OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: IBM MSS Advisory Service (advisoryUS.IBM.COM)
Date: Wed Apr 18 2001 - 05:59:09 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

                                IBM Global Services
                             Managed Security Services
                          Outside Advisory Redistribution

    ----------- Forwarded Information Starts Here.
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    IBM SECURITY ADVISORY

    Tue Apr 10 11:15:04 CDT 2001
    ===========================================================================
                               VULNERABILITY SUMMARY

    VULNERABILITY: Buffer Overflow Vulnerability in (x)ntp

    PLATFORMS: IBM AIX 4.3.x and 5.1

    SOLUTION: Apply the emergency-fixes described below.

    THREAT: Malicious user could obtain root privileges, or cause
                      a denial of service (DoS).

    CERT Advisory: Pending.

    ===========================================================================
                               DETAILED INFORMATION

    I. Description

       The Network Time Protocol daemon, (x)ntp, shipped with AIX contains
       a buffer overflow vulnerability that allows a malicious user, local
       or remote, to gain root privileges.

       Gaining root privileges by exploiting this vulnerability appears to
       be somewhat difficult in practice, as knowledge of the hardware-
       dependent stack registers/addresses is required for different
       architectures. Also, there does not exist much "working room" in the
       size of the stack overflow that can be accomplished, requiring
       an especially well-crafted exploit code.

       An exploit has been written and made public; it is intended for use
       on Intel architectures to gain root access. However, it causes ntp
       daemon problems when run as is. A result is likely to be a denial of
       service (DoS). The exploit code would need to be
       modified for full exploitation on the RISC6000 architecture.

       Nonetheless, IBM has found that a vulnerability in the daemon
       source code does exist, and has fixed this problem.

    II. Impact

       A malicious local or remote user can use a well-crafted exploit code
       to gain root privileges on the attacked system, compromising the
       integrity of the system and its attached local network.

       If the malicious user is unable to gain root access, he or she could
       still cause a system crash (DoS) via this vulnerability.

    III. Solutions

      A. Official fix

          IBM is working on the following fixes which will be available
          soon:

          AIX 4.3.x and 5.1: APAR assignment pending.

          NOTE: Fix will not be provided for versions prior to 4.3 as
          these are no longer supported by IBM. Affected customers are
          urged to upgrade to 4.3.3 at the latest maintenance level,
          or to 5.1, when it becomes available.

      B. How to minimize the vulnerability

        Temporary fixes for AIX 4.3.x and 5.1 systems are available.

        The temporary fixes can be downloaded via ftp from:

        ftp://aix.software.ibm.com/aix/efixes/security/xntpd_efix.tar.Z

        The efix tarball consists of two patched xntpd binaries, one for
        AIX 4.3.x systems (xntpd.43) and one for AIX 5.1 (scheduled for
        release soon; binary is xntpd.51). A copy of this Advisory is also
        included.

        These temporary fixes have not been fully regression tested; thus,
        IBM does not warrant the fully correct functioning of the efix.
        Customers install the efix and operate the modified version of AIX
        at their own risk.

        To proceed with efix installation:

        First, verify the MD5 cryptographic hash sums of each efix files
        you obtain from unpacking the efix tarball with those given below.
    These
        should match exactly; if they do not, double check the hash results
        and the download site address. If OK, contact IBM AIX Security at
        security-alertaustin.ibm.com and describe the discrepancy.

        Filename sum md5
        =================================================================
        xntpd.43 15698 254 66f9e21a02267eaead6f7f020f16ce8c
        xntpd.51 56685 267 6a2c7260a45c3849752f976f12c1881c

        Efix Installation Instructions:
        -------------------------------

        1. Become root, if not already done.

        2. In a scratch or tmp directory, uncompress and untar the efix:

           a. uncompress xntpd_efix.tar.Z
           b. tar -xvf xntpd_efix.tar

        3. If you are running an AIX 4.3.x system, copy the xntpd.43 file
           to /usr/sbin. Do the same if you have AIX 5.1 running, except
           copy the xntpd.51 file.

        4. Stop the ntp daemon if it is currently running:

           a. stopsrc -s xntpd

        5. Make a backup copy of the existing
           xntpd binary package in case something goes wrong with the
           installation of the efix:

           a. cp /usr/sbin/xntpd /usr/sbin/xntpd.original

        6. Now copy the efix binary to take the place of the original xntpd:

           a. cp /usr/sbin/xntpd.43 (or xntpd.51, as appropriate)
              /usr/sbin/xntpd.

        7. Check to be certain that the new xntpd is executable by root and
           is assigned proper permissions otherwise.

        8. Restart the ntp daemon:

           a. startsrc -s xntpd

    IV. Obtaining Fixes

    IBM AIX APARs may be ordered using Electronic Fix Distribution (via the
    FixDist program), or from the IBM Support Center. For more information
    on FixDist, and to obtain fixes via the Internet, please reference

            http://techsupport.services.ibm.com/rs6k/fixes.html

    or send email to "aixservaustin.ibm.com" with the word "FixDist" in the
    "Subject:" line.

    To facilitate ease of ordering all security related APARs for each AIX
    release, security fixes are periodically bundled into a cumulative APAR.
    For more information on these cumulative APARs including last update and
    list of individual fixes, send email to "aixservaustin.ibm.com" with
    the word "subscribe Security_APARs" in the "Subject:" line.

    V. Acknowledgements

    Many thanks to Przemyslaw Frasunek <venglinFREEBSD.LUBLIN.PL>
    for discovering this vulnerability, and to the CERT/CC and
    SecurityFocus' BUGTRAQ for posting notices of this security
    problem.

    VI. Contact Information

    Comments regarding the content of this announcement can be directed to:

       security-alertaustin.ibm.com

    To request the PGP public key that can be used to encrypt new AIX
    security vulnerabilities, send email to security-alertaustin.ibm.com
    with a subject of "get key".

    If you would like to subscribe to the AIX security newsletter, send a
    note to aixservaustin.ibm.com with a subject of "subscribe Security".
    To cancel your subscription, use a subject of "unsubscribe Security".
    To see a list of other available subscriptions, use a subject of
    "help".

    IBM and AIX are a registered trademark of International Business
    Machines Corporation. All other trademarks are property of their
    respective holders.
    -----BEGIN PGP SIGNATURE-----
    Version: PGP Personal Privacy 6.5.3

    iQA/AwUBOtWVhcXrSKQHhgFwEQKJ4gCgtmhQJ6WouopVi0pPcnlnu/Z67NcAoLiD
    2wvKo+hjNY3MqAWw+QjUEOuA
    =9nPJ
    -----END PGP SIGNATURE-----
    ----------- Forwarded Information Ends Here.