-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Thu Dec 13 15:02:23 CST 2011
| Updated: Thu Dec 15 09:13:32 CST 2011
| Fixed First Issued Date

The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/invscout_advisory2.asc

===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:      AIX inventory scout file deletion and symlink vulnerability

PLATFORMS:          AIX 5.3, 6.1, and 7.1, and earlier releases

SOLUTION:           Apply the fix described below.

THREAT:             See below.

CVE Number:         CVE-2011-1384

Reboot required?    NO
Workarounds?        YES
Protected by FPM?   NO
Protected by SED?   NO
===============================================================================
                           DETAILED INFORMATION

I. DESCRIPTION

    A vulnerability exists in the inventory scout code which may allow a
    user to delete vital system files and allow an attacker to cause the
    software to operate on unauthorized files.

II. CVSS

    CVSS Base Score: 6.3
    CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/71615 for the
    current score
    CVSS Environmental Score*: Undefined

III. PLATFORM VULNERABILITY ASSESSMENT

    To determine if your system is vulnerable, run the following command:

    # lslpp -l | grep invscout.rte

    The following filesets are vulnerable:

    AIX 7.1, 6.1, 5.3: all versions less than 2.2.0.19

    NOTE: The invscout.rte is based on an independent service release and
    is not tied to any particular version or release of AIX.

IV. SOLUTIONS

    A. APARS

        IBM has assigned the following APARs to this problem:

        AIX Level           APAR number        Availability
        ---------------------------------------------------
        5.3                 IV11643            available
        6.1                 IV11643            available
        7.1                 IV11643            available

        Subscribe to the APARs here:

        http://www.ibm.com/support/docview.wss?uid=isg1IV11643

        By subscribing, you will receive periodic email alerting you
        to the status of the APAR, and a link to download the fix once
        it becomes available.

    B. FIX

        IMPORTANT: If possible, it is recommended that a mksysb backup
        of the system be created. Verify it is both bootable and
        readable before proceeding.

        To preview a fix installation:

        installp -a -d fix_name -p all  # where fix_name is the name of the
                                        # fix package being previewed.

        To install a fix package:

        installp -a -d fix_name -X all  # where fix_name is the name of the
                                        # fix package being installed.

        Interim fixes have had limited functional and regression
        testing but not the full regression testing that takes place
        for Service Packs; thus, IBM does not warrant the fully
        correct functionality of an interim fix.

V. WORKAROUNDS

    a) Remove the setuid bit from the following:

        chmod 555 /opt/IBMinvscout/bin/invscoutClient_VPD_Survey
        chmod 555 /opt/IBMinvscout/sbin/invscout_lsvpd

    NOTE: chmod will disable functionality of these commands for all
    users except root.

VII. CONTACT INFORMATION

    If you would like to receive AIX Security Advisories via email,
    please visit:

        http://www.ibm.com/systems/support

    and click on the "My notifications" link.

    To view previously issued advisories, please visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd

    Comments regarding the content of this announcement can be
    directed to:

        security-alert@austin.ibm.com

    To request the PGP public key that can be used to communicate
    securely with the AIX Security Team you can either:

        A. Send an email with "get key" in the subject line to:

            security-alert@austin.ibm.com

        B. Download the key from a PGP Public Key Server. The key ID is:

            0x28BFAA12

    Please contact your local IBM AIX support center for any
    assistance.

    eServer is a trademark of International Business Machines
    Corporation. IBM, AIX and pSeries are registered trademarks of
    International Business Machines Corporation. All other trademarks
    are property of their respective holders.

VIII. ACKNOWLEDGMENTS

    This vulnerability was reported by Jakub Wartak.

IX. REFERENCES:

    Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html
    On-line Calculator V2:
        http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2
    X-Force Vulnerability Database:
        http://xforce.iss.net/xforce/xfdb/71615
    CVE-2011-1384:
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1384

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD8DBQFO6g8z4fmd+Ci/qhIRAhQdAKCqFBCfn3ms6+e+AXEopJRFexoNXACcCwbC
6wvhRNJBqlkf67NpMYLmSpw=
=KzI3
-----END PGP SIGNATURE-----
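
The vulnerability check from section III and the setuid workaround from section V, combined into one audit script. This is an added example, not part of IBM's advisory; the function names, the verdict strings and the sample lslpp output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the IBM advisory): audit a host for CVE-2011-1384.
FIXED_LEVEL=2.2.0.19    # section III: invscout.rte levels below this are vulnerable
# Setuid binaries named in the section V workaround.
BINARIES="/opt/IBMinvscout/bin/invscoutClient_VPD_Survey /opt/IBMinvscout/sbin/invscout_lsvpd"

# Constructed sample of `lslpp -l` output, used when lslpp is not available.
SAMPLE='  Fileset                      Level  State      Description
Path: /usr/lib/objrepos
  invscout.rte              2.2.0.16  COMMITTED  Inventory Scout Runtime'

# version_lt A B: true when dotted level A is numerically lower than B.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1    # equal levels are not "lower"
}

# invscout_status: read `lslpp -l` output on stdin and print a verdict.
invscout_status() {
    levels=$(awk '$1 == "invscout.rte" { print $2 }')
    if [ -z "$levels" ]; then echo "NOT_INSTALLED"; return 0; fi
    for lvl in $levels; do    # the fileset can appear under more than one Path: section
        if version_lt "$lvl" "$FIXED_LEVEL"; then echo "VULNERABLE $lvl"; return 0; fi
    done
    echo "NOT_VULNERABLE"
}

# setuid_count FILE...: how many of the given files still carry the setuid bit.
setuid_count() {
    n=0
    for f in "$@"; do
        if [ -u "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

if command -v lslpp >/dev/null 2>&1; then
    lslpp -l | invscout_status
else
    printf '%s\n' "$SAMPLE" | invscout_status
fi
echo "setuid binaries remaining: $(setuid_count $BINARIES)"
```

The level comparison is numeric per field, so a level such as 2.10.0.1 is not mistaken for being lower than 2.2.0.19, which a plain string comparison would get wrong.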