-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Tue Jan 22 14:02:18 CST 2008
| Updated: Mon May 19 12:39:28 CDT 2008
| Added previous fix for piomkpq
===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:  AIX pioout buffer overflow

PLATFORMS:      AIX 5.2, 5.3, 6.1

SOLUTION:       Apply the fix or workaround as described below.

THREAT:         A local attacker may execute arbitrary code with root
                privileges.

CERT VU Number: n/a
CVE Number:     CVE-2007-5764
===============================================================================
                           DETAILED INFORMATION

I.   OVERVIEW

    The pioout command is at the end of pipelines invoked by the piobe
    command (the print job manager) to print a file or a burst page on a
    printer.  The primary fileset for the pioout command is 'printers.rte'.

    The pioout command contains a buffer overflow vulnerability.

II.  DESCRIPTION

    Buffer overflow vulnerabilities exist in the 'printers.rte' fileset
    commands listed below.  A local attacker may execute arbitrary code
    with root privileges because the commands are setuid root.

    The following commands are vulnerable:

        /usr/lib/lpd/pio/etc/pioout

|   The fix for piomkpq for IZ01121 and IZ01122 was not included with
|   this fix package, therefore it has been repackaged and included as
|   described below.  A local attacker who is a member of the printq
|   group may execute arbitrary code with root privileges because the
|   piomkpq command is setuid root.
|
|   The following command is vulnerable:
|
|       /usr/lib/lpd/pio/etc/piomkpq

III. IMPACT

    The successful exploitation of this vulnerability allows a
    non-privileged user to execute code with root privileges.
IV.  PLATFORM VULNERABILITY ASSESSMENT

    To determine if your system is vulnerable, execute the following
    command:

        lslpp -L printers.rte

    The following fileset levels are vulnerable:

        AIX Fileset          Lower Level    Upper Level
        ------------------------------------------------
        printers.rte         5.2.0.0        5.2.0.106
        printers.rte         5.3.0.0        5.3.0.62
        printers.rte         5.3.7.0        5.3.7.0
        printers.rte         6.1.0.0        6.1.0.0

V.   SOLUTIONS

    A. APARS

    IBM provides the following fixes:

        AIX Level        APAR number      Availability
        ----------------------------------------------------
|       5.2.0            IZ10840          Available now
|       5.3.0            IZ10841          Available now
|       5.3.7            IZ10842          Available now
|       6.1.0            IZ10844          Available now

    Subscribe to the APARs here:

        http://www.ibm.com/support/docview.wss?uid=isg1IZ10840
        http://www.ibm.com/support/docview.wss?uid=isg1IZ10841
        http://www.ibm.com/support/docview.wss?uid=isg1IZ10842
        http://www.ibm.com/support/docview.wss?uid=isg1IZ10844

    By subscribing, you will receive periodic email alerting you to the
    status of the APAR, and a link to download the fix once it becomes
    available.

    B. FIXES

    Fixes are available.  The fixes can be downloaded via ftp from:

        ftp://aix.software.ibm.com/aix/efixes/security/pioout_ifix.tar

    The link above is to a tar file containing this signed advisory, fix
    packages, and PGP signatures for each package.  The fixes below
    include prerequisite checking.  This will enforce the correct mapping
    between the fixes and AIX Technology Levels.
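Before working through the fix packages, the assessment step from section IV is worth scripting, because AIX VRMF levels are four dot-separated integers that must be compared numerically (5.3.0.62 is below 5.3.0.100 even though it sorts after it as a string). The following POSIX sh script is an added example and is not IBM's code: it parses the fileset and level columns of "lslpp -L printers.rte" output and reports whether each installed level falls inside one of the four vulnerable ranges. The lslpp output embedded at the bottom is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of IBM's advisory): decide from "lslpp -L
# printers.rte" output whether the installed printers.rte level lies in a
# vulnerable range from section IV of the advisory.

# Vulnerable ranges copied from the advisory: one "lower upper" pair per line.
VULN_RANGES="5.2.0.0 5.2.0.106
5.3.0.0 5.3.0.62
5.3.7.0 5.3.7.0
6.1.0.0 6.1.0.0"

# vrmf_cmp A B: print -1, 0 or 1 as level A is below, equal to or above B.
# Each of the four components is compared as an integer, not as text.
vrmf_cmp() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s\n' "$1" | cut -d. -f"$i")
        y=$(printf '%s\n' "$2" | cut -d. -f"$i")
        if [ "${x:-0}" -lt "${y:-0}" ]; then printf '%s\n' -1; return; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then printf '%s\n' 1; return; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# level_is_vulnerable LEVEL: exit 0 if LEVEL lies inside any range above.
level_is_vulnerable() {
    printf '%s\n' "$VULN_RANGES" | while read -r lower upper; do
        if [ "$(vrmf_cmp "$1" "$lower")" -ge 0 ] &&
           [ "$(vrmf_cmp "$1" "$upper")" -le 0 ]; then
            echo hit
        fi
    done | grep -q hit
}

# assess_lslpp OUTPUT: parse the text of "lslpp -L printers.rte" (first
# column fileset, second column level) and print one verdict per installed
# printers.rte entry. Exit 0 if any entry is vulnerable, 1 otherwise.
assess_lslpp() {
    found=1
    levels=$(printf '%s\n' "$1" | awk '$1 == "printers.rte" { print $2 }')
    for lvl in $levels; do
        if level_is_vulnerable "$lvl"; then
            echo "printers.rte $lvl: VULNERABLE - apply the APAR for this level"
            found=0
        else
            echo "printers.rte $lvl: not in a vulnerable range"
        fi
    done
    return $found
}

# Constructed sample of lslpp -L output (not captured from a real system).
SAMPLE_LSLPP="  Fileset                      Level  State  Type  Description
  ----------------------------------------------------------------------------
  printers.rte               5.3.0.62    C     F    Printer Backend"

# Run against the sample when executed directly. On an AIX host use:
#   assess_lslpp "$(lslpp -L printers.rte)"
assess_lslpp "$SAMPLE_LSLPP"
```

The exit status makes the check usable from a fleet-wide job: a non-zero status means the host is at a level the advisory does not list, which still calls for a look at the APAR pages, since a level above the upper bound is only safe if it already carries the fix.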
        AIX Level    Interim Fix
        -------------------------------------------------------------------
        5.2.0 TL8    IZ10840_08.080109.epkg.Z
|                    IZ01121_8a.080519.epkg.Z
        5.2.0 TL9    IZ10840_09.080109.epkg.Z
|                    IZ01121_9a.080519.epkg.Z
        5.2.0 TL10   IZ10840_10.080109.epkg.Z
|                    IZ01121_0a.080519.epkg.Z
        5.3.0 TL5    IZ10841_05.080109.epkg.Z
|                    IZ01122_5a.080519.epkg.Z
        5.3.0 TL6    IZ10841_06.080109.epkg.Z
|                    IZ01122_6a.080519.epkg.Z
        5.3.7        IZ10842_07.080109.epkg.Z
        6.1.0        IZ10844_00.080109.epkg.Z

    To extract the fixes from the tar file:

        tar xvf pioout_ifix.tar
        cd pioout_ifix

    Verify you have retrieved the fixes intact:

    The checksums below were generated using the "sum", "cksum",
    "csum -h MD5" (md5sum), and "csum -h SHA1" (sha1sum) commands and
    are as follows:

        sum         filename
        ------------------------------------
|       22845    18 IZ01121_0a.080519.epkg.Z
|       27825    18 IZ01121_8a.080519.epkg.Z
|       52914    18 IZ01121_9a.080519.epkg.Z
|       23487    19 IZ01122_5a.080519.epkg.Z
|       25291    20 IZ01122_6a.080519.epkg.Z
        20943    29 IZ10840_08.080109.epkg.Z
        52998    29 IZ10840_09.080109.epkg.Z
        12113    29 IZ10840_10.080109.epkg.Z
        04259    29 IZ10841_05.080109.epkg.Z
        31137    31 IZ10841_06.080109.epkg.Z
        19224    31 IZ10842_07.080109.epkg.Z
        62266    33 IZ10844_00.080109.epkg.Z

        cksum                filename
        ------------------------------------------
|       3181035232 18094 IZ01121_0a.080519.epkg.Z
|       4069503402 18073 IZ01121_8a.080519.epkg.Z
|       233628670  18084 IZ01121_9a.080519.epkg.Z
|       3067551047 19283 IZ01122_5a.080519.epkg.Z
|       1626338984 19514 IZ01122_6a.080519.epkg.Z
        4026553893 29373 IZ10840_08.080109.epkg.Z
        746458370  29370 IZ10840_09.080109.epkg.Z
        1141412719 29360 IZ10840_10.080109.epkg.Z
        2786630976 29255 IZ10841_05.080109.epkg.Z
        4255456850 30746 IZ10841_06.080109.epkg.Z
        103088591  30748 IZ10842_07.080109.epkg.Z
        3267320718 33099 IZ10844_00.080109.epkg.Z

        csum -h MD5 (md5sum)             filename
        ----------------------------------------------------------
|       7b96c7ca884d15a3c44a093d59c94fbe  IZ01121_0a.080519.epkg.Z
|       6ab51f43996f20f7d191f4c4a24f4724  IZ01121_8a.080519.epkg.Z
|       7f03dc7434bef902fbf2310dc5d6d48b  IZ01121_9a.080519.epkg.Z
|       23d0a3dd801fce835f573ada9b40fe5b  IZ01122_5a.080519.epkg.Z
|       d2806ec501124aad33aa18eb31ff0e9a  IZ01122_6a.080519.epkg.Z
        558bc9071b94c69a80fa7c775dd47f88  IZ10840_08.080109.epkg.Z
        71a315af40a5697c91ff0bb500bf0aa9  IZ10840_09.080109.epkg.Z
        5a8c8cd6922a2479201859be07fdda42  IZ10840_10.080109.epkg.Z
        677c2d0064e7e32ca8dfc4f92b1cc977  IZ10841_05.080109.epkg.Z
        21337af76a41a0f8c097e376bbaa1406  IZ10841_06.080109.epkg.Z
        0b3de29dfb23bb6c2e089a606303a75c  IZ10842_07.080109.epkg.Z
        bf4eb2807f0b30ab877d5b4a15315a9b  IZ10844_00.080109.epkg.Z

        csum -h SHA1 (sha1sum)                    filename
        ------------------------------------------------------------------
|       02d1e6513e76588dd7a29d3fe120e62841a4d91a  IZ01121_0a.080519.epkg.Z
|       de071d960335417f64cca9ed5dd9b063f297f80a  IZ01121_8a.080519.epkg.Z
|       c04d3c4aa9918e21d243e032c7ec0bdef3519f22  IZ01121_9a.080519.epkg.Z
|       db4572950f88a575fb71563db7a72456e76d1e9c  IZ01122_5a.080519.epkg.Z
|       f6b2357af7b3e8a4adb53a35301b319a3a8c5e45  IZ01122_6a.080519.epkg.Z
        75614ca3db4e3a83ec6051e7d2ff1fe51a66768e  IZ10840_08.080109.epkg.Z
        0a965047dc28569ddee8d698191f70b3b1b152ca  IZ10840_09.080109.epkg.Z
        bfb3c9c9f2cf3831ed903ec8d11acd278e58ae3f  IZ10840_10.080109.epkg.Z
        cde96156eeb70759ae58e970e960a1277f689753  IZ10841_05.080109.epkg.Z
        b41b4fa9dd8f7e6c889bb17580c9bac76e04bc72  IZ10841_06.080109.epkg.Z
        f39a8edb911c9663e7a9e7064510485eed9d7e44  IZ10842_07.080109.epkg.Z
        c831eba7c637f3375a6fe66377666db573da1abd  IZ10844_00.080109.epkg.Z

    To verify the sums, use the text of this advisory as input to csum,
    md5sum, or sha1sum.  For example:

        csum -h SHA1 -i Advisory.asc
        md5sum -c Advisory.asc
        sha1sum -c Advisory.asc

    These sums should match exactly.  The PGP signatures in the tar file
    and on this advisory can also be used to verify the integrity of the
    fixes.  If the sums or signatures cannot be confirmed, contact IBM AIX
    Security at security-alert@austin.ibm.com and describe the
    discrepancy.
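The "md5sum -c Advisory.asc" form above silently skips any table row it cannot parse, and the rows IBM revised in the May update carry a leading "|" change bar, so a plain -c run would leave exactly the repackaged piomkpq fixes unchecked. The following POSIX sh script is an added example, not IBM's code: it pulls the cksum table out of the advisory text with awk (with or without change bars), runs the POSIX cksum command on every listed package, and fails if any file is missing, altered, or if no table is found at all. The demo tree it builds contains constructed stand-in files and a constructed advisory excerpt, not the real fix packages; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of IBM's advisory): check downloaded interim fix
# packages against the "cksum" table carried in the advisory text.
# Usage on a real download:  verify_fix_cksums Advisory.asc pioout_ifix

# extract_cksum_table ADVISORY: print "crc size filename" for each row
# between the "cksum filename" header and the next "csum ..." header,
# dropping a leading "|" change bar where present.
extract_cksum_table() {
    awk '
        /^[| \t]*cksum[ \t]+filename/ { on = 1; next }
        /^[| \t]*csum[ \t]/            { on = 0 }
        on && /\.epkg\.Z[ \t]*$/ {
            if ($1 == "|") print $2, $3, $4
            else           print $1, $2, $3
        }' "$1"
}

# verify_fix_cksums ADVISORY DIR: compare every listed package under DIR
# with its expected CRC and byte count. Prints one line per file and exits
# 0 only when every file is present and matches.
verify_fix_cksums() {
    advisory="$1"; dir="$2"; status=0
    table=$(extract_cksum_table "$advisory")
    if [ -z "$table" ]; then
        echo "no cksum table found in $advisory"; return 1
    fi
    while read -r crc size name; do
        [ -n "$name" ] || continue
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s\n' "$name"; status=1; continue
        fi
        set -- $(cksum "$path")          # -> crc size path
        if [ "$1" = "$crc" ] && [ "$2" = "$size" ]; then
            printf 'OK       %s\n' "$name"
        else
            printf 'MISMATCH %s (got %s %s, expected %s %s)\n' \
                "$name" "$1" "$2" "$crc" "$size"
            status=1
        fi
    done <<EOF
$table
EOF
    return $status
}

# make_demo_tree: build a scratch directory with two constructed stand-in
# "packages" (not real IBM fixes) and a constructed advisory excerpt whose
# cksum table matches them, one row carrying the "|" change bar.
# Prints the directory path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir "$d/pioout_ifix"
    printf 'constructed package one\n' > "$d/pioout_ifix/IZ01121_8a.080519.epkg.Z"
    printf 'constructed package two\n' > "$d/pioout_ifix/IZ10840_08.080109.epkg.Z"
    set -- $(cksum "$d/pioout_ifix/IZ01121_8a.080519.epkg.Z"); c1=$1; s1=$2
    set -- $(cksum "$d/pioout_ifix/IZ10840_08.080109.epkg.Z"); c2=$1; s2=$2
    cat > "$d/Advisory.asc" <<EOF
        cksum                filename
        ------------------------------------------
|       $c1 $s1 IZ01121_8a.080519.epkg.Z
        $c2 $s2 IZ10840_08.080109.epkg.Z

        csum -h MD5 (md5sum)             filename
EOF
    printf '%s\n' "$d"
}

# Demo when executed directly: intact files verify, then one file is
# altered and the same check reports the mismatch.
demo_dir=$(make_demo_tree)
verify_fix_cksums "$demo_dir/Advisory.asc" "$demo_dir/pioout_ifix"
printf 'tampered\n' >> "$demo_dir/pioout_ifix/IZ10840_08.080109.epkg.Z"
verify_fix_cksums "$demo_dir/Advisory.asc" "$demo_dir/pioout_ifix" \
    || echo "verification FAILED as expected after tampering"
rm -rf "$demo_dir"
```

cksum is a CRC, not a cryptographic hash, so this check catches download corruption and accidental mix-ups between TL packages; for an integrity guarantee against deliberate substitution, pair it with the SHA1 table and the PGP signatures shipped in the tar file, as the advisory says.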
    C. INTERIM FIX INSTALLATION

    IMPORTANT: If possible, it is recommended that a mksysb backup of the
    system be created.  Verify it is both bootable and readable before
    proceeding.

    Interim fixes have had limited functional and regression testing but
    not the full regression testing that takes place for Service Packs;
    thus, IBM does not warrant the fully correct functionality of an
    interim fix.

    Interim fix management documentation can be found at:

        http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

    To preview an interim fix installation:

        emgr -e ipkg_name -p       # where ipkg_name is the name of the
                                   # interim fix package being previewed.

    To install an interim fix package:

        emgr -e ipkg_name -X       # where ipkg_name is the name of the
                                   # interim fix package being installed.

VI.  WORKAROUNDS

    There are two workarounds available.

    A. OPTION 1

    Change the permissions of these commands to remove the setuid bit
    using the following commands:

        chmod 500 /usr/lib/lpd/pio/etc/pioout
|       chmod 500 /usr/lib/lpd/pio/etc/piomkpq

    NOTE: chmod will disable functionality of these commands for all
    users except root.

    B. OPTION 2 (AIX 6.1, AIX 5.3 TL6 and TL7)

    Use the File Permissions Manager (fpm) command to manage setuid and
    setgid programs.  fpm documentation can be found in the AIX 6
    Security Redbook at:

        http://www.redbooks.ibm.com/abstracts/sg247430.html

    An fpm level of high will remove the setuid bit from the affected
    commands.  For example:

        fpm -l high -p      # to preview changes
        fpm -l high         # to execute changes

    NOTE: Please review the documentation before execution.  fpm will
    disable functionality of multiple commands for all users except root.

VII. OBTAINING FIXES

    AIX security related fixes can be downloaded from:

        ftp://aix.software.ibm.com/aix/efixes/security

    AIX fixes can be downloaded from:

        http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix

    NOTE: Affected customers are urged to upgrade to the latest applicable
    Technology Level and Service Pack.
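Option 1 of the workarounds in section VI is a two-line chmod, but on a fleet the useful part is the audit around it: confirming which of the two commands still carry the setuid bit, applying mode 500 only where needed, and re-checking afterwards. The following POSIX sh script is an added example and not IBM's code. It reports the setuid state of the two paths the advisory names and, with --fix, applies the advisory's chmod 500; the ROOT variable and the scratch tree it builds exist only so the logic can be exercised against constructed stand-in files rather than the real binaries, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of IBM's advisory): audit the two printers.rte
# commands named in the workaround for the setuid bit and optionally apply
# the "chmod 500" mitigation from Option 1. On a real AIX host, as root:
#   audit_setuid          # report only
#   audit_setuid --fix    # report and strip setuid (commands become root-only)
# ROOT is a constructed prefix used for the demo below; leave it unset on a
# real system.

AFFECTED="/usr/lib/lpd/pio/etc/pioout
/usr/lib/lpd/pio/etc/piomkpq"

# is_setuid PATH: exit 0 if the file carries the setuid bit.
is_setuid() { [ -u "$1" ]; }

# audit_setuid [--fix]: print one line per affected command. Exit 0 if no
# affected command is left setuid, 1 otherwise.
audit_setuid() {
    fix="${1:-}"; left=0
    for cmd in $AFFECTED; do
        path="${ROOT:-}$cmd"
        if [ ! -e "$path" ]; then
            printf 'absent   %s\n' "$cmd"; continue
        fi
        if is_setuid "$path"; then
            if [ "$fix" = "--fix" ]; then
                chmod 500 "$path"        # the advisory's Option 1 workaround
                printf 'fixed    %s (setuid removed, mode 500)\n' "$cmd"
            else
                printf 'SETUID   %s\n' "$cmd"; left=1
            fi
        else
            printf 'ok       %s (no setuid bit)\n' "$cmd"
        fi
    done
    return $left
}

# make_scratch_tree: create constructed setuid stand-ins (shell stubs, not
# the real AIX binaries) under a temporary prefix and print that prefix.
make_scratch_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/lib/lpd/pio/etc"
    for cmd in $AFFECTED; do
        printf '#!/bin/sh\necho stand-in\n' > "$d$cmd"
        chmod 4755 "$d$cmd"              # setuid, as the vulnerable commands are
    done
    printf '%s\n' "$d"
}

# Demo when executed directly: audit, apply the workaround, audit again.
ROOT=$(make_scratch_tree)
audit_setuid || echo "setuid programs present: workaround not yet applied"
audit_setuid --fix
audit_setuid
rm -rf "$ROOT"
unset ROOT
```

As the advisory notes, mode 500 leaves pioout and piomkpq usable by root only, so print jobs submitted by ordinary users will fail until the interim fix is installed and the original permissions are restored by the fix package.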
VIII. CONTACT INFORMATION

    If you would like to receive AIX Security Advisories via email,
    please visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd

    Comments regarding the content of this announcement can be directed
    to:

        security-alert@austin.ibm.com

    To request the PGP public key that can be used to communicate
    securely with the AIX Security Team you can either:

        A. Send an email with "get key" in the subject line to:

           security-alert@austin.ibm.com

        B. Download the key from a PGP Public Key Server.  The key ID is:

|          0xADA6EB4D

    Please contact your local IBM AIX support center for any assistance.

    eServer is a trademark of International Business Machines
    Corporation.  IBM, AIX and pSeries are registered trademarks of
    International Business Machines Corporation.  All other trademarks
    are property of their respective holders.

IX.  ACKNOWLEDGMENTS

    iDefense Labs reported this vulnerability.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD8DBQFINEdPP9Qud62m600RAnYvAKDMWieuHzdT4/ItA0fk/i6aCVqzWACgqsYI
WfBhx2hp0B15jFQ8mgQkiI8=
=MQsq
-----END PGP SIGNATURE-----