MCI Telecommunications
internetMCI Security Group

Report Name:        iMCI Security Alert
Report Number:      iMCISE:IMCIAIX:011098:01:P1R1
Report Date:        01/10/98
Report Format:      Formal Report
Classification:     MCI Informational
Report Reference:   http://www.security.mci.net
-----------------------------------------------------------------------------

This file contains summary information on AIX security alerts published by the Computer Emergency Response Team (CERT), and the IBM Emergency Response Team (ERS). The full text of these alerts can be obtained from this mail server by requesting the 'CERT' and 'ERS' files.

This information (and more) is available from CERT and ERS directly on the world-wide web at the following URLs:

   CERT: http://www.cert.org/
   ERS:  http://www.ers.ibm.com/

The fixes mentioned in this document, when available, will be available from FixDist. Information on obtaining and using FixDist is available by requesting the 'FixDist' document from this mail server, or at the following URL on the world-wide web:

   http://service.software.ibm.com/aix.us/fixes

The 'Security_APARs' document on this mail server contains a list of security related APARs for which fixes are available as of April 1997.

=============================================================================
=============================================================================

08 January 1998 20:30 GMT                         Number: ERS-SVA-E01-1998:001.1
-----------------------------------------------------------------------------
                             VULNERABILITY SUMMARY

VULNERABILITY:  The "routed" daemon allows remote users to modify system files.

PLATFORMS:      IBM AIX(r) 3.2.x, 4.1.x, 4.2.x, 4.3.x

SOLUTION:       Apply the fixes listed below.

THREAT:         Remote users can gain system access.
=============================================================================
                             DETAILED INFORMATION

I. Description

The "routed" daemon accepts packets that cause arbitrary system files to be created and/or modified.
Only machines running the routed daemon are vulnerable. An exploit script has been made publicly available.

II. Impact

Remote users can modify system files, which can allow remote access to the system.

III. Solutions

A. How to alleviate the problem

A temporary fix is available via anonymous ftp from:

   ftp://testcase.software.ibm.com/aix/fromibm/security.routed.tar.Z

   Filename        sum             md5
   =================================================================
   routed          59682    40     1aae6cf116ae84f8bee91b96736b7d23

Use the following steps (as root) to install the temporary fix:

   1. Uncompress and extract the fix:

      # uncompress < security.routed.tar.Z | tar xf -

   2. Execute the following commands to replace the vulnerable routed binary:

      # cp /usr/sbin/routed /usr/sbin/routed.orig
      # chmod -x /usr/sbin/routed.orig
      # cp routed/routed /usr/sbin/routed
      # chmod 554 /usr/sbin/routed

NOTE: This temporary fix has not been fully regression tested.

B. Official fix

IBM is currently working on the following APARs but they are not yet available.

   AIX 4.3.x: IX73951
   AIX 4.2.x: IX73949
   AIX 4.1.x: IX73948
   AIX 3.2.x: upgrade to version 4

=============================================================================
=============================================================================

CERT* Advisory CA-97.27
Original issue date: Dec. 10, 1997
Last revised: December 11, 1997 - Vendor updates for Caldera, Inc., Digital Equipment Corporation, NEC Corporation.

Topic: FTP Bounce
-----------------------------------------------------------------------------

I. Description

In the past few years there have been ongoing discussions about a problem known as "FTP bounce." In its simplest terms, the problem is based on the misuse of the PORT command in the FTP protocol.
To understand the FTP bounce attack, please see the tech tip at

   ftp://ftp.cert.org/pub/tech_tips/FTP_PORT_attacks

The core component of the problem is that by using the PORT command in active FTP mode, an attacker may be able to establish connections to arbitrary ports on machines other than the originating client. This behavior is RFC compliant, but it is also potentially a source of security problems for some sites. The example attacks described in the tech tip demonstrate the potential of this vulnerability.

II. Impact

An attacker may be able to establish a connection between the FTP server machine and an arbitrary port on another system. This connection may be used to bypass access controls that would otherwise apply.

III. Solution

All AIX ftp servers are vulnerable to the FTP bounce attack. The following fixes are in progress:

   AIX 3.2: upgrade to v4
   AIX 4.1: IX73075
   AIX 4.2: IX73076
   AIX 4.3: IX73077

=============================================================================
=============================================================================

CERT* Advisory CA-97.26
Original issue date: Dec. 5, 1997
Last revised:

Topic: Buffer Overrun Vulnerability in statd(1M) Program
-----------------------------------------------------------------------------

1. Description

AUSCERT has received information concerning a vulnerability in some vendor versions of the RPC server, statd(1M).

statd provides network status monitoring. It interacts with lockd to provide crash and recovery functions for the locking services on NFS.

Due to insufficient bounds checking on input arguments which may be supplied by local users, as well as remote users, it is possible to overwrite the internal stack space of the statd program while it is executing a specific rpc routine. By supplying a carefully designed input argument to the statd program, intruders may be able to force statd to execute arbitrary commands as the user running statd. In most instances, this will be root.
This vulnerability may be exploited by local users. It can also be exploited remotely without the intruder requiring a valid local account if statd is accessible via the network.

Sites can check whether they are running statd by:

   On System V like systems:

      # ps -fe |grep statd
      root   973     1  0 14:41:46 ?        0:00 /usr/lib/nfs/statd

   On BSD like systems:

      # ps -auxw |grep statd
      root   156  0.0  0.0   52    0 ?  IW   May  3  0:00 rpc.statd

Specific vendor information regarding this vulnerability can be found in Section 3.

2. Impact

This vulnerability permits attackers to gain root privileges. It can be exploited by local users. It can also be exploited remotely without the intruder requiring a valid local account if statd is accessible via the network.

3. Workarounds/Solution

If you are not using NFS in your environment then there is no need for the statd program to be running and it can be disabled (Section 3.2).

AIX 3.2 and 4.1 are vulnerable to the statd buffer overflow. However, the buffer overflow described in this advisory was fixed when the APARs for CERT CA-96.09 were released. See the appropriate release below to determine your action.

   AIX 3.2: APAR IX56056 (PTF U441411)
   AIX 4.1: APAR IX55931
   AIX 4.2: Fixed in base release.
   AIX 4.3: Fixed in base release.

=============================================================================
=============================================================================

                             VULNERABILITY SUMMARY

VULNERABILITY:  The AIX ftp client interprets server provided filenames

PLATFORMS:      IBM AIX(r) 3.2, 4.1, 4.2

SOLUTION:       Remove the setuid bit from the "ftp" command.

THREAT:         Remote ftp servers can cause arbitrary commands to run on the local machine.
=============================================================================
                             DETAILED INFORMATION

I. Description

The ftp client can be tricked into running arbitrary commands supplied by the remote server.
When the remote file begins with a pipe symbol, the ftp client will process the contents of the remote file as a shell script.

II. Impact

Remote ftp servers can cause arbitrary commands to run on the local machine. This can include remote root access.

III. Solutions

AIX 3.2
-------
There are no fixes available for AIX 3.2. It is suggested that customers upgrade to a higher level.

AIX 4.1
-------
Apply the following fix to your system:

   APAR - IX70885

To determine if you have this APAR on your system, run the following command:

   instfix -ik IX70885

AIX 4.2
-------
Apply the following fix to your system:

   APAR - IX70886

To determine if you have this APAR on your system, run the following command:

   instfix -ik IX70886

=============================================================================
=============================================================================

                             VULNERABILITY SUMMARY

VULNERABILITY:  The AIX "nslookup" command does not drop privileges correctly

PLATFORMS:      IBM AIX(r) 4.1, 4.2

SOLUTION:       Apply the fixes listed below

THREAT:         Local users can become root
=============================================================================
                             DETAILED INFORMATION

I. Description

The nslookup command has a vulnerability that allows local users to become root.

II. Solutions

A. How to alleviate the problem

This problem can be alleviated by removing the set-user-id bit from the "nslookup" program. To do this, execute the following command as "root":

   chmod 555 /usr/bin/nslookup

Removing the set-user-id bit will not result in lost functionality unless /etc/resolv.conf exists and is not world-readable.

B. Official fix

AIX 4.1
-------
Apply the following fix to your system:

   APAR - IX71464

To determine if you have this APAR on your system, run the following command:

   instfix -ik IX71464

AIX 4.2
-------
Apply the following fix to your system:

   APAR - IX70815

To determine if you have this APAR on your system, run the following command:

   instfix -ik IX70815

=============================================================================
=============================================================================

                             VULNERABILITY SUMMARY

VULNERABILITY:  The AIX piodmgrsu command incorrectly uses privilege

PLATFORMS:      IBM AIX(r) 4.1, 4.2

SOLUTION:       Apply the fixes listed below

THREAT:         Local users can gain additional privileges
=============================================================================
                             DETAILED INFORMATION

I. Description

The piodmgrsu command was first shipped in AIX 4.1 and performs various operations on the printer backend's alternate ODM database. The command passes an insecure environment to its children, allowing local users to gain access to the administrative "printq" group.

II. Fixes

AIX 4.1
-------
Apply the following fix to your system:

   APAR - IX71514

To determine if you have this APAR on your system, run the following command:

   instfix -ik IX71514

AIX 4.2
-------
Apply the following fix to your system:

   APAR - IX71517

To determine if you have this APAR on your system, run the following command:

   instfix -ik IX71517

=============================================================================
=============================================================================

                             VULNERABILITY SUMMARY

VULNERABILITY:  Buffer overflow and insecure log files in the AIX portmir command

PLATFORMS:      IBM AIX(r) 4.2.1

SOLUTION:       Remove the setuid bit from /usr/sbin/portmir

THREAT:         Local users can become root
=============================================================================
                             DETAILED INFORMATION

I. Description

Several vulnerabilities exist in the portmir command that can allow local users to become root. This command was added in 4.2.1; therefore, 4.1 and 3.2 are not vulnerable.

II. Impact

Local users can become root.

III. Fixes

A. How to alleviate the problem

Run the following command (as root) to close this vulnerability until APARs can be applied:

   # chmod u-s /usr/sbin/portmir

B. Official fix

Apply the following fix to your system:

   APAR - IX71795

To determine if you have this APAR on your system, run the following command:

   instfix -ik IX71795

=============================================================================
=============================================================================

                             VULNERABILITY SUMMARY

VULNERABILITY:  Buffer overflows in the libDtSvc.a library

PLATFORMS:      IBM AIX(r) 4.1, 4.2

SOLUTION:       Apply the fixes listed below

THREAT:         Local users can become root
=============================================================================
                             DETAILED INFORMATION

I. Description

A buffer overflow vulnerability exists in the AIX libDtSvc.a library that can allow local users to become root. There has been an exploit posted to the Bugtraq mailing list. In the course of investigating the libDtSvc.a overflows, fixes were made to the writesrv and rcp commands as well.

II. Fixes

   Abstract                                     4.1 APAR     4.2 APAR
   ====================================================================
   SECURITY: buffer overflow in dtaction        IX69179      IX69180
   SECURITY: buffer overflow in writesrv        IX69168      IX69169
   SECURITY: buffer overflow in /bin/rcp        IX69170      IX69171

To determine if you have these APARs on your system, run the following command (double quotes required if more than one APAR is specified):

   instfix -ivk "<APAR> [<APAR> ...]"

=============================================================================
=============================================================================

VULNERABILITY:  Buffer overflow in the IBM AIX "xdat" command

PLATFORMS:      IBM AIX(r) 4.1, 4.2

SOLUTION:       Remove the setuid bit or apply one of the fixes below

THREAT:         Local users may become root
=============================================================================

I. Description

The "xdat" command shipped with AIX version 4 does not check the length of the "TZ" environment variable. This command was not shipped with AIX 3.2.

II. Impact

Local users may become root.

III. Solutions

A. How to alleviate the problem

This problem can be alleviated by removing the set-user-id bit from the "xdat" program. To do this, execute the following command as "root":

   chmod 555 /usr/lpp/X11/bin/xdat

B. Official fix

IBM is currently working on the following APARs but they are not yet available.

   AIX 4.1: IX72020
   AIX 4.2: IX72021

C. Temporary fixes

A temporary fix is available via anonymous ftp from:

   ftp://testcase.software.ibm.com/aix/fromibm/security.xdat.tar.Z

   Filename        sum             md5
   =================================================================
   xdat            44047    74     33bcec8bbc7d8eb2e4e2ae760d2b986e

Use the following steps (as root) to install the temporary fix:

   1. Uncompress and extract the fix:

      # uncompress < security.xdat.tar.Z | tar xf -

   2. Use the "xdat_patch.sh" script or the following manual commands:

      # pgp xdat/xdat.pgp xdat/xdat
      # cp /usr/lpp/X11/bin/xdat /usr/lpp/X11/bin/xdat.orig
      # chmod -s /usr/lpp/X11/bin/xdat.orig
      # cp xdat/xdat /usr/lpp/X11/bin/xdat
      # chmod 4555 /usr/lpp/X11/bin/xdat

This fix has not been fully regression tested but does prevent the TZ environment variable exploit. If the new executable fails to load due to missing symbols, the following APARs may help to resolve the prerequisites:

   AIX 4.1: IX69580
   AIX 4.2: IX69180

=============================================================================
=============================================================================

CERT* Advisory CA-97.23
Original issue date: September 16, 1997
Last revised: September 19, 1997
              Appendix A - Added information for OpenBSD and Silicon Graphics, Inc.

Topic: Buffer Overflow Problem in rdist
-----------------------------------------------------------------------------

I. Description

The rdist program is a UNIX Operating System utility used to distribute files from one host to another. On some systems, rdist opens network connections using a privileged port as the source port. This requires root privileges, and to attain these privileges rdist on such systems is installed set-user-id root.

A new vulnerability has been found in some set-user-id root implementations of rdist. The vulnerability lies in the function expstr(), where macros supplied as arguments are expanded using sprintf(). It is possible to overwrite stack frames and call specially pre-crafted native machine code. If the appropriate machine code is supplied, an attacker can execute arbitrary programs (such as the shell) with set-user-id root privileges.

Note that this vulnerability is distinct from that discussed in CERT advisory CA-96.14.

II. Impact

On systems with a vulnerable copy of rdist, anyone with access to a local account can gain root access.

III. Solution

All versions of AIX are vulnerable to this buffer overflow.
There is no 3.2 fix. It is recommended that 3.2 customers upgrade to a higher level. The following APARs will be available for AIX version 4 soon.

   AIX 3.2: upgrade to 4.1.5 or higher
   AIX 4.1: IX70876
   AIX 4.2: IX70875

Obtain the "CERT" document from this mail server for the complete text of this advisory, including details on circumventing this exposure.

=============================================================================
=============================================================================

CERT* Advisory CA-97.22
Original issue date: August 13, 1997
Last revised: August 20, 1997
              Introduction - Clarified that 4.9.6 is not vulnerable.
              Section III - Added a note why sites should upgrade to 8.1.1.

Topic: BIND - the Berkeley Internet Name Daemon
-----------------------------------------------------------------------------

*** This advisory supersedes CA-96.02. ***
-----------------------------------------------------------------------------

I. Description

The Berkeley Internet Name Daemon (BIND) is an implementation of the Domain Name Service (DNS) written primarily for UNIX Systems. BIND consists of three parts:

   * The client part. This part contains subroutine libraries used by programs that require DNS services. Example clients of these libraries are telnet, the X Windows System, and ssh (the secure shell). The client part consists of subroutine libraries, header files, and manual pages.

   * The server part. This part contains the name server daemon (named) and its support program (named-xfer). These programs provide one source of the data used for mapping between host names and IP addresses. When appropriately configured, these name server daemons can interoperate across a network (the Internet for example) to provide the mapping services for that network. The server part consists of the daemon, its support programs and scripts, and manual pages.

   * The tools part. This part contains various tools for interrogating name servers in a network. They use the client part to extract information from those servers. The tools part consists of these interrogation tools and manual pages.

As BIND has matured, several vulnerabilities in the client, server, and tools parts have been fixed. Among these is server cache poisoning. Cache poisoning occurs when malicious or misleading data received from a remote name server is saved (cached) by another name server. This "bad" data is then made available to programs that request the cached data through the client interface.

Analysis of recent incidents reported to the CERT Coordination Center has shown that the cache poisoning technique is being used to adversely affect the mapping between host names and IP addresses. Once this mapping has been changed, any information sent between hosts on a network may be subjected to inspection, capture, or corruption.

Although the new BIND distributions do address important security problems, not all known problems are fixed. In particular, several problems can be fixed only with the use of cryptographic authentication techniques. Implementing and deploying this solution is non-trivial; work on this task is currently underway within the Internet community.

II. Impact

The mapping between host names and IP addresses may be changed. As a result, attackers can inspect, capture, or corrupt the information exchanged between hosts on a network.

III. Solution

IBM is currently working on the following APARs which will be available soon:

   AIX 4.1: IX70236
   AIX 4.2: IX70237

=============================================================================
=============================================================================

CERT* Advisory CA-97.18
Original issue date: June 12, 1997
Last revised: --

Topic: Vulnerability in the at(1) program
-----------------------------------------------------------------------------

I. Description

The at(1) program can be used by local users to schedule commands to be executed at a later time. When those commands are run, they are run as the user who originally ran at(1). That user will be referred to as the scheduling user.

As a precaution, the scheduling user's list of commands is stored in a file in a directory that is not writable by other users. The file's ownership is changed to that of the scheduling user, and that information is used to define the identity of the process that runs the commands when the appointed time arrives. These measures are intended to prevent other users from changing the scheduling user's list of commands or creating new lists to be executed as another user. To achieve this additional level of security, the at(1) program runs as set-user-id root.

Some versions of at(1) contain a programming defect that can result in a buffer local to at(1) being overflowed. Through the careful specification of the data that overflows this buffer, arbitrary commands can be executed with the identity of the at(1) process, root in this case.

II. Impact

Any user with an account on a system that contains a defective version of at(1) can execute programs as root.

III. Solution

   AIX 3.2: APAR IX60796 (PTFs U443452 U443486 U444191 U444206 U444213 U444243)
   AIX 4.1: APARs IX60894 and IX60890
   AIX 4.2: APARs IX60892 and IX61125

Until you are able to install the appropriate patch, we recommend the following workaround:

Turn off at(1) by setting its mode to 0. Do the following as root:

   # chmod 0 /usr/bin/at

After you turn off the at(1) command, users will not be able to use it. As an alternative to at(1), consider using the crontab(1) command.

=============================================================================
=============================================================================

Topic: lquerylv buffer overflow

1. Description

A buffer overflow exploit in the lquerylv command has been made public.

2. Fixes

   AIX 3.2: APAR IX66230 (PTF U447739)
   AIX 4.1: APAR IX66231
   AIX 4.2: APAR IX66232

=============================================================================
=============================================================================

CERT* Advisory CA-97.16
Original issue date: May 29, 1997
Last revised: ---

Topic: ftpd Signal Handling Vulnerability
-----------------------------------------------------------------------------

1. Description

AUSCERT has received information concerning a vulnerability in some vendor and third party versions of the Internet File Transfer Protocol server, ftpd(8).

This vulnerability is caused by a signal handling routine increasing process privileges to root, while still continuing to catch other signals. This introduces a race condition which may allow regular, as well as anonymous ftp, users to access files with root privileges. Depending on the configuration of the ftpd server, this may allow intruders to read or write to arbitrary files on the server.

This attack requires an intruder to be able to make a network connection to a vulnerable ftpd server.

Sites should be aware that the ftp services are often installed by default. Sites can check whether they are allowing ftp services by checking, for example, /etc/inetd.conf:

   # grep -i '^ftp' /etc/inetd.conf

Note that on some systems the inetd configuration file may have a different name or be in a different location. Please consult your documentation if the configuration file is not found in /etc/inetd.conf.

If your site is offering ftp services, you may be able to determine the version of ftpd by checking the notice when first connecting. The vulnerability status of specific vendor and third party ftpd servers can be found in Section 3.

Information involving this vulnerability has been made publicly available.

2. Impact

Regular and anonymous users may be able to access arbitrary files with root privileges.
Depending on the configuration, this may allow anonymous, as well as regular, users to read or write to arbitrary files on the server with root privileges.

3. Workarounds/Solution

The version of ftpd shipped with AIX is vulnerable to the conditions described in the advisory. The following APARs will be available shortly:

   AIX 3.2: APAR IX65536
   AIX 4.1: APAR IX65537
   AIX 4.2: APAR IX65538

=============================================================================
=============================================================================

CERT* Advisory CA-97.13
Original issue date: May 7, 1997
Last revised: --

Topic: Vulnerability in xlock
-----------------------------------------------------------------------------

I. Description

xlock is a program that allows a user to "lock" an X terminal.

A buffer overflow condition exists in some implementations of xlock. It is possible to attain unauthorized access to a system by engineering a particular environment and calling a vulnerable version of xlock that has setuid or setgid bits set.

Information about vulnerable versions must be obtained from vendors. Some vendor information can be found in Appendix A of this advisory.

Exploitation information involving this vulnerability has been made publicly available.

II. Fixes

   AIX 3.2: APAR IX68189
   AIX 4.1: APAR IX68190
   AIX 4.2: APAR IX68191

=============================================================================
=============================================================================

CERT* Advisory CA-97.11
Original issue date: May 1, 1997
Last revised: --

Topic: Vulnerability in libXt
-----------------------------------------------------------------------------

I. Description

There have been discussions on public mailing lists about buffer overflows in the Xt library of the X Windowing System made freely available by The Open Group (and previously by the now-defunct X Consortium). During these discussions, exploitation scripts were made available for some platforms.

The specific problem outlined in those discussions was a buffer overflow condition in the Xt library and the file xc/lib/Xt/Error.c. It was possible for a user to execute arbitrary instructions as a privileged user using a program built by this distribution with setuid or setgid bits set.

Note that in this case a root compromise was only possible when programs built from this distribution (e.g., xterm) were setuid root.

II. Impact

Platforms that have X applications built with the setuid or setgid bits set may be vulnerable to buffer overflow conditions. These conditions can make it possible for a local user to execute arbitrary instructions as a privileged user without authorization. Access to an account on the system is necessary for exploitation.

III. Fixes

   AIX 3.2: APARs IX61784 IX67047 IX66713 (PTFs U445908 U447740)
   AIX 4.1: APARs IX61031 IX66736 IX66449
   AIX 4.2: APARs IX66824 IX66352

=============================================================================
=============================================================================

VULNERABILITY:  Buffer overflows in NLS environment variables

PLATFORMS:      IBM AIX(r) 3.2.x, 4.1.x, 4.2.x

SOLUTION:       Apply the fixes described below.

THREAT:         If exploited, this condition may permit unauthorized super-user access to the system
-----------------------------------------------------------------------------

I. Description

There are buffer overflows in the way that AIX handles certain NLS environment variables.

II. Impact

Unprivileged users may gain root access. An exploit has been published detailing this vulnerability.

III. Fixes

   AIX 3.2: APAR IX67405 (PTFs U447656 U447671 U447676 U447682 U447705 U447723)
   AIX 4.1: APAR IX67407
   AIX 4.2: APAR IX67377

---------------

A temporary patch is available via anonymous ftp from:

   ftp://testcase.software.ibm.com/aix/fromibm/README.NLS_security_fix
   ftp://testcase.software.ibm.com/aix/fromibm/NLS_security_fix.42.tar
   ftp://testcase.software.ibm.com/aix/fromibm/NLS_security_fix.41.tar
   ftp://testcase.software.ibm.com/aix/fromibm/NLS_security_fix.32.tar

MD5 checksums:

   MD5 (NLS_security_fix.32.tar) = 8382b9907e1c52ba01bb0d54a6398e09
   MD5 (NLS_security_fix.41.tar) = 2935f43ebd86e8c64bfae3a533f152f7
   MD5 (NLS_security_fix.42.tar) = e3c26df51d27701d5784225da945de8e

=============================================================================
=============================================================================

VULNERABILITY:  LIBPATH not ignored for setgid executables

PLATFORMS:      IBM AIX(r) 3.2.x, 4.1.x, 4.2.x

SOLUTION:       Apply the fixes described below.

THREAT:         If exploited, this condition may permit unauthorized super-user access to the system
-----------------------------------------------------------------------------

I. Description

AIX does not ignore the LIBPATH environment variable when executing setgid executables.

II. Impact

Unprivileged users may gain access to system groups. There have been reports of this being used to gain root access from a local account.

III. Fixes

   AIX 3.2: APAR IX66299 (PTF U447666)
   AIX 4.1: APAR IX66340
   AIX 4.2: APAR IX66344

=============================================================================
=============================================================================

CERT(sm) Advisory CA-97.06
Original issue date: February 6, 1997
Last revised: --

Topic: Vulnerability in rlogin/term
-----------------------------------------------------------------------------

See the appropriate release below to determine your action.

   AIX 3.2: APAR IX57724
   AIX 4.1: APAR IX57972
   AIX 4.2: No APAR required.
=============================================================================
=============================================================================

CERT(sm) Advisory CA-97.05
Original issue date: January 28, 1997
Last revised: --

Topic: MIME Conversion Buffer Overflow in Sendmail Versions 8.8.3 and 8.8.4
-----------------------------------------------------------------------------

The version of sendmail shipped with AIX is not vulnerable to the 7 to 8 bit MIME conversion vulnerability detailed in this advisory.

=============================================================================
=============================================================================

CERT(sm) Advisory CA-97.04
Original issue date: January 27, 1997
Last revised: --

Topic: talkd Vulnerability
-----------------------------------------------------------------------------

The version of talkd shipped with AIX is vulnerable to the conditions described in this advisory. The APARs listed below will be available shortly. It is recommended that the talkd daemon be turned off until the APARs are applied.

   AIX 3.2: APAR IX65474
   AIX 4.1: APAR IX65472
   AIX 4.2: APAR IX65473

=============================================================================
=============================================================================

CERT(sm) Advisory CA-96.26
Original issue date: December 18, 1996
Last revised: --

Topic: Denial-of-Service Attack via ping
-----------------------------------------------------------------------------

See the appropriate release below to determine your action.

AIX 3.2
-------
   APAR - IX59644 (PTF - U444227 U444232)

AIX 4.1
-------
   APAR - IX59453

AIX 4.2
-------
   APAR - IX61858

IBM SNG Firewall
----------------
NOTE: The fixes in this section should ONLY be applied to systems running the IBM Internet Connection Secured Network Gateway (SNG) firewall software. They should be applied IN ADDITION TO the IBM AIX fixes listed in the previous section.
IBM SNG V2.1
------------
   APAR - IR33376   PTF UR46673

IBM SNG V2.2
------------
   APAR - IR33484   PTF UR46641

=============================================================================
=============================================================================

CERT(sm) Advisory CA-96.25
Original issue date: December 10, 1996
Last revised: --

Topic: Sendmail Group Permissions Vulnerability
-----------------------------------------------------------------------------

The version of sendmail that ships with AIX is vulnerable to the conditions listed in this advisory. A fix is in progress, and will be delivered in the following APARs.

   AIX 3.2: IX64460
   AIX 4.1: IX64459
   AIX 4.2: IX64443

=============================================================================
=============================================================================

ERS-SVA-E01-1996:008.1                                03 December 1996 18:30 GMT

VULNERABILITY: The "lquerypv" command does not correctly enforce file access permissions.
-----------------------------------------------------------------------------

See the appropriate release below to determine your action.

AIX 3.2.x
---------
   Not vulnerable; no fix necessary.

AIX 4.1.x
---------
   APAR - IX64203

AIX 4.2.x
---------
   APAR - IX64204

=============================================================================
=============================================================================

ERS-SVA-E01-1996:007.1                                03 December 1996 18:30 GMT

VULNERABILITY: Possible buffer overrun condition in "gethostbyname()" library function
-----------------------------------------------------------------------------

See the appropriate release below to determine your action.
AIX 3.2.x
---------
APAR - IX60927 (PTF - U443452,U444191,U444206,U444213,U444233,U444244)

AIX 4.1.x
---------
APAR - IX61019

AIX 4.2.x
---------
APAR - IX62144

=============================================================================
=============================================================================
ERS-SVA-E01-1996:006.1
03 December 1996 18:30 GMT

VULNERABILITY: "Ping o' Death" and SYN flood attacks
-----------------------------------------------------------------------------

See the appropriate release below to determine your action.

A. The SYN Flood Attack

AIX 3.2.5
---------
No APAR available; upgrade to AIX 4.x recommended

AIX 4.1.x
---------
APAR - IX62476

AIX 4.2.x
---------
APAR - IX62428

B. The "Ping o' Death" Attack

AIX 3.2.5
---------
APAR - IX59644

AIX 4.1.x
---------
APAR - IX59453

AIX 4.2.x
---------
APAR - IX61858

NOTE: The fixes in this section should ONLY be applied to systems running
the IBM Internet Connection Secured Network Gateway (SNG) firewall
software. They should be applied IN ADDITION TO the IBM AIX fixes listed
in the previous section.

IBM SNG V2.1
------------
APAR - IR33376
PTF  UR46673

IBM SNG V2.2
------------
APAR - IR33484
PTF  UR46641

=============================================================================
=============================================================================
CERT(sm) Advisory CA-96.24
Original issue date: November 21, 1996
Last revised: --

Topic: Sendmail Daemon Mode Vulnerability
-----------------------------------------------------------------------------

See the appropriate release below to determine your action.

AIX 3.2
-------
No fix required. AIX 3.2 sendmail is not vulnerable.

AIX 4.1
-------
No fix required. AIX 4.1 sendmail is not vulnerable.

AIX 4.2
-------
AIX 4.2 sendmail is vulnerable. APAR IX63068 will be available shortly.
=============================================================================
=============================================================================
CERT(sm) Advisory CA-96.21
Original issue date: September 19, 1996
Last revised: September 24, 1996

Topic: TCP SYN Flooding and IP Spoofing Attacks
-----------------------------------------------------------------------------

Although AIX is likely no more or less vulnerable to this type of attack
than any other vendor's system, IBM does recommend the following fixes to
harden your AIX system against external TCP protocol attacks.

AIX 3.2
-------
Apply the following fixes to your system:
APAR - IX59644

AIX 4.1
-------
Apply the following fixes to your system:
APAR - IX58507

AIX 4.2
-------
Apply the following fixes to your system:
APAR - IX58905

=============================================================================
=============================================================================
CERT(sm) Advisory CA-96.20
Original issue date: September 18, 1996
Last revised: --

Topic: Sendmail Vulnerabilities
-----------------------------------------------------------------------------

*** This advisory supersedes CA-95:05 ***

IBM Corporation
================
The following APARs are being developed and will be available shortly.
See the appropriate release below to determine your action.

AIX 3.2
-------
APAR - IX61303 IX61307

AIX 4.1
-------
APAR - IX61162 IX61306

AIX 4.2
-------
APAR - IX61304 IX61305

=============================================================================
=============================================================================
CERT(sm) Advisory CA-96.14
July 24, 1996

Topic: Vulnerability in rdist
-----------------------------------------------------------------------------

AIX is vulnerable to this problem. Fixes are in process but are not yet
available. The APAR numbers for the fixes are given below. In the meantime,
we recommend removing the setuid bit from the /usr/bin/rdist program.
To remove the setuid bit, follow these instructions. As the root user, type:

    chmod u-s /usr/bin/rdist

AIX 3.2
-------
APAR - IX59741

AIX 4.1
-------
APAR - IX59742

AIX 4.2
-------
APAR - IX59743

=============================================================================
=============================================================================
CERT(sm) Advisory CA-96.09
April 24, 1996

Topic: Vulnerability in rpc.statd
-----------------------------------------------------------------------------

AIX 3.2
-------
APAR - IX56056 (PTF - U441411)

AIX 4.1
-------
APAR - IX55931

=============================================================================
=============================================================================
CERT(sm) Advisory CA-96.08
April 18, 1996

Topic: Vulnerabilities in PCNFSD
-----------------------------------------------------------------------------

AIX 3.2
-------
APAR - IX57623 (PTF - U442633)
APAR - IX56965 (PTF - U442638)

AIX 4.1
-------
APAR - IX57616
APAR - IX56730

=============================================================================
=============================================================================
Topic:  AIX 3.2.5 rmail vulnerability
Source: IBM AIX Response Team

IBM AIX Security Advisory
Friday April 12, 1996
---------------------------------------------------------------------

I. Description:

IBM has become aware of a potential security exposure with the rmail
command on version 3 of the AIX operating system. Version 4 does not
contain this vulnerability.

II. Impact:

A user can gain unauthorized access to another user's mail.

III. Solution:

There are two possible solutions to this vulnerability. IBM urges you to
use the first solution, since it is the quickest.
1) As root, execute the following command:

       /usr/bin/chmod 555 /usr/bin/rmail /bin/rmail

2) Apply the following APAR to your system once the APAR is available:

       APAR - IX57680

=============================================================================
=============================================================================
This is in response to the following advisories, which were identical:

  IBM-ERS  ERS-SVA-C01-1996:001.1
  CIAC     G-09
  CERT     VU#6093

IBM has incorporated options into sendmail that disable the VRFY and EXPN
features of sendmail. Use the '-o' parameter on the command line or the O
control line in the configuration file to activate these options.

Security options for the SMTP server (daemon) mode of sendmail are:

  +   Turns on secure SMTP. When enabled, this option disables the VRFY and
      EXPN commands. These commands are required and do run, but they echo
      their argument back to the user rather than expanding the argument to
      indicate whether it is valid or invalid.

  -   Turns on SMTP security logging. When enabled, any use of the VRFY and
      EXPN commands is logged, even if the commands are disabled by the +
      option. Any invalid user given to the RCPT command is also logged.
      The log message is sent to syslogd as a mail.warning message. The
      message includes the date, time, user's hostname, command, and
      argument given to SMTP.
AIX 3.2
-------
APAR - IX41105 (PTF U426334)

AIX 4.1
-------
APAR - IX49343 (bos.net.tcp.client 4.1.2.2 or later)

=============================================================================
=============================================================================
CA-95:17  CERT Advisory
December 12, 1995

rpc.ypupdated Vulnerability
-----------------------------------------------------------------------------

AIX 3.2
-------
APAR - IX55360 (PTF U440666)

AIX 4.1
-------
APAR - IX55363

=============================================================================
=============================================================================
VB-95:08  CERT Vendor-Initiated Bulletin
November 2, 1995
-----------------------------------------------------------------------------

Patches for AIX 3.2 and AIX 4.1 are available now via anonymous FTP from
software.watson.ibm.com/pub/aix/xdm.

AIX 3.2   xdm.325
AIX 4.1   xdm.41

Please replace your /usr/bin/X11/xdm with these versions. Official fixes
will be available in approximately 4 weeks under the following APAR
numbers:

AIX 3.2   IX54679
AIX 4.1   IX54680

=============================================================================
=============================================================================
CA-95:14  CERT Advisory
November 1, 1995

Telnetd Environment Vulnerability
-----------------------------------------------------------------------------

IBM AIX is not vulnerable to the conditions described in this CERT Advisory.

=============================================================================
=============================================================================
CA-95:13  CERT Advisory
October 19, 1995

Syslog Vulnerability - A Workaround for Sendmail
-----------------------------------------------------------------------------

IBM Corp. - AIX 3.2 and AIX 4.1

Fixes can be obtained by ordering the following APARs using FixDist or by
contacting the IBM Support Center.
AIX 3.2   IX53358
AIX 4.1   IX53718

==============================================================================
                           SUCCESS THROUGH TEAMWORK
================================================================
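Several items in this report rely on interim permission changes rather than an APAR: the rdist workaround (chmod u-s /usr/bin/rdist), the rmail workaround (mode 555 on /usr/bin/rmail and /bin/rmail), and the routed temporary fix at the top of the report (mode 554 on the replacement /usr/sbin/routed). The following POSIX sh audit script is an added example, not part of the MCI or IBM text, that verifies those workarounds are actually in place; it uses only ls and test so it runs on an old AIX without stat(1). The paths are the ones the advisories name, and every check function also accepts an arbitrary path so it can be exercised on constructed sample files.

```shell
#!/bin/sh
# Added example (not from the MCI/IBM advisory text): verify that the
# permission-based workarounds in this report have been applied.
# Expected modes come from the advisories themselves:
#   rdist   - setuid bit removed (chmod u-s)
#   rmail   - mode 555  (-r-xr-xr-x)
#   routed  - mode 554  (-r-xr-xr--), the temporary fix's replacement binary

# is_setuid PATH : succeeds when the setuid bit is set on PATH
is_setuid() {
    [ -u "$1" ]
}

# mode_of PATH : prints the 10-character symbolic mode from ls -l,
# e.g. "-r-xr-xr-x"; portable to systems that lack stat(1)
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# has_mode PATH SYMBOLIC : succeeds when PATH's mode string is exactly SYMBOLIC
has_mode() {
    [ "$(mode_of "$1")" = "$2" ]
}

# check_rdist PATH : succeeds when the CA-96.14 workaround (no setuid) holds
check_rdist() {
    ! is_setuid "$1"
}

# check_rmail PATH : succeeds when the rmail workaround (mode 555) holds
check_rmail() {
    has_mode "$1" "-r-xr-xr-x"
}

# check_routed PATH : succeeds when the routed temporary fix (mode 554) holds
check_routed() {
    has_mode "$1" "-r-xr-xr--"
}

# report NAME PATH CHECK : prints one line per target; an absent file is
# skipped (not every system installs every binary) and counts as a pass,
# a present file that fails CHECK returns 1
report() {
    name=$1; path=$2; check=$3
    if [ ! -e "$path" ]; then
        echo "$name: $path not present, skipped"
        return 0
    fi
    if "$check" "$path"; then
        echo "$name: OK            $(mode_of "$path") $path"
        return 0
    fi
    echo "$name: NOT HARDENED  $(mode_of "$path") $path"
    return 1
}

# audit_aix : run every check against the paths named in the advisories;
# returns 1 if any present target is not hardened
audit_aix() {
    status=0
    report rdist  /usr/bin/rdist   check_rdist  || status=1
    report rmail  /usr/bin/rmail   check_rmail  || status=1
    report rmail  /bin/rmail       check_rmail  || status=1
    report routed /usr/sbin/routed check_routed || status=1
    return $status
}

if audit_aix; then
    echo "all present targets are hardened"
else
    echo "one or more targets still need the workaround applied"
fi
```

Run it as root on the AIX host after applying the workarounds; rerun it after an OS or PTF install, since a fileset update can reinstall the original binaries and silently restore the setuid bit on rdist. The check functions compare the exact mode string, so a file that is writable by group or other, which neither advisory permits, is reported as not hardened rather than accepted.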