
UNIRAS Brief - 514/05 - IBM - Six Technical Support Bulletins



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 514/05 dated 08.07.05  Time: 14:30  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====
IBM - Six Technical Support Bulletins:
     1.  Denial of service vulnerability in ftpd
     2.  Various communication protocol vulnerabilities
     3.  Buffer overflow vulnerability in diagTasksWebSM
     4.  Buffer overflow vulnerability in getlvname
     5.  Buffer overflow vulnerability in penable command
     6.  Buffer overflow vulnerability in invscout

Detail
====== 

Technical support bulletin summaries:

     1.  A vulnerability has been found in ftpd which allows a remote user to cause a 
         denial of service by using all available ephemeral ports.

     2.  This advisory addresses various vulnerabilities in the TCP, ICMP and IP
         protocols.

     3.  A vulnerability was discovered in the diagTasksWebSM command that allows a
         local user in the system group to gain root privileges. Exploits for this
         vulnerability may be publicly available. 

     4.  A vulnerability was discovered in the getlvname command that allows a
         local user in the system group to gain root privileges. Exploits for this
         vulnerability may be publicly available.

     5.  A vulnerability was discovered in the penable command that allows a
         local user in the system group to gain root privileges. Exploits for this
         vulnerability may be publicly available.

     6.  A vulnerability was discovered in the invscout command that allows a local
         user to gain root privileges. Exploits for this vulnerability may be
         publicly available.


Technical support bulletin content follows:


1.


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Wed Jul  6 08:38:14 CDT 2005

=========================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:      A denial of service vulnerability in ftpd

PLATFORMS:          AIX 5.1, 5.2 and 5.3.

SOLUTION:           Apply the workaround, interim fix or APARs as
                    described below.

THREAT:             A remote user may cause performance degradation
                    or a denial of service.

CERT VU Number:     VU#118125
CVE Number:         N/A
=========================================================================
                           DETAILED INFORMATION


I.  Description
===============

The ftpd daemon provides the server function for the FTP protocol which
allows files to be transferred between two hosts. A vulnerability has been
found in ftpd which allows a remote user to cause a denial of service by
using all available ephemeral ports. This in turn will cause ftpd to
allocate an amount of memory for sockets which is disproportionate to what
it typically uses. Of these two issues, using all available ephemeral
ports and using more memory for sockets, the former poses a greater threat
because those ports will not be available to be used for other purposes.

This issue can be exploited by any user who can authenticate with ftpd.
If the system is configured to use anonymous ftp, the anonymous ftp user
can also exploit this vulnerability.

ftpd ships as part of the bos.net.tcp.client fileset. To determine if this
fileset is installed, execute the following command:

# lslpp -L bos.net.tcp.client

If the fileset is installed it will be listed along with its version
information, state, type and a description.


II. Impact
==========
A remote user may cause a denial of service or performance degradation.

III.  Solutions
===============

A. Official Fix

IBM provides the following fixes:

      APAR number for AIX 5.1.0: IY73498 (available approx.  09/07/05)
      APAR number for AIX 5.2.0: IY72942 (available approx.  09/05/05)
      APAR number for AIX 5.3.0: IY73497 (available approx.  09/05/05)

NOTE: Affected customers are urged to upgrade to 5.1.0, 5.2.0 or 5.3.0 at
the latest maintenance level.

B. Interim Fix

Interim fixes are available for AIX 5.1.0, 5.2.0 and 5.3.0. The ifixes can
be downloaded via ftp from:

    ftp://aix.software.ibm.com/aix/efixes/security/ftpd_ifix.tar.Z

ftpd_ifix.tar.Z is a compressed tarball containing this advisory, three
ifix packages and cleartext PGP signatures for each package.


Verify you have retrieved the ifixes intact:
- - - --------------------------------------------
The checksums below were generated using the "sum" and "md5sum" commands
and are as follows:

Filename                  sum         md5
======================================================================
IY73498_08.050701.epkg.Z  47978    94 0c92b7aae0c12b5779240d2a4dceeb26
IY72942_04.050701.epkg.Z  46458   104 c2cbf1618dad82ff621d5a28e2b1ff67
IY72942_05.050701.epkg.Z  37293   104 8482fcac5b46a191954ed163f9ed811f
IY72942_06.050701.epkg.Z  36063   104 6c9951a0fa5de3bc87179949c550669c
IY73497_01.050701.epkg.Z  51428   110 75f9ed3994ff69502ce552f2023f0249
IY73497_02.050701.epkg.Z  39327   110 e1872c5e87244e3b723ae58549adba9f


These sums should match exactly. The PGP signatures in the compressed
tarball and on this advisory can also be used to verify the integrity of
the various files they correspond to. If the sums or signatures cannot be
confirmed, double check the command results and the download site address.
If those are OK, contact IBM AIX Security at security-alert@xxxxxxxxxxxxxx
and describe the discrepancy.

IMPORTANT: If possible, it is recommended that a mksysb backup of the
system is created. Verify it is both bootable, and readable before
proceeding.

These ifixes have not been fully regression tested; thus, IBM does not
warrant the fully correct functioning of the ifix.  Customers install the
ifix and operate the modified version of AIX at their own risk.

Interim Fix Installation Instructions:
- - - --------------------------------------
These packages use the new Interim Fix Management Solution to install
and manage ifixes. More information can be found at:

     http://techsupport.services.ibm.com/server/aix.efixmgmt

To preview an epkg ifix installation execute the following command:

# emgr -e ipkg_name -p       # where ipkg_name is the name of the
                             # ifix package being previewed.

To install an epkg ifix package, execute the following command:

# emgr -e ipkg_name -X       # where ipkg_name is the name of the
                             # ifix package being installed.

The "X" flag will expand any filesystems if required.

Before the ifix is installed, ftpd should be stopped and once the ifix is
installed, it should be started again. By default the following command
can be used to stop ftpd:

# stopsrc -t ftp             # note that this will terminate
                             # current ftp connections.

The following command can be used to start ftpd:

# startsrc -t ftp

C. Workaround

There are several steps which can be taken to mitigate the risk posed by
this vulnerability:

1. Turn ftpd off if it is not needed. 
2. Do not allow anonymous FTP. A user with a valid username and password
   will still be able to exploit these issues but anonymous FTP users will
   not be able to.
3. Set the system wide network option "sockthresh" such that it will not
   consume a substantial amount of system memory. The appropriate value
   depends on the system in question.
4. Use the system wide network options "tcp_ephemeral_low" and
   "tcp_ephemeral_high" to specify a range of ephemeral ports. This will
   limit the range of ephemeral ports for the entire system. While this
   will not prevent ftpd from using all available ephemeral ports, it
   will limit the amount of system resources that ephemeral ports can
   consume.


IV. Obtaining Fixes
===================
AIX Version 5 APARs can be downloaded from:

     http://www-1.ibm.com/servers/eserver/support/pseries/aixfixes.html

Security related Interim Fixes can be downloaded from:

     ftp://aix.software.ibm.com/aix/efixes/security


V.  Contact Information
========================

If you would like to receive AIX Security Advisories via email, please
visit:
    https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs

Comments regarding the content of this announcement can be directed to:

     security-alert@xxxxxxxxxxxxxx

To request the PGP public key that can be used to communicate securely
with the AIX Security Team send email to security-alert@xxxxxxxxxxxxxx
with a subject of "get key". The key can also be downloaded from a PGP
Public Key Server. The key id is 0x9391C1F2.

Please contact your local IBM AIX support center for any assistance.

eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their
respective holders.

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCy+g/xwSSvpORwfIRAgi1AJ9Rgv4AnmVMhc9a/8hJJwByZke3BwCdG3O3
Vpig/7q6e2ivwPAMfwADUxA=
=RjMX
- -----END PGP SIGNATURE-----




2.




- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Tue Apr 12 13:46:38 UTC 2005
| Updated: Fri Apr 22 13:30:03 UTC 2005
| Updated network option example
| Updated: Wed Jul  6 08:38:14 CDT 2005
| Added 5100-08 interim fix.
| Updated APAR availability info.
==========================================================================
VULNERABILITY SUMMARY

VULNERABILITY:      Various communication protocol vulnerabilities.

PLATFORMS:          AIX 5.1, 5.2 and 5.3

SOLUTION:           Apply the workarounds, ifixes or APARs as described
                    below.

THREAT:             Remote attackers may be able to cause performance
                    degradation or a denial of service.
                   

CERT VU Number: VU#222750, VU#415294
NISCC: Advisory #532967, #236929
CVE: CAN-2004-1060, CAN-2004-0791, CAN-2004-0230
US-CERT: TA04-111A
==========================================================================
                           DETAILED INFORMATION


I.  Description
===============
This advisory addresses various vulnerabilities in the TCP, ICMP and IP
protocols.


ICMP Vulnerabilities
- - --------------------
Vulnerabilities have been discovered in ICMP that can be exploited to reset
arbitrary TCP connections (blind connection-reset attacks, CAN-2004-0790)
or reduce the throughput between two hosts that rely on IP to communicate
(blind throughput-reduction attacks). The ICMP vulnerabilities correspond
to the vulnerabilities discussed in NISCC Advisory #532967 and CERT
Vulnerability Note VU#222750. AIX 5L is not vulnerable to the blind
connection-reset vulnerability. There are two known blind
throughput-reduction attacks: the ICMP Source Quench attack (CAN-2004-0791)
and the ICMP attack against the PMTU Discovery mechanism (CAN-2004-1060).
AIX is affected by both blind throughput-reduction attacks. A detailed
discussion of these ICMP vulnerabilities can be found in an IETF draft
which is currently available at
http://www.ietf.org/internet-drafts/draft-gont-tcpm-icmp-attacks-03.txt.


TCP Vulnerabilities
- - -------------------
Vulnerabilities have been reported in TCP (US-CERT TA04-111A, CERT
VU#415294, NISCC Advisory #236929, CAN-2004-0230).

The vulnerabilities discussed include issues that allow an attacker to
cause arbitrary TCP connections to end prematurely (blind reset attack) or
inject arbitrary data into a TCP stream (blind data injection attack).
There are two variations of the blind reset attack. One variation, the
blind reset attack using the RST bit, allows an attacker to reset a
connection if the RST bit is set and the sequence number can be predicted.
The second variation, the blind reset attack using the SYN bit, allows an
attacker to tear down a connection if he sends a SYN packet to a host and
successfully associates this packet with a connection in the ESTABLISHED
state as described below. Note that several pre-conditions must exist for
an attacker to successfully exploit these vulnerabilities. First, the
attacker must guess source and destination IP addresses and port numbers.
Second, the attacker must craft a TCP packet with a sequence number within
a given range. Third, the TCP connection must exist long enough for an
attacker to predict a TCP sequence number.  Many applications use TCP in a
manner that makes it very difficult for an attacker to fulfill these
pre-conditions.  A detailed discussion of these TCP vulnerabilities can be
found in an IETF draft which is currently available at
http://www.ietf.org/internet-drafts/draft-ietf-tcpm-tcpsecure-02.txt.


IP Vulnerabilities
- - ------------------
IP Fragmentation attacks are attacks that send a large number of IP
fragments to a host in an attempt to cause performance degradation or a
denial of service.


II. Impact
==========

ICMP Vulnerabilities
- - --------------------
The blind throughput-reduction attacks can both be exploited to reduce the
throughput of a TCP connection.

TCP Vulnerabilities
- - -------------------
An attacker may cause an existing TCP connection to terminate prematurely
or inject arbitrary data into an existing TCP stream.

IP Vulnerabilities
- - ------------------
An attacker may cause performance degradation resulting in a denial of
service.


III.  Solutions
===============

A. Official Fix

IBM provides the following fixes:


ICMP Vulnerabilities
- - --------------------
| Updated: Wed Jul  6 08:38:14 CDT 2005
| Updated APAR availability info.
|      APAR number for AIX 5.1.0:  IY70028 (available approx. 09/07/05)
|      APAR number for AIX 5.2.0:  IY70027 (available)
|      APAR number for AIX 5.3.0:  IY70026 (available)

These fixes introduce a new network option that can be set using the "no"
(network options) command. The option name is "tcp_icmpsecure" and it can
be enabled using the following command:

# no -o tcp_icmpsecure=1

This option is off by default.

TCP Vulnerabilities
- - -------------------

      APAR number for AIX 5.1.0:  IY55950 (available)
      APAR number for AIX 5.2.0:  IY55949 (available)
      APAR number for AIX 5.3.0:  IY62006 (available)

These fixes introduce a new network option that can be set using the "no"
command. The option name is "tcp_tcpsecure" and it can be enabled using
the following command:

| Updated: Fri Apr 22 13:30:03 UTC 2005
| Updated network option example
|# no -o tcp_tcpsecure=X

Note that X must be a value between 0 and 7; this option is off by default.
The following table documents the effect for different values of X.

tcp_tcpsecure Value   Issue addressed
==========================================================================
0                     None
1                     Blind reset attack using the RST bit
2                     Blind reset attack using the SYN bit
3                     Both issues addressed by tcp_tcpsecure value 1 and 2
4                     Blind data injection attack
5                     Both issues addressed by tcp_tcpsecure value 1 and 4
6                     Both issues addressed by tcp_tcpsecure value 2 and 4
7                     Issues addressed by tcp_tcpsecure values 1, 2 and 4


IP Vulnerabilities
- - ------------------

      APAR number for AIX 5.1.0:  IY63365 (available)
      APAR number for AIX 5.2.0:  IY63364 (available)
      APAR number for AIX 5.3.0:  IY63363 (available)

These fixes introduce a new network option that can be set using the "no"
command. The option name is "ip_nfrag" and it can be enabled using the
following command:

# no -o ip_nfrag=X

ip_nfrag specifies the maximum number of fragments of an IP packet that can
be kept in the IP reassembly queue at any time. The default value of this
network option is 200, which is a reasonable value for most environments
and which offers protection from IP fragmentation attacks.
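The three options above (tcp_icmpsecure, the tcp_tcpsecure bitmask from the table, ip_nfrag) and the ephemeral-port range from the ftpd workaround in bulletin 1 can all be read back from `no -a` output. The script below is an added audit example, not IBM's code; the `no -a` sample it embeds is constructed, and on a real host you would pipe the live output in instead.

```shell
#!/bin/sh
# Audit of the AIX network options named in this briefing, run over
# "name = value" lines in the shape `no -a` prints. SAMPLE_NO_A below is
# constructed, not captured from a real host. On AIX:  no -a | audit_no_options

# Print the value of option $1 from "name = value" lines on stdin, or
# "unset" when the option is absent (an option only exists once its APAR
# or ifix is installed).
no_value() {
    awk -v name="$1" '
        $1 == name && $2 == "=" { print $3; found = 1 }
        END { if (!found) print "unset" }'
}

# Decode a tcp_tcpsecure value 0-7 into the issues it addresses, using the
# bit meanings from the table above (1 RST reset, 2 SYN reset, 4 data
# injection); values 3, 5, 6 and 7 are sums of those bits.
tcpsecure_describe() {
    v=$1
    case $v in
        [0-7]) ;;
        *) echo "invalid"; return 1 ;;
    esac
    out=""
    if [ $((v & 1)) -ne 0 ]; then out="${out}blind-reset-RST,"; fi
    if [ $((v & 2)) -ne 0 ]; then out="${out}blind-reset-SYN,"; fi
    if [ $((v & 4)) -ne 0 ]; then out="${out}blind-data-injection,"; fi
    if [ -z "$out" ]; then out="none,"; fi
    echo "${out%,}"
}

# Read `no -a` style output on stdin, print one finding per line, and
# return 0 only when tcp_icmpsecure is on, tcp_tcpsecure covers all three
# TCP issues, and ip_nfrag is present.
audit_no_options() {
    input=$(cat)
    rc=0

    icmp=$(printf '%s\n' "$input" | no_value tcp_icmpsecure)
    if [ "$icmp" = "1" ]; then
        echo "OK   tcp_icmpsecure=1 (source quench / PMTU attacks mitigated)"
    else
        echo "FAIL tcp_icmpsecure=$icmp (off by default; set to 1 once the ICMP fix is installed)"
        rc=1
    fi

    tcps=$(printf '%s\n' "$input" | no_value tcp_tcpsecure)
    case $tcps in
        7) echo "OK   tcp_tcpsecure=7 ($(tcpsecure_describe 7))" ;;
        [0-6]) echo "FAIL tcp_tcpsecure=$tcps covers only: $(tcpsecure_describe "$tcps")"; rc=1 ;;
        *) echo "FAIL tcp_tcpsecure=$tcps (TCP fix not installed?)"; rc=1 ;;
    esac

    nfrag=$(printf '%s\n' "$input" | no_value ip_nfrag)
    case $nfrag in
        unset) echo "FAIL ip_nfrag unset (IP fragmentation fix not installed?)"; rc=1 ;;
        *) if [ "$nfrag" -le 200 ]; then
               echo "OK   ip_nfrag=$nfrag (advisory default is 200)"
           else
               echo "WARN ip_nfrag=$nfrag above the 200 default; larger reassembly queue"
           fi ;;
    esac

    # Ephemeral range from the ftpd workaround: the attack described there
    # exhausts this range, so its size bounds the resources it can consume.
    lo=$(printf '%s\n' "$input" | no_value tcp_ephemeral_low)
    hi=$(printf '%s\n' "$input" | no_value tcp_ephemeral_high)
    case "$lo$hi" in
        *unset*) echo "INFO ephemeral port range not reported" ;;
        *) echo "INFO ephemeral ports $lo-$hi ($((hi - lo + 1)) ports)" ;;
    esac
    return $rc
}

# Constructed sample (not from any real host): TCP and IP fixes applied,
# tcp_tcpsecure at 5, ICMP option still at its default of 0.
SAMPLE_NO_A='
              ip_nfrag = 200
            sockthresh = 85
    tcp_ephemeral_high = 65535
     tcp_ephemeral_low = 32768
        tcp_icmpsecure = 0
         tcp_tcpsecure = 5'

if printf '%s\n' "$SAMPLE_NO_A" | audit_no_options; then
    echo "sample host: all advisory options set"
else
    echo "sample host: remediation needed"
fi
```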


NOTE: Affected customers are urged to upgrade to 5.1.0, 5.2.0 or 5.3.0 at
the latest maintenance level.

B. Interim Fix

Interim fixes are available. The fixes can be downloaded via ftp from:

     ftp://aix.software.ibm.com/aix/efixes/security/icmp_efix.tar.Z

icmp_efix.tar.Z is a compressed tarball containing this advisory, four
ifix packages and a cleartext PGP signature for each ifix package. The
following table maps the ifix package to the AIX Maintenance Packages and
fileset prerequisites necessary to install the ifixes. The prerequisite
filesets must be installed on top of the listed AIX Maintenance Packages.
IY70027_04.040705.epkg.Z addresses the ICMP, TCP and IP vulnerabilities.
The other ifixes only address the ICMP vulnerabilities since the
prerequisites for these ifixes include fixes for the TCP vulnerabilities
and IP vulnerabilities.


| Updated: Wed Jul  6 08:38:14 CDT 2005
| Added 5100-08 interim fix.
Filename                    AIX Maintenance    Prerequisite
                            Package
==========================================================================
IY70028_07.040705.epkg.Z    5100-07            bos.net.tcp.client 5.1.0.66
|IY70027_07.062905.epkg.Z    5100-08           bos.net.tcp.client 5.1.0.67
IY70027_04.040705.epkg.Z    5200-04            bos.net.tcp.client 5.2.0.43
                                               bos.adt.include 5.2.0.43
IY70027_05.040705.epkg.Z    5200-05            bos.net.tcp.client 5.2.0.52
IY70026_01.040705.epkg.Z    5300-01            bos.net.tcp.client 5.3.0.10

Verify you have retrieved the ifixes intact:
- - --------------------------------------------
The checksums below were generated using the "sum" and "md5sum" commands
and are as follows:

| Updated: Wed Jul  6 08:38:14 CDT 2005
| Added 5100-08 interim fix.
Filename                  sum           md5
========================================================================
IY70026_01.040705.epkg.Z  57890   572   c9d0d9b1c78fa30ec950d4199fbdfb91
IY70027_04.040705.epkg.Z  21321   538   21e413ec1dd25c5cb38b284988453747
IY70027_05.040705.epkg.Z  12738   541   dcea6831c314d4eb2791eff9cb9bd53a
IY70028_07.040705.epkg.Z  59897   518   84ec1447d0ad56cc9b053b757d160bc2
| IY70028_08.050706.epkg.Z  02144   518   eb0f7793d492d9fdce58d95a091f2e0e

These sums should match exactly. The PGP signatures in the compressed
tarball and on this advisory can also be used to verify the integrity of
the various files they correspond to. If the sums or signatures cannot be
confirmed, double check the command results and the download site address.
If those are OK, contact IBM AIX Security at security-alert@xxxxxxxxxxxxxx
and describe the discrepancy.

IMPORTANT: If possible, it is recommended that a mksysb backup of the
system is created. Verify it is both bootable, and readable before
proceeding.

These ifixes have not been fully regression tested; thus, IBM does not
warrant the fully correct functioning of the ifix. Customers install the
ifix and operate the modified version of AIX at their own risk.

Interim fix Installation Instructions:
- - --------------------------------------
Please note that these fix packages will require the prerequisites listed
above to install successfully and that a reboot is required for these
changes to take effect. After installing the ifix, it is necessary to 
tune the appropriate network options as described above.

These packages use the new Interim Fix Management Solution to install
and manage ifixes. More information can be found at:

     http://techsupport.services.ibm.com/server/aix.efixmgmt

To preview an epkg ifix installation execute the following command:

# emgr -e ipkg_name -p       # where ipkg_name is the name of the
                             # ifix package being previewed.

To install an epkg ifix package, execute the following command:

# emgr -e ipkg_name -X       # where ipkg_name is the name of the
                             # ifix package being installed.

The "X" flag will expand any filesystems if required.

C. Workaround

ICMP Vulnerabilities
- - --------------------
ICMP Source Quench blind throughput-reduction attack can be mitigated by
using firewall rules to block ICMP Source Quench packets.

TCP Vulnerabilities
- - -------------------
Ingress filtering can be used to prevent IP source address spoofing.

Another approach is to use small tcp windows. This can be done by turning
the network option "rfc1323" off using the "no" command. This will not
ensure total protection against these vulnerabilities but it will reduce
the probability that they can be exploited.


IV. Obtaining Fixes
===================

AIX Version 5 APARs can be downloaded from:

     http://www-1.ibm.com/servers/eserver/support/pseries/aixfixes.html

Security related Interim Fixes can be downloaded from:

     ftp://aix.software.ibm.com/aix/efixes/security


V.  Contact Information
========================

If you would like to receive AIX Security Advisories via email, please
visit:
     https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs

Comments regarding the content of this announcement can be directed to:

     security-alert@xxxxxxxxxxxxxx

To request the PGP public key that can be used to communicate securely
with the AIX Security Team send email to security-alert@xxxxxxxxxxxxxx
with a subject of "get key". The key can also be downloaded from a PGP
Public Key Server. The key id is 0x9391C1F2.

Please contact your local IBM AIX support center for any assistance.

eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their
respective holders.

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCzBSLxwSSvpORwfIRAthSAJsF4JzBx6gPCHcXsHre59SzCzxNvQCfecQc
c0uPRXXeU5w/WJtlVJVqA+w=
=kZm5
- -----END PGP SIGNATURE-----




3.




- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued:  Thu Jun  9 18:09:13 CDT 2005
|Updated: Wed Jul  6 08:38:14 CDT 2005
|Added APAR and interim fix information.

==========================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:      A buffer overflow vulnerability in the diagTasksWebSM
                    command may allow any local user in the system group
                    to gain root privileges.

PLATFORMS:          AIX 5.1, 5.2 and 5.3.

|Updated: Tue Jul  5 10:41:13 CDT 2005
|Added APAR and interim fix information.
|SOLUTION:           Apply the APAR, interim fix or workaround as
|                    described below.

THREAT:             A local user in the system group may gain root
                    privileges.

CERT VU Number:     N/A
CVE Number:         N/A
=========================================================================
                           DETAILED INFORMATION


I.  Description
===============

A vulnerability was discovered in the diagTasksWebSM command that allows a
local user in the system group to gain root privileges. Exploits for this
vulnerability may be publicly available.

The command affected by this issue ships as part of the bos.diag.rte
fileset. To determine if this fileset is installed, execute the following
command:

# lslpp -L bos.diag.rte

If the fileset is installed it will be listed along with its version
information, state, type and a description.


II. Impact
==========

A local user in the system group may exploit this buffer overflow
vulnerability to gain root privileges.


III.  Solutions
===============

|Updated: Wed Jul  6 08:38:14 CDT 2005
|Added APAR and interim fix information.
|
|A. Official Fix
|
|IBM provides the following fixes:
|
|      APAR number for AIX 5.1.0: IY72706 (available approx. 09/07/05)
|      APAR number for AIX 5.2.0: IY72701 (available approx. 09/05/05)
|      APAR number for AIX 5.3.0: IY72704 (available approx. 09/05/05)
|
|NOTE: Affected customers are urged to upgrade to 5.1.0, 5.2.0 or 5.3.0 at
|the latest maintenance level.
|
|B. Interim Fix
|
|Interim fixes are available for AIX 5.1.0, 5.2.0 and 5.3.0. The ifixes can be
|downloaded via ftp from:
|
|    ftp://aix.software.ibm.com/aix/efixes/security/diagTasks_ifix.tar.Z
|
|diagTasks_ifix.tar.Z is a compressed tarball containing this advisory,
|three ifix packages and cleartext PGP signatures for each ifix package.
|
|
|Verify you have retrieved the fixes intact:
|--------------------------------------------
|The checksums below were generated using the "sum" and "md5sum" commands
|and are as follows:
|
|Filename                  sum           md5
|=======================================================================
|IY72706-08.050610.epkg.Z  62517     8   f07ad637797098cda26ec57ac68795a8
|IY72701-04.050610.epkg.Z  51315     8   01fb6b4b2704b43cc6066b86ec9437d8
|IY72701-05.050610.epkg.Z  00089     8   5a2b38c64064bc1eb37418109e3eadd1
|IY72701-06.050610.epkg.Z  59449     8   9334797c75e5aaabc97914c086e4b64a
|IY72704-01.050610.epkg.Z  13349     8   d6d7349833d1ed30974e23827141a741
|IY72704-02.050610.epkg.Z  24200     8   8e7b053ae10a0af71c42a4efa02d5bcc
|
|
|
|
|These sums should match exactly. The PGP signatures in the compressed
|tarball and on this advisory can also be used to verify the integrity of
|the various files they correspond to. If the sums or signatures cannot be
|confirmed, double check the command results and the download site
|address. If those are OK, contact IBM AIX Security at
|security-alert@xxxxxxxxxxxxxx and describe the discrepancy.
|
|IMPORTANT: If possible, it is recommended that a mksysb backup of the
|system is created. Verify it is both bootable, and readable before
|proceeding.
|
|These ifixes have not been fully regression tested; thus, IBM does not
|warrant the fully correct functioning of the ifix.  Customers install the
|ifix and operate the modified version of AIX at their own risk.
|
|Interim Fix Installation Instructions:
|--------------------------------------
|These packages use the new Interim Fix Management Solution to install
|and manage ifixes. More information can be found at:
|
|     http://techsupport.services.ibm.com/server/aix.efixmgmt
|
|To preview an epkg ifix installation execute the following command:
|
|# emgr -e ipkg_name -p       # where ipkg_name is the name of the
|                             # ifix package being previewed.
|
|To install an epkg ifix package, execute the following command:
|
|# emgr -e ipkg_name -X       # where ipkg_name is the name of the
|                             # ifix package being installed.
|
|The "X" flag will expand any filesystems if required.


C. Workaround

Setting the file mode bits to 500 will allow only the root user to execute
this command. This can be done by executing the following command as root:

#  chmod 500 /usr/lpp/diagnostics/bin/diagTasksWebSM

Verify that the file mode bits have been updated:

# cd /usr/lpp/diagnostics/bin
# ls -la diagTasksWebSM
-r-x------   1 root     system         5946 Mar 14 08:05 diagTasksWebSM


IV. Obtaining Fixes
===================

AIX Version 5 APARs can be downloaded from:

     http://www-1.ibm.com/servers/eserver/support/pseries/aixfixes.html

Security related Interim Fixes can be downloaded from:

     ftp://aix.software.ibm.com/aix/efixes/security


V.  Contact Information
=======================

If you would like to receive AIX Security Advisories via email, please
visit:

     https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs

Comments regarding the content of this announcement can be directed to:

     security-alert@xxxxxxxxxxxxxx

To request the PGP public key that can be used to communicate securely
with the AIX Security Team send email to security-alert@xxxxxxxxxxxxxx
with a subject of "get key". The key can also be downloaded from a PGP
Public Key Server. The key id is 0x9391C1F2.

Please contact your local IBM AIX support center for any assistance.

eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their respective
holders.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCy+V1xwSSvpORwfIRAlYIAJ0WijYks1Unn9NzG/cWf5WMnCt4rwCdEDlO
IuIkTeNHyh9va39ORaY8kiQ=
=Hec/
- -----END PGP SIGNATURE-----




4.




- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Thu Jun  9 13:31:06 CDT 2005
|Updated: Wed Jul  6 08:38:14 CDT 2005
|Added APAR and interim fix information.

==========================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:      A buffer overflow vulnerability in the getlvname
                    command may allow any local user in the system group
                    to gain root privileges.

PLATFORMS:          AIX 5.1, 5.2 and 5.3.

|Updated: Tue Jul  5 10:41:13 CDT 2005
|Added APAR and interim fix information.
|SOLUTION:           Apply the APAR, interim fix or workaround as
|                    described below.

THREAT:             A local user in the system group may gain root
                    privileges.

CERT VU Number:     N/A
CVE Number:         N/A
=========================================================================
                           DETAILED INFORMATION


I.  Description
===============

A vulnerability was discovered in the getlvname command that allows a
local user in the system group to gain root privileges. Exploits for this
vulnerability may be publicly available.

The command affected by this issue ships as part of the bos.rte.lvm
fileset. To determine if this fileset is installed, execute the following
command:

# lslpp -L bos.rte.lvm

If the fileset is installed it will be listed along with its version
information, state, type and a description.


II. Impact
==========

A local user in the system group may exploit this buffer overflow
vulnerability to gain root privileges.


III.  Solutions
===============

|Updated: Wed Jul  6 08:38:14 CDT 2005
|Added APAR and interim fix information.
|
|A. Official Fix
|
|IBM provides the following fixes:
|
|      APAR number for AIX 5.1.0: IY72713 (available approx. 09/07/05)
|      APAR number for AIX 5.2.0: IY72712 (available approx. 09/05/05)
|      APAR number for AIX 5.3.0: IY72711 (available approx. 09/05/05)
|
|NOTE: Affected customers are urged to upgrade to 5.1.0, 5.2.0 or 5.3.0 at
|the latest maintenance level.
|
|B. Interim Fix
|
|Interim fixes are available for AIX 5.1.0, 5.2.0 and 5.3.0. The ifixes can be
|downloaded via ftp from:
|
|    ftp://aix.software.ibm.com/aix/efixes/security/getlvname_ifix.tar.Z
|
|getlvname_ifix.tar.Z is a compressed tarball containing this advisory,
|three ifix packages and cleartext PGP signatures for each ifix package.
|
|
|Verify you have retrieved the fixes intact:
|--------------------------------------------
|The checksums below were generated using the "sum" and "md5sum" commands
|and are as follows:
|
|Filename                sum             md5
|=======================================================================
|IY72713_08.epkg.Z       36193    10     176efdc3bad9abfcec9462385824bc88
|IY72712_04.epkg.Z       03452    10     5ca19bc5e53622f762880ea5a0758130
|IY72712_05.epkg.Z       03452    10     5ca19bc5e53622f762880ea5a0758130
|IY72712_06.epkg.Z       03452    10     5ca19bc5e53622f762880ea5a0758130
|IY72711_01.epkg.Z       61042    10     55be2e253348dacf836d5c7e0788f882
|IY72711_02.epkg.Z       61042    10     55be2e253348dacf836d5c7e0788f882
|
|
|These sums should match exactly. The PGP signatures in the compressed
|tarball and on this advisory can also be used to verify the integrity of
|the various files they correspond to. If the sums or signatures cannot be
|confirmed, double check the command results and the download site
|address. If those are OK, contact IBM AIX Security at
|security-alert@xxxxxxxxxxxxxx and describe the discrepancy.
|
|IMPORTANT: If possible, it is recommended that a mksysb backup of the
|system is created. Verify it is both bootable and readable before
|proceeding.
|
|These ifixes have not been fully regression tested; thus, IBM does not
|warrant the fully correct functioning of the ifix.  Customers install the
|ifix and operate the modified version of AIX at their own risk.
|
|Interim fix Installation Instructions:
|-------------------------------
|These packages use the new Interim Fix Management Solution to install
|and manage ifixes. More information can be found at:
|
|     http://techsupport.services.ibm.com/server/aix.efixmgmt
|
|To preview an epkg ifix installation execute the following command:
|
|# emgr -e ipkg_name -p       # where ipkg_name is the name of the
|                             # ifix package being previewed.
|
|To install an epkg ifix package, execute the following command:
|
|# emgr -e ipkg_name -X       # where ipkg_name is the name of the
|                             # ifix package being installed.
|
|The "X" flag will expand any filesystems if required.


C. Workaround

Setting the file mode bits to 500 will allow only the root user to execute
this command. This can be done by executing the following command as root:

# chmod 500 /usr/sbin/getlvname

Verify that the file mode bits have been updated:

# ls -la /usr/sbin/getlvname
-r-x------   1 root     system   8392 May 16 14:30 /usr/sbin/getlvname


IV. Obtaining Fixes
===================

AIX Version 5 APARs can be downloaded from:

     http://www-1.ibm.com/servers/eserver/support/pseries/aixfixes.html

Security related Interim Fixes can be downloaded from:

     ftp://aix.software.ibm.com/aix/efixes/security


V.  Contact Information
=======================

If you would like to receive AIX Security Advisories via email, please
visit:

     https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs

Comments regarding the content of this announcement can be directed to:

     security-alert@xxxxxxxxxxxxxx

To request the PGP public key that can be used to communicate securely
with the AIX Security Team send email to security-alert@xxxxxxxxxxxxxx
with a subject of "get key". The key can also be downloaded from a PGP
Public Key Server. The key id is 0x9391C1F2.

Please contact your local IBM AIX support center for any assistance.

eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their respective
holders.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCy+QHxwSSvpORwfIRAmMTAJ4wSLNs50byZYi8yyEUZC8CK1qG4gCfbWHO
T5mHZZvWiAXT6ieicmwcJEk=
=fgA8
- -----END PGP SIGNATURE-----




5.




- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued:  Fri Jun 10 13:12:27 CDT 2005
|Updated: Wed Jul  6 08:38:14 CDT 2005
|Added APAR and interim fix information.

==========================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:      A buffer overflow vulnerability in the penable command
                    may allow any local user in the system group to gain
                    root privileges.

PLATFORMS:          AIX 5.1, 5.2 and 5.3.

|Updated: Tue Jul  5 10:41:13 CDT 2005
|Added APAR and interim fix information.
|SOLUTION:           Apply the APAR, interim fix or workaround as
|                    described below.

THREAT:             A local user in the system group may gain root
                    privileges.

CERT VU Number:     N/A
CVE Number:         N/A
=========================================================================
                           DETAILED INFORMATION


I.  Description
===============

A vulnerability was discovered in the penable command that allows a
local user in the system group to gain root privileges. Exploits for this
vulnerability may be publicly available. penable is one of six hard links.
The other hard links are pdisable, pstart, phold, pdelay and pshare. These
commands are used to perform various port management functions.

The command affected by this issue ships as part of the bos.rte.control
fileset. To determine if this fileset is installed, execute the following
command:

# lslpp -w /usr/sbin/penable

If the fileset is installed it will be listed along with its version
information, state, type and a description.


II. Impact
==========

A local user in the system group may exploit this buffer overflow
vulnerability to gain root privileges.


III.  Solutions
===============

|Updated: Wed Jul  6 08:38:14 CDT 2005
|Added APAR and interim fix information.
|
|A. Official Fix
|
|IBM provides the following fixes:
|
|      APAR number for AIX 5.1.0: IY72763 (available approx. 09/07/05)
|      APAR number for AIX 5.2.0: IY72761 (available approx. 09/05/05)
|      APAR number for AIX 5.3.0: IY72760 (available approx. 09/05/05)
|
|NOTE: Affected customers are urged to upgrade to 5.1.0, 5.2.0 or 5.3.0 at
|the latest maintenance level.
|
|B. Interim Fix
|
|Interim fixes are available for AIX 5.1.0, 5.2.0 and 5.3.0. The ifixes can be
|downloaded via ftp from:
|
|    ftp://aix.software.ibm.com/aix/efixes/security/pcmds_ifix.tar.Z
|
|pcmds_ifix.tar.Z is a compressed tarball containing this advisory,
|three ifix packages and cleartext PGP signatures for each ifix package.
|
|
|Verify you have retrieved the fixes intact:
|-------------------------------------------
|The checksums below were generated using the "sum" and "md5sum" commands
|and are as follows:
|
|Filename                 sum           md5
|=======================================================================
|IY72763_08.050712.epkg.Z  39174    14  5b262860e6c56e6eeab0c515cd0fab1e
|IY72761_04.050712.epkg.Z  08179    14  ef54338195e2d7d4c3c4ac9cb09aac18
|IY72761_05.050712.epkg.Z  12396    14  a5442756aec069acd3af8e904f98e385
|IY72761_06.050712.epkg.Z  30256    14  d1cf370591d668653574fc31da44898c
|IY72760_01.050712.epkg.Z  43143    14  6e716322b411f6be36bfed2927d710f0
|IY72760_02.050712.epkg.Z  08844    14  f99274ea4c4bcff840568f6b850c488e
|
|
|
|
|These sums should match exactly. The PGP signatures in the compressed
|tarball and on this advisory can also be used to verify the integrity of
|the various files they correspond to. If the sums or signatures cannot be
|confirmed, double check the command results and the download site
|address. If those are OK, contact IBM AIX Security at
|security-alert@xxxxxxxxxxxxxx and describe the discrepancy.
|
|IMPORTANT: If possible, it is recommended that a mksysb backup of the
|system is created. Verify it is both bootable and readable before
|proceeding.
|
|These ifixes have not been fully regression tested; thus, IBM does not
|warrant the fully correct functioning of the ifix.  Customers install the
|ifix and operate the modified version of AIX at their own risk.
|
|Interim Fix Installation Instructions:
|-------------------------------
|These packages use the new Interim Fix Management Solution to install
|and manage ifixes. More information can be found at:
|
|     http://techsupport.services.ibm.com/server/aix.efixmgmt
|
|To preview an epkg ifix installation execute the following command:
|
|# emgr -e ipkg_name -p       # where ipkg_name is the name of the
|                             # ifix package being previewed.
|
|To install an epkg ifix package, execute the following command:
|
|# emgr -e ipkg_name -X       # where ipkg_name is the name of the
|                             # ifix package being installed.
|
|The "X" flag will expand any filesystems if required.

C. Workaround

Setting the file mode bits to 500 will allow only the root user to execute
this command. This can be done by executing the following command as root:

# chmod 500 /usr/sbin/penable

Since penable, pdisable, pstart, phold, pdelay and pshare are hard links to
the same file, they will all be affected by this change.

Verify that the file mode bits have been updated:

# ls -la /usr/sbin/penable
-r-x------   6 root     system        19366 May 16 14:30 /usr/sbin/penable


IV. Obtaining Fixes
===================

AIX Version 5 APARs can be downloaded from:

     http://www-1.ibm.com/servers/eserver/support/pseries/aixfixes.html

Security related Interim Fixes can be downloaded from:

     ftp://aix.software.ibm.com/aix/efixes/security


V.  Contact Information
=======================

If you would like to receive AIX Security Advisories via email, please
visit:

     https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs

Comments regarding the content of this announcement can be directed to:

     security-alert@xxxxxxxxxxxxxx

To request the PGP public key that can be used to communicate securely
with the AIX Security Team send email to security-alert@xxxxxxxxxxxxxx
with a subject of "get key". The key can also be downloaded from a PGP
Public Key Server. The key id is 0x9391C1F2.

Please contact your local IBM AIX support center for any assistance.

eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their
respective holders.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCy+EKxwSSvpORwfIRAvPOAJ9kwvCTYLwVJh7QO9I+fUKVZlKaJACfYJu6
7WNEJfWUSi0hTkJcKYDtPAE=
=aayG
- -----END PGP SIGNATURE-----




6.




- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Thu Jun  9 13:31:06 CDT 2005
|Updated: Wed Jul  6 08:38:14 CDT 2005
|Added APAR and interim fix information.
=========================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:      A buffer overflow vulnerability in the invscout command
                    allows any local user to get root privileges.

PLATFORMS:          AIX 5.1, 5.2 and 5.3.

|Updated: Tue Jul  5 10:41:13 CDT 2005
|Added APAR and interim fix information.
|SOLUTION:           Apply the APAR, interim fix or workaround as
|                    described below.

THREAT:             A local user may gain root privileges.

CERT VU Number:     N/A
CVE Number:         N/A
=========================================================================
                           DETAILED INFORMATION


I.  Description
===============

A vulnerability was discovered in the invscout command that allows a local
user to gain root privileges. Exploits for this vulnerability may be
publicly available.

The command affected by this issue ships as part of the invscout.rte
fileset. To determine if this fileset is installed, execute the following
command:

# lslpp -L invscout.rte

If the fileset is installed it will be listed along with its version
information, state, type and a description.


II. Impact
==========
Any local user can exploit this buffer overflow vulnerability to gain root
privileges.


III.  Solutions
===============

|Updated: Wed Jul  6 08:38:14 CDT 2005
|Added APAR and interim fix information.
|
|A. Official Fix
|
|IBM provides the following fixes:
|
|      APAR number for AIX 5.1.0: IY72752 (available approx. 09/07/05)
|      APAR number for AIX 5.2.0: IY72751 (available approx. 09/05/05)
|      APAR number for AIX 5.3.0: IY72759 (available approx. 09/05/05)
|
|NOTE: Affected customers are urged to upgrade to 5.1.0, 5.2.0 or 5.3.0 at
|the latest maintenance level.
|
|B. Interim Fix
|
|Interim fixes are available for AIX 5.1.0, 5.2.0 and 5.3.0. The ifixes can be
|downloaded via ftp from:
|
|    ftp://aix.software.ibm.com/aix/efixes/security/is_ifix.tar.Z
|
|is_ifix.tar.Z is a compressed tarball containing this advisory,
|three ifix packages and cleartext PGP signatures for each ifix package.
|
|
|Verify you have retrieved the fixes intact:
|--------------------------------------------
|The checksums below were generated using the "sum" and "md5sum" commands
|and are as follows:
|
|Filename                 sum           md5
|=======================================================================
|IY72752_08.061305.epkg.Z  34974   474  38aee925bf6eede37df70f9b5b971e6b
|IY72751_04.061305.epkg.Z  33419   487  9474c2ed6e094c9499864d737987ffa9
|IY72751_05.061305.epkg.Z  18418   487  125f7995ec962d75c89e375391e13d2f
|IY72751_06.061305.epkg.Z  09287   487  b7601fd84acaeb28f4364f4a514de1a8
|IY72759_01.061305.epkg.Z  22671   487  a8259947ad953424c562a920f76e4ada
|IY72759_02.061305.epkg.Z  48313   487  e04e958160589a83e249ad1f4c2ff50e
|
|
|These sums should match exactly. The PGP signatures in the compressed
|tarball and on this advisory can also be used to verify the integrity of
|the various files they correspond to. If the sums or signatures cannot be
|confirmed, double check the command results and the download site
|address. If those are OK, contact IBM AIX Security at
|security-alert@xxxxxxxxxxxxxx and describe the discrepancy.
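The "verify you have retrieved the fixes intact" step is the same in all three advisories above (getlvname, penable and invscout). The following POSIX shell script is an added example, written here and not part of IBM's advisory or its ifix tooling: it checks each downloaded package against the published sum, block-count and md5 row using the same two tools IBM used to generate the table. The embedded rows are copied from the invscout table; the function names, the script's command-line handling and the temporary test inputs are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the IBM advisory): check downloaded ifix packages
# against the checksum table the advisory publishes, using the same two tools
# ("sum" and "md5sum") IBM used to produce it.
#
# The rows below are copied from the invscout advisory's table. Replace them
# with the rows from the advisory you are working from.
IFIX_CHECKSUMS='
IY72752_08.061305.epkg.Z  34974   474  38aee925bf6eede37df70f9b5b971e6b
IY72751_04.061305.epkg.Z  33419   487  9474c2ed6e094c9499864d737987ffa9
IY72751_05.061305.epkg.Z  18418   487  125f7995ec962d75c89e375391e13d2f
IY72751_06.061305.epkg.Z  09287   487  b7601fd84acaeb28f4364f4a514de1a8
IY72759_01.061305.epkg.Z  22671   487  a8259947ad953424c562a920f76e4ada
IY72759_02.061305.epkg.Z  48313   487  e04e958160589a83e249ad1f4c2ff50e
'

# verify_ifix FILE SUM BLOCKS MD5
# Returns 0 only when the "sum" checksum and block count AND the md5 digest
# of FILE all match the expected values; 1 on any mismatch or missing file.
verify_ifix() {
    _file=$1 _exp_sum=$2 _exp_blocks=$3 _exp_md5=$4
    if [ ! -f "$_file" ]; then
        echo "MISSING  $_file" >&2
        return 1
    fi
    # "sum" prints: <checksum> <blocks> [<file>]; keep the first two fields.
    _got_sum=$(sum "$_file" | awk '{print $1}')
    _got_blocks=$(sum "$_file" | awk '{print $2}')
    _got_md5=$(md5sum "$_file" | awk '{print $1}')
    # Compare checksum and block count numerically so a leading zero in the
    # advisory table ("09287") still matches what the tool prints.
    if [ "$_got_sum" -ne "$_exp_sum" ] || [ "$_got_blocks" -ne "$_exp_blocks" ]; then
        echo "SUM MISMATCH  $_file: got $_got_sum $_got_blocks, expected $_exp_sum $_exp_blocks" >&2
        return 1
    fi
    if [ "$_got_md5" != "$_exp_md5" ]; then
        echo "MD5 MISMATCH  $_file: got $_got_md5, expected $_exp_md5" >&2
        return 1
    fi
    echo "OK  $_file"
    return 0
}

# verify_all DIR
# Checks every package named in IFIX_CHECKSUMS that is present in DIR.
# Returns 0 only if at least one package was found and none failed.
verify_all() {
    _dir=${1:-.} _checked=0 _failed=0
    _old_ifs=$IFS
    IFS='
'
    # Iterate over the table one row at a time; blank rows are skipped.
    for _row in $IFIX_CHECKSUMS; do
        IFS=$_old_ifs
        set -- $_row
        [ $# -eq 4 ] || continue
        [ -f "$_dir/$1" ] || continue       # only check what was downloaded
        _checked=$((_checked + 1))
        verify_ifix "$_dir/$1" "$2" "$3" "$4" || _failed=$((_failed + 1))
    done
    IFS=$_old_ifs
    echo "$_checked package(s) checked, $_failed failed"
    [ "$_checked" -gt 0 ] && [ "$_failed" -eq 0 ]
}

# Usage: sh verify_ifix.sh --verify /path/to/extracted/is_ifix
if [ "${1:-}" = "--verify" ]; then
    verify_all "${2:-.}"
fi
```

Run the comparison on the AIX host where the packages will be installed: the checksum algorithm and block size reported by `sum` vary between platforms, and the md5 column is the stronger of the two checks in any case. The cleartext PGP signatures shipped in the tarball remain the authoritative integrity check; the script only automates the table comparison the advisory asks for.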
|
|IMPORTANT: If possible, it is recommended that a mksysb backup of the
|system is created. Verify it is both bootable and readable before
|proceeding.
|
|These ifixes have not been fully regression tested; thus, IBM does not
|warrant the fully correct functioning of the ifix.  Customers install the
|ifix and operate the modified version of AIX at their own risk.
|
|Interim Fix Installation Instructions:
|-------------------------------
|These packages use the new Interim Fix Management Solution to install
|and manage ifixes. More information can be found at:
|
|     http://techsupport.services.ibm.com/server/aix.efixmgmt
|
|To preview an epkg ifix installation execute the following command:
|
|# emgr -e ipkg_name -p       # where ipkg_name is the name of the
|                             # ifix package being previewed.
|
|To install an epkg ifix package, execute the following command:
|
|# emgr -e ipkg_name -X       # where ipkg_name is the name of the
|                             # ifix package being installed.
|
|The "X" flag will expand any filesystems if required.


C. Workaround

Setting the file mode bits to 500 will allow only the root user to execute
this command. This can be done by executing the following command as root:

# chmod 500 /usr/sbin/invscout

Verify that the file mode bits have been updated:

# ls -la /usr/sbin/invscout
-r-x------   1 root     system       465974 Mar 17 11:25 /usr/sbin/invscout
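The chmod 500 workaround and its ls -la verification step are the same for getlvname, penable and invscout. The following added example (mine, not IBM's) applies the workaround and then checks the same listing the advisories ask you to inspect: the mode string must be exactly -r-x------ (so no group, other, set-uid or set-gid bits remain), the owner must be root and, for penable, the link count must be 6 because pdisable, pstart, phold, pdelay and pshare are hard links to the same file. The function names, the ACL handling and the test inputs are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the IBM advisory): confirm that the chmod 500
# workaround has taken effect by parsing the "ls -l" listing the advisory
# tells you to inspect.

# check_workaround PATH [EXPECTED_LINKS] [EXPECTED_OWNER]
# Returns 0 when PATH is a regular file whose mode string is exactly
# -r-x------, whose owner is EXPECTED_OWNER (default root) and, when
# EXPECTED_LINKS is given, whose hard link count equals it.
# Returns 1 otherwise and reports each problem on stderr.
check_workaround() {
    _path=$1 _want_links=${2:-} _want_owner=${3:-root}
    if [ ! -f "$_path" ]; then
        echo "$_path: not a regular file" >&2
        return 1
    fi
    # ls -l fields: mode links owner group size date... name
    set -- $(ls -ld "$_path")
    _mode=$1 _links=$2 _owner=$3
    # A trailing "+" means an extended ACL is attached; an ACL can grant
    # access that the mode bits do not show (inspect with aclget on AIX).
    case $_mode in
        *+) echo "$_path: extended ACL present ($_mode); mode bits alone are not conclusive" >&2
            return 1 ;;
    esac
    # Some ls implementations append "." or "@" for security labels or
    # extended attributes; neither changes the permission bits.
    _mode=${_mode%[.@]}
    _rc=0
    if [ "$_mode" != "-r-x------" ]; then
        echo "$_path: mode is $_mode, expected -r-x------" >&2
        _rc=1
    fi
    if [ "$_owner" != "$_want_owner" ]; then
        echo "$_path: owner is $_owner, expected $_want_owner" >&2
        _rc=1
    fi
    if [ -n "$_want_links" ] && [ "$_links" -ne "$_want_links" ]; then
        echo "$_path: $_links hard links, expected $_want_links" >&2
        _rc=1
    fi
    return $_rc
}

# apply_workaround PATH [EXPECTED_LINKS] [EXPECTED_OWNER]
# Runs the advisory's chmod 500 (as root) and then verifies the result.
# Because hard links share one inode, changing the mode through any one
# of the penable names changes it for all six.
apply_workaround() {
    chmod 500 "$1" || return 1
    check_workaround "$1" "${2:-}" "${3:-root}"
}

# Usage as root on AIX:
#   apply_workaround /usr/sbin/getlvname 1
#   apply_workaround /usr/sbin/penable 6
#   apply_workaround /usr/sbin/invscout 1
```

The link-count check is what tells you that the file you changed is still the one shared by the other five port commands; if a count other than 6 comes back for penable, one of the names has been replaced by a separate copy that the chmod did not reach and must be checked on its own.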



IV. Obtaining Fixes
===================

AIX Version 5 APARs can be downloaded from:

     http://www-1.ibm.com/servers/eserver/support/pseries/aixfixes.html

Security related Interim Fixes can be downloaded from:

     ftp://aix.software.ibm.com/aix/efixes/security


V.  Contact Information
=======================

If you would like to receive AIX Security Advisories via email, please
visit:

     https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs

Comments regarding the content of this announcement can be directed to:

     security-alert@xxxxxxxxxxxxxx

To request the PGP public key that can be used to communicate securely
with the AIX Security Team send email to security-alert@xxxxxxxxxxxxxx
with a subject of "get key". The key can also be downloaded from a PGP
Public Key Server. The key id is 0x9391C1F2.

Please contact your local IBM AIX support center for any assistance.

eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their respective
holders.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCy98ExwSSvpORwfIRAuX+AJ43tELbRCLz0FKAJ1aM48wRTvavawCeMqL3
m0xfrAhbmDviqwMj06Pg8VI=
=iD+t
- -----END PGP SIGNATURE-----



- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by
telephone, or, for Not Protectively Marked information, by email to:
uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of IBM for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQs5/rIpao72zK539AQFgXAP/XDRgxO9WnFaN+5DIabj+GAqsez8wFn1v
/kkDaMQn2cugSS49d61DZGxxt987EqHzaF7whqwK4bfXGre/Rbkl8uMqI95ogDd1
cGq55s4S1F5KjI4raC62l4OPMDMOWk5iagkegaaZ8EU5RxmNiD33LyUJBtc/2vjc
+iEOKKny4dk=
=O0ig
-----END PGP SIGNATURE-----


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________