Skip Navigation

  • Home
  • Contact us
  • FAQ
  • Glossary
  • Public key
  • Sitemap
  • Cymraeg
  • What's new
CPNI - Centre for the Protection of National Infastructure

Advanced search

  • About CPNI
  • The threats
  • Security planning
  • Methods of attack
  • Protecting your assets
  • Products and services
    • CSIRTUK advisories
      • Advisories archive
    • General protective security publications
    • InfoSec briefings
    • InfoSec technical notes
    • InfoSec vulnerability disclosures
    • Good practice guidelines
    • Viewpoints
    • Information exchanges
    • Risk Management Delivery Group
  • Research
Home > Products and services > CSIRTUK advisories > Advisories archive > January 2007 > AIX 5.3 : Security advisories (2007.01.08)

January 2007

AIX 5.3 : Security advisories (2007.01.08)

ID: 00022
Ref: 19/2007
Date: 09 January 2007:16:14:42
Version: 1
Title: AIX 5.3 : Security advisories (2007.01.08)
Abstract: Multiple vulnerabilities in ftpd
Vendors affected: IBM
Operating systems affected: IBM
Applications affected: IBM
AIX 5.3 : Security advisories (2007.01.08)

Multiple vulnerabilities in ftpd

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY


First Issued: Mon Jan 8 11:00:00 CST 2007
==========================================================================
VULNERABILITY SUMMARY

VULNERABILITY: Multiple vulnerabilities in ftpd

PLATFORMS: AIX 5.2 and 5.3.

SOLUTION: Apply the APAR, interim fix or workaround as
described below.

THREAT: Password disclosure and denial of service
vulnerabilities in ftpd.

CERT VU Number: n/a
CVE Number: n/a
==========================================================================
DETAILED INFORMATION


I. Description
===============

Two vulnerabilities were discovered in ftpd. First, a password disclosure vulnerability exists in ftpd. Affected user accounts will be listed in /etc/ftpaccess.ctl on the "puseronly" or "pgrouponly" lines. "puseronly"
and "pgrouponly" are used to designate password protected anonymous users and password protected anonymous groups respectively. If /etc/ftpaccess.ctl does not exist or if both the "puseronly" and "pgrouponly" lines do not exist, ftpd is not affected by this vulnerability. An authorized local user may be able to gain access to passwords for "puseronly" and "pgrouponly"
users. This issue affects AIX 5300-03 and later releases.

The following table shows the vulnerable versions of bos.net.tcp.client which are affected by the password disclosure vulnerability:

AIX Release Lower Upper
Level Level
===========================================
AIX 5.2 n/a n/a
AIX 5.3 5.3.0.30 5.3.0.53

Second, a denial of service vulnerability has been found in ftpd which allows a remote user to cause a denial of service by exhausting available ephemeral ports.

The following table shows the vulnerable versions of bos.net.tcp.client which are affected by the denial of service vulnerability:

AIX Release Lower Upper
Level Level
===========================================
AIX 5.2 5.2.0.0 5.2.0.98
AIX 5.3 5.3.0.0 5.3.0.53


II. Impact
==========

A password disclosure vulnerability in ftpd may allow a local authorized user to gain access to passwords for password protected anonymous users and groups.

A vulnerability in ftpd may allow a remote authorized user to cause a denial of service.

III. Solutions
===============

A. APARs

IBM provides the following fixes:

APAR number for AIX 5.2.0: IY91787 (available approx. 01/24/07)
APAR number for AIX 5.3.0: IY89168 (available)

NOTE: Affected customers are urged to upgrade to the latest applicable Technology Level.

B. Interim Fix

Interim fixes are available. The interim fixes can be downloaded via ftp
from:

ftp://aix.software.ibm.com/aix/efixes/security/ftpd2_ifix.tar.Z

This is a compressed tarball containing this advisory, interim fix packages and cleartext PGP signatures for each package.


Verify you have retrieved the fixes intact:
+------------------------------------------
The checksums below were generated using the "sum" and "md5sum" commands and are as follows:


Filename sum md5
=========================================================================
IY91787_07.061115.epkg.Z 46904 104 c5133ce9a80b9c5b828933b57620f6f7
IY91787_08.061115.epkg.Z 41655 107 ca7cdd5ac6e455f41f4eb61cc1dbc8bd
IY91787_09.061211.epkg.Z 45473 106 19c4e727c283d352391dac4cd8f76d32
IY89168_03.061115.epkg.Z 55003 109 84a52fe979a0516f47827989cbb55fd2
IY89168_04.061115.epkg.Z 45154 112 7af2a4496287f74d7a8aef4bd8ab4ddb

See the table below to determine which AIX Technology Level a given interim fix maps to.

These sums should match exactly. The PGP signatures in the compressed tarball and on this advisory can also be used to verify the integrity of the various files they correspond to. If the sums or signatures cannot be confirmed, double check the command results and the download site address.
If those are OK, contact IBM AIX Security at security-alert@austin.ibm.com and describe the discrepancy.

The interim fixes include prerequisite checking. This will ensure the correct mapping between the interim fixes and AIX Technology Levels. The following table shows the prerequisite fileset levels required for the fixes above. The fileset levels listed are for bos.rte.methods.

Interim Fileset Level Fileset Level AIX
Fix (lower limit) (upper limit) Level
=====================================================================
IY91787_07.061115.epkg.Z 5.2.0.77 5.2.0.77 5200-07
IY91787_08.061115.epkg.Z 5.2.0.85 5.2.0.88 5200-08
IY91787_09.061211.epkg.Z 5.2.0.95 5.2.0.98 5200-09
IY89168_03.061115.epkg.Z 5.3.0.30 5.3.0.32 5300-03
IY89168_04.061115.epkg.Z 5.3.0.40 5.3.0.44 5300-04

IMPORTANT: If possible, it is recommended that a mksysb backup of the system is created. Verify it is both bootable, and readable before proceeding.

Customers may contact IBM support if any issues arise with these interim fixes.


Interim Installation Instructions:
+---------------------------------
These packages use the new Interim Fix Management Solution to install and manage interim fixes. More information can be found at:

http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

To preview an epkg interim fix installation execute the following command:

# emgr -e ipkg_name -p # where ipkg_name is the name of the
# interim fix package being previewed.

To install an epkg interim fix package, execute the following command:

# emgr -e ipkg_name -X # where ipkg_name is the name of the
# interim fix package being installed.

The "X" flag will expand any filesystems if required.

C. Workaround

The password disclosure vulnerability can be mitigated by ensuring that only trusted users have access to messages generated by syslogd for ftpd.

The denial of service vulnerability can be mitigated by setting the nofiles_hard resource limit for users. This will limit the number of ephemeral ports a given user can have open at a given time. This vulnerability can also be mitigated by using the "no" (network options) command to manage relevant network tuning parameters. The relevant parameters are sockthresh, tcp_ephemeral_high and tcp_ephemeral_low. The sockthresh parameter specifies the maximum amount of network memory that can be allocated for sockets. By lowering this value, system administrators can limit the number of sockets the system will create. The tcp_ephemeral_high and tcp_ephemeral_low parameters can be used together to limit to number of ephemeral ports the system will use at a given time.


IV. Obtaining Fixes
===================

AIX Version 5 APARs can be downloaded from:

http://www.ibm.com/servers/eserver/support/unixservers/aixfixes.html

Security related Interim Fixes can be downloaded from:

ftp://aix.software.ibm.com/aix/efixes/security


V. Contact Information
=======================

If you would like to receive AIX Security Advisories via email, please
visit:

http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd

Comments regarding the content of this announcement can be directed to:

security-alert@austin.ibm.com

To request the PGP public key that can be used to communicate securely with the AIX Security Team send email to security-alert@austin.ibm.com with a subject of "get key". The key can also be downloaded from a PGP Public Key Server. The key id is 0x1B14F299.

Please contact your local IBM AIX support center for any assistance.

eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business Machines Corporation. All other trademarks are property of their respective holders.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFomUCofN/JhsU8pkRAkhNAJ4zEmbiJ4Um2waS09UZwBu53QEC7ACfZR0R
fvDzN/PXuO2GGWaql4tvGRQ=
=y7Yg
- -----END PGP SIGNATURE-----



- ---------------------------------------------------------------------

Related URLs:

Find end of support dates for AIX and software running on AIX
http://www.ibm.com/services/sl/products

Visit Unix Servers Support for a wide array of technical resources.
http://www.ibm.com/servers/eserver/support/unixservers

Download fixes for AIX V5 and 4.3 OS, Java, Compilers:
http://www-912.ibm.com/eserver/support/fixes/

Update your Subscription Service profile
http://www14.software.ibm.com/webapp/set2/subscriptions/ijhifoe?mode=2

Unsubscribe from Subscription Service
http://www14.software.ibm.com/webapp/set2/subscriptions/ijhifoe?mode=3

Sign up for customized weekly newsletter from IBM
https://isource.ibm.com/world/index.shtml

- ----------------------------------------------------------------------
IBM and AIX are trademarks or registered trademarks of the International Business Machines Corporation in the United States or other countries, or both.

  • Accessibility |
  • Terms and conditions |
  • Privacy statement |
  • Data protection act |
  • Freedom of information |