-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Wed May 21 11:11:21 CDT 2008

===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:      AIX unix kernel buffer overflow

PLATFORMS:          AIX 5.2, 5.3, 6.1

SOLUTION:           Apply the fix as described below.

THREAT:             A local attacker may execute arbitrary code.

CVE Number:         n/a

Reboot required?    YES
Workarounds?        NO
Protected by FPM?   NO
Protected by SED?   NO
===============================================================================
                           DETAILED INFORMATION

I. DESCRIPTION

    The AIX kernel contains a buffer which can overflow. A local attacker
    may exploit this overflow to execute arbitrary code in kernel mode or
    create a denial of service by causing an unexpected system halt.

    The following files are vulnerable:

        /usr/lib/boot/unix_64
        /usr/lib/boot/unix_mp
        /usr/lib/boot/unix_up

II. PLATFORM VULNERABILITY ASSESSMENT

    To determine if your system is vulnerable, execute the following
    command:

        lslpp -L bos.mp64 bos.mp bos.up

    The following fileset levels are vulnerable:

        AIX Fileset                 Lower Level       Upper Level
        -----------------------------------------------------------
        bos.mp64, bos.mp, bos.up    5.2.0.85          5.2.0.89
        bos.mp64, bos.mp, bos.up    5.2.0.95          5.2.0.102
        bos.mp64, bos.mp, bos.up    5.2.0.105         5.2.0.111
        bos.mp64, bos.mp            5.3.0.50          5.3.0.57
        bos.mp64, bos.mp            5.3.0.60          5.3.0.68
        bos.mp64, bos.mp            5.3.7.0           5.3.7.4
        bos.mp64, bos.mp            5.3.8.0           5.3.8.1
        bos.mp64                    6.1.0.0           6.1.0.5

III. SOLUTIONS

    A. APARS

        IBM has assigned the following APARs to this problem:

        AIX Level           APAR number        Availability
        ---------------------------------------------------
        5.2.0               IZ19911            Now
        5.3.0               IZ22368            6/20/2008
        5.3.7               IZ22369            6/20/2008
        5.3.8               IZ21481            6/20/2008
        6.1.0               IZ22370            6/20/2008

        Subscribe to the APARs here:

        http://www.ibm.com/support/docview.wss?uid=isg1IZ19911
        http://www.ibm.com/support/docview.wss?uid=isg1IZ22368
        http://www.ibm.com/support/docview.wss?uid=isg1IZ22369
        http://www.ibm.com/support/docview.wss?uid=isg1IZ21481
        http://www.ibm.com/support/docview.wss?uid=isg1IZ22370

        By subscribing, you will receive periodic email alerting you
        to the status of the APAR, and a link to download the fix once
        it becomes available.

    B. FIXES

        Fixes are available. The fixes can be downloaded from:

        http://aix.software.ibm.com/aix/efixes/security/unix_fix.tar
        ftp://aix.software.ibm.com/aix/efixes/security/unix_fix.tar

        The links above are to a tar file containing this signed
        advisory, fix packages, and PGP signatures for each package.
        The fixes below include prerequisite checking. This will
        enforce the correct mapping between the fixes and AIX
        Technology Levels.

        AIX Level        Fix (*.U) and Interim Fix (*.Z)
        -------------------------------------------------------------------
        5.2.0 TL8        IZ19911_8a.080515.epkg.Z
                         IZ19911_8b.080515.epkg.Z
                         IZ19911_8c.080515.epkg.Z
        5.2.0 TL9        IZ19911_9a.080515.epkg.Z
                         IZ19911_9b.080515.epkg.Z
                         IZ19911_9c.080515.epkg.Z
        5.2.0 TL10       IZ19911_0a.080515.epkg.Z
                         IZ19911_0b.080515.epkg.Z
                         IZ19911_0c.080515.epkg.Z
        5.3.0 TL5        IZ22368_5a.080515.epkg.Z
                         IZ22368_5b.080515.epkg.Z
        5.3.0 TL6        IZ22368_6a.080515.epkg.Z
                         IZ22368_6b.080515.epkg.Z
        5.3.7            IZ22369_7a.080515.epkg.Z
                         IZ22369_7b.080515.epkg.Z
        5.3.8            IZ21481_8a.080515.epkg.Z
                         IZ21481_8b.080515.epkg.Z
        6.1.0            IZ22370_0a.080515.epkg.Z

        To extract the fixes from the tar file:

            tar xvf unix_fix.tar
            cd unix_fix

        Verify you have retrieved the fixes intact:

        The checksums were generated using the "sum", "cksum",
        "csum -h MD5" (md5sum), and "csum -h SHA1" (sha1sum) commands.

        To verify the sums, use the text of this advisory as input to
        csum, md5sum, or sha1sum. For example:

            csum -h SHA1 -i Advisory.asc
            md5sum -c Advisory.asc
            sha1sum -c Advisory.asc

        These sums should match exactly. The PGP signatures in the tar
        file and on this advisory can also be used to verify the
        integrity of the fixes. If the sums or signatures cannot be
        confirmed, contact IBM AIX Security at
        security-alert@austin.ibm.com and describe the discrepancy.

    C. FIX AND INTERIM FIX INSTALLATION

        IMPORTANT: If possible, it is recommended that a mksysb backup
        of the system be created. Verify it is both bootable and
        readable before proceeding.

        To preview a fix installation:

            installp -a -d fix_name -p all   # where fix_name is the name of the
                                             # fix package being previewed.

        To install a fix package:

            installp -a -d fix_name -X all   # where fix_name is the name of the
                                             # fix package being installed.

        Interim fixes have had limited functional and regression
        testing but not the full regression testing that takes place
        for Service Packs; thus, IBM does not warrant the fully
        correct functionality of an interim fix.

        Interim fix management documentation can be found at:

        http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

        To preview an interim fix installation:

            emgr -e ipkg_name -p     # where ipkg_name is the name of the
                                     # interim fix package being previewed.

        To install an interim fix package:

            emgr -e ipkg_name -X     # where ipkg_name is the name of the
                                     # interim fix package being installed.

IV. WORKAROUNDS

    There are no workarounds.

V. OBTAINING FIXES

    AIX security fixes can be downloaded from:

        http://aix.software.ibm.com/aix/efixes/security
        ftp://aix.software.ibm.com/aix/efixes/security

    AIX fixes can be downloaded from:

        http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix

    NOTE: Affected customers are urged to upgrade to the latest
    applicable Technology Level and Service Pack.

VI. CONTACT INFORMATION

    If you would like to receive AIX Security Advisories via email,
    please visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd

    Comments regarding the content of this announcement can be
    directed to:

        security-alert@austin.ibm.com

    To request the PGP public key that can be used to communicate
    securely with the AIX Security Team you can either:

        A. Send an email with "get key" in the subject line to:

            security-alert@austin.ibm.com

        B. Download the key from a PGP Public Key Server. The key ID is:

            0xADA6EB4D

    Please contact your local IBM AIX support center for any
    assistance.

    eServer is a trademark of International Business Machines
    Corporation. IBM, AIX and pSeries are registered trademarks of
    International Business Machines Corporation. All other trademarks
    are property of their respective holders.

VII. ACKNOWLEDGMENTS

    IBM discovered and fixed this vulnerability as part of its
    commitment to secure the AIX operating system.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD8DBQFINEnMP9Qud62m600RAiOLAKCUJd7WOdppVL+vzJ/J2L0uJi8stQCgjcqo
WUbmZgecMFaLY8b/pRF1j1k=
=Wilw
-----END PGP SIGNATURE-----
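
The fileset-level comparison from section II (PLATFORM VULNERABILITY ASSESSMENT), as an added example that is not part of IBM's advisory: it checks "fileset level" pairs against the ranges in the advisory's table, comparing the four level fields numerically so that gaps between ranges and three-digit fix levels are handled. The names RANGES, is_vulnerable and scan are hypothetical, the sample input is constructed, and the lslpp -Lqc pipeline in the comment assumes colon-separated output with the fileset in field 2 and the level in field 3.

```shell
# Added example, not IBM code. Ranges from section II: filesets|lower|upper
RANGES='bos.mp64,bos.mp,bos.up|5.2.0.85|5.2.0.89
bos.mp64,bos.mp,bos.up|5.2.0.95|5.2.0.102
bos.mp64,bos.mp,bos.up|5.2.0.105|5.2.0.111
bos.mp64,bos.mp|5.3.0.50|5.3.0.57
bos.mp64,bos.mp|5.3.0.60|5.3.0.68
bos.mp64,bos.mp|5.3.7.0|5.3.7.4
bos.mp64,bos.mp|5.3.8.0|5.3.8.1
bos.mp64|6.1.0.0|6.1.0.5'

# is_vulnerable FILESET LEVEL (hypothetical helper)
# Returns 0 = level in a listed range, 1 = not listed, 2 = malformed level.
is_vulnerable() {
    printf '%s\n' "$RANGES" | awk -F'|' -v name="$1" -v lvl="$2" '
        # Zero-pad the four V.R.M.F fields so that keys order correctly as
        # strings; comparing raw levels would sort 5.2.0.102 before 5.2.0.95.
        function key(v,   p, i, k) {
            if (split(v, p, ".") != 4) return ""
            for (i = 1; i <= 4; i++) {
                if (p[i] !~ /^[0-9]+$/ || length(p[i]) > 5) return ""
                k = k sprintf("%05d", p[i])
            }
            return k
        }
        BEGIN { want = key(lvl); if (want == "") { bad = 1; exit 2 } }
        index("," $1 ",", "," name ",") && want >= key($2) && want <= key($3) { hit = 1 }
        END { if (bad) exit 2; exit(hit ? 0 : 1) }'
}

# scan (hypothetical): read "fileset level" pairs on stdin, report each one,
# and return 1 if any pair is in a vulnerable range. Assumed way to feed it:
#   lslpp -Lqc bos.mp64 bos.mp bos.up | awk -F: '{print $2, $3}' | scan
scan() {
    found=0
    while read -r fileset level; do
        st=0; is_vulnerable "$fileset" "$level" || st=$?
        case $st in
            0) echo "$fileset $level: VULNERABLE"; found=1 ;;
            1) echo "$fileset $level: not in a listed range" ;;
            *) echo "$fileset $level: unparseable level" ;;
        esac
    done
    return "$found"
}

# Constructed sample input, not output from a real system.
scan <<'EOF' || true
bos.mp64 5.3.7.2
bos.mp 5.3.0.59
EOF
```

A level that falls between two listed ranges (such as 5.3.0.59) is reported as not listed rather than as fixed; whether the fix is installed is a separate check.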