[IBM] Vulnerability in bellmail - ibm2007103101
Dear colleagues,
we have just received the following warning from IBM Managed Security
Services. We are passing this information on to you unchanged.
CVE-2007-4623 - Buffer Overflow in bellmail sendrmt()
A buffer overflow can be triggered in the sendrmt() function of the AIX
bellmail command because the bounds of several buffers are not
sufficiently checked during copy operations. Because bellmail is
installed setuid root, local attackers can exploit the vulnerability to
execute arbitrary code with root privileges by invoking the "m" command
of bellmail with suitably manipulated parameters.
The following software packages and platforms are affected:
Fileset bos.net.tcp.client on AIX 5.2.0, versions 5.2.0.0 -
5.2.0.108, without APAR IZ05066
Fileset bos.net.tcp.client on AIX 5.3.0, versions 5.3.0.0 -
5.3.0.64, without APAR IZ05065
The availability of APAR IZ05065 has been announced for 27 November 2007.
AIX 5.2, 5.3
The vendor provides revised packages.
Vendor advisory:
https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs
(c) of the German summary held by DFN-CERT Services GmbH; distribution,
including in excerpts, is permitted only with reference to the
originator, DFN-CERT Services GmbH, and only for non-commercial
purposes.
Kind regards,
Andreas Bunten, DFN-CERT
--
Andreas Bunten (CSIRT), +49 40 808077-555
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Heidenkampsweg 41, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
IBM SECURITY ADVISORY
First Issued: Thu Oct 25 13:07:10 CDT 2007
===============================================================================
VULNERABILITY SUMMARY
VULNERABILITY: AIX bellmail buffer overflow vulnerability
PLATFORMS: AIX 5.2, 5.3
SOLUTION: Apply the APAR, interim fix or workaround as described
below.
THREAT: A local attacker may run arbitrary code with root privileges.
CERT VU Number: n/a
CVE Number: n/a
===============================================================================
DETAILED INFORMATION
I. OVERVIEW
The bellmail command is a mail user-agent which provides
facilities for creating, receiving, sending, and filing mail. The
primary fileset for the AIX mail system is 'bos.net.tcp.client'.
The bellmail command provided by this fileset contains a buffer
overflow vulnerability.
II. DESCRIPTION
A buffer overflow vulnerability exists in the 'bos.net.tcp.client'
fileset command listed below. A local attacker may execute
arbitrary code with root privileges because the command is setuid
root.
The following 'bos.net.tcp.client' command is vulnerable:
/usr/bin/bellmail
III. IMPACT
The successful exploitation of this vulnerability allows a
non-privileged user to execute code with root privileges.
IV. PLATFORM VULNERABILITY ASSESSMENT
To determine if your system is vulnerable, run the following
command:
# lslpp -l bos.net.tcp.client
The following fileset levels are vulnerable:
AIX Fileset          AIX Level   Lower Level   Upper Level
----------------------------------------------------------------
bos.net.tcp.client   5.2.0       5.2.0.0       5.2.0.108
bos.net.tcp.client   5.3.0       5.3.0.0       5.3.0.64
NOTE: IBM only supports the latest two releases (AIX 5.2 & 5.3)
and the latest three Technology Levels (AIX 5.2 TL08, TL09, TL10 &
AIX 5.3 TL04, TL05, TL06). Affected customers are urged to
upgrade to the latest applicable Technology Level and Service
Pack.
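The level comparison from section IV as a script. This is an added example, not part of the IBM advisory: the function names and the sample `lslpp -l` output are constructed for illustration, while the ranges and APAR numbers are those in the table above. It checks only the fileset level and does not look at installed interim fixes.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a bos.net.tcp.client level.

# ver_le A B: succeed if dotted level A <= B, compared numerically per field
# (a plain string comparison would misorder 5.2.0.9 and 5.2.0.108).
ver_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 0
    }'
}

# bellmail_level_status LEVEL: print a verdict for one fileset level.
bellmail_level_status() {
    level=$1
    case $level in
        *[!0-9.]*|'') echo "unparseable"; return 0 ;;
    esac
    # Ranges and APAR numbers as listed in the advisory table.
    if ver_le 5.2.0.0 "$level" && ver_le "$level" 5.2.0.108; then
        echo "vulnerable-range (fix: APAR IZ05066)"
    elif ver_le 5.3.0.0 "$level" && ver_le "$level" 5.3.0.64; then
        echo "vulnerable-range (fix: APAR IZ05065)"
    else
        echo "outside-listed-ranges"
    fi
}

# extract_level: read `lslpp -l` output on stdin, print the first level found.
extract_level() {
    awk '$1 == "bos.net.tcp.client" { print $2; exit }'
}

# Constructed sample of `lslpp -l bos.net.tcp.client` output (not real data).
SAMPLE='  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  bos.net.tcp.client        5.3.0.50  COMMITTED  TCP/IP Client Support'

if command -v lslpp >/dev/null 2>&1; then
    level=$(lslpp -l bos.net.tcp.client 2>/dev/null | extract_level)
else
    level=$(printf '%s\n' "$SAMPLE" | extract_level)
fi
echo "bos.net.tcp.client $level: $(bellmail_level_status "$level")"
```

On a live system, `instfix -ik IZ05065` (or `IZ05066`) and `emgr -l` report whether the APAR or an interim fix is already installed.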
V. SOLUTIONS
A. APARS
IBM provides the following fixes:
AIX Level   APAR number   Availability
--------------------------------------------------------------------
5.2.0       IZ05066       10/31/2007
5.3.0       IZ05065       11/27/2007
Subscribe to the APARs here:
http://www.ibm.com/support/docview.wss?uid=isg1IZ05066
http://www.ibm.com/support/docview.wss?uid=isg1IZ05065
By subscribing, you will receive periodic email alerting you
to the status of the APAR, and a link to download the fix once
it becomes available.
AIX Version 5 APARs can be downloaded from:
http://www.ibm.com/servers/eserver/support/unixservers/aixfixes.html
NOTE: Affected customers are urged to upgrade to the latest
applicable Technology Level and Service Pack.
B. INTERIM FIXES
Interim fixes are available. The interim fix can be
downloaded via ftp from:
ftp://aix.software.ibm.com/aix/efixes/security/bellmail_ifix.tar
The link above is to a tar file containing this signed
advisory, interim fix packages, and PGP signatures for each
package. The interim fixes below include prerequisite
checking. This will enforce the correct mapping between the
fixes and AIX Technology Levels.
AIX Fileset          AIX Release &      Interim fix
                     Technology Level
-----------------------------------------------------------------
bos.net.tcp.client   5300-04            IZ05065_04.070921.epkg.Z
bos.net.tcp.client   5300-05            IZ05065_05.070921.epkg.Z
bos.net.tcp.client   5300-06            IZ05065_06.070921.epkg.Z
bos.net.tcp.client   5200-08            IZ05066_08.070921.epkg.Z
bos.net.tcp.client   5200-09            IZ05066_09.070921.epkg.Z
bos.net.tcp.client   5200-10            IZ05066_10.071008.epkg.Z
IMPORTANT: If possible, it is recommended that a mksysb backup
of the system be created. Verify it is both bootable and
readable before proceeding.
These interim fixes have not been fully regression tested;
thus, IBM does not warrant the fully correct functionality of
the interim fix.
Verify you have retrieved the fixes intact:
The checksums below were generated using the "sum", "cksum",
"csum -h MD5" (md5sum), and "csum -h SHA1" (sha1sum) commands
and are as follows:
sum filename
------------------------------------
53897 18 IZ05065_04.070921.epkg.Z
36257 18 IZ05065_05.070921.epkg.Z
41386 19 IZ05065_06.070921.epkg.Z
22253 18 IZ05066_08.070921.epkg.Z
55810 18 IZ05066_09.070921.epkg.Z
08386 18 IZ05066_10.071008.epkg.Z
cksum filename
-----------------------------------------
1462307653 18282 IZ05065_04.070921.epkg.Z
1941701035 18341 IZ05065_05.070921.epkg.Z
558094167 18534 IZ05065_06.070921.epkg.Z
1673433776 18297 IZ05066_08.070921.epkg.Z
1286782305 18296 IZ05066_09.070921.epkg.Z
377353885 18238 IZ05066_10.071008.epkg.Z
csum -h MD5 (md5sum) filename
----------------------------------------------------------
798961b599a98b251c0d1f3d635058a8 IZ05065_04.070921.epkg.Z
6a6b5b7273b31a61aad8a8d9a286c6a0 IZ05065_05.070921.epkg.Z
e513796cb5b0a1ee0833e1337a1a3d6c IZ05065_06.070921.epkg.Z
1d82c757fc76425e66377607939c52a7 IZ05066_08.070921.epkg.Z
9b119ea3d4e8e50e1ec0546b55261b04 IZ05066_09.070921.epkg.Z
5b1fea18b0f6d960a07eaf5f4650378a IZ05066_10.071008.epkg.Z
csum -h SHA1 (sha1sum) filename
------------------------------------------------------------------
d3ce86b17cfb0f3462c347714d9b95ee9011a195 IZ05065_04.070921.epkg.Z
12c9ba95a26bf16675626c2730913c391400d226 IZ05065_05.070921.epkg.Z
80df55dfb518218a0f43afb5a6768be8def31963 IZ05065_06.070921.epkg.Z
1a7662a7ae7ac45d7643580e7743d8a296f0d41e IZ05066_08.070921.epkg.Z
03c0a8a333d1e5a2cfdd756cd94a46dbc312a77e IZ05066_09.070921.epkg.Z
95af794cb39c4deed41c96af12f9bc89a110ba4f IZ05066_10.071008.epkg.Z
To verify the sums, use the text of this advisory as input to
csum, md5sum, or sha1sum. For example:
csum -h SHA1 -i Advisory.asc
md5sum -c Advisory.asc
sha1sum -c Advisory.asc
These sums should match exactly. The PGP signatures in the
compressed tarball and on this advisory can also be used to
verify the integrity of the various files they correspond to.
If the sums or signatures cannot be confirmed, double check
the command results and the download site address. If those
are OK, contact IBM AIX Security at
security-alert@xxxxxxxxxxxxxx and describe the discrepancy.
C. INTERIM FIX INSTALLATION
These packages use the new Interim Fix Management Solution to
install and manage interim fixes. More information can be
found at:
http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html
To preview an epkg interim fix installation execute the
following command:
# emgr -e ipkg_name -p # where ipkg_name is the name of the
# interim fix package being previewed.
To install an epkg interim fix package, execute the following
command:
# emgr -e ipkg_name -X # where ipkg_name is the name of the
# interim fix package being installed.
The "X" flag will expand any filesystems if required.
VI. WORKAROUNDS
Change the permissions of this command to remove the setuid bit
using the following command:
# chmod 500 /usr/bin/bellmail
NOTE: This will disable functionality of this command for all
users except root.
VII. OBTAINING FIXES
AIX Version 5 APARs can be downloaded from:
http://www.ibm.com/servers/eserver/support/unixservers/aixfixes.html
Security related Interim Fixes can be downloaded from:
ftp://aix.software.ibm.com/aix/efixes/security
VIII. CONTACT INFORMATION
If you would like to receive AIX Security Advisories via email,
please visit:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd
Comments regarding the content of this announcement can be
directed to:
security-alert@xxxxxxxxxxxxxx
To request the PGP public key that can be used to communicate
securely with the AIX Security Team you can either:
A. Send an email with "get key" in the subject line to:
security-alert@xxxxxxxxxxxxxx
B. Download the key from a PGP Public Key Server. The key ID is:
0xA6A36CCC
Please contact your local IBM AIX support center for any
assistance.
eServer is a trademark of International Business Machines
Corporation. IBM, AIX and pSeries are registered trademarks of
International Business Machines Corporation. All other trademarks
are property of their respective holders.
IX. ACKNOWLEDGMENTS
This vulnerability was reported by iDefense Labs.