February 2005
IBM Security Advisories
ID: 00156
Ref: 140/2005
Date: 22 February 2005:14:21:58
Version: 1
Title: IBM Security Advisories
Abstract:
Vendors affected: IBM
Operating systems affected: IBM
Applications affected: IBM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
IBM SECURITY ADVISORY
First Issued: Mon Feb 7 14:45:13 CST 2005
|Updated: Thu Feb 10 09:11:29 CST 2005
|Added mkdev and rmdev
|Added interim fix information
==========================================================================
VULNERABILITY SUMMARY
|Updated: Thu Feb 10 09:11:29 CST 2005
|Added mkdev and rmdev
|VULNERABILITY: A format string vulnerability in the mkdev, rmdev
| and chdev commands may allow a local user in the
| system group to gain root privileges.
PLATFORMS: AIX 5.1, 5.2 and 5.3.
|Updated: Thu Feb 10 09:11:29 CST 2005
|Added interim fix information
|SOLUTION: Apply the workaround, interim fix or APARs as
| described below.
THREAT: A local user may gain root privileges.
CERT VU Number: N/A
CVE Number: N/A
==========================================================================
DETAILED INFORMATION
I. Description
===============
|Updated: Thu Feb 10 09:11:29 CST 2005
|Added mkdev and rmdev
|Format string vulnerabilities in the mkdev, rmdev and chdev commands
|were discovered. These vulnerabilities may allow a local user in the
|system group to gain root privileges.
The commands affected by this issue ship as part of the bos.rte.methods fileset. To determine if this fileset is installed, execute the following command:
If the fileset is installed it will be listed along with its version information, state, type and a description.
II. Impact
==========
A local user in the system group may gain root privileges.
III. Solutions
===============
A. Official Fix
IBM provides the following fixes:
APAR number for AIX 5.1.0: IY67741 (available approx. 03/23/05)
APAR number for AIX 5.2.0: IY67455 (available approx. 04/15/05)
APAR number for AIX 5.3.0: IY67654 (available approx. 04/15/05)
NOTE: Affected customers are urged to upgrade to 5.1.0, 5.2.0 or 5.3.0 at the latest maintenance level.
|Updated Thu Feb 10 09:11:29 CST 2005
|Added interim fix information
|B. Emergency Fix
|
|Efixes are available for AIX 5.1.0, 5.2.0 and 5.3.0. The efixes can be
|downloaded via ftp from:
|
| ftp://aix.software.ibm.com/aix/efixes/security/dev_efix.tar.Z
|
|dev_efix.tar.Z is a compressed tarball containing this advisory, three
|efix packages and cleartext PGP signatures for each efix package.
|
|
|Verify you have retrieved the efixes intact:
|----------------------------------------------
|The checksums below were generated using the "sum" and "md5sum"
|commands and are as follows:
|
|Filename                 sum         md5
|======================================================================
|IY67741.050209.epkg.Z    07350 39    314e11508582e6c406416c9028d5cab4
|IY67455.050209.epkg.Z    19517 41    4dd644283c8708728aacf9fb52839d46
|IY67654.050209.epkg.Z    63018 45    fb86a416d5c775cd58a2a105d5314458
|
|
|These sums should match exactly. The PGP signatures in the compressed
|tarball and on this advisory can also be used to verify the integrity
|of the various files they correspond to. If the sums or signatures
|cannot be confirmed, double check the command results and the download
|site address. If those are OK, contact IBM AIX Security at
|security-alert@austin.ibm.com and describe the discrepancy.
|
|IMPORTANT: If possible, it is recommended that a mksysb backup of the
|system is created. Verify it is both bootable, and readable before
|proceeding.
|
|These efixes have not been fully regression tested; thus, IBM does not
|warrant the fully correct functioning of the efix. Customers install
|the efix and operate the modified version of AIX at their own risk.
|
|Efix Installation Instructions:
|-------------------------------
|These packages use the new Emergency Fix Management Solution to install
|and manage efixes. More information can be found at:
|
| http://techsupport.services.ibm.com/server/aix.efixmgmt
|
|To preview an epkg efix installation execute the following command:
|
|# emgr -e epkg_name -p # where epkg_name is the name of the
| # efix package being previewed.
|
|To install an epkg efix package, execute the following command:
|
|# emgr -e epkg_name -X # where epkg_name is the name of the
| # efix package being installed.
|
|The "X" flag will expand any filesystems if required.
C. Workaround
Setting the file mode bits to 500 will allow only the root user to execute the chdev command. This can be done by executing the following command as root:
# chmod 500 /usr/sbin/chdev
Verify that the file mode bits have been changed to 500:
# ls -la /usr/sbin/chdev
-r-x------ 1 root system 22238 2003-05-02 01:19 /usr/sbin/chdev
|Updated: Thu Feb 10 09:11:29 CST 2005
|Added mkdev and rmdev
|These steps should be repeated for the mkdev and rmdev commands.
IV. Obtaining Fixes
===================
AIX Version 5 APARs can be downloaded from:
http://www-1.ibm.com/servers/eserver/support/pseries/aixfixes.html
Security related Emergency Fixes can be downloaded from:
ftp://aix.software.ibm.com/aix/efixes/security
V. Acknowledgments
====================
This vulnerability was reported by iDEFENSE.
VI. Contact Information
========================
If you would like to receive AIX Security Advisories via email, please visit:
https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs
Comments regarding the content of this announcement can be directed to:
security-alert@austin.ibm.com
To request the PGP public key that can be used to communicate securely with the AIX Security Team send email to security-alert@austin.ibm.com with a subject of "get key". The key can also be downloaded from a PGP Public Key Server. The key id is 0x9391C1F2.
Please contact your local IBM AIX support center for any assistance.
eServer is a trademark of International Business Machines Corporation. IBM, AIX and pSeries are registered trademarks of International Business Machines Corporation. All other trademarks are property of their respective holders.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
iD8DBQFCC49MxwSSvpORwfIRAt+NAJ9MbFEu9gTbF5DtnTqAcPz30pEq2gCfTqtR
kIFAL7I6jqIoS8X3elgx52A=
=p2xN
-----END PGP SIGNATURE-----
***************************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
IBM SECURITY ADVISORY
First Issued: Mon Feb 14 13:26:10 CST 2005
==========================================================================
VULNERABILITY SUMMARY
VULNERABILITY: A local user may gain root privileges through the
perl interpreter.
PLATFORMS: AIX 5.2, AIX 5.3
SOLUTION: Apply the workaround or efix as described below.
THREAT: A local user may gain root access to a system.
CERT VU Number: None.
CVE Number: CAN-2005-0155, CAN-2005-0156
==========================================================================
DETAILED INFORMATION
I. Description
===============
Two vulnerabilities were discovered in the perl language interpreter that may allow a local user to gain root privileges. The perl interpreter is installed by default in AIX 5.2 and AIX 5.3. Versions of AIX prior to 5.2 do not have perl installed by default and are not vulnerable. Also, these vulnerabilities occur only in perl with versions 5.8.0 through 5.8.6.
CAN-2005-0155
The first vulnerability is through the sperl program which runs perl as an suid root process. This perl facility is not installed by default on AIX, but the same vulnerability may exist if perl is invoked by another suid root program.
CAN-2005-0156
The second vulnerability is in the perl interpreter itself and is a buffer overflow. This is only specific to perl built with threads support, which is supported in the AIX perl package.
The perl language ships in the perl.rte filesets. To determine if this fileset is installed, execute the following command:
# lslpp -L perl.rte
If the fileset is installed, it will be listed along with its version information, state, type and a description.
II. Impact
==========
A local attacker may gain root access to a system.
III. Solutions
===============
A. Official Fix
Since perl is not an IBM product, only efixes are supplied.
B. Emergency Fix
Efixes are available for AIX 5.3 and AIX 5.2. The efixes can be downloaded via ftp from:
ftp://aix.software.ibm.com/aix/efixes/security/perl58x.tar.Z
perl58x.tar.Z is a compressed tarball containing this advisory, two efix packages for 5.2 and 5.3 and a cleartext PGP signature for each efix package. The efix package named buff580.021105.epkg.Z contains the fix for perl version 5.8.0 and is for AIX 5.2. The efix package named buff582.021105.epkg.Z contains the fix for perl version 5.8.2 and is for AIX 5.3.
Verify you have retrieved the efixes intact:
---------------------------------------------
The checksums below were generated using the "sum" and "md5sum" commands and are as follows:
Filename                 sum           md5
=====================================================================
buff580.021105.epkg.Z    20378 5375    8b9cb20e48d4826122bbb047fa0a17ae
buff582.020705.epkg.Z    05026 5580    922e3c706d11d4a464227b92ce8d588e
These sums should match exactly. The PGP signatures in the compressed tarball and on this advisory can also be used to verify the integrity of the various files they correspond to. If the sums or signatures cannot be confirmed, double check the command results and the download site address. If those are OK, contact IBM AIX Security at security-alert@austin.ibm.com and describe the discrepancy.
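The checksum comparison both advisories describe, scripted as an added example (not IBM's code). `advisory_manifest` reproduces the two tables above; `file_md5` and `verify_efix` are hypothetical helper names, and only the md5 column is compared.

```shell
#!/bin/sh
# Added example (not from the advisory): check downloaded efix packages
# against the advisories' checksum tables. Helper names are hypothetical.

# The two tables, in the advisories' column order: filename sum blocks md5
advisory_manifest() {
    cat <<'EOF'
IY67741.050209.epkg.Z 07350 39 314e11508582e6c406416c9028d5cab4
IY67455.050209.epkg.Z 19517 41 4dd644283c8708728aacf9fb52839d46
IY67654.050209.epkg.Z 63018 45 fb86a416d5c775cd58a2a105d5314458
buff580.021105.epkg.Z 20378 5375 8b9cb20e48d4826122bbb047fa0a17ae
buff582.020705.epkg.Z 05026 5580 922e3c706d11d4a464227b92ce8d588e
EOF
}

# Print a file's MD5 as lowercase hex.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        # Assumption: openssl is installed where md5sum is not.
        openssl md5 "$1" | awk '{print $NF}'
    fi
}

# verify_efix MANIFEST DIR
# One status line per package; returns 0 only if every package matches.
# The sum/blocks columns are read but not compared, because "sum" output
# differs between platforms. MD5 only catches a damaged download; the PGP
# signatures are what tie a package to IBM.
verify_efix() {
    manifest=$1; dir=$2; rc=0
    while read -r name sum blocks md5; do
        case $name in ''|'#'*) continue ;; esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        actual=$(file_md5 "$dir/$name")
        if [ "$actual" = "$md5" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name expected=$md5 actual=$actual"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# Usage (keep only the rows for the bundle you downloaded):
#   advisory_manifest | grep '^IY' > /tmp/efix.md5
#   verify_efix /tmp/efix.md5 /tmp/dev_efix
```

The perl advisory's text names the AIX 5.3 package buff582.021105.epkg.Z while its table lists buff582.020705.epkg.Z; the manifest keeps the table's spelling, so a download carrying the other name is reported as MISSING.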
IMPORTANT: If possible, it is recommended that a mksysb backup of the system is created. Verify it is both bootable, and readable before proceeding.
These efixes have not been fully regression tested; thus, IBM does not warrant the fully correct functioning of the efix. Customers install the efix and operate the modified version of AIX at their own risk.
Efix Installation Instructions:
--------------------------------
These packages use the new Emergency Fix Management Solution to install and manage efixes. More information can be found at:
http://techsupport.services.ibm.com/server/aix.efixmgmt
To preview an epkg efix installation execute the following command:
# emgr -e epkg_name -p # where epkg_name is the name of the
# efix package being previewed.
To install an epkg efix package, execute the following command:
# emgr -e epkg_name -X # where epkg_name is the name of the
# efix package being installed.
It is strongly recommended that this efix be mount installed before doing a regular install. A mount install will mount the patched binaries over existing system binaries. If any issues arise, the efix can be unmounted or the system can be rebooted to revert to the original system files. To mount an epkg efix package, execute the following command:
# emgr -e epkg_name -m # where epkg_name is the name of the
# efix package being installed.
The "X" flag will expand any filesystems if required.
C. Workaround
For the first vulnerability, the workaround would be to disable the suid bit on any programs on your system that could be executed by a regular user and that also invoke the perl interpreter. Note that this is specific to your system and does not apply to programs in the perl.rte package. This may also cause your setuid programs to not function as expected.
# chmod u-s perl_suid_program
For the second vulnerability, the workaround would be to disable the perl interpreter altogether. Note that this will disable any perl programs you have on your system. The "x" represents the perl version, which is "0" for AIX 5.2 and "2" for AIX 5.3.
# chmod 000 /usr/opt/perl5/bin/perl
# chmod 000 /usr/opt/perl5/bin/perl5.8.x
# chmod 000 /usr/opt/perl5/bin/perl_64bit
# chmod 000 /usr/opt/perl5/bin/perl5.8.x_64bit
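An added audit script (not part of either advisory) that checks the state the workarounds leave behind: mode 500 on chdev, mkdev and rmdev, mode 000 on the perl binaries, and setuid scripts that start perl. `check_mode` and `list_suid_perl` are hypothetical names, and the /usr/sbin paths for mkdev and rmdev are assumed to match chdev's.

```shell
#!/bin/sh
# Added example (not from the advisories): audit the workarounds.

# check_mode MODE FILE...
# Returns 0 only if every FILE that exists has exactly the octal MODE.
# A file that is absent cannot be executed, so it is reported but not failed.
check_mode() {
    want=$1; shift
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "ABSENT  $f"
        elif [ -n "$(find "$f" -prune -perm "$want" 2>/dev/null)" ]; then
            echo "OK      $f"
        else
            echo "EXPOSED $f $(ls -ld "$f" | awk '{print $1}')"; rc=1
        fi
    done
    return $rc
}

# list_suid_perl DIR...
# Prints setuid regular files under DIR whose "#!" line names perl.
# Compiled setuid programs that run perl indirectly are not detected.
list_suid_perl() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        first=$(dd if="$f" bs=128 count=1 2>/dev/null | tr -d '\000' | head -n 1)
        case $first in
            '#!'*perl*) echo "$f" ;;
        esac
    done
}

# Usage on an AIX host (mkdev/rmdev paths are assumed, see above):
#   check_mode 500 /usr/sbin/chdev /usr/sbin/mkdev /usr/sbin/rmdev
#   check_mode 000 /usr/opt/perl5/bin/perl /usr/opt/perl5/bin/perl_64bit
#   list_suid_perl /usr /opt
```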
IV. Obtaining Fixes
====================
Security related Emergency Fixes can be downloaded from:
ftp://aix.software.ibm.com/aix/efixes/security
V. Acknowledgments
====================
The perl vulnerabilities were discovered by Kevin Finisterre.
This issue was brought to our attention by Campo Weijerman of IBM Netherlands.
This document was written by Kent Stuiber.
VI. Contact Information
========================
If you would like to receive AIX Security Advisories via email, please visit:
https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs
Comments regarding the content of this announcement can be directed to:
security-alert@austin.ibm.com
To request the PGP public key that can be used to communicate securely with the AIX Security Team send email to security-alert@austin.ibm.com with a subject of "get key". The key can also be downloaded from a PGP Public Key Server. The key id is 0x9391C1F2.
Please contact your local IBM AIX support center for any assistance.
eServer is a trademark of International Business Machines Corporation. IBM, AIX and pSeries are registered trademarks of International Business Machines Corporation. All other trademarks are property of their respective holders.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (AIX)
iD8DBQFCFmGExwSSvpORwfIRAhPUAJ9hNpKVdybRIxjSC+9BVPWaCmL/bACaAtaS
Y9flN509Xk7QBVhurJYxkcI=
=J0DK
-----END PGP SIGNATURE-----