was discovered that allows any local user to cause a system
crash. This issue is in the AIX 5300-03 unix_mp and unix_64 kernels. These
kernels ship as part of the bos.mp and bos.mp64 filesets respectively. The
affected VRMF levels are 5.3.0.30 through 5.3.0.33 inclusively.

To determine what level of each of these filesets is installed, execute the
following command:

# lslpp -L bos.mp bos.mp64

Each fileset will be listed along with its version information, state, type
and a description.


II. Impact
==========

A local user may cause a system crash.


III. Solutions
===============

A. Official Fix

IBM provides the following fixes:

AIX Version   APAR Number   Availability   Corresponding Filesets
------------------------------------------------------------------------------
5.3.0         IY79595       available      bos.mp64 5.3.0.40
                                           bos.mp 5.3.0.40

NOTE: Affected customers are urged to upgrade to 5.3.0 at the latest
Technology Level.


IV. Obtaining Fixes
===================

AIX Version 5 APARs can be downloaded from:

http://www-03.ibm.com/servers/eserver/support/unixservers/aixfixes.html

Security related Interim Fixes can be downloaded from:

ftp://aix.software.ibm.com/aix/efixes/security


V. Contact Information
=======================

If you would like to receive AIX Security Advisories via email, please
visit:

https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs

Comments regarding the content of this announcement can be directed to:

security-alert@austin.ibm.com

To request the PGP public key that can be used to communicate securely
with the AIX Security Team send email to security-alert@austin.ibm.com
with a subject of "get key". The key can also be downloaded from a PGP
Public Key Server. The key id is 0x9391C1F2.

Please contact your local IBM AIX support center for any assistance.

eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their respective
holders.
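
Added example (not part of the IBM advisories or the CSIRTUK notice): a POSIX shell triage of the fileset levels named in both advisories, plus the setuid check behind the lscfg workaround. The colon-separated input layout is assumed to be that of `lslpp -Lc`; the sample records and the `-r-sr-xr-x` mode are constructed, and all function names are hypothetical.

```shell
#!/bin/sh
# Assumed input: "package:fileset:level:..." records; '#' header lines skipped.

# vrmf_cmp A B: print -1, 0 or 1 comparing two V.R.M.F levels field by field.
vrmf_cmp() {
    a=$1 b=$2
    for i in 1 2 3 4; do
        x=${a%%.*} y=${b%%.*}
        [ "$x" -lt "$y" ] && { echo -1; return; }
        [ "$x" -gt "$y" ] && { echo 1; return; }
        a=${a#*.} b=${b#*.}
    done
    echo 0
}

# classify FILESET LEVEL: print affected, not-affected or not-listed.
# Each range is lo <= level < end, taken from the advisories.
classify() {
    case "$1:$2" in
        # lscfg symlink issue: introduced 5.2.0.30 / 5.3.0.0, fixed 5.2.0.85 / 5.3.0.40
        devices.chrp.base.rte:5.2.*) lo=5.2.0.30 end=5.2.0.85 ;;
        devices.chrp.base.rte:5.3.*) lo=5.3.0.0  end=5.3.0.40 ;;
        # kernel crash: 5.3.0.30 through 5.3.0.33 inclusive (end is one past .33)
        bos.mp:5.3.*|bos.mp64:5.3.*) lo=5.3.0.30 end=5.3.0.34 ;;
        *) echo not-listed; return ;;
    esac
    if [ "$(vrmf_cmp "$2" "$lo")" -ge 0 ] && [ "$(vrmf_cmp "$2" "$end")" -lt 0 ]
    then echo affected
    else echo not-affected
    fi
}

# scan: read records on stdin, print "fileset level status" for the three filesets.
scan() {
    while IFS=: read -r pkg fileset level rest; do
        case $pkg in '#'*|'') continue ;; esac
        case $fileset in devices.chrp.base.rte|bos.mp|bos.mp64)
            echo "$fileset $level $(classify "$fileset" "$level")" ;;
        esac
    done
}

# has_setuid MODE: succeed if an `ls -l` mode string shows s/S in the owner-execute slot.
has_setuid() { case $1 in ???[sS]*) return 0 ;; *) return 1 ;; esac; }

# Constructed sample records, not taken from a real host.
SAMPLE='#Package Name:Fileset:Level:State:PTF Id:Fix State:Type:Description
devices.chrp.base:devices.chrp.base.rte:5.3.0.30: : :C: :sample
bos:bos.mp:5.3.0.32: : :C: :sample
bos:bos.mp64:5.3.0.40: : :C: :sample'
printf '%s\n' "$SAMPLE" | scan
if has_setuid "-rwx------"; then echo "lscfg still setuid"; else echo "workaround applied"; fi
```

On a real host, replace the sample with the output of `lslpp -Lc devices.chrp.base.rte bos.mp bos.mp64` piped into `scan`.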