Subject: Re: Security
From: AIX Service Mail Server (aixservaustin.ibm.com)
Date: Tue Nov 07 2000 - 21:31:13 CST


This file contains summary information on AIX security alerts published
by the Computer Emergency Response Team (CERT), and the IBM Emergency
Response Team (ERS). The full text of these alerts can be obtained from
this mail server by requesting the 'CERT' and 'ERS' files. This
information (and more) is available from CERT and ERS directly on the
world-wide web at the following URLs:

  CERT: http://www.cert.org/

   ERS: http://www.ers.ibm.com/

In order to keep the size of this file reasonable, it contains only
advisories for the current year. You can obtain a list of previous
advisories either from the above URLs, or by requesting one of the
"Security_YYYY" documents from this mail server.

The fixes mentioned in this document, when available, will be available
from FixDist. Information on obtaining and using FixDist is available
by requesting the 'FixDist' document from this mail server, or at the
following URL on the world-wide web:

  http://techsupport.services.ibm.com/rs6k/fixes.html

The 'Security_APARs' document on this mail server contains a list of
security related APARs.
===============================================================================
===============================================================================
ERS-FYI-E01-2000:078.1

THIS IS NOT A SECURITY VULNERABILITY ALERT

IBM-ERS For Your Information (FYI) documents are designed to provide customers
of the IBM Emergency Response Service with information about current topics in
the fields of Internet and virus security. FYI documents will be issued
periodically as the need arises. Topics may include security implications of
new protocols in use on the Internet, implementation suggestions for certain
types of services, virus hype and hoaxes, and answers to frequently asked
questions.
===============================================================================
I. Description

AIX allows a user-specified message catalog ("locale file") to be used
for displaying messages. This functionality is provided through the
catopen() call, which consults the NLSPATH environment variable to
locate a catalog in place of one of the system catalogs. By
constructing a valid catalog whose messages contain printf-style
format directives (for example %n) and setting NLSPATH to point at it,
a local user can make a privileged application expand his format
string instead of the program's own, and so obtain root privileges.
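
The following is an added example, not IBM's FYI text, efix, or AIX
libc code. It shows the two defences that follow from the description
above: a setuid/setgid program should not honour a user-supplied
NLSPATH at all, and whatever catgets() returns should be accepted as a
format string only if its conversions match the program's built-in
default. The function names (format_signature, trusted_message,
nlspath_must_be_ignored) and the sample default and catalog strings
are constructed for this example; catgets() itself is not called, so
the program runs without any catalog file.

```c
/*
 * Added example (not IBM's efix or AIX libc code). Two checks a
 * privileged program can make against the NLSPATH problem:
 *   1. ignore NLSPATH when running with ids the invoking user does not
 *      hold (setuid/setgid invocation), and
 *   2. accept a message from catgets() only if its printf-style
 *      conversions match the program's built-in default string.
 * Function names and sample strings are this example's own.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Reduce a printf format to the sequence of its conversion characters,
 * skipping flags, width, precision, positional ($) and length modifiers.
 * Returns the count, or -1 if the format contains %n or a dangling '%':
 * %n is the directive a format-string attack needs in order to write
 * memory, so a catalog message carrying it is rejected outright.
 */
static int format_signature(const char *fmt, char *out, size_t cap)
{
    int n = 0;
    const char *p;

    out[0] = '\0';
    for (p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                      /* "%%" prints a literal % */
            continue;
        while (*p != '\0' && strchr("-+ #0'", *p))
            p++;                            /* flags */
        while (*p != '\0' && (isdigit((unsigned char)*p) || *p == '*' || *p == '$'))
            p++;                            /* width or positional argument */
        if (*p == '.') {
            p++;
            while (*p != '\0' && (isdigit((unsigned char)*p) || *p == '*'))
                p++;                        /* precision */
        }
        while (*p != '\0' && strchr("hlLqjzt", *p))
            p++;                            /* length modifiers */
        if (*p == '\0' || *p == 'n' || (size_t)n + 1 >= cap)
            return -1;
        out[n++] = *p;
        out[n] = '\0';
    }
    return n;
}

/*
 * Return the catalog message if it is a safe drop-in for the built-in
 * default (same conversions, in the same order); otherwise return the
 * default. Use as: printf(trusted_message(dflt, catgets(cd, set, id, dflt)), ...)
 * instead of the vulnerable printf(catgets(cd, set, id, dflt), ...).
 */
const char *trusted_message(const char *dflt, const char *from_catalog)
{
    char want[32], got[32];
    int nw = format_signature(dflt, want, sizeof want);
    int ng = format_signature(from_catalog, got, sizeof got);

    if (nw < 0 || ng < 0 || nw != ng || strcmp(want, got) != 0)
        return dflt;
    return from_catalog;
}

/*
 * Returns 1 when NLSPATH is set and the real and effective ids differ,
 * i.e. when the program was invoked setuid or setgid and must not let
 * the environment choose its catalog. The ids are passed in so the
 * decision can be exercised without actually running privileged.
 */
int nlspath_must_be_ignored(const char *nlspath, uid_t ruid, uid_t euid,
                            gid_t rgid, gid_t egid)
{
    if (nlspath == NULL)
        return 0;
    return (ruid != euid || rgid != egid) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample: a program's default string and three catalog
       entries that might be offered for it. */
    const char *dflt = "cannot open %s: %s\n";
    const char *german = "%2$s: %1$s kann nicht geoeffnet werden\n";
    const char *hostile = "%x%x%x%x%x%x%n";
    const char *wrong_type = "cannot open %s: %d\n";

    printf("translation accepted: %d\n", trusted_message(dflt, german) == german);
    printf("%%n message rejected:  %d\n", trusted_message(dflt, hostile) == dflt);
    printf("type change rejected: %d\n", trusted_message(dflt, wrong_type) == dflt);
    printf("NLSPATH ignored under setuid: %d\n",
           nlspath_must_be_ignored("/tmp/evil/%N", 1000, 0, 100, 100));
    return 0;
}
```

The signature comparison deliberately ignores widths, flags and
positional reordering, since legitimate translations need those, and
rejects any change in the number or type of conversions, since that is
what lets a hostile catalog read or write memory through a privileged
program's printf call.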

II. Impact

Any executable with the setuid or setgid bit set is potentially
vulnerable to root compromise.

III. Solutions

  A. Official fix

      IBM is working on the following fix which will be available
      soon:

      AIX 4.3.x: IY13753

      NOTE: Fix will not be provided for versions prior to 4.3 as
      these are no longer supported by IBM. Affected customers are
      urged to upgrade to 4.3, or higher.

  B. How to minimize the vulnerability

    A temporary fix for AIX 4.3.x systems is available which ignores
    the NLSPATH environment variable. Note that pending standards
    compliance review, the actual APAR fix may or may not be
    implemented the same way. The temporary fix can be downloaded
    via ftp from:

    ftp://aix.software.ibm.com/aix/efixes/security/locale_format_efix.tar.Z

    The MD5 checksum for the efix libc is:

    Filename    sum           md5
    =================================================================
    libc.a      12878 6149    f8169a0c985220874c0404b4c69d5f20

    This temporary fix has not been fully regression tested. Do the
    following steps (as root) to install the temporary fix:

    1. Determine the version of the libc fileset on your machine.

        # lslpp -l bos.rte.libc

        If the version of the libc.a fileset for your machine is not
        at the level given below, install the requisite APAR
        listed. This will help ensure that the libc fix will run
        properly.

        Release     Fileset         Version     requisite APAR
        ============================================================
        AIX 4.3.x   bos.rte.libc    4.3.3.25    IY12541

    2. Uncompress and extract the fix.

        a. place the temporary fix in a directory of your choosing, e.g., "your_dir";
           using /tmp as your_dir is a reasonable choice
        b. # uncompress < locale_format_efix.tar.Z | tar xf -

        The efix libc.a will be extracted to your_dir/locale_format/lib

    3. Make sure the new libc.a works on your system.

        a. # slibclean
        b. # export LIBPATH=your_dir/locale_format/lib
        c. # ls your_dir

        NOTE: This "ls" is a simple test to make sure the new libc.a works.
        If this does *NOT* work (i.e. you get a "killed" message), then do
        *NOT* go further...this libc.a does not work on your system.

    4. Follow the instructions below to install the new libc.a.

        Make a copy of the original libc.a (make sure there is enough
        free space in the filesystem for you to work with), e.g.,

          a. # mkdir /usr/ccs/lib/sv
          b. # cp /usr/ccs/lib/libc.a /usr/ccs/lib/sv

        Copy the libc.a fix into place, e.g.,

          a. # cp -f your_dir/locale_format/lib/libc.a /usr/ccs/lib/
          b. # chown bin.bin /usr/ccs/lib/libc.a
          c. # chmod 555 /usr/ccs/lib/libc.a
          d. # ln -sf /usr/ccs/lib/libc.a /usr/lib/libc.a
          e. # unset LIBPATH
          f. # slibclean

        Make sure that the new libraries will be picked up at
        the next reboot.

          # bosboot -a

    5. Reboot.
===============================================================================
===============================================================================
CERT Advisory CA-2000-17 Input Validation Problem in rpc.statd

Systems Affected

     * Systems running the rpc.statd service
____________________________________________________________________

AIX is not affected.
===============================================================================
===============================================================================
CERT Advisory CA-2000-13 Two Input Validation Problems In FTPD

Systems Affected

     * Any system running wu-ftpd 2.6.0 or earlier
     * Any system running ftpd derived from wu-ftpd 2.0 or later
     * Some systems running ftpd derived from BSD ftpd 5.51 or BSD ftpd
       5.60 (the final BSD release)
____________________________________________________________________

AIX is not affected.
===============================================================================
===============================================================================
CERT Advisory CA-2000-11 MIT Kerberos Vulnerable to Denial-of-Service
Attacks

Systems Affected

     * Systems with MIT-derived implementations of the Kerberos 4 KDC
     * Systems with MIT-derived implementations of the Kerberos 5 KDC
       enabled to handle krb4 ticket requests

I. Description

   There are at least five distinct vulnerabilities in various versions
   and implementations of the Kerberos software. All of these
   vulnerabilities may be exploited to effect denial-of-service attacks
   with varying degrees of severity. These vulnerabilities include
     * The buffer used to hold the variable lastrealm in the function
       set_tgtkey() can be overflowed.

     * The buffer used to hold the variable localrealm in the function
       process_v4() can be overflowed.

     * The buffer to hold the variable e_msg in the function
       kerb_err_reply() can be overflowed.

     * The code that services AUTH_MSG_KDC_REQUESTs does not properly check
       for null-termination.

     * Memory that has previously been freed may be improperly freed again,
       possibly resulting in unstable operation.

II. Impact

   Depending on the version of Kerberos, the environment in which it is
   running, and the particular vulnerability that is exploited, a remote
   attacker can cause one or more of the following:
     * The KDC to issue invalid tickets for all principals,
     * The KDC to generate a "principal unknown" error, or
     * The KDC process to crash.

   Any new authentications to kerberized services will not be possible
   until the KDC is restarted. Note that this implies that operation of
   "kerberized" services will be halted until the KDC is restarted.

   It does not appear that any of these vulnerabilities allows the
   execution of code by an intruder.

III. Solution

   AIX 4.3: APAR IY11450
   PSSP 2.2: APAR IY11271
   PSSP 2.3: APAR IY11266
   PSSP 2.4: APAR IY11272
   PSSP 3.1.1: APAR IY11212
===============================================================================
===============================================================================
CERT Advisory CA-2000-09 Flaw in PGP 5.0 Key Generation

Systems Affected

     * UNIX systems having a /dev/random device running any version of
       PGP 5.0, including U.S. Commercial, U.S. Freeware, and
       International versions
     * Keys created non-interactively on such a system
     * Documents encrypted with such a key
     * Signatures generated with such a key
____________________________________________________________________

AIX is not affected.
===============================================================================
===============================================================================
VULNERABILITY: Filesystem vulnerability in AIX

I. Description

Local users could gain write access to some files on local or remotely
mounted AIX filesystems, even though the file permissions do not allow
write access. This vulnerability was discovered in the IBM laboratory
during analysis of filesystem behavior and is not exposed during normal
system operation.

II. Solutions

The following fixes can be obtained from the AIX Fix Distribution
Service at the following URL:

   http://techsupport.services.ibm.com/rs6k/fixes.html

   AIX 3.2.x: APAR IY10111
   AIX 4.1.x: APAR IY10031
   AIX 4.2.x: APAR IY10001
   AIX 4.3.x: APAR IY09941

   In addition, an emergency fix specifically built to install on AIX
   4.3.2 systems is available at the following URL:

   ftp://aix.software.ibm.com/aix/efixes/iy09941
===============================================================================
===============================================================================
CERT Advisory CA-2000-06 Multiple Buffer Overflows in Kerberos
Authenticated Services

Systems Affected

     * Systems running services authenticated via Kerberos 4
     * Some systems running services authenticated via Kerberos 5
     * Systems running the Kerberized remote shell daemon (krshd)
     * Systems with the Kerberos 5 ksu utility installed
     * Systems with the Kerberos 5 v4rcp utility installed

Description

   There are at least four distinct vulnerabilities in various versions
   and implementations of the Kerberos software. All of these
   vulnerabilities may be exploited to obtain root privileges.

Solution

   AIX 4.3: APAR IY10787
   PSSP 2.2: APAR IY10657
   PSSP 2.3: APAR IY10523
   PSSP 2.4: APAR IY10658
   PSSP 3.1.1: APAR IY10630
===============================================================================
===============================================================================