-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 IBM SECURITY ADVISORY First Issued: Wed Nov 26 09:16:12 CST 2008 =============================================================================== VULNERABILITY SUMMARY VULNERABILITY: AIX 6.1 multiple security vulnerabilities PLATFORMS: AIX 6.1 SOLUTION: Apply the fix as described below. THREAT: A local attacker may gain elevated privileges. CVE Number: n/a The most recent version of this document is available at: http://aix.software.ibm.com/aix/efixes/security/aix61_advisory.asc =============================================================================== DETAILED INFORMATION I. DESCRIPTION There are multiple vulnerabilities in AIX 6.1: a) If the netcd daemon is running, a buffer overflow is created in the setuid root program /usr/sbin/ndp, resulting in privilege escalation. Track with the following APAR numbers: IZ35181 IZ35170 IZ35209. b) There is a buffer overflow in the privileged command /usr/sbin/autoconf6, resulting privilege escaltion if RBAC (role based access control) is in use and a user has the aix.network.config.tcpip authorization.. Track with the following APAR numbers: IZ34753 IZ34393 IZ30231. c) The privileged command /usr/bin/enq can remove any file on the system if a print queue is defined in /etc/qconfig. . Track with the following APAR numbers: IZ34785 IZ34481 IZ33088. d) The privileged command /usr/bin/crontab grants elevated privileges to the editor if a user has the aix.system.config.cron authorization. Track with the following APAR numbers: IZ34783 IZ34478 IZ30248. The following files are vulnerable: /usr/sbin/ndp /usr/sbin/autoconf6 /usr/bin/enq /usr/bin/crontab II. PLATFORM VULNERABILITY ASSESSMENT To determine if your system is vulnerable, execute the following command: lslpp -L bos.net.tcp.client \ bos.adt.prof \ bos.rte.libc \ bos.rte.printers \ bos.rte.cron The following fileset levels are vulnerable: AIX Fileset Lower Level Upper Level ------------------------------------------------ bos.net.tcp.client 6.1.0.0 6.1.0.6 bos.adt.prof 6.1.0.0 6.1.0.7 bos.rte.libc 6.1.0.0 6.1.0.7 bos.rte.printers 6.1.0.0 6.1.0.1 bos.rte.cron 6.1.0.0 6.1.0.0 bos.net.tcp.client 6.1.1.0 6.1.1.2 bos.adt.prof 6.1.1.0 6.1.1.2 bos.rte.libc 6.1.1.0 6.1.1.2 bos.rte.printers 6.1.1.0 6.1.1.0 bos.rte.cron 6.1.1.0 6.1.1.1 bos.net.tcp.client 6.1.2.0 6.1.2.0 bos.adt.prof 6.1.2.0 6.1.2.0 bos.rte.libc 6.1.2.0 6.1.2.0 III. SOLUTIONS A. APARS IBM has assigned the following APARs to these problems: AIX Level APAR numbers Availability --------------------------------------------------- 6.1.0 IZ35181 IZ34753 IZ34785 IZ34783 Now 6.1.1 IZ35170 IZ34393 IZ34481 IZ34478 Now 6.1.2 IZ35209 IZ30231 IZ33088 IZ30248 Now Subscribe to the APARs here: http://www.ibm.com/support/docview.wss?uid=isg1IZ35181 http://www.ibm.com/support/docview.wss?uid=isg1IZ34753 http://www.ibm.com/support/docview.wss?uid=isg1IZ34785 http://www.ibm.com/support/docview.wss?uid=isg1IZ34783 http://www.ibm.com/support/docview.wss?uid=isg1IZ35170 http://www.ibm.com/support/docview.wss?uid=isg1IZ34393 http://www.ibm.com/support/docview.wss?uid=isg1IZ34481 http://www.ibm.com/support/docview.wss?uid=isg1IZ34478 http://www.ibm.com/support/docview.wss?uid=isg1IZ35209 http://www.ibm.com/support/docview.wss?uid=isg1IZ30231 http://www.ibm.com/support/docview.wss?uid=isg1IZ33088 http://www.ibm.com/support/docview.wss?uid=isg1IZ30248 By subscribing, you will receive periodic email alerting you to the status of the APAR, and a link to download the fix once it becomes available. The fixes are also available in the following service packs: AIX 6.1 TL0 Service Pack 7 AIX 6.1 TL1 Service Pack 3 AIX 6.1 TL2 Service Pack 1 B. FIXES Fixes are available. The fixes can be downloaded from: http://aix.software.ibm.com/aix/efixes/security/aix61_fix.tar ftp://aix.software.ibm.com/aix/efixes/security/aix61_fix.tar The links above are to a tar file containing this signed advisory, fix packages, and PGP signatures for each package. The fixes below include prerequisite checking. This will enforce the correct mapping between the fixes and AIX Technology Levels. AIX Level Fix (*.U) ------------------------------------------------------------------- 6.1.0 bos.adt.prof.6.1.0.8.U bos.net.tcp.client.6.1.0.7.U bos.rte.cron.6.1.0.1.U bos.rte.libc.6.1.0.8.U bos.rte.printers.6.1.0.2.U 6.1.1 bos.adt.prof.6.1.1.3.U bos.net.tcp.client.6.1.1.3.U bos.rte.cron.6.1.1.2.U bos.rte.libc.6.1.1.3.U bos.rte.printers.6.1.1.1.U 6.1.2 bos.adt.prof.6.1.2.1.U bos.net.tcp.client.6.1.2.1.U bos.rte.libc.6.1.2.0.U To extract the fixes from the tar file: tar xvf aix61_fix.tar cd aix61_fix Verify you have retrieved the fixes intact: The checksums below were generated using the "csum -h SHA1" (sha1sum) command and are as follows: csum -h SHA1 (sha1sum) filename ------------------------------------------------------------------ 166b1f5808b8cf74ecfd2b9a2793f3e7bbb08365 bos.adt.prof.6.1.0.8.U 22a8597cf4ee92004f80e41d13bdfc0d6cf4afb0 bos.adt.prof.6.1.1.3.U aca884ff7e34d5eb556b958e8aa18013d7895f5d bos.adt.prof.6.1.2.1.U d12bcdc6083fb41dbe550929dd05b30099d10690 bos.net.tcp.client.6.1.0.7.U b1c84d681760ad7eba6e7582b0ce8a683b1fb206 bos.net.tcp.client.6.1.1.3.U 334542307bfd4980bb4fca9fd787d46eb65eb2f2 bos.net.tcp.client.6.1.2.1.U 1901b56c0aeb54e1ef7054bcc4e8c54073fb3129 bos.rte.cron.6.1.0.1.U bb3a956f1cc70150d1f99a08138348addea9a158 bos.rte.cron.6.1.1.2.U 150fdd6fd8fc3fd856390c78a979560efb708d7f bos.rte.libc.6.1.0.8.U b3370f80430cbb3a9ca3c1cb33da32085cfb8e3e bos.rte.libc.6.1.1.3.U 0f04ac1b9eec74550fd7ff51dfd762eff55e1f0d bos.rte.libc.6.1.2.0.U 3126a986c1ead766bf4e91b8585f9a191ed9cfa5 bos.rte.printers.6.1.0.2.U 92aff483c92ec8490bad59f7bc3f0f55f3c00cf7 bos.rte.printers.6.1.1.1.U To verify the sums, use the text of this advisory as input to csum or sha1sum. For example: csum -h SHA1 -i Advisory.asc sha1sum -c Advisory.asc These sums should match exactly. The PGP signatures in the tar file and on this advisory can also be used to verify the integrity of the fixes. If the sums or signatures cannot be confirmed, contact IBM AIX Security and describe the discrepancy at the following address: security-alert@austin.ibm.com C. FIX INSTALLATION IMPORTANT: If possible, it is recommended that a mksysb backup of the system be created. Verify it is both bootable and readable before proceeding. To preview a fix installation: installp -a -d fix_name -p all # where fix_name is the name of the # fix package being previewed. To install a fix package: installp -a -d fix_name -X all # where fix_name is the name of the # fix package being installed. IV. WORKAROUNDS a) Stop the netcd daemon and remove the setuid and setgid bits from /usr/sbin/ndp: stopsrc -s netcd chmod 555 /usr/sbin/ndp b) Remove the aix.network.config.tcpip authorization from user roles. c) Remove the setuid and setgid bits from /usr/bin/enq: chmod 555 /usr/bin/enq d) Remove the aix.system.config.cron authorization from user roles. V. OBTAINING FIXES AIX security fixes can be downloaded from: http://aix.software.ibm.com/aix/efixes/security AIX fixes can be downloaded from: http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix NOTE: Affected customers are urged to upgrade to the latest applicable Technology Level and Service Pack. VI. CONTACT INFORMATION If you would like to receive AIX Security Advisories via email, please visit: http://www.ibm.com/systems/support and click on the "My notifications" link. To view previously issued advisories, please visit: http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd Comments regarding the content of this announcement can be directed to: security-alert@austin.ibm.com To obtain the PGP public key that can be used to communicate securely with the AIX Security Team you can either: A. Download the key from our web page: http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgpkey.txt B. Download the key from a PGP Public Key Server. The key ID is: 0xADA6EB4D Please contact your local IBM AIX support center for any assistance. eServer is a trademark of International Business Machines Corporation. IBM, AIX and pSeries are registered trademarks of International Business Machines Corporation. All other trademarks are property of their respective holders. VII. ACKNOWLEDGMENTS IBM discovered and fixed these vulnerabilities as part of its commitment to secure the AIX operating system. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (AIX) iD8DBQFJLXD5P9Qud62m600RAjm2AJ973tmjPi5zTwU+VP1BjROUYgt55wCfU3o6 88bMCxMWGwQXOM9cBbb/MEk= =oIQr -----END PGP SIGNATURE-----