-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                           IBM SECURITY ADVISORY

First Issued: Tue Aug 4 09:33:44 CDT 2009
| Updated: Tue Oct 27 08:17:20 CDT 2009
| Fixed broken APAR links in advisory
| Updated PLATFORMS summary

The most recent version of this document is available here:

  http://aix.software.ibm.com/aix/efixes/security/libC_advisory.asc
  or
  ftp://aix.software.ibm.com/aix/efixes/security/libC_advisory.asc

VULNERABILITY SUMMARY

  VULNERABILITY: AIX libC _LIB_INIT_DBG file creation vulnerability
| PLATFORMS:     AIX 5.3, 6.1, and earlier releases
  SOLUTION:      Apply the fix as described below.
  THREAT:        A local user may execute arbitrary code as root.

  Reboot required?   NO
  Workarounds?       NO
  Protected by FPM?  NO
  Protected by SED?  NO

DETAILED INFORMATION

I. DESCRIPTION

  There is an error in the handling of the _LIB_INIT_DBG and
  _LIB_INIT_DBG_FILE environment variables in a debugging component of
  the XL C++ runtime library. A local user can exploit this error when
  executing setuid root programs linked with the XL C++ runtime library,
  and thereby create arbitrary, world-writable files owned by root.
  The successful exploitation of this vulnerability allows a local user
  to create arbitrary files and execute arbitrary code as the root user.

  Note that in AIX 6.1 the debugging component moved from libC.a to
  libc.a. This means that the fix is delivered by updating the XL C++
  runtime on AIX 5.3 and earlier, and by updating the bos.rte.libc
  fileset on AIX 6.1.

  The following libraries are vulnerable:

    AIX 5.3 and earlier:
      /usr/lpp/xlC/lib/libC.a

    AIX 6.1:
      /usr/ccs/lib/libc.a
      /usr/ccs/lib/libp/libc.a

II. PLATFORM VULNERABILITY ASSESSMENT

  To determine if your system is vulnerable, execute the following
  command:

  FOR AIX 5.3:

    lslpp -L xlC.rte

  The following fileset levels are vulnerable:

    AIX Fileset     Lower Level    Upper Level
    ----------------------------------------------------
    xlC.rte         all earlier levels are vulnerable
    xlC.rte         8.0.0.0        8.0.0.14
    xlC.rte         9.0.0.0        9.0.0.9
    xlC.rte         10.1.0.0       10.1.0.2

  FOR AIX 6.1:

    lslpp -L bos.rte.libc bos.adt.prof

  The following fileset levels are vulnerable:

    AIX Fileset     Lower Level    Upper Level
    ------------------------------------------------
    bos.rte.libc    6.1.0.0        6.1.0.11
    bos.rte.libc    6.1.1.0        6.1.1.6
    bos.rte.libc    6.1.2.0        6.1.2.5
    bos.rte.libc    6.1.3.0        6.1.3.2
    bos.adt.prof    6.1.0.0        6.1.0.10
    bos.adt.prof    6.1.1.0        6.1.1.5
    bos.adt.prof    6.1.2.0        6.1.2.4
    bos.adt.prof    6.1.3.0        6.1.3.1

III. SOLUTIONS

  A. APARS

    IBM has assigned the following APARs to this problem:

    AIX Level            APAR number    Availability
    ---------------------------------------------------
    5.3 (XL C++ V8)      IZ54593        now
    5.3 (XL C++ V9)      IZ54090        now
    5.3 (XL C++ V10.1)   IZ54091        now
    6.1.0                IZ56203        09/23/09
    6.1.1                IZ56204        09/23/09
    6.1.2                IZ56205        09/23/09
    6.1.3                IZ56206        09/23/09

    Subscribe to the APARs here:

|     http://www.ibm.com/support/docview.wss?uid=swg1IZ54593
|     http://www.ibm.com/support/docview.wss?uid=swg1IZ54090
|     http://www.ibm.com/support/docview.wss?uid=swg1IZ54091
      http://www.ibm.com/support/docview.wss?uid=isg1IZ56203
      http://www.ibm.com/support/docview.wss?uid=isg1IZ56204
      http://www.ibm.com/support/docview.wss?uid=isg1IZ56205
      http://www.ibm.com/support/docview.wss?uid=isg1IZ56206

    By subscribing, you will receive periodic email alerting you to the
    status of the APAR, and a link to download the fix once it becomes
    available.

  B. FIXES

    Fixes are now available.
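    Before fetching the fix packages listed next, the section II check can be
    automated. The script below is an added example, not IBM's code: it compares
    each installed level reported by lslpp -L against the vulnerable ranges in
    section II. The function names vercmp, is_vulnerable and assess_lslpp and
    the sample lslpp output are assumptions, not taken from the advisory.

```shell
# Added example, not IBM's code; all names are assumed. Checks lslpp -L levels against the section II ranges.
# vercmp: compare two dotted fileset levels (up to 4 parts); print -1, 0 or 1.
vercmp() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(echo "$1" | cut -d. -f"$i"); y=$(echo "$2" | cut -d. -f"$i")
        [ "${x:-0}" -lt "${y:-0}" ] && { echo -1; return; }
        [ "${x:-0}" -gt "${y:-0}" ] && { echo 1; return; }
        i=$((i + 1))
    done
    echo 0
}
# Section II ranges ("fileset lower upper"); "all earlier levels" of xlC.rte is folded into the first range.
RANGES='xlC.rte 0.0.0.0 8.0.0.14
xlC.rte 9.0.0.0 9.0.0.9
xlC.rte 10.1.0.0 10.1.0.2
bos.rte.libc 6.1.0.0 6.1.0.11
bos.rte.libc 6.1.1.0 6.1.1.6
bos.rte.libc 6.1.2.0 6.1.2.5
bos.rte.libc 6.1.3.0 6.1.3.2
bos.adt.prof 6.1.0.0 6.1.0.10
bos.adt.prof 6.1.1.0 6.1.1.5
bos.adt.prof 6.1.2.0 6.1.2.4
bos.adt.prof 6.1.3.0 6.1.3.1'
# Succeed (exit 0) when fileset $1 at level $2 falls inside a vulnerable range.
is_vulnerable() {
    while read -r f lo hi; do
        [ "$f" = "$1" ] || continue
        if [ "$(vercmp "$lo" "$2")" -le 0 ] && [ "$(vercmp "$2" "$hi")" -le 0 ]; then
            return 0
        fi
    done <<EOF
$RANGES
EOF
    return 1
}
# Read "lslpp -L" output on stdin; print one verdict per affected fileset.
assess_lslpp() {
    while read -r f lvl rest; do
        case "$f" in xlC.rte|bos.rte.libc|bos.adt.prof) ;; *) continue ;; esac
        if is_vulnerable "$f" "$lvl"; then echo "$f $lvl VULNERABLE"
        else echo "$f $lvl not in a vulnerable range"; fi
    done
}
# Constructed sample of "lslpp -L bos.rte.libc bos.adt.prof" output (not a real system).
SAMPLE_LSLPP='  Fileset         Level   State  Type  Description
  bos.adt.prof    6.1.2.3   C      F    Base Profiling Support
  bos.rte.libc    6.1.2.6   C      F    libc Library'
printf '%s\n' "$SAMPLE_LSLPP" | assess_lslpp
```

    On a real host, pipe the output of the lslpp -L commands from section II
    into assess_lslpp instead of the constructed sample.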
    The fixes can be downloaded from:

      ftp://aix.software.ibm.com/aix/efixes/security/libC_fix.tar
      http://aix.software.ibm.com/aix/efixes/security/libC_fix.tar

    The links above are to a tar file containing this signed advisory,
    fix packages, and PGP signatures for each package.

    AIX Level            Fix
    ------------------------------------------------------------
    5.3 (XL C++ V8)      xlc.rte.80.aix51.jul2009.tar.Z
    5.3 (XL C++ V9)      xlc.rte.90.aix52-53TL5.jul2009.tar.Z
    5.3 (XL C++ V10.1)   xlc.rte.101.aix53TL6-61.jul2009.tar.Z

    AIX Level            Interim Fix
    ------------------------------------------------------------
    6.1.0                IZ56203_00.090729.epkg.Z
                         IZ56203_0p.090729.epkg.Z
    6.1.1                IZ56204_01.090729.epkg.Z
                         IZ56204_1p.090729.epkg.Z
    6.1.2                IZ56205_02.090729.epkg.Z
                         IZ56205_2p.090729.epkg.Z
    6.1.3                IZ56206_03.090729.epkg.Z
                         IZ56206_3p.090729.epkg.Z

    To extract the fixes from the tar file:

      tar xvf libC_fix.tar
      cd libC_fix

    Verify you have retrieved the fixes intact:

    The checksums below were generated using the "csum -h SHA1" (sha1sum)
    command and are as follows:

    csum -h SHA1 (sha1sum)                    filename
    ------------------------------------------------------------------------
    bd05ed8be99b17fc2514abb560512203f803c584  IZ56203_00.090729.epkg.Z
    95dd367e34e29367a59ef31e8831d4caf5d3ba37  IZ56203_0p.090729.epkg.Z
    b961b2749bac9be4d73031e8b51e736735d616eb  IZ56204_01.090729.epkg.Z
    8d44459ae801dcbfede8fa887b13283ba7c71527  IZ56204_1p.090729.epkg.Z
    5734021d511b35f66fd053f993bc7e639c141d61  IZ56205_02.090729.epkg.Z
    7944630ef47e75cee2654015e3bc86bc43537b92  IZ56205_2p.090729.epkg.Z
    e410652ce23c264c6485f5ad2360d5340fb21425  IZ56206_03.090729.epkg.Z
    dd72be7daf79a31b5932685c291688069a5efbb6  IZ56206_3p.090729.epkg.Z
    765531ddb8accb4dabc195dd4aea0c6195f4ea77  xlc.rte.101.aix53TL6-61.jul2009.tar.Z
    102c28fb84a9ef3307f5a8cc45d963b5d5e07111  xlc.rte.80.aix51.jul2009.tar.Z
    920799bbf1f135f7a7287cbc725097d99a931676  xlc.rte.90.aix52-53TL5.jul2009.tar.Z

    To verify the sums, use the text of this advisory as input to csum or
    sha1sum. For example:

      csum -h SHA1 -i Advisory.asc
      sha1sum -c Advisory.asc

    These sums should match exactly.
    The PGP signatures in the tar file and on this advisory can also be
    used to verify the integrity of the fixes. If the sums or signatures
    cannot be confirmed, contact IBM AIX Security and describe the
    discrepancy at the following address:

      security-alert@austin.ibm.com

  C. FIX INSTALLATION (AIX 5.3 and earlier)

    Please refer to the fix installation notes for the XL C++ runtime
    here:

      http://www-01.ibm.com/support/docview.wss?uid=swg21215669

  D. INTERIM FIX INSTALLATION (AIX 6.1)

    IMPORTANT: If possible, it is recommended that a mksysb backup of the
    system be created. Verify it is both bootable and readable before
    proceeding.

    Interim fixes have had limited functional and regression testing but
    not the full regression testing that takes place for Service Packs;
    thus, IBM does not warrant the fully correct functionality of an
    interim fix.

    Interim fix management documentation can be found at:

      http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

    To preview an interim fix installation:

      emgr -e ipkg_name -p    # where ipkg_name is the name of the
                              # interim fix package being previewed.

    To install an interim fix package:

      emgr -e ipkg_name -X    # where ipkg_name is the name of the
                              # interim fix package being installed.

IV. WORKAROUNDS

  There are no workarounds.

V. OBTAINING FIXES

  AIX security fixes can be downloaded from:

    http://aix.software.ibm.com/aix/efixes/security
    or
    ftp://aix.software.ibm.com/aix/efixes/security

  AIX fixes can be downloaded from:

    http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix

  NOTE: Affected customers are urged to upgrade to the latest applicable
  Technology Level and Service Pack.

VI. CONTACT INFORMATION

  If you would like to receive AIX Security Advisories via email, please
  visit:

    http://www.ibm.com/systems/support

  and click on the "My notifications" link.
  To view previously issued advisories, please visit:

    http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd

  Comments regarding the content of this announcement can be directed to:

    security-alert@austin.ibm.com

  To obtain the PGP public key that can be used to communicate securely
  with the AIX Security Team you can either:

    A. Download the key from our web page:

       http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgpkey.txt

    B. Download the key from a PGP Public Key Server. The key ID is:

       0xADA6EB4D

  Please contact your local IBM AIX support center for any assistance.

  eServer is a trademark of International Business Machines Corporation.
  IBM, AIX and pSeries are registered trademarks of International
  Business Machines Corporation. All other trademarks are property of
  their respective holders.

VII. ACKNOWLEDGMENTS

  This vulnerability was reported by Karol Wiesek and iDefense Labs.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD8DBQFK5vP4P9Qud62m600RArSlAKCKz2ECJxf4WM6FzJG9Y69rswB1TQCfRhiT
UDhB+zXmeIlx3ffCakmEI9U=
=kOhw
-----END PGP SIGNATURE-----