-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 IBM SECURITY ADVISORY First Issued: Wed May 21 11:20:56 CDT 2008 =============================================================================== VULNERABILITY SUMMARY VULNERABILITY: AIX iostat environment variable error PLATFORMS: AIX 5.2, 5.3, 6.1 SOLUTION: Apply the fix or workaround as described below. THREAT: A local attacker may execute arbitrary code. CVE Number: n/a Reboot required? NO Workarounds? YES Protected by FPM? YES (high, medium, or low) Protected by SED? NO =============================================================================== DETAILED INFORMATION I. DESCRIPTION The iostat command contains an environment variable handling error. A local attacker may exploit this error to execute arbitrary code with root privileges because the command is setuid root. The following files are vulnerable: /usr/bin/iostat II. PLATFORM VULNERABILITY ASSESSMENT To determine if your system is vulnerable, execute the following command: lslpp -L bos.acct The following fileset levels are vulnerable: AIX Fileset Lower Level Upper Level ----------------------------------------------------------- bos.acct 5.2.0.85 5.2.0.86 bos.acct 5.2.0.95 5.2.0.95 bos.acct 5.2.0.105 5.2.0.105 bos.acct 5.3.0.50 5.3.0.51 bos.acct 5.3.0.60 5.3.0.63 bos.acct 5.3.7.0 5.3.7.2 bos.acct 5.3.8.0 5.3.8.0 bos.acct 6.1.0.0 6.1.0.4 III. SOLUTIONS A. APARS IBM has assigned the following APARs to this problem: AIX Level APAR number Availability --------------------------------------------------- 5.2.0 IZ20635 Now 5.3.0 IZ22350 6/20/2008 5.3.7 IZ22351 6/20/2008 5.3.8 IZ21506 6/20/2008 6.1.0 IZ22349 6/20/2008 Subscribe to the APARs here: http://www.ibm.com/support/docview.wss?uid=isg1IZ20635 http://www.ibm.com/support/docview.wss?uid=isg1IZ22350 http://www.ibm.com/support/docview.wss?uid=isg1IZ22351 http://www.ibm.com/support/docview.wss?uid=isg1IZ21506 http://www.ibm.com/support/docview.wss?uid=isg1IZ22349 By subscribing, you will receive periodic email alerting you to the status of the APAR, and a link to download the fix once it becomes available. B. FIXES Fixes are available. The fixes can be downloaded from: http://aix.software.ibm.com/aix/efixes/security/iostat_fix.tar ftp://aix.software.ibm.com/aix/efixes/security/iostat_fix.tar The links above are to a tar file containing this signed advisory, fix packages, and PGP signatures for each package. The fixes below include prerequisite checking. This will enforce the correct mapping between the fixes and AIX Technology Levels. AIX Level Fix (*.U) and Interim Fix (*.Z) ------------------------------------------------------------------- 5.2.0 TL8 IZ20635_08.080514.epkg.Z 5.2.0 TL9 IZ20635_09.080514.epkg.Z 5.2.0 TL10 IZ20635_10.080514.epkg.Z 5.3.0 TL5 IZ22350_05.080514.epkg.Z 5.3.0 TL6 IZ22350_06.080514.epkg.Z 5.3.7 IZ22351_07.080514.epkg.Z 5.3.8 IZ21506_08.080514.epkg.Z 6.1.0 IZ22349_00.080514.epkg.Z To extract the fixes from the tar file: tar xvf iostat_fix.tar cd iostat_fix Verify you have retrieved the fixes intact: The checksums below were generated using the "sum", "cksum", "csum -h MD5" (md5sum), and "csum -h SHA1" (sha1sum) commands and are as follows: sum filename ------------------------------------- 50066 21 IZ20635_08.080514.epkg.Z 36104 21 IZ20635_09.080514.epkg.Z 62211 21 IZ20635_10.080514.epkg.Z 00806 47 IZ21506_08.080514.epkg.Z 58721 84 IZ22349_00.080514.epkg.Z 35311 43 IZ22350_05.080514.epkg.Z 51367 44 IZ22350_06.080514.epkg.Z 34354 47 IZ22351_07.080514.epkg.Z cksum filename ------------------------------------------- 4243908138 21321 IZ20635_08.080514.epkg.Z 1977515682 21397 IZ20635_09.080514.epkg.Z 3364525726 21372 IZ20635_10.080514.epkg.Z 294568034 47109 IZ21506_08.080514.epkg.Z 1353517907 85731 IZ22349_00.080514.epkg.Z 784404659 43886 IZ22350_05.080514.epkg.Z 2620297401 44441 IZ22350_06.080514.epkg.Z 2078653751 47141 IZ22351_07.080514.epkg.Z csum -h MD5 (md5sum) filename ----------------------------------------------------------- a34baf6d059e2cb5d4bd42576b428e5a IZ20635_08.080514.epkg.Z ca38fa1ded9ee91d10c03c0323bc0291 IZ20635_09.080514.epkg.Z 0a5d2df96aad21bc8fb89a8c2245121d IZ20635_10.080514.epkg.Z aa2dc5cdd673a7d4d771ef2deda0f35b IZ21506_08.080514.epkg.Z 32d7c022d750ec0a02381936b4a40c6d IZ22349_00.080514.epkg.Z 9a1950fbdf6dce8a447213e1c27fb490 IZ22350_05.080514.epkg.Z c935b8406819fff19b36eda177df6e94 IZ22350_06.080514.epkg.Z 6cce1445a7b479dece218c05a09ee0f0 IZ22351_07.080514.epkg.Z csum -h SHA1 (sha1sum) filename ------------------------------------------------------------------- 88caf0c79cc56f95b44e7584ed7a62c522e96fa9 IZ20635_08.080514.epkg.Z 4011d191a10489a42e43648abc06b8ab7eca8154 IZ20635_09.080514.epkg.Z 5b1dcdc053162fbbf6d3503f835b19879fe419fe IZ20635_10.080514.epkg.Z 10b39d745f113bd9407045c1cd9184aef04c485c IZ21506_08.080514.epkg.Z 204fab6105119ec5776d8eab5bb417c380974505 IZ22349_00.080514.epkg.Z d204a9a1f6a9095b17b84501a15350043753813c IZ22350_05.080514.epkg.Z e39c50e85a81017b0622b0772e23c00e6424ca0c IZ22350_06.080514.epkg.Z d8bd2529daecc0204de01f13bc88a8fe391fd018 IZ22351_07.080514.epkg.Z To verify the sums, use the text of this advisory as input to csum, md5sum, or sha1sum. For example: csum -h SHA1 -i Advisory.asc md5sum -c Advisory.asc sha1sum -c Advisory.asc These sums should match exactly. The PGP signatures in the tar file and on this advisory can also be used to verify the integrity of the fixes. If the sums or signatures cannot be confirmed, contact IBM AIX Security at security-alert@austin.ibm.com and describe the discrepancy. C. FIX AND INTERIM FIX INSTALLATION IMPORTANT: If possible, it is recommended that a mksysb backup of the system be created. Verify it is both bootable and readable before proceeding. To preview a fix installation: installp -a -d fix_name -p all # where fix_name is the name of the # fix package being previewed. To install a fix package: installp -a -d fix_name -X all # where fix_name is the name of the # fix package being installed. Interim fixes have had limited functional and regression testing but not the full regression testing that takes place for Service Packs; thus, IBM does not warrant the fully correct functionality of an interim fix. Interim fix management documentation can be found at: http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html To preview an interim fix installation: emgr -e ipkg_name -p # where ipkg_name is the name of the # interim fix package being previewed. To install an interim fix package: emgr -e ipkg_name -X # where ipkg_name is the name of the # interim fix package being installed. IV. WORKAROUNDS There are two workarounds available. A. OPTION 1 Change the permissions of these commands to remove the setuid bit using the following commands: chmod 500 /usr/bin/iostat NOTE: chmod will disable functionality of these commands for all users except root. B. OPTION 2 (AIX 6.1, AIX 5.3 TL6 and TL7) Use the File Permissions Manager (fpm) command to manage setuid and setgid programs. fpm documentation can be found in the AIX 6 Security Redbook at: http://www.redbooks.ibm.com/abstracts/sg247430.html An fpm level of high, medium, or low will remove the setuid bit from the affected commands. For example: fpm -l high -p # to preview changes fpm -l high # to execute changes NOTE: Please review the documentation before execution. fpm will disable functionality of multiple commands for all users except root. V. OBTAINING FIXES AIX security fixes can be downloaded from: http://aix.software.ibm.com/aix/efixes/security ftp://aix.software.ibm.com/aix/efixes/security AIX fixes can be downloaded from: http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix NOTE: Affected customers are urged to upgrade to the latest applicable Technology Level and Service Pack. VI. CONTACT INFORMATION If you would like to receive AIX Security Advisories via email, please visit: http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd Comments regarding the content of this announcement can be directed to: security-alert@austin.ibm.com To request the PGP public key that can be used to communicate securely with the AIX Security Team you can either: A. Send an email with "get key" in the subject line to: security-alert@austin.ibm.com B. Download the key from a PGP Public Key Server. The key ID is: 0xADA6EB4D Please contact your local IBM AIX support center for any assistance. eServer is a trademark of International Business Machines Corporation. IBM, AIX and pSeries are registered trademarks of International Business Machines Corporation. All other trademarks are property of their respective holders. VII. ACKNOWLEDGMENTS IBM discovered and fixed this vulnerability as part of its commitment to secure the AIX operating system. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (AIX) iD8DBQFINEv8P9Qud62m600RArjDAKDQIkEINFGR4AGXG5iuwCkTVDCf6ACfRfKK whMa1Avy8ZKtw/+7OPjyP60= =O8jS -----END PGP SIGNATURE-----