This file contains summary information on AIX security alerts published
by the Computer Emergency Response Team (CERT), and the IBM Emergency
Response Team (ERS). The full text of these alerts can be obtained from
this mail server by requesting the 'CERT' and 'ERS' files. This
information (and more) is available from CERT and ERS directly on the
world-wide web at the following URLs:
CERT: http://www.cert.org/
The fixes mentioned in this document are available from FixDist.
Information on obtaining and using FixDist is available by requesting
the 'FixDist' document from this mail server, or at the following URL
on the world-wide web:
http://service.software.ibm.com/aix.us/fixes
The 'Security_APARs' document on this mail server contains a list of
security related APARs for which fixes are available as of April 1997.
===============================================================================
===============================================================================
Topic: lquerylv buffer overflow
1. Description
A buffer overflow exploit in the lquerylv command has been made
public.
2. Fixes
AIX 3.2: APAR IX66230 (PTF U447739)
AIX 4.1: APAR IX66231
AIX 4.2: APAR IX66232
===============================================================================
===============================================================================
CERT* Advisory CA-97.16
Original issue date: May 29, 1997
Last revised: ---
Topic: ftpd Signal Handling Vulnerability
-----------------------------------------------------------------------------
1. Description
AUSCERT has received information concerning a vulnerability in some
vendor and third party versions of the Internet File Transfer Protocol
server, ftpd(8).
This vulnerability is caused by a signal handling routine increasing
process privileges to root, while still continuing to catch other
signals. This introduces a race condition which may allow regular,
as well as anonymous ftp, users to access files with root privileges.
Depending on the configuration of the ftpd server, this may allow
intruders to read or write to arbitrary files on the server.
This attack requires an intruder to be able to make a network
connection to a vulnerable ftpd server.
Sites should be aware that the ftp services are often installed by
default. Sites can check whether they are allowing ftp services by
checking, for example, /etc/inetd.conf:
# grep -i '^ftp' /etc/inetd.conf
Note that on some systems the inetd configuration file may have a
different name or be in a different location. Please consult your
documentation if the configuration file is not found in
/etc/inetd.conf.
If your site is offering ftp services, you may be able to determine
the version of ftpd by checking the notice when first connecting.
The vulnerability status of specific vendor and third party ftpd
servers can be found in Section 3.
Information involving this vulnerability has been made publicly
available.
2. Impact
Regular and anonymous users may be able to access arbitrary files with
root privileges. Depending on the configuration, this may allow
anonymous, as well as regular, users to read or write to arbitrary
files on the server with root privileges.
3. Workarounds/Solution
The version of ftpd shipped with AIX is vulnerable to the conditions
described in the advisory. The following APARs will be available
shortly:
AIX 3.2: APAR IX65536
AIX 4.1: APAR IX65537
AIX 4.2: APAR IX65538
===============================================================================
===============================================================================
CERT* Advisory CA-97.13
Original issue date: May 7, 1997
Last revised: --
Topic: Vulnerability in xlock
-----------------------------------------------------------------------------
I. Description
xlock is a program that allows a user to "lock" an X terminal. A buffer
overflow condition exists in some implementations of xlock. It is
possible attain unauthorized access to a system by engineering a
particular environment and calling a vulnerable version of xlock that has
setuid or setgid bits set. Information about vulnerable versions must be
obtained from vendors. Some vendor information can be found in Appendix A
of this advisory.
Exploitation information involving this vulnerability has been made
publicly available.
II. Fixes
AIX 3.2: APAR IX68189
AIX 4.1: APAR IX68190
AIX 4.2: APAR IX68191
===============================================================================
===============================================================================
CERT* Advisory CA-97.11
Original issue date: May 1, 1997
Last revised: --
Topic: Vulnerability in libXt
-----------------------------------------------------------------------------
I. Description
There have been discussions on public mailing lists about buffer
overflows in the Xt library of the X Windowing System made freely
available by The Open Group (and previously by the now-defunct X
Consortium). During these discussions, exploitation scripts were made
available for some platforms.**
The specific problem outlined in those discussions was a buffer overflow
condition in the Xt library and the file xc/lib/Xt/Error.c. It was
possible for a user to execute arbitrary instructions as a privileged
user using a program built by this distribution with setuid or setgid
bits set.
Note that in this case a root compromise was only possible when
programs built from this distribution (e.g., xterm) were setuid
root.
II. Impact
Platforms that have X applications built with the setuid or setgid
bits set may be vulnerable to buffer overflow conditions. These
conditions can make it possible for a local user to execute arbitrary
instructions as a privileged user without authorization. Access to an
account on the system is necessary for exploitation.
III. Fixes
AIX 3.2: APARs IX61784 IX67047 IX66713 (PTFs U445908 U447740)
AIX 4.1: APARs IX61031 IX66736 IX66449
AIX 4.2: APARs IX66824 IX66352
===============================================================================
===============================================================================
VULNERABILITY: Buffer overflows in NLS environment variables
PLATFORMS: IBM AIX(r) 3.2.x, 4.1.x, 4.2.x
SOLUTION: Apply the fixes described below.
THREAT: If exploited, this condition may permit unauthorized
super-user access to the system
-------------------------------------------------------------------------------
I. Description
There are buffer overflows in the way that AIX handles certain
NLS environment variables.
II. Impact
Unprivileged users may gain root access. An exploit has been published
detailing this vulnerability.
III. Fixes
AIX 3.2: APAR IX67405 (PTFs U447656 U447671 U447676 U447682 U447705 U447723)
AIX 4.1: APAR IX67407
AIX 4.2: APAR IX67377
---------------
A temporary patch is available via anonymous ftp from:
ftp://testcase.software.ibm.com/aix/fromibm/README.NLS_security_fix
ftp://testcase.software.ibm.com/aix/fromibm/NLS_security_fix.42.tar
ftp://testcase.software.ibm.com/aix/fromibm/NLS_security_fix.41.tar
ftp://testcase.software.ibm.com/aix/fromibm/NLS_security_fix.32.tar
MD5 checksums:
MD5 (NLS_security_fix.32.tar) = 8382b9907e1c52ba01bb0d54a6398e09
MD5 (NLS_security_fix.41.tar) = 2935f43ebd86e8c64bfae3a533f152f7
MD5 (NLS_security_fix.42.tar) = e3c26df51d27701d5784225da945de8e
===============================================================================
===============================================================================
VULNERABILITY: LIBPATH not ignored for setgid executables
PLATFORMS: IBM AIX(r) 3.2.x, 4.1.x, 4.2.x
SOLUTION: Apply the fixes described below.
THREAT: If exploited, this condition may permit unauthorized
super-user access to the system
-------------------------------------------------------------------------------
I. Description
AIX does not ignore the LIBPATH environment variable when executing
setgid executables.
II. Impact
Unprivileged users may gain access to system groups. There have been
reports of this being used to gain root access from a local account.
III. Fixes
AIX 3.2: APAR IX66299 (PTF U447666)
AIX 4.1: APAR IX66340
AIX 4.2: APAR IX66344
=============================================================================
=============================================================================
CERT(sm) Advisory CA-97.06
Original issue date: February 6, 1997
Last revised: --
Topic: Vulnerability in rlogin/term
-----------------------------------------------------------------------------
See the appropriate release below to determine your action.
AIX 3.2: APAR IX57724
AIX 4.1: APAR IX57972
AIX 4.2: No APAR required.
=============================================================================
=============================================================================
CERT(sm) Advisory CA-97.05
Original issue date: January 28, 1997
Last revised: --
Topic: MIME Conversion Buffer Overflow in Sendmail Versions 8.8.3 and 8.8.4
-----------------------------------------------------------------------------
The version of sendmail shipped with AIX is not vulnerable to the 7
to 8 bit MIME conversion vulnerability detailed in this advisory.
=============================================================================
=============================================================================
CERT(sm) Advisory CA-97.04
Original issue date: January 27, 1997
Last revised: --
Topic: talkd Vulnerability
-----------------------------------------------------------------------------
The version of talkd shipped with AIX is vulnerable to the conditions
described in this advisory. The APARs listed below will be available
shortly. It is recommended that the talkd daemon be turned off until
the APARs are applied.
AIX 3.2: APAR IX65474
AIX 4.1: APAR IX65472
AIX 4.2: APAR IX65473
=============================================================================
=============================================================================
CERT(sm) Advisory CA-96.26
Original issue date: December 18, 1996
Last revised: --
Topic: Denial-of-Service Attack via ping
-----------------------------------------------------------------------------
See the appropriate release below to determine your action.
AIX 3.2
-------
APAR - IX59644 (PTF - U444227 U444232)
AIX 4.1
-------
APAR - IX59453
AIX 4.2
-------
APAR - IX61858
IBM SNG Firewall
----------------
NOTE: The fixes in this section should ONLY be applied to systems
running the IBM Internet Connection Secured Network Gateway (SNG)
firewall software. They should be applied IN ADDITION TO the IBM
AIX fixes listed in the previous section.
IBM SNG V2.1
------------
APAR - IR33376 PTF UR46673
IBM SNG V2.2
------------
APAR - IR33484 PTF UR46641
=============================================================================
=============================================================================
CERT(sm) Advisory CA-96.25
Original issue date: December 10, 1996
Last revised: --
Topic: Sendmail Group Permissions Vulnerability
-----------------------------------------------------------------------------
The version of sendmail that ships with AIX is vulnerable to the
conditions listed in this advisory. A fix is in progress, and will be
delivered in the following APARs.
AIX 3.2: IX64460
AIX 4.1: IX64459
AIX 4.2: IX64443
=============================================================================
=============================================================================
ERS-SVA-E01-1996:008.1
03 December 1996 18:30 GMT
VULNERABILITY: The "lquerypv" command does not correctly enforce file access
permissions.
-----------------------------------------------------------------------------
See the appropriate release below to determine your action.
AIX 3.2.x
---------
Not vulnerable; no fix necessary.
AIX 4.1.x
---------
APAR - IX64203
AIX 4.2.x
---------
APAR - IX64204
=============================================================================
=============================================================================
ERS-SVA-E01-1996:007.1
03 December 1996 18:30 GMT
VULNERABILITY: Possible buffer overrun condition in "gethostbyname()" library
function
-----------------------------------------------------------------------------
See the appropriate release below to determine your action.
AIX 3.2.x
---------
APAR - IX60927 (PTF - U443452,U444191,U444206,U444213,U444233,U444244)
AIX 4.1.x
---------
APAR - IX61019
AIX 4.2.x
---------
APAR - IX62144
=============================================================================
=============================================================================
ERS-SVA-E01-1996:006.1
03 December 1996 18:30 GMT
VULNERABILITY: "Ping o' Death" and SYN flood attacks
-----------------------------------------------------------------------------
See the appropriate release below to determine your action.
A. The SYN Flood Attack
AIX 3.2.5
---------
No APAR available; upgrade to AIX 4.x recommended
AIX 4.1.x
---------
APAR - IX62476
AIX 4.2.x
---------
APAR - IX62428
B. The "Ping o' Death" Attack
AIX 3.2.5
---------
APAR - IX59644
AIX 4.1.x
---------
APAR - IX59453
AIX 4.2.x
---------
APAR - IX61858
NOTE: The fixes in this section should ONLY be applied to systems running the
IBM Internet Connection Secured Network Gateway (SNG) firewall software.
They should be applied IN ADDITION TO the IBM AIX fixes listed in the
previous section.
IBM SNG V2.1
------------
APAR - IR33376 PTF UR46673
IBM SNG V2.2
------------
APAR - IR33484 PTF UR46641
=============================================================================
=============================================================================
CERT(sm) Advisory CA-96.24
Original issue date: November 21, 1996
Last revised: --
Topic: Sendmail Daemon Mode Vulnerability
-----------------------------------------------------------------------------
See the appropriate release below to determine your action.
AIX 3.2
-------
No fix required. AIX 3.2 sendmail is not vulnerable.
AIX 4.1
-------
No fix required. AIX 4.1 sendmail is not vulnerable.
AIX 4.2
-------
AIX 4.2 sendmail is vulnerable.
APAR IX63068 will be available shortly.
=============================================================================
=============================================================================
CERT(sm) Advisory CA-96.21
Original issue date: September 19, 1996
Last revised: September 24, 1996
Topic: TCP SYN Flooding and IP Spoofing Attacks
-----------------------------------------------------------------------------
Although AIX is likely no more or less vulnerable to this type of attack
than any other vendor, IBM does recommend the following fixes to harden
your AIX system against external TCP protocol attacks.
AIX 3.2
-------
Apply the following fixes to your system:
APAR - IX59644
AIX 4.1
-------
Apply the following fixes to your system:
APAR - IX58507
AIX 4.2
-------
Apply the following fixes to your system:
APAR - IX58905
=============================================================================
=============================================================================
CERT(sm) Advisory CA-96.20
Original issue date: September 18, 1996
Last revised: --
Topic: Sendmail Vulnerabilities
-----------------------------------------------------------------------------
*** This advisory supersedes CA-95:05 ***
IBM Corporation
================
The following APARs are being developed and will be available shortly.
See the appropriate release below to determine your action.
AIX 3.2
-------
APAR - IX61303 IX61307
AIX 4.1
-------
APAR - IX61162 IX61306
AIX 4.2
-------
APAR - IX61304 IX61305
=============================================================================
=============================================================================
CERT(sm) Advisory CA-96.14
July 24, 1996
Topic: Vulnerability in rdist
-----------------------------------------------------------------------------
AIX is vulnerable to this problem. Fixes are in process but are
not yet available. The APAR numbers for the fixes are given below.
In the meantime, we recommend removing the setuid bit from the
/usr/bin/rdist program.
To remove the setuid bit, follow these instructions.
As the root user, type:
chmod u-s /usr/bin/rdist
AIX 3.2
-------
APAR - IX59741
AIX 4.1
-------
APAR - IX59742
AIX 4.2
-------
APAR - IX59743
=============================================================================
=============================================================================
CERT(sm) Advisory CA-96.09
April 24, 1996
Topic: Vulnerability in rpc.statd
-----------------------------------------------------------------------------
AIX 3.2
-------
APAR - IX56056 (PTF - U441411)
AIX 4.1
-------
APAR - IX55931
=============================================================================
=============================================================================
CERT(sm) Advisory CA-96.08
April 18, 1996
Topic: Vulnerabilities in PCNFSD
-----------------------------------------------------------------------------
AIX 3.2
-------
APAR - IX57623 (PTF - U442633)
APAR - IX56965 (PTF - U442638)
AIX 4.1
-------
APAR - IX57616
APAR - IX56730
=============================================================================
=============================================================================
Topic: AIX 3.2.5 rmail vulnerability
Source: IBM AIX Response Team
IBM AIX Security Advisory
Friday April 12, 1996
---------------------------------------------------------------------
I. Description:
IBM has become aware of a potential security exposure with
the rmail command on version 3 of the AIX operating system.
Version 4 does not contain this vulnerability.
II. Impact:
A user can gain unauthorized access to another user's mail.
III. Solution:
There are two possible solutions to this vulnerability.
IBM urges you to use the first solution since it is the
quickest solution.
1) As root, execute the following command:
/usr/bin/chmod 555 /usr/bin/rmail /bin/rmail
2) Apply the following APAR to your system once the APAR
is available:
APAR - IX57680
=============================================================================
=============================================================================
This is in response to the following advisories, which were identical.
IBM-ERS ERS-SVA-C01-1996:001.1
CIAC G-09
CERT VU#6093
IBM has incorporated options into sendmail that disable the VRFY and
EXPN features of sendmail. Use the '-o' parameter on the command line
or the O control line in the configuration file to activate these options.
Security options for the SMTP server (daemon) mode of sendmail are:
+ Turns on secure SMTP. When enabled, this option disables the VRFY
and EXPN commands. These commands are required and do run, but
they echo their argument back to the user rather than expanding
the argument to indicate whether it is valid or invalid.
- Turns on SMTP security logging. When enabled, any use of the VRFY
and EXPN commands is logged, even if the commands are disabled by
the + option. Any invalid user given to the RCPT command is also
logged. The log message is sent to syslogd as a mail.warning
message. The message includes the date, time, user's hostname,
command, and argument given to SMTP.
AIX 3.2
-------
APAR - IX41105 (PTF U426334)
AIX 4.1
-------
APAR - IX49343 (bos.net.tcp.client 4.1.2.2 or later)
=============================================================================
=============================================================================
CA-95:17 CERT Advisory
December 12, 1995
rpc.ypupdated Vulnerability
-----------------------------------------------------------------------------
AIX 3.2
-------
APAR - IX55360 (PTF U440666)
AIX 4.1
-------
APAR - IX55363
=============================================================================
=============================================================================
VB-95:08 CERT Vendor-Initiated Bulletin
November 2, 1995
-----------------------------------------------------------------------------
Patches for AIX 3.2 and AIX 4.1 are available now via anonymous FTP from
software.watson.ibm.com/pub/aix/xdm.
AIX 3.2 xdm.325
AIX 4.1 xdm.41
Please replace your /usr/bin/X11/xdm with these versions.
Official fixes will be available in approximately 4 weeks under the
following APAR numbers:
AIX 3.2 IX54679
AIX 4.1 IX54680
=============================================================================
=============================================================================
CA-95:14 CERT Advisory
November 1, 1995
Telnetd Environment Vulnerability
-----------------------------------------------------------------------------
IBM AIX is not vulnerable to the conditions described in this CERT
Advisory.
=============================================================================
=============================================================================
CA-95:13 CERT Advisory
October 19, 1995
Syslog Vulnerability - A Workaround for Sendmail
-----------------------------------------------------------------------------
IBM Corp. - AIX 3.2 and AIX 4.1
Fixes can be obtained by ordering the following APARs using FixDist or by
contacting the IBM Support Center.
AIX 3.2 IX53358
AIX 4.1 IX53718
==============================================================================