From: AIX Service Mail Server (aixserv austin.ibm.com)
Date: Wed Nov 14 2001 - 02:19:37 CST
This file contains summary information on AIX security alerts published
by the Computer Emergency Response Team (CERT), and the IBM Emergency
Response Team (ERS). The full text of these alerts can be obtained from
this mail server by requesting the 'CERT' and 'ERS' files. This
information (and more) is available from CERT and ERS directly on the
world-wide web at the following URLs:
CERT: http://www.cert.org/
In order to keep the size of this file reasonable, it contains only
advisories for the current year. You can obtain a list of previous
advisories either from the above URLs, or by requesting one of the
"Security_YYYY" documents from this mail server.
The fixes mentioned in this document, when available, will be available
from FixDist. Information on obtaining and using FixDist is available
by requesting the 'FixDist' document from this mail server, or at the
following URL on the world-wide web:
http://techsupport.services.ibm.com/rs6k/fixes.html
The 'Security_APARs' document on this mail server contains a list of
security related APARs.
===============================================================================
===============================================================================
CERT Advisory CA-2001-31 Buffer Overflow in CDE Subprocess Control Service
Systems Affected
* Systems running CDE
I. Description
There is a remotely exploitable buffer overflow vulnerability in a
shared library that is used by dtspcd. During client negotiation,
dtspcd accepts a length value and subsequent data from the client
without performing adequate input validation. As a result, a malicious
client can manipulate data sent to dtspcd and cause a buffer overflow,
potentially executing code with root privileges.
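As an added illustration of the pattern described above (not dtspcd's own source), a length field taken from the client and trusted on the copy path, beside the bounds-checked version; the wire layout and the buffer size are assumptions made for the example:

```c
#include <stdint.h>
#include <string.h>

#define SPC_BUF 64  /* size of the fixed negotiation buffer: an assumption */
/* Constructed wire layout for this example (not the real SPC protocol):
 * a 4-byte big-endian length followed by that many bytes of data. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Flawed pattern: the client's length field is trusted, so memcpy can run
 * past both the received message and the fixed buffer. Comparison only;
 * never call it with untrusted input. */
int parse_negotiation_flawed(const unsigned char *msg, size_t msglen, char *buf)
{
    uint32_t len = be32(msg);
    (void)msglen;                       /* the flawed code never consults it */
    memcpy(buf, msg + 4, len);
    buf[len] = '\0';
    return (int)len;
}

/* Hardened pattern: the length is checked against what was actually
 * received and against the destination before any byte is copied.
 * Returns the payload length, or -1 if the message must be rejected. */
int parse_negotiation_fixed(const unsigned char *msg, size_t msglen,
                            char *buf, size_t bufsz)
{
    if (msglen < 4) return -1;          /* header incomplete */
    uint32_t len = be32(msg);
    if (len > msglen - 4) return -1;    /* claims more than was sent */
    if (len >= bufsz) return -1;        /* no room for the terminator */
    memcpy(buf, msg + 4, len);
    buf[len] = '\0';
    return (int)len;
}

/* Constructed samples: a well-formed message, and one whose length field
 * claims 200 bytes while only a single byte follows it. */
const unsigned char good_msg[]  = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
const unsigned char lying_msg[] = {0, 0, 0, 200, 'x'};

/* Internally consistent message that is still too large for the buffer;
 * returns 1 when the hardened parser rejects it. */
int oversized_is_rejected(void)
{
    unsigned char msg[4 + SPC_BUF];
    char buf[SPC_BUF];
    memset(msg, 'A', sizeof msg);
    msg[0] = msg[1] = msg[2] = 0;
    msg[3] = SPC_BUF;                   /* fills buf exactly, no room for NUL */
    return parse_negotiation_fixed(msg, sizeof msg, buf, sizeof buf) == -1;
}
```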
II. Impact
An attacker can execute arbitrary code with root privileges.
III. Solution
IBM addressed a buffer overflow in CDE dtspcd in AIX 4.x around April
1999. See the following APARs for more information:
APAR IY06694:
http://techsupport.services.ibm.com/aix/fixes/v4/X11/X11.Dt.rte.4.3.3.10.info
APAR IX89419 (AIX 4.3.0):
http://www-1.ibm.com/servlet/support/manager?rs=0&rt=0&org=apars&doc=29B5A5858069D8A2852567C90039978E
http://techsupport.services.ibm.com/aix/fixes/v4/X11/X11.Dt.lib.4.3.2.5.info
APAR IX89893 (AIX 4.2.0):
http://www-1.ibm.com/servlet/support/manager?rs=0&rt=0&org=apars&doc=AAF008DAA07200B6852567CC0049B07D
APAR IX89806 (AIX V4.1 BOS):
http://www-1.ibm.com/servlet/support/manager?rs=0&rt=0&org=apars&doc=446F48D60A887FF0852567CA005C9920
===============================================================================
===============================================================================
CERT Advisory CA-2001-30 Multiple Vulnerabilities in lpd
Systems Affected
* BSDi BSD/OS Version 4.1 and earlier
* Debian GNU/Linux 2.1 and 2.1r4
* FreeBSD All released versions FreeBSD 4.x, 3.x, FreeBSD
4.3-STABLE, 3.5.1-STABLE prior to the correction date
* Hewlett-Packard HP9000 Series 700/800 running HP-UX releases
10.01, 10.10, 10.20, 11.00, and 11.11
* IBM AIX Versions 4.3 and AIX 5.1
* Mandrake Linux Versions 6.0, 6.1, 7.0, 7.1
* NetBSD 1.5.2 and earlier
* OpenBSD Version 2.9 and earlier
* Red Hat Linux 6.0 all architectures
* SCO OpenServer Version 5.0.6a and earlier
* SGI IRIX 6.5-6.5.13
* Sun Solaris 8 and earlier
* SuSE Linux Versions 6.1, 6.2, 6.3, 6.4, 7.0, 7.1, 7.2
Overview
There are multiple vulnerabilities in several implementations of the
line printer daemon (lpd). The line printer daemon enables various
clients to share printers over a network. Review your configuration to
be sure you have applied all relevant patches. We also encourage you
to restrict access to the lpd service to only authorized users.
II. Impact
All of these vulnerabilities can be exploited remotely. In most cases,
they allow an intruder to execute arbitrary code with the privileges
of the lpd server. In some cases, an intruder must have access to a
machine listed in /etc/hosts.equiv or /etc/hosts.lpd, and in some
cases, an intruder must be able to control a nameserver.
One vulnerability (VU#39001) allows a user to specify options to sendmail
that can be used to execute arbitrary commands. Ordinarily, this
vulnerability is only exploitable from machines that are authorized to
use the lpd server. However, in conjunction with another vulnerability
(VU#30308), permitting intruders to gain access to the lpd service,
this vulnerability can be used by intruders not normally authorized to
use the lpd service.
For specific information about the impacts of each of these
vulnerabilities, please consult the CERT Vulnerability Notes Database
(http://www.kb.cert.org/vuls).
III. Solution
The following fixes are available.
AIX 4.3: APAR IY23037
AIX 5.1: APAR IY23041
NOTE: Fix will not be provided for versions prior to 4.3 as these
are no longer supported by IBM. Affected customers are urged to
upgrade to 4.3.3 at the latest maintenance level, or to 5.1.
===============================================================================
===============================================================================
CERT Advisory CA-2001-27 Format String Vulnerability in CDE ToolTalk
Systems Affected
* Systems running CDE ToolTalk
Overview
There is a remotely exploitable format string vulnerability in the CDE
ToolTalk RPC database service. This vulnerability could be used to
crash the service or execute arbitrary code, potentially allowing an
intruder to gain root access. This vulnerability is documented in
VU#595507.
I. Description
The Common Desktop Environment (CDE) is an integrated graphical user
interface that runs on Unix and Linux operating systems. CDE ToolTalk
is a message brokering system that provides an architecture for
applications to communicate with each other across hosts and
platforms. The ToolTalk RPC database server, rpc.ttdbserverd, manages
communication between ToolTalk applications. For more information
about CDE, see
http://www.opengroup.org/cde/
http://www.opengroup.org/desktop/faq/
There is a remotely exploitable format string vulnerability in the CDE
ToolTalk RPC database server. While handling an error condition, a
syslog(3) function call is made without providing a format string
specifier argument. Since rpc.ttdbserverd does not perform adequate
input validation or provide the format string specifier argument, a
crafted RPC request containing format string specifiers will be
interpreted by the vulnerable syslog(3) function call. Such a request
can be designed to overwrite specific locations in memory, thus
executing code with the privileges of rpc.ttdbserverd, typically root.
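The flawed call and its fix, as an added illustration of the bug class described above (not rpc.ttdbserverd's source; syslog(3) is replaced by a buffer-writing stand-in so the result can be checked offline):

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(3): renders into a caller-supplied buffer so the
 * result can be inspected offline. Like syslog, its third argument is
 * interpreted as a printf-style format. */
void ttdb_log(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Flawed pattern (the class the advisory describes): the error path hands
 * request-derived text over as the format argument itself, so any '%'
 * directives in it are evaluated against the stack. Comparison only. */
void log_request_error_flawed(char *out, size_t outlen, const char *req)
{
    ttdb_log(out, outlen, req);
}

/* Hardened pattern: a constant format; the request text only ever travels
 * as the argument to "%s" and is therefore copied verbatim. */
void log_request_error_fixed(char *out, size_t outlen, const char *req)
{
    ttdb_log(out, outlen, "ttdbserverd: bad request: %s", req);
}

/* Number of conversions a string would trigger if used as a format
 * ("%%" is an escaped percent sign, not a conversion). */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent sign */
        n++;
    }
    return n;
}

int main(void)
{
    const char *req = "%08x %08x %s";   /* constructed request text */
    char line[256];
    log_request_error_fixed(line, sizeof line, req);
    printf("%s (%d conversions suppressed)\n", line, count_conversions(req));
    return 0;
}
```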
The vulnerability was discovered by Internet Security Systems (ISS)
X-Force. For more information, see
http://xforce.iss.net/alerts/advise98.php
This vulnerability has been assigned the identifier CAN-2001-0717 by
the Common Vulnerabilities and Exposures (CVE) group:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0717
Many common UNIX systems ship with CDE ToolTalk installed and enabled
by default. The rpcinfo command may help determine if a system is
running the ToolTalk RPC database service:
$ rpcinfo -p hostname
The program number for the ToolTalk RPC database service is 100083.
References to this number in the output from rpcinfo or in /etc/rpc
may indicate that the ToolTalk RPC database service is running. Any
system that does not run the ToolTalk RPC database service is not
vulnerable to this problem.
II. Impact
An attacker can execute arbitrary code with the privileges of the
rpc.ttdbserverd process, typically root.
III. Solution
IBM AIX 5.1 and 4.3 are vulnerable. IBM has released an emergency
fix (efix) which contains patched binaries for both AIX 5.1 and
AIX 4.3 as well as an advisory:
ftp://aix.software.ibm.com/aix/efixes/security/tooltalk_efix.tar.Z
IBM is working on APARs which will not be available until late
October or November of 2001.
AIX 4.3: APAR IY24387
AIX 5.1: APAR IY23846
===============================================================================
===============================================================================
CERT Advisory CA-2001-21 Buffer Overflow in telnetd
Systems Affected
Systems running versions of telnetd derived from BSD source.
I. Description
There is a remotely exploitable buffer overflow in Telnet daemons
derived from BSD source code. During the processing of the Telnet
protocol options, the results of the "telrcv" function are stored in a
fixed-size buffer. It is assumed that the results are smaller than the
buffer and no bounds checking is performed.
II. Impact
An intruder can execute arbitrary code with the privileges of the
telnetd process, typically root.
III. Solution
IBM's AIX operating system, versions 5.1L and under, is vulnerable to this
exploit.
We have developed an emergency fix (efix) for this vulnerability, and are
testing it. This efix will be posted as soon as possible to the ftp site
ftp://ftp.software.ibm.com/aix/efixes/security. An APAR number will also
be assigned very soon.
IBM is investigating the severity of the exploitation of this vulnerability.
===============================================================================
===============================================================================
VULNERABILITY: Root Shell Spawning Possible Via "diagrpt"
PLATFORMS: IBM AIX 4.3.x and 5.1
SOLUTION: Apply the emergency-fixes described below, or
employ the workaround, also described below.
THREAT: Malicious user could obtain root privileges.
WORKAROUND
If you do not wish to install the efix for this vulnerability
but instead wait for the APAR that fixes it to be made
available, you can also negate this vulnerability by making the
"diagrpt" command non-SUID. You must be "root" to do this.
However, ordinary users will not be able to use the command if
the SUID bit is removed.
Official fix
IBM is working on the following fixes which will be available
soon:
AIX 4.3.x and 5.1: APAR assignment pending.
NOTE: Fix will not be provided for versions prior to 4.3 as
these are no longer supported by IBM. Affected customers are
urged to upgrade to 4.3.3 at the latest maintenance level,
or to 5.1.
How to minimize the vulnerability
Temporary fixes for AIX 4.3.x and 5.1 systems are available.
The temporary fixes can be downloaded via ftp from:
ftp://aix.software.ibm.com/aix/efixes/security/diagrpt_efix.tar.Z
The efix tarball consists of two patched diagrpt tarred binaries, one
for AIX 4.3.x systems (diagrpt.43.tar) and one for AIX 5.1
(diagrpt.51.tar). A copy of this Advisory is included in the efix
tarball.
These temporary fixes have not been fully regression tested; thus,
IBM does not warrant the fully correct functioning of the efix.
Customers install the efix and operate the modified version of AIX
at their own risk.
===============================================================================
===============================================================================
CERT Advisory CA-2001-09 Statistical Weaknesses in TCP/IP Initial Sequence Numbers
Original release date: May 01, 2001
Last revised: --
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
* Systems using TCP stacks which have not incorporated RFC1948 or
equivalent improvements
* Systems not using cryptographically-secure network protocols like
IPSec
____________________________________________________________________
AIX is not affected.
===============================================================================
===============================================================================
CERT Advisory CA-2001-07 File Globbing Vulnerabilities in Various FTP Servers
Original release date: April 10, 2001
Last revised: --
Source: CERT/CC
Systems Affected
FTP servers on various platforms
Overview
A variety of FTP servers incorrectly manage buffers in a way that can
lead to remote intruders executing arbitrary code on the FTP server.
The incorrect management of buffers is centered around the return from
the glob() function, and may be confused with a related
denial-of-service problem. These problems were discovered by the
COVERT Labs at PGP Security.
____________________________________________________________________
AIX is not affected.
===============================================================================
===============================================================================
CERT Advisory CA-2001-02 Multiple Vulnerabilities in BIND
Last revised: February 7, 2001
Systems Affected
Domain Name System (DNS) Servers running various versions of ISC BIND
(including both 4.9.x prior to 4.9.8 and 8.2.x prior to 8.2.3; 9.x is
not affected) and derivatives. Because the normal operation of most
services on the Internet depends on the proper operation of DNS
servers, other services could be impacted if these vulnerabilities are
exploited.
Overview
The CERT/CC has recently learned of four vulnerabilities spanning
multiple versions of the Internet Software Consortium's (ISC) Berkeley
Internet Name Domain (BIND) server. BIND is an implementation of the
Domain Name System (DNS) that is maintained by the ISC. Because the
majority of name servers in operation today run BIND, these
vulnerabilities present a serious threat to the Internet
infrastructure.
Three of these vulnerabilities (VU#196945, VU#572183, and VU#868916)
were discovered by the COVERT Labs at PGP Security, who have posted an
advisory regarding these issues at
http://www.pgp.com/research/covert/advisories/047.asp
The fourth vulnerability (VU#325431) was discovered by Claudio
Musmarra.
The Internet Software Consortium has posted information about all four
vulnerabilities at
http://www.isc.org/products/BIND/bind-security.html
I. Description
VU#196945 - ISC BIND 8 contains buffer overflow in transaction
signature (TSIG) handling code
During the processing of a transaction signature (TSIG), BIND 8 checks
for the presence of TSIGs that fail to include a valid key. If such a
TSIG is found, BIND skips normal processing of the request and jumps
directly to code designed to send an error response. Because the
error-handling code initializes variables differently than in normal
processing, it invalidates the assumptions that later function calls
make about the size of the request buffer.
Once these assumptions are invalidated, the code that adds a new
(valid) signature to the responses may overflow the request buffer and
overwrite adjacent memory on the stack or the heap. When combined with
other buffer overflow exploitation techniques, an attacker can gain
unauthorized privileged access to the system, allowing the execution
of arbitrary code.
VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()
The vulnerable buffer is a locally defined character array used to
build an error message intended for syslog. Attackers attempting to
exploit this vulnerability could do so by sending a specially
formatted DNS query to affected BIND 4 servers. If properly
constructed, this query could be used to disrupt the normal operation
of the DNS server process, resulting in either denial of service or
the execution of arbitrary code.
VU#868916 - ISC BIND 4 contains input validation error in
nslookupComplain()
The vulnerable buffer is a locally defined character array used to
build an error message intended for syslog. Attackers attempting to
exploit this vulnerability could do so by sending a specially
formatted DNS query to affected BIND 4 servers. If properly
constructed, this query could be used to disrupt the normal operation
of the DNS server process, resulting in the execution of arbitrary
code.
This vulnerability was patched by the ISC in an earlier version of
BIND 4, most likely BIND 4.9.5-P1. However, there is strong evidence
to suggest that some third party vendors who redistribute BIND 4 have
not included these changes in their BIND packages. Therefore, the
CERT/CC recommends that all users of BIND 4 or its derivatives base
their distributions on BIND 4.9.8.
VU#325431 - Queries to ISC BIND servers may disclose environment
variables
This vulnerability is an information leak in the query processing code
of both BIND 4 and BIND 8 that allows a remote attacker to access the
program stack, possibly exposing program and/or environment variables.
This vulnerability is triggered by sending a specially formatted query
to vulnerable BIND servers.
II. Impact
VU#196945 - ISC BIND 8 contains buffer overflow in transaction
signature (TSIG) handling code
This vulnerability may allow an attacker to execute code with the same
privileges as the BIND server. Because BIND is typically run by a
superuser account, the execution would occur with superuser
privileges.
VU#572183 - ISC BIND 4 contains buffer overflow in nslookupComplain()
This vulnerability can disrupt the proper operation of the BIND server
and may allow an attacker to execute code with the privileges of the
BIND server. Because BIND is typically run by a superuser account, the
execution would occur with superuser privileges.
VU#868916 - ISC BIND 4 contains input validation error in
nslookupComplain()
This vulnerability may allow an attacker to execute code with the
privileges of the BIND server. Because BIND is typically run by a
superuser account, the execution would occur with superuser
privileges.
VU#325431 - Queries to ISC BIND servers may disclose environment
variables
This vulnerability may allow attackers to read information from the
program stack, possibly exposing environment variables. In addition,
the information obtained by exploiting this vulnerability may aid in
the development of exploits for VU#572183 and VU#868916.
IV. Solution
IBM has posted an emergency fix for all four of the vulnerabilities
described in this Advisory.
This fix can be downloaded from:
ftp://ftp.software.ibm.com/aix/efixes/security
The compressed tarfile is multiple_bind_vulns_efix.tar.Z. Installation
instructions and other important information are given in the README
file that is included in the tarball.
The official fix for the four BIND 4 and BIND 8 vulnerabilities will be
in APAR IY16182.
===============================================================================