-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 IBM SECURITY ADVISORY First Issued: Tue Mar 11 10:01:36 CDT 2008 =============================================================================== VULNERABILITY SUMMARY VULNERABILITY: AIX nddstat family environment variable error PLATFORMS: AIX 5.2, 5.3, 6.1 SOLUTION: Apply the fix or workaround as described below. THREAT: A local attacker may execute arbitrary code. CVE Number: n/a Reboot required? NO Workarounds? YES Protected by FPM? YES (high, medium, or low) Protected by SED? NO =============================================================================== DETAILED INFORMATION I. DESCRIPTION The nddstat family of commands contains an environment variable handling error. A local attacker may exploit this error to execute arbitrary code with root privileges because the commands are setuid root. The following files are vulnerable: /usr/sbin/atmstat /usr/sbin/entstat /usr/sbin/fddistat /usr/sbin/hdlcstat /usr/sbin/tokstat II. PLATFORM VULNERABILITY ASSESSMENT To determine if your system is vulnerable, execute the following command: lslpp -L devices.common.IBM.atm.rte \ devices.common.IBM.ethernet.rte \ devices.common.IBM.hdlc.rte \ devices.common.IBM.fddi.rte \ devices.common.IBM.tokenring.rte The following fileset levels are vulnerable: AIX Fileset Lower Level Upper Level ----------------------------------------------------------- devices.common.IBM.atm.rte 5.2.0.50 5.2.0.51 devices.common.IBM.atm.rte 5.2.0.95 5.2.0.95 devices.common.IBM.atm.rte 5.2.0.95 5.2.0.96 devices.common.IBM.atm.rte 5.3.0.50 5.3.0.50 devices.common.IBM.atm.rte 5.3.0.60 5.3.0.61 devices.common.IBM.atm.rte 5.3.7.0 5.3.7.0 devices.common.IBM.atm.rte 6.1.0.0 6.1.0.0 devices.common.IBM.ethernet.rte 5.2.0.85 5.2.0.85 devices.common.IBM.ethernet.rte 5.2.0.95 5.2.0.95 devices.common.IBM.ethernet.rte 5.2.0.105 5.2.0.107 devices.common.IBM.ethernet.rte 5.3.0.50 5.3.0.50 devices.common.IBM.ethernet.rte 5.3.0.60 5.3.0.62 devices.common.IBM.ethernet.rte 5.3.7.0 5.3.7.1 devices.common.IBM.ethernet.rte 6.1.0.0 6.1.0.1 devices.common.IBM.fddi.rte 5.2.0.30 5.2.0.30 devices.common.IBM.fddi.rte 5.2.0.95 5.2.0.95 devices.common.IBM.fddi.rte 5.2.0.95 5.2.0.95 devices.common.IBM.fddi.rte 5.3.0.50 5.3.0.50 devices.common.IBM.fddi.rte 5.3.0.50 5.3.0.50 devices.common.IBM.fddi.rte 5.3.0.50 5.3.0.50 devices.common.IBM.hdlc.rte 5.2.0.10 5.2.0.10 devices.common.IBM.hdlc.rte 5.2.0.95 5.2.0.95 devices.common.IBM.hdlc.rte 5.2.0.95 5.2.0.95 devices.common.IBM.hdlc.rte 5.3.0.50 5.3.0.50 devices.common.IBM.hdlc.rte 5.3.0.50 5.3.0.50 devices.common.IBM.hdlc.rte 5.3.7.0 5.3.7.0 devices.common.IBM.hdlc.rte 6.1.0.0 6.1.0.0 devices.common.IBM.tokenring.rte 5.2.0.30 5.2.0.30 devices.common.IBM.tokenring.rte 5.2.0.95 5.2.0.95 devices.common.IBM.tokenring.rte 5.2.0.95 5.2.0.95 devices.common.IBM.tokenring.rte 5.3.0.50 5.3.0.50 devices.common.IBM.tokenring.rte 5.3.0.50 5.3.0.50 devices.common.IBM.tokenring.rte 5.3.7.0 5.3.7.0 devices.common.IBM.tokenring.rte 6.1.0.0 6.1.0.0 III. SOLUTIONS A. APARS IBM has assigned the following APARs to this problem: AIX Level APAR number Availability --------------------------------------------------- 5.2.0 IZ16991 Now 5.3.0 IZ17058 3/17/2008 5.3.7 IZ17059 3/17/2008 6.1.0 IZ16975 Now Subscribe to the APARs here: http://www.ibm.com/support/docview.wss?uid=isg1IZ16991 http://www.ibm.com/support/docview.wss?uid=isg1IZ17058 http://www.ibm.com/support/docview.wss?uid=isg1IZ17059 http://www.ibm.com/support/docview.wss?uid=isg1IZ16975 By subscribing, you will receive periodic email alerting you to the status of the APAR, and a link to download the fix once it becomes available. B. FIXES Fixes are available. The fixes can be downloaded via ftp from: ftp://aix.software.ibm.com/aix/efixes/security/nddstat_fix.tar The link above is to a tar file containing this signed advisory, fix packages, and PGP signatures for each package. The fixes below include prerequisite checking. This will enforce the correct mapping between the fixes and AIX Technology Levels. AIX Level Fix (*.U) and Interim Fix (*.Z) ------------------------------------------------------------------- 5.2.0 TL8 IZ16991_8a.080306.epkg.Z IZ16991_8b.080306.epkg.Z IZ16991_8c.080306.epkg.Z IZ16991_8d.080306.epkg.Z IZ16991_8e.080306.epkg.Z 5.2.0 TL9 IZ16991_9a.080306.epkg.Z IZ16991_9b.080306.epkg.Z IZ16991_9c.080306.epkg.Z IZ16991_9d.080306.epkg.Z IZ16991_9e.080306.epkg.Z 5.2.0 TL10 devices.common.IBM.atm.rte.5.2.0.97.U devices.common.IBM.ethernet.rte.5.2.0.108.U devices.common.IBM.fddi.rte.5.2.0.96.U devices.common.IBM.hdlc.rte.5.2.0.96.U devices.common.IBM.tokenring.rte.5.2.0.96.U 5.3.0 TL5 IZ17058_5a.080306.epkg.Z IZ17058_5b.080306.epkg.Z IZ17058_5c.080306.epkg.Z IZ17058_5d.080306.epkg.Z IZ17058_5e.080306.epkg.Z 5.3.0 TL6 IZ17058_6a.080306.epkg.Z IZ17058_6b.080306.epkg.Z IZ17058_6c.080306.epkg.Z IZ17058_6d.080306.epkg.Z IZ17058_6e.080306.epkg.Z 5.3.0 TL7 IZ17059_7a.080306.epkg.Z IZ17059_7b.080306.epkg.Z IZ17059_7c.080306.epkg.Z IZ17059_7d.080306.epkg.Z IZ17059_7e.080306.epkg.Z 6.1.0 devices.common.IBM.atm.rte.6.1.0.1.U devices.common.IBM.ethernet.rte.6.1.0.2.U devices.common.IBM.hdlc.rte.6.1.0.1.U devices.common.IBM.tokenring.rte.6.1.0.1.U To extract the fixes from the tar file: tar xvf nddstat_fix.tar cd nddstat_fix Verify you have retrieved the fixes intact: The checksums below were generated using the "sum", "cksum", "csum -h MD5" (md5sum), and "csum -h SHA1" (sha1sum) commands and are as follows: sum filename ------------------------------------ 53686 1363 atm.rte.5.2.0.97.U 10325 25 atm.rte.6.1.0.1.U 15289 396 ethernet.rte.5.2.0.108.U 22432 129 ethernet.rte.6.1.0.2.U 48254 42 fddi.rte.5.2.0.96.U 33569 20 hdlc.rte.5.2.0.96.U 35035 22 hdlc.rte.6.1.0.1.U 02819 57 tokenring.rte.5.2.0.96.U 57875 24 tokenring.rte.6.1.0.1.U 08519 18 IZ16991_8a.080306.epkg.Z 16435 19 IZ16991_8b.080306.epkg.Z 01458 17 IZ16991_8c.080306.epkg.Z 06627 15 IZ16991_8d.080306.epkg.Z 35832 17 IZ16991_8e.080306.epkg.Z 36064 18 IZ16991_9a.080306.epkg.Z 11623 19 IZ16991_9b.080306.epkg.Z 45551 17 IZ16991_9c.080306.epkg.Z 40138 15 IZ16991_9d.080306.epkg.Z 59776 17 IZ16991_9e.080306.epkg.Z 54366 19 IZ17058_5a.080306.epkg.Z 11671 19 IZ17058_5b.080306.epkg.Z 49694 18 IZ17058_5c.080306.epkg.Z 34372 17 IZ17058_5d.080306.epkg.Z 20566 17 IZ17058_5e.080306.epkg.Z 23319 19 IZ17058_6a.080306.epkg.Z 60392 20 IZ17058_6b.080306.epkg.Z 15769 18 IZ17058_6c.080306.epkg.Z 63261 17 IZ17058_6d.080306.epkg.Z 28206 18 IZ17058_6e.080306.epkg.Z 60970 19 IZ17059_7a.080306.epkg.Z 02919 20 IZ17059_7b.080306.epkg.Z 62108 18 IZ17059_7c.080306.epkg.Z 52386 17 IZ17059_7d.080306.epkg.Z 32268 18 IZ17059_7e.080306.epkg.Z cksum filename ------------------------------------------ 2977679174 1395712 atm.rte.5.2.0.97.U 3586647696 25600 atm.rte.6.1.0.1.U 1871589933 405504 ethernet.rte.5.2.0.108.U 3810839561 132096 ethernet.rte.6.1.0.2.U 2308602268 43008 fddi.rte.5.2.0.96.U 1079970021 20480 hdlc.rte.5.2.0.96.U 2470393603 22528 hdlc.rte.6.1.0.1.U 302314036 58368 tokenring.rte.5.2.0.96.U 2234336109 24576 tokenring.rte.6.1.0.1.U 2484809175 17503 IZ16991_8a.080306.epkg.Z 2365916858 19223 IZ16991_8b.080306.epkg.Z 1229509259 17289 IZ16991_8c.080306.epkg.Z 4200613508 15200 IZ16991_8d.080306.epkg.Z 2503444817 16985 IZ16991_8e.080306.epkg.Z 955167659 17501 IZ16991_9a.080306.epkg.Z 2466035120 19228 IZ16991_9b.080306.epkg.Z 1971773075 17295 IZ16991_9c.080306.epkg.Z 3393887566 15196 IZ16991_9d.080306.epkg.Z 1368755465 16990 IZ16991_9e.080306.epkg.Z 1911176163 19216 IZ17058_5a.080306.epkg.Z 2449935365 19451 IZ17058_5b.080306.epkg.Z 3215953030 17466 IZ17058_5c.080306.epkg.Z 1595223683 17053 IZ17058_5d.080306.epkg.Z 3666703913 17358 IZ17058_5e.080306.epkg.Z 1328517438 19186 IZ17058_6a.080306.epkg.Z 3674604030 19529 IZ17058_6b.080306.epkg.Z 1085139383 17569 IZ17058_6c.080306.epkg.Z 4140465697 17235 IZ17058_6d.080306.epkg.Z 2010320015 17543 IZ17058_6e.080306.epkg.Z 2624580258 19172 IZ17059_7a.080306.epkg.Z 762491607 19547 IZ17059_7b.080306.epkg.Z 4064419777 17573 IZ17059_7c.080306.epkg.Z 3751266901 17239 IZ17059_7d.080306.epkg.Z 2021263771 17517 IZ17059_7e.080306.epkg.Z csum -h MD5 (md5sum) filename ---------------------------------------------------------- 99befbb0608f3f19ba31ddd06c0e3ee5 atm.rte.5.2.0.97.U 423a3d4bc846b09b238e600b436be0ca atm.rte.6.1.0.1.U ff1b20fa99311224208be69a757de9ee ethernet.rte.5.2.0.108.U 211e387feb1ae3b2c8f936068de5c60d ethernet.rte.6.1.0.2.U 56284a52153fc1d20315b71cf9a0de0f fddi.rte.5.2.0.96.U 9e81a891ea6b406b165e5a9024241c7d hdlc.rte.5.2.0.96.U b353997c80555d349b519de10eb2c244 hdlc.rte.6.1.0.1.U 6cda672a5371539e2d1c2cf06f0872f9 tokenring.rte.5.2.0.96.U 67dc1b0b9e95e72ad6655f0ead46ccb3 tokenring.rte.6.1.0.1.U d9cdbe062aba68b2c756b3e0e9eb6598 IZ16991_8a.080306.epkg.Z 99770175de8ea0d16beeb591a9f08a76 IZ16991_8b.080306.epkg.Z 9dabb3047673533ed7892c779915186a IZ16991_8c.080306.epkg.Z 8751dc6c05eba9c04f195c0525133adc IZ16991_8d.080306.epkg.Z 1ff2c51206bcbdf955b27b5aec5ee578 IZ16991_8e.080306.epkg.Z 95e1a156e31e9f798fffdb440a3d6d24 IZ16991_9a.080306.epkg.Z effb74656bb80a481dea3ed0557bea57 IZ16991_9b.080306.epkg.Z 7098143faaea7a868c6cba91c3c7efa3 IZ16991_9c.080306.epkg.Z a966283b7f6c04374f750d5a92cd90fa IZ16991_9d.080306.epkg.Z 41d93e2f1e07bf8500df0370a95b7f2f IZ16991_9e.080306.epkg.Z 7f4bb6dcf59fa1430bbed8e290a98e06 IZ17058_5a.080306.epkg.Z 334eb6ad284b4e6f9345a7664e1ef9f8 IZ17058_5b.080306.epkg.Z 4a21d9deda002c642cf8df95250da373 IZ17058_5c.080306.epkg.Z d27d29b43e71eb047280966168f656e8 IZ17058_5d.080306.epkg.Z 5b6d741bbd10adb319a9290df76d4815 IZ17058_5e.080306.epkg.Z b3933b23b9f998575563354f838d1abf IZ17058_6a.080306.epkg.Z 9534e3d239f14058b87b856bdc9cb8ca IZ17058_6b.080306.epkg.Z 7e685ce1d13ed48cb783dd825dd76db0 IZ17058_6c.080306.epkg.Z d1b4a6f69ab836e6d4430a677a9f2390 IZ17058_6d.080306.epkg.Z be0b017e1f1cb30e3a0de8db7476ab80 IZ17058_6e.080306.epkg.Z 17c66bb5981e4c8d6143423d1664301d IZ17059_7a.080306.epkg.Z f6634ba7b4cf59d10524c04bc245bffa IZ17059_7b.080306.epkg.Z b5ec2de592875f9c16269c9aedfba1cd IZ17059_7c.080306.epkg.Z 995c8efbd3ce853e733730ee43cd96fd IZ17059_7d.080306.epkg.Z 5dd668bb407836763829f1c6d5a38ffa IZ17059_7e.080306.epkg.Z csum -h SHA1 (sha1sum) filename ------------------------------------------------------------------ 6e13d75620a7535925801d83c2cdbaf0a8f6c2b8 atm.rte.5.2.0.97.U c7ca2ae619c0ed06d42ddf17c9140ac3f67359b0 atm.rte.6.1.0.1.U 33e9ea17604444e0d1853d0e16ee627e1364b430 ethernet.rte.5.2.0.108.U 94fc8037116141b602ecbbe56990b00a6480d313 ethernet.rte.6.1.0.2.U 4e2cb524de53efcef5a0f22a69ed03b43f034a97 fddi.rte.5.2.0.96.U 1bb826adae974991690f6493c334b5870358d36a hdlc.rte.5.2.0.96.U 6993b0f39e3a431b1ef6fdf2cc66bbdfefb34925 hdlc.rte.6.1.0.1.U 3c230f35ad5de5c2b0d1b8f35eb00eaaca5b1fb9 tokenring.rte.5.2.0.96.U 1f1e5cee6ea02b142990a2416261e25af53100d4 tokenring.rte.6.1.0.1.U 1f037d9bf175f02f4d17b0b4de4b5ca0646f0ec4 IZ16991_8a.080306.epkg.Z 0233a83d96759dd3b29094deaeb1e742c078a879 IZ16991_8b.080306.epkg.Z 0152e24bcd83c7baabbec2cb319d4fc80e91bc9c IZ16991_8c.080306.epkg.Z e4d73e22f7da781c2f0e54316ae07a153af4edf7 IZ16991_8d.080306.epkg.Z de6634059d76368a012cf3346b0a597f6335dedf IZ16991_8e.080306.epkg.Z 6f829cad191090176fa114eb35ae64b44f14b1f8 IZ16991_9a.080306.epkg.Z 02be500d0939fbbe3b6e0e60a757d08a5be0ba7c IZ16991_9b.080306.epkg.Z 07387b971fd7c05370101dea075c06138ee71d31 IZ16991_9c.080306.epkg.Z ba9b309eb39e3a425be3ab6bbf5eefbc1b6fe0e4 IZ16991_9d.080306.epkg.Z 22b3e9a071b4053c41018d6bf0c738cb36490b10 IZ16991_9e.080306.epkg.Z 702798d0ccb786d7bdb32b479645e4de24fb8ca8 IZ17058_5a.080306.epkg.Z 7e80a6a748a375256108032c7dd44f4eebc86999 IZ17058_5b.080306.epkg.Z 51b9d18daf8da727f3f1e66ecf835853d608faa6 IZ17058_5c.080306.epkg.Z 924cd69454c55170fb070c2ee10cc2b471683af4 IZ17058_5d.080306.epkg.Z ec5d1de2b624bfef43c73046b49713421a73a76e IZ17058_5e.080306.epkg.Z c2e477467b3d3884b0cd72ec3271aec978bca6c4 IZ17058_6a.080306.epkg.Z 43891ec55d3daee98585fa4047591fa0d6e4d62e IZ17058_6b.080306.epkg.Z bae5b8d756c740b61159f33f518eb689a2aab22f IZ17058_6c.080306.epkg.Z c6a3325f69d8f2419c7748398461d01a799ae161 IZ17058_6d.080306.epkg.Z 81b36492f1a63795dba9cd7ef7d2f6b3c7eb0aa3 IZ17058_6e.080306.epkg.Z 51969438338959746649f5e54d119d2d8f1bd2f1 IZ17059_7a.080306.epkg.Z a2b29ee5e7ecd67419300cc68284306d2c41832f IZ17059_7b.080306.epkg.Z 5c26fa266f7e707fef9b5c02eb27a0c83e70bcd2 IZ17059_7c.080306.epkg.Z f034df79cdcdf29c1ccbbf9320ed59ab04f74d78 IZ17059_7d.080306.epkg.Z a2ed509001cabdbca612f7662eeb49b4fbb30cbd IZ17059_7e.080306.epkg.Z To verify the sums, use the text of this advisory as input to csum, md5sum, or sha1sum. For example: csum -h SHA1 -i Advisory.asc md5sum -c Advisory.asc sha1sum -c Advisory.asc These sums should match exactly. The PGP signatures in the tar file and on this advisory can also be used to verify the integrity of the fixes. If the sums or signatures cannot be confirmed, contact IBM AIX Security at security-alert@austin.ibm.com and describe the discrepancy. C. FIX AND INTERIM FIX INSTALLATION IMPORTANT: If possible, it is recommended that a mksysb backup of the system be created. Verify it is both bootable and readable before proceeding. To preview a fix installation: installp -a -d fix_name -p all # where fix_name is the name of the # fix package being previewed. To install a fix package: installp -a -d fix_name -X all # where fix_name is the name of the # fix package being installed. Interim fixes have had limited functional and regression testing but not the full regression testing that takes place for Service Packs; thus, IBM does not warrant the fully correct functionality of an interim fix. Interim fix management documentation can be found at: http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html To preview an interim fix installation: emgr -e ipkg_name -p # where ipkg_name is the name of the # interim fix package being previewed. To install an interim fix package: emgr -e ipkg_name -X # where ipkg_name is the name of the # interim fix package being installed. IV. WORKAROUNDS There are two workarounds available. A. OPTION 1 Change the permissions of these commands to remove the setuid bit using the following commands: chmod 500 /usr/sbin/atmstat chmod 500 /usr/sbin/entstat chmod 500 /usr/sbin/fddistat chmod 500 /usr/sbin/hdlcstat chmod 500 /usr/sbin/tokstat NOTE: chmod will disable functionality of these commands for all users except root. B. OPTION 2 (AIX 6.1, AIX 5.3 TL6 and TL7) Use the File Permissions Manager (fpm) command to manage setuid and setgid programs. fpm documentation can be found in the AIX 6 Security Redbook at: http://www.redbooks.ibm.com/abstracts/sg247430.html An fpm level of high, medium, or low will remove the setuid bit from the affected commands. For example: fpm -l high -p # to preview changes fpm -l high # to execute changes NOTE: Please review the documentation before execution. fpm will disable functionality of multiple commands for all users except root. V. OBTAINING FIXES AIX security fixes can be downloaded from: ftp://aix.software.ibm.com/aix/efixes/security AIX fixes can be downloaded from: http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix NOTE: Affected customers are urged to upgrade to the latest applicable Technology Level and Service Pack. VI. CONTACT INFORMATION If you would like to receive AIX Security Advisories via email, please visit: http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd Comments regarding the content of this announcement can be directed to: security-alert@austin.ibm.com To request the PGP public key that can be used to communicate securely with the AIX Security Team you can either: A. Send an email with "get key" in the subject line to: security-alert@austin.ibm.com B. Download the key from a PGP Public Key Server. The key ID is: 0xA6A36CCC Please contact your local IBM AIX support center for any assistance. eServer is a trademark of International Business Machines Corporation. IBM, AIX and pSeries are registered trademarks of International Business Machines Corporation. All other trademarks are property of their respective holders. VII. ACKNOWLEDGMENTS IBM discovered and fixed this vulnerability as part of its commitment to secure the AIX operating system. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (AIX) iD8DBQFH1tgk8lficKajbMwRAkDvAJ47p63UrOWQX9gbpEKw3h3ljKfe4QCcCC/6 QpjqA7bxju7Qn7cQMFJa1zU= =CD11 -----END PGP SIGNATURE-----