-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Wed Sep 3 09:53:43 CDT 2008
| Updated: Fri Jan 23 13:00:06 CST 2009
|
| Some customers have experienced problems with installation of the
| interim fix due to an extraneous message catalog file. Therefore we
| have removed the catalog file from the interim fix.

===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:  AIX swcons file ownership/permission vulnerability.

PLATFORMS:      AIX 5.2, 5.3, 6.1

SOLUTION:       Apply the fix or workaround as described below.

THREAT:         A local attacker in the system group may create files
                owned by root with arbitrary contents.

CERT VU Number: n/a
CVE Number:     n/a

Reboot required?    NO
Workarounds?        YES
Protected by FPM?   YES (high, medium, or low)
Protected by SED?   NO

NOTE: This issue was initially fixed in October 2007. We have found
security issues in the original fix, so a new set of APARs and interim
fixes is being released.

===============================================================================
                           DETAILED INFORMATION

I.  OVERVIEW

    The AIX Console command 'swcons' is a utility for redirecting,
    temporarily, the system console output to a specified device or
    file. This command contains a vulnerability that allows a local
    attacker to create files owned by root that have insecure
    permissions allowing for arbitrary content creation within the
    file.

II. DESCRIPTION

    A file permission/ownership vulnerability exists in the
    'bos.rte.console' fileset command listed below whereby a local
    attacker may create arbitrary contents within a file owned by root
    using the 'swcons' command. The local attacker must be a member of
    the 'system' group (gid=0) to execute this command.

    The following commands are vulnerable:

        /usr/sbin/swcons

III. IMPACT

    The successful exploitation of this vulnerability allows a user in
    the system group to execute code with root privileges.

IV. PLATFORM VULNERABILITY ASSESSMENT

    To determine if your system is vulnerable, execute the following
    command:

        lslpp -L bos.rte.console

    The following fileset levels are vulnerable:

        AIX Fileset           Lower Level     Upper Level
        ---------------------------------------------------
        bos.rte.console       5.2.0.0         5.2.0.107
        bos.rte.console       5.3.0.0         5.3.0.51
        bos.rte.console       5.3.0.60        5.3.0.62
        bos.rte.console       5.3.7.0         5.3.7.0
        bos.rte.console       5.3.8.0         5.3.8.0
        bos.rte.console       6.1.0.0         6.1.0.0
        bos.rte.console       6.1.1.0         6.1.1.0

V.  SOLUTIONS

    A. APARS

       IBM has assigned the following APARs to this problem:

        AIX Level     APAR number     Availability
        ----------------------------------------------------
        5.2.0         IZ18335         Now
        5.3.0         IZ18339         10/29/2008
        5.3.7         IZ18338         10/29/2008
        5.3.8         IZ18334         10/29/2008
        6.1.0         IZ18341         11/19/2008
        6.1.1         IZ28943         11/19/2008

       Subscribe to the APARs here:

        http://www.ibm.com/support/docview.wss?uid=isg1IZ18335
        http://www.ibm.com/support/docview.wss?uid=isg1IZ18339
        http://www.ibm.com/support/docview.wss?uid=isg1IZ18338
        http://www.ibm.com/support/docview.wss?uid=isg1IZ18334
        http://www.ibm.com/support/docview.wss?uid=isg1IZ18341
        http://www.ibm.com/support/docview.wss?uid=isg1IZ28943

       By subscribing, you will receive periodic email alerting you to
       the status of the APAR, and a link to download the fix once it
       becomes available.

    B. FIXES

       Fixes are available. The fixes can be downloaded from:

        http://aix.software.ibm.com/aix/efixes/security/swcons_fix.tar
        ftp://aix.software.ibm.com/aix/efixes/security/swcons_fix.tar

       The links above are to a tar file containing this signed
       advisory, fix packages, and PGP signatures for each package.

       The fixes below include prerequisite checking. This will enforce
       the correct mapping between the fixes and AIX Technology Levels.
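Before picking a fix from the table that follows, confirm that the installed bos.rte.console level really lies in one of the vulnerable ranges listed in section IV. Comparing dotted levels as plain strings gets this wrong (as text, "5.2.0.107" sorts before "5.2.0.51"), so the comparison has to be done component by component. The script below is an added example and not IBM's code: it encodes the section IV ranges, compares levels numerically with awk, and reads the installed level out of `lslpp -L` output. The sample lslpp output embedded in it, including its column layout, is constructed for the example, and check_system, is_vulnerable and vercmp are names chosen here.

```shell
#!/bin/sh
# Added example (not IBM's code): decide whether the installed
# bos.rte.console level falls inside one of the vulnerable ranges
# from section IV, using only POSIX sh and awk.

# Vulnerable ranges copied from the advisory: "<lower> <upper>" per line.
VULN_RANGES='5.2.0.0 5.2.0.107
5.3.0.0 5.3.0.51
5.3.0.60 5.3.0.62
5.3.7.0 5.3.7.0
5.3.8.0 5.3.8.0
6.1.0.0 6.1.0.0
6.1.1.0 6.1.1.0'

# Constructed sample in the shape of `lslpp -L bos.rte.console` output
# (the column layout is an assumption; compare with your own system).
SAMPLE_LSLPP='  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  bos.rte.console            5.3.0.51    C     F    Console'

# vercmp A B: print -1, 0 or 1, comparing dotted version strings
# component by component as integers, so 5.2.0.107 is greater than
# 5.2.0.51 even though "107" sorts before "51" as text.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print -1; exit }
            if (xi > yi) { print 1; exit }
        }
        print 0
    }'
}

# is_vulnerable LEVEL: succeed (exit 0) if LEVEL lies in any range,
# bounds inclusive, as the advisory's "Lower Level"/"Upper Level" imply.
is_vulnerable() {
    level=$1
    hit=1
    while read -r lo hi; do
        [ -n "$lo" ] || continue
        if [ "$(vercmp "$level" "$lo")" -ge 0 ] &&
           [ "$(vercmp "$level" "$hi")" -le 0 ]; then
            hit=0
        fi
    done <<EOF
$VULN_RANGES
EOF
    return $hit
}

# level_from_lslpp: read lslpp -L output on stdin and print the installed
# level of bos.rte.console (second column of its row).
level_from_lslpp() {
    awk '$1 == "bos.rte.console" { print $2 }'
}

# check_system: on a real host run   lslpp -L bos.rte.console | check_system
# Exit 0 = vulnerable level found, 1 = not in a listed range, 2 = fileset absent.
check_system() {
    lvl=$(level_from_lslpp)
    if [ -z "$lvl" ]; then
        echo "bos.rte.console is not installed"
        return 2
    fi
    if is_vulnerable "$lvl"; then
        echo "bos.rte.console $lvl: in a vulnerable range, apply the fix or a workaround"
        return 0
    fi
    echo "bos.rte.console $lvl: not in a listed vulnerable range"
    return 1
}

# Demonstrate with the constructed sample: 5.3.0.51 is the upper bound of
# the second range, so it is reported as vulnerable.
printf '%s\n' "$SAMPLE_LSLPP" | check_system
```

The ranges are inclusive at both ends, which matters for levels such as 5.3.0.51 and 5.2.0.107 that sit exactly on an upper bound; a level one step past a bound (5.3.0.52, 5.2.0.108) is correctly reported as outside the listed ranges, though it should still be checked against the APAR list rather than assumed fixed.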
        AIX Level     Fix
        ----------------------------------------------------
        5.2.0 TL10    IZ18335_10.080826.epkg.Z
        5.3.0 TL5     IZ18339_05.080826.epkg.Z
        5.3.0 TL6     IZ18339_06.080826.epkg.Z
        5.3.7         IZ18338_07.080826.epkg.Z
        5.3.8         IZ18334_08.080826.epkg.Z
        6.1.0         IZ18341_00.080826.epkg.Z
        6.1.1         IZ28943_01.080826.epkg.Z

       To extract the fixes from the tar file:

        tar xvf swcons_fix.tar
        cd swcons_fix

       Verify you have retrieved the fixes intact:

       The checksums below were generated using the "sum", "cksum",
       "csum -h MD5" (md5sum), and "csum -h SHA1" (sha1sum) commands
       and are as follows:

        sum             filename
        ------------------------------------
|       55125    30     IZ18334_08.090123.epkg.Z
|       56672    30     IZ18335_10.090123.epkg.Z
|       16082    30     IZ18338_07.090123.epkg.Z
|       36259    30     IZ18339_05.090123.epkg.Z
|       18412    30     IZ18339_06.090123.epkg.Z
|       64884    33     IZ18341_00.090123.epkg.Z
|       52182    33     IZ28943_01.090123.epkg.Z

        cksum           filename
        -----------------------------------------
|       1377601187 30386 IZ18334_08.090123.epkg.Z
|       3118813312 30189 IZ18335_10.090123.epkg.Z
|       992459188  30249 IZ18338_07.090123.epkg.Z
|       2265837457 30165 IZ18339_05.090123.epkg.Z
|       3266968116 30444 IZ18339_06.090123.epkg.Z
|       2162351571 32790 IZ18341_00.090123.epkg.Z
|       2060295169 32829 IZ28943_01.090123.epkg.Z

        csum -h MD5 (md5sum)             filename
        ----------------------------------------------------------
|       e52c2313e910bf04b0e390f533758c4b IZ18334_08.090123.epkg.Z
|       5ef7dedb87b1d43f797e318e684ed0f3 IZ18335_10.090123.epkg.Z
|       2ab95941ff372d557feeb7082b9b3295 IZ18338_07.090123.epkg.Z
|       623f2e6a48885dae263bef662e3762c1 IZ18339_05.090123.epkg.Z
|       e2c4b14835d3c0726fab685afa6bf708 IZ18339_06.090123.epkg.Z
|       26192d7df5204d6b8801aedc5bb8466a IZ18341_00.090123.epkg.Z
|       c6ea8d793585501d638a3e135c2214be IZ28943_01.090123.epkg.Z

        csum -h SHA1 (sha1sum)                   filename
        ------------------------------------------------------------------
|       9453f5628133d4c4b321d9f7bc112f850ad9d2aa IZ18334_08.090123.epkg.Z
|       2906bb806eb7fc27deea018b2f170f50bd876310 IZ18335_10.090123.epkg.Z
|       5812a6d96ea4e92b8338cfde39727b0633ff51b4 IZ18338_07.090123.epkg.Z
|       1ce01687eb325f189f8e34a1de7cc0deba040ecb IZ18339_05.090123.epkg.Z
|       bcb612b3f8437c03d9d64189aa05f9cc02836c51 IZ18339_06.090123.epkg.Z
|       04141ee56901044aa2a9db688eb75669f91b95f1 IZ18341_00.090123.epkg.Z
|       043ea07b2870e71e728fd3276d9694dc7403bbfd IZ28943_01.090123.epkg.Z

       To verify the sums, use the text of this advisory as input to
       csum, md5sum, or sha1sum. For example:

        csum -h SHA1 -i Advisory.asc
        md5sum -c Advisory.asc
        sha1sum -c Advisory.asc

       These sums should match exactly. The PGP signatures in the tar
       file and on this advisory can also be used to verify the
       integrity of the fixes. If the sums or signatures cannot be
       confirmed, contact IBM AIX Security and describe the discrepancy
       at the following address:

        security-alert@austin.ibm.com

    C. INTERIM FIX INSTALLATION

       IMPORTANT: If possible, it is recommended that a mksysb backup of
       the system be created. Verify it is both bootable and readable
       before proceeding.

       Interim fixes have had limited functional and regression testing
       but not the full regression testing that takes place for Service
       Packs; thus, IBM does not warrant the fully correct functionality
       of an interim fix.

       Interim fix management documentation can be found at:

        http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

       To preview an interim fix installation:

        emgr -e ipkg_name -p         # where ipkg_name is the name of the
                                     # interim fix package being previewed.

       To install an interim fix package:

        emgr -e ipkg_name -X         # where ipkg_name is the name of the
                                     # interim fix package being installed.

VI. WORKAROUNDS

    There are two workarounds available.

    A. OPTION 1

       Change the permissions of these commands to remove the setuid bit
       using the following commands:

        chmod 500 /usr/sbin/swcons

       NOTE: chmod will disable functionality of these commands for all
       users except root.

    B. OPTION 2 (AIX 6.1, AIX 5.3 TL6 and TL7)

       Use the File Permissions Manager (fpm) command to manage setuid
       and setgid programs. fpm documentation can be found in the AIX 6
       Security Redbook at:

        http://www.redbooks.ibm.com/abstracts/sg247430.html

       An fpm level of high, medium, or low will remove the setuid bit
       from the affected commands. For example:

        fpm -l high -p               # to preview changes
        fpm -l high                  # to execute changes

       NOTE: Please review the documentation before execution. fpm will
       disable functionality of multiple commands for all users except
       root.

VII. OBTAINING FIXES

    AIX security fixes can be downloaded from:

        http://aix.software.ibm.com/aix/efixes/security
        ftp://aix.software.ibm.com/aix/efixes/security

    AIX fixes can be downloaded from:

        http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix

    NOTE: Affected customers are urged to upgrade to the latest
    applicable Technology Level and Service Pack.

VIII. CONTACT INFORMATION

|   If you would like to receive AIX Security Advisories via email,
|   please visit:
|
|       http://www.ibm.com/systems/support
|
|   and click on the "My notifications" link.
|
|   To view previously issued advisories, please visit:
|
|       http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd
|
|   Comments regarding the content of this announcement can be
|   directed to:
|
|       security-alert@austin.ibm.com
|
|   To obtain the PGP public key that can be used to communicate
|   securely with the AIX Security Team you can either:
|
|   A. Download the key from our web page:
|
|       http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgpkey.txt
|
|   B. Download the key from a PGP Public Key Server. The key ID is:
|
|       0xADA6EB4D
|
|   Please contact your local IBM AIX support center for any
|   assistance.
|
|   eServer is a trademark of International Business Machines
|   Corporation. IBM, AIX and pSeries are registered trademarks of
|   International Business Machines Corporation. All other trademarks
|   are property of their respective holders.

IX. ACKNOWLEDGMENTS

    This vulnerability was reported by iDefense Labs.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD8DBQFJehY6P9Qud62m600RAjJyAJ9QMlwo6fMrRsyZZoGbX2TMr1As1ACg125S
6YPiFrj3jatRoE7mx3ZW798=
=1t0v
-----END PGP SIGNATURE-----
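Section V.B asks that the advisory text itself be fed to csum, md5sum or sha1sum to check the downloaded packages. On a host without csum, the "| " change markers in front of the checksum rows and the four separate tables make that awkward, so the script below, an added example that is not part of the signed advisory and not IBM's code, pulls only the cksum table out of the advisory text, tolerates the "| " markers, and compares each row with cksum(1) of the file in the extracted swcons_fix directory. The excerpt embedded in it is constructed from the tables in V.B, and advisory_cksums and verify_cksums are names chosen here; a MISMATCH or MISSING result means the packages should not be installed until the discrepancy is resolved with the address given in V.B.

```shell
#!/bin/sh
# Added example (not IBM's code): check downloaded interim fixes against the
# "cksum" table of an AIX advisory. cksum(1) is POSIX, so this works both on
# AIX and on the workstation where the tar file was downloaded.

# Constructed excerpt in the layout of the advisory's checksum tables; the
# "|" prefix is IBM's marker for lines changed since the advisory was first
# issued and must be ignored when parsing.
ADVISORY_EXCERPT='        sum             filename
        ------------------------------------
|       55125    30     IZ18334_08.090123.epkg.Z

        cksum           filename
        -----------------------------------------
|       1377601187 30386 IZ18334_08.090123.epkg.Z
|       3118813312 30189 IZ18335_10.090123.epkg.Z
|       992459188  30249 IZ18338_07.090123.epkg.Z
|       2265837457 30165 IZ18339_05.090123.epkg.Z
|       3266968116 30444 IZ18339_06.090123.epkg.Z
|       2162351571 32790 IZ18341_00.090123.epkg.Z
|       2060295169 32829 IZ28943_01.090123.epkg.Z

        csum -h MD5 (md5sum)             filename
        ----------------------------------------------------------
|       e52c2313e910bf04b0e390f533758c4b IZ18334_08.090123.epkg.Z'

# advisory_cksums: read advisory text on stdin and print "<crc> <bytes> <file>"
# for every row of the cksum table only; the sum, MD5 and SHA1 tables are
# skipped because their first column is not what cksum(1) prints.
advisory_cksums() {
    awk '
        /^\|?[[:space:]]*cksum[[:space:]]/        { on = 1; next }  # cksum table starts
        /^\|?[[:space:]]*(sum|csum)[[:space:]]/   { on = 0 }        # any other table ends it
        on && /\.epkg\.Z$/ { sub(/^\|/, ""); print $1, $2, $3 }     # drop marker, re-split
    '
}

# verify_cksums DIR: read expected triples on stdin and compare each with
# cksum(1) of DIR/<file>. Exit 0 only if every file is present and matches.
verify_cksums() {
    dir=$1
    status=0
    while read -r crc size name; do
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"
            status=1
            continue
        fi
        actual=$(cksum "$dir/$name" | awk '{ print $1, $2 }')
        if [ "$actual" = "$crc $size" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (advisory: $crc $size, file: $actual)"
            status=1
        fi
    done
    return $status
}

# Usage with a real download, after `tar xvf swcons_fix.tar`:
#   advisory_cksums < Advisory.asc | verify_cksums swcons_fix
# Here a scratch directory holds one constructed file under a fix name, so
# the run reports one MISMATCH and six MISSING entries and fails, as it should.
scratch=$(mktemp -d)
printf 'constructed stand-in, not the real fix\n' > "$scratch/IZ18334_08.090123.epkg.Z"
printf '%s\n' "$ADVISORY_EXCERPT" | advisory_cksums | verify_cksums "$scratch"
rm -rf "$scratch"
```

The byte count is compared alongside the CRC because cksum's CRC alone is not a cryptographic check; for the packages themselves the SHA1 table and the PGP signatures shipped in the tar file remain the stronger evidence, and this script is only a convenience for the first, quick integrity pass.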