
UNIRAS Brief - 135/04 - IBM SECURITY ADVISORY



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice -135/04 dated 23.03.04  Time: 11:33  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Vulnerability in rexecd may allow root access.


Detail
====== 

A vulnerability was discovered in the rexecd daemon that may allow a remote
user to gain root privileges. 

This vulnerability can cause the user information of the connecting user to
potentially be overwritten with that of another user. The connection would 
proceed with the overwritten data and the connecting user would then have 
the privileges of the other user.


                  ESB-2004.0227 -- IBM SECURITY ADVISORY
               Vulnerability in rexecd may allow root access
                               23 March 2004


Product:                rexecd
Publisher:              IBM
Operating System:       AIX 4.3.3
Impact:                 Root Compromise
Access Required:        Remote

- - --------------------------BEGIN INCLUDED TEXT--------------------

- - -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


IBM SECURITY ADVISORY

First Issued: Mon Mar 8 09:43:27 CST 2004


===========================================================================
VULNERABILITY SUMMARY

VULNERABILITY: Vulnerability in rexecd may allow root access 

PLATFORMS: AIX 4.3.3

SOLUTION: Apply the APAR listed below.

THREAT: A remote attacker may gain root privileges.

CERT VU Number: n/a
CVE Number: n/a

===========================================================================
DETAILED INFORMATION


I. Description
===============
A vulnerability was discovered in the rexecd daemon that may allow a remote user to gain root privileges. 

This vulnerability can cause the user information of the connecting user to potentially be overwritten with that of another user. The connection would proceed with the overwritten data and the connecting user would then have the privileges of the other user.

This may be dependent on the type of authentication defined for the connecting user. It is possible, but not certain, that the connecting user may gain root privileges.

Note that this only applies to AIX 4.3.3.

rexecd ships as part of the bos.net.tcp.client fileset. To determine if this fileset is installed, execute the following command:

# lslpp -L bos.net.tcp.client

This vulnerability is in filesets 4.3.3.91 and below.



II. Impact
==========

A remote attacker may gain root privileges.



III. Solutions
===============

A. Official Fix
IBM provides the following fixes:

APAR number for AIX 4.3.3: IY53507

NOTE: Affected customers are urged to upgrade to 5.1.0 or 5.2.0 at the latest maintenance level.


B. Workaround
The rexec daemon runs under the control of the inetd daemon.
To disable the rexecd daemon, as root enter:

# smitty rminetdconf

Scan through the list of subservers. If rexecd is not
listed it is not enabled. If it is listed, place the cursor
on the name and press enter.

To make the change effective enter:

# refresh -s inetd



IV. Obtaining Fixes
===================

AIX Version 4.3.3 and Version 5 APARs can be downloaded from the eServer pSeries Fix Central web site:

http://www-912.ibm.com/eserver/support/fixes/fcgui.jsp

Security related Emergency Fixes can be downloaded from:

ftp://aix.software.ibm.com/aix/efixes/security


V. Acknowledgements 
===================

This document was written by Kent Stuiber.



VI. Contact Information
========================

If you would like to receive AIX Security Advisories via email, please visit: https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs

Comments regarding the content of this announcement can be directed to:

security-alert@xxxxxxxxxxxxxx

To request the PGP public key that can be used to communicate securely with the AIX Security Team send email to security-alert@xxxxxxxxxxxxxx with a subject of "get key". The key can also be downloaded from a PGP Public Key Server. The key id is 0x3AE561C3.

Please contact your local IBM AIX support center for any assistance.

eServer is a trademark of International Business Machines Corporation. IBM, AIX and pSeries are registered trademarks of International Business Machines Corporation. All other trademarks are property of their respective holders.

- - - -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (AIX)

iD8DBQFATgq0+0ah+jrlYcMRAtikAJ9jcm3tv5Can1ku+8Oy0Pak5bt4SwCfUKbj
nZXVOs/gOJ4NN4q+3VLeAF8=
=B3BF
- - - -----END PGP SIGNATURE-----
- - -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: IBM MSS Advisory Service

iD8DBQFATiKcxetIpAeGAXARAiY/AJ0XNpf4VBZUTohSnhaN6orMwwUykACdErjw
8g5mbe/Xt2PH8WyUDh5eiqE=
=IhWW
- - -----END PGP SIGNATURE-----
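
The fileset check from section I and the inetd workaround from section III.B of the advisory above can be combined into a single host triage step. The script below is an added example, not part of the IBM advisory or the UNIRAS briefing; the function names, the verdict strings and the sample inputs are assumptions made for illustration, and it judges exposure only by the fileset level (4.3.3.91 and below) and by whether inetd.conf still has an active rexecd entry.

```shell
#!/bin/sh
# Added example (not from the IBM advisory): triage one host for this issue.

# level_le A B: succeed when dotted fileset level A <= B, compared numerically.
level_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 0
    }'
}

# rexecd_enabled: inetd.conf text on stdin; succeed if an uncommented
# entry has rexecd as its server program (field 6).
rexecd_enabled() {
    awk '$1 !~ /^#/ && $6 ~ /(^|\/)rexecd$/ { found = 1 } END { exit !found }'
}

# assess LSLPP_OUTPUT INETD_CONF_TEXT: print a one-word verdict.
assess() {
    level=$(printf '%s\n' "$1" | awk '$1 == "bos.net.tcp.client" { print $2; exit }')
    [ -n "$level" ] || { echo "fileset-not-installed"; return 0; }
    level_le "$level" 4.3.3.91 || { echo "level-above-affected-range"; return 0; }
    if printf '%s\n' "$2" | rexecd_enabled; then
        echo "affected-rexecd-enabled"
    else
        echo "affected-rexecd-disabled"
    fi
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_LSLPP='  Fileset               Level     State  Description
  bos.net.tcp.client    4.3.3.75  C      TCP/IP Client Support'
SAMPLE_INETD_ON='ftp   stream  tcp6  nowait  root  /usr/sbin/ftpd    ftpd
exec  stream  tcp6  nowait  root  /usr/sbin/rexecd  rexecd'
SAMPLE_INETD_OFF='ftp   stream  tcp6  nowait  root  /usr/sbin/ftpd    ftpd
#exec stream  tcp6  nowait  root  /usr/sbin/rexecd  rexecd'

assess "$SAMPLE_LSLPP" "$SAMPLE_INETD_ON"    # entry active: workaround not applied
assess "$SAMPLE_LSLPP" "$SAMPLE_INETD_OFF"   # entry commented out or removed
# On a real host: assess "$(lslpp -L bos.net.tcp.client)" "$(cat /etc/inetd.conf)"
```

The level comparison is done field by field as numbers, so a level such as 4.3.3.100 is correctly treated as above 4.3.3.91 rather than below it, as a plain string comparison would conclude.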

- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of IBM for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQGAg1Ipao72zK539AQFJXwP+OUqj9xmhbcAeCfdwxq09aRjooxufL02m
+hBfByIo3nUS2D7xvzNJ901XiVcVG8Xo+gzNOVBhDXfKXzKiqXQMFOsb8JeBgkFs
oTNUiIAstyo2UpITKiQotmoczxWqFUqUS2ZwfTEgsdV561yrRiOtP5JR/o1fFUe+
Ku0ujYt0SM4=
=uFRA
-----END PGP SIGNATURE-----