IBM SECURITY ADVISORY

First Issued: Fri Sep 11 15:15:59 CDT 2015
|Updated: Tue Nov 1 11:52:05 CDT 2016
|Update: New iFixes provided to correct a non-security related issue. If
|        you are not experiencing issues with the original fixes, then please
|        disregard these new fixes.

The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/powerha_advisory.asc
https://aix.software.ibm.com/aix/efixes/security/powerha_advisory.asc
ftp://aix.software.ibm.com/aix/efixes/security/powerha_advisory.asc

Security Bulletin: PowerHA SystemMirror privilege escalation vulnerability
                   (CVE-2015-5005)

===============================================================================

SUMMARY:

    PowerHA SystemMirror privilege escalation vulnerability (CVE-2015-5005)

===============================================================================

VULNERABILITY DETAILS:

    CVEID: CVE-2015-5005

    DESCRIPTION:
        IBM PowerHA SystemMirror has a systems management feature (CSPOC)
        which includes an option to allow users to change their password
        cluster-wide. Once added to this list, a non-root user may be able
        to exploit a vulnerability in one of the scripts shipped with the
        product to switch user (su) to the root user.
    CVSS Base Score: 8.5
    CVSS Temporal Score: See
        http://exchange.xforce.ibmcloud.com/vulnerabilities/106286
        for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)

    Affected Products and Versions

        PowerHA SystemMirror for AIX version 6.1
        PowerHA SystemMirror for AIX version 7.1

    The following filesets are vulnerable:

        Fileset                 Lower Level   Upper Level
        ---------------------------------------------
        cluster.es.client.rte   6.1.0.0       6.1.0.11
        cluster.es.cspoc.cmds   6.1.0.0       6.1.0.15
        cluster.es.cspoc.rte    6.1.0.0       6.1.0.14
        cluster.es.client.rte   7.1.2.0       7.1.2.3
        cluster.es.cspoc.cmds   7.1.2.0       7.1.2.6
        cluster.es.cspoc.rte    7.1.2.0       7.1.2.6
        cluster.es.client.rte   7.1.3.0       7.1.3.2
        cluster.es.cspoc.cmds   7.1.3.0       7.1.3.3
        cluster.es.cspoc.rte    7.1.3.0       7.1.3.3

    Note: to find out whether the affected filesets are installed on your
    systems, refer to the lslpp command found in the AIX user's guide.

    Example:  lslpp -l cluster.es.client.rte

REMEDIATION:

    A. APARS

        IBM has assigned the following APARs to this problem:

        Level   APAR      Availability
        -------------------------------
        6.1.0   IV77007   9/22/2015
        7.1.2   IV76943   9/22/2015
        7.1.3   IV76946   9/22/2015

        Subscribe to the APARs here:

        http://www.ibm.com/support/docview.wss?uid=isg1IV77007
        http://www.ibm.com/support/docview.wss?uid=isg1IV76943
        http://www.ibm.com/support/docview.wss?uid=isg1IV76946

        By subscribing, you will receive periodic email alerting you to the
        status of the APAR, and a link to download the fix once it becomes
        available.

    B. FIXES

|       A fix is available for versions 6.1.0 and 7.1.3. Customers using
        other releases are encouraged to migrate to a supported release.

        The fix can be downloaded via ftp or http from:

        ftp://aix.software.ibm.com/aix/efixes/security/powerha_fix.tar
        http://aix.software.ibm.com/aix/efixes/security/powerha_fix.tar
        https://aix.software.ibm.com/aix/efixes/security/powerha_fix.tar

|       The iFix, IV77444s0a.161027.epkg.Z , contained within the tar file
|       is compatible across 7.1.3.
|       The iFix, IV77007m0a.161027.epkg.Z , contained within the tar file
|       is compatible across 6.1.0.

|       Original iFix information (these iFixes are no longer included in
|       the tar file but remain valid security fixes):

        The iFix, IV76943.160412.epkg.Z , contained within the tar file is
        compatible across 7.1.2 and 7.1.3.

        The iFix, IV76943_61.160412.epkg.Z , contained within the tar file
        is compatible across 6.1.0.

        To extract the fix from the tar file:

        tar xvf powerha_fix.tar
        cd powerha_fix

    C. FIX AND INTERIM FIX INSTALLATION

        IMPORTANT: If possible, it is recommended that a mksysb backup of
        the system be created. Verify it is both bootable and readable
        before proceeding.

        The iFix is installed using the emgr command. See the man page for
        emgr for command format and options.

        Interim fixes have had limited functional and regression testing but
        not the full regression testing that takes place for Service Packs;
        however, IBM does fully support them.

        Interim fix management documentation can be found at:

        http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

        To preview an interim fix installation:

        emgr -e ipkg_name -p       # where ipkg_name is the name of the
                                   # interim fix package being previewed.

        To install an interim fix package:

        emgr -e ipkg_name -X       # where ipkg_name is the name of the
                                   # interim fix package being installed.

WORKAROUNDS AND MITIGATIONS:

    The vulnerability only exists if the root user has configured the
    option to allow users to change their passwords cluster-wide. To avoid
    this vulnerability, the root user should temporarily disable this
    function until a fix is installed. To disable this function, use the
    smit fastpath "smitty cl_manageusers" and delete the list of users,
    then verify and synchronize the cluster configuration.
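Added example (not IBM's code and not part of the advisory): a POSIX sh check that encodes the vulnerable fileset ranges from the table above and reports whether each installed cluster.es fileset level falls inside one of them. The lslpp output it reads is a constructed sample in the layout of lslpp -l; on a real system, feed it the output of the advisory's lslpp -l command for each of the three filesets.

```shell
# Added example, not IBM's code: flag installed PowerHA filesets whose level
# falls inside a vulnerable range from the advisory's fileset table.
RANGES='cluster.es.client.rte 6.1.0.0 6.1.0.11
cluster.es.cspoc.cmds 6.1.0.0 6.1.0.15
cluster.es.cspoc.rte  6.1.0.0 6.1.0.14
cluster.es.client.rte 7.1.2.0 7.1.2.3
cluster.es.cspoc.cmds 7.1.2.0 7.1.2.6
cluster.es.cspoc.rte  7.1.2.0 7.1.2.6
cluster.es.client.rte 7.1.3.0 7.1.3.2
cluster.es.cspoc.cmds 7.1.3.0 7.1.3.3
cluster.es.cspoc.rte  7.1.3.0 7.1.3.3'

# ver_key 7.1.3.2 -> 7001003002: an integer that orders like the dotted
# level, so test -ge/-le compares levels field by field (not as strings).
ver_key() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  printf '%d%03d%03d%03d' "${a:-0}" "${b:-0}" "${c:-0}" "${d:-0}"
}

# is_vulnerable FILESET LEVEL: succeeds if LEVEL lies within a vulnerable
# range for FILESET (both bounds inclusive, as in the table).
is_vulnerable() {
  fs=$1; key=$(ver_key "$2")
  hit=$(printf '%s\n' "$RANGES" | while read -r rfs lo hi; do
    [ "$rfs" = "$fs" ] || continue
    if [ "$key" -ge "$(ver_key "$lo")" ] && [ "$key" -le "$(ver_key "$hi")" ]; then
      echo yes
    fi
  done)
  [ "$hit" = yes ]
}

# scan_lslpp: reads lslpp -l style output on stdin; header and Path: lines
# are skipped, each cluster.es line becomes "<fileset> <level> VULNERABLE|ok".
scan_lslpp() {
  while read -r fs lvl rest; do
    case $fs in cluster.es.*) ;; *) continue ;; esac
    if is_vulnerable "$fs" "$lvl"; then echo "$fs $lvl VULNERABLE"; else echo "$fs $lvl ok"; fi
  done
}

# Constructed sample in the layout of lslpp -l (not captured from a real host).
SAMPLE='  Fileset                    Level    State      Description
Path: /usr/lib/objrepos
  cluster.es.client.rte      7.1.3.2  COMMITTED  ES Client Runtime
  cluster.es.cspoc.cmds      7.1.3.4  COMMITTED  ES CSPOC Commands
  cluster.es.cspoc.rte       7.1.3.3  COMMITTED  ES CSPOC Runtime Commands'
printf '%s\n' "$SAMPLE" | scan_lslpp
```

A level one step above the table's upper bound (7.1.3.4 for cluster.es.cspoc.cmds in the sample) reports ok, while 7.1.3.2 and 7.1.3.3 sit exactly on their upper bounds and are still flagged.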
===============================================================================

CONTACT US:

    Comments regarding the content of this announcement can be directed to:

        security-alert@austin.ibm.com

REFERENCES:

    CVE http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5005

ACKNOWLEDGEMENTS:

    Kristian Erik Hermansen of Undisclosed Ventures.

CHANGE HISTORY:

    First Issued: Fri Sep 11 15:15:59 CDT 2015
    Updated: Mon Sep 14 15:42:46 CDT 2015
    Update: Clarified impacted upper level filesets, APARs, and iFix
            information
    Updated: Mon Nov 30 09:18:10 CST 2015
    Update: Added acknowledgment.
    Updated: Fri Feb 12 12:31:32 CST 2016
    Update: Updated PowerHA 6.1.0 iFix.
    Updated: Thu Apr 14 09:57:45 CDT 2016
    Update: Updated iFixes for new emgr compatibility.
|   Updated: Tue Nov 1 11:52:05 CDT 2016
|   Update: New iFixes provided to correct a non-security related issue. If
|           you are not experiencing issues with the original fixes, then please
|           disregard these new fixes.

===============================================================================

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.