151 lines
5.7 KiB
Plaintext
151 lines
5.7 KiB
Plaintext
|
|
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
=============================================================================
|
|
CERT(sm) Advisory CA-94:10
|
|
Original issue date: June 3, 1994
|
|
Last revised: August 30, 1996
|
|
Removed references to README files.
|
|
|
|
A complete revision history is at the end of this file.
|
|
|
|
Topic: IBM AIX bsh Vulnerability
|
|
- -----------------------------------------------------------------------------
|
|
|
|
The CERT Coordination Center has learned of a vulnerability in the
|
|
batch queue (bsh) of IBM AIX systems running versions prior to and
|
|
including AIX 3.2.
|
|
|
|
CERT recommends disabling the batch queue by following the workaround
|
|
instructions in Section III below. Section III also includes
|
|
information on how to obtain fixes from IBM if the bsh queue
|
|
functionality is required by remote systems.
|
|
|
|
We will update this advisory as we receive additional information.
|
|
Please check advisory files regularly for updates that relate to your site.
|
|
|
|
- -----------------------------------------------------------------------------
|
|
|
|
I. Description
|
|
|
|
The queueing system on IBM AIX includes a batch queue, "bsh",
|
|
which is turned on by default in /etc/qconfig on all versions of
|
|
AIX 3 and earlier.
|
|
|
|
II. Impact
|
|
|
|
If network printing is enabled, remote and local users can gain
|
|
access to a privileged account.
|
|
|
|
III. Solution
|
|
|
|
In the next release of AIX, the bsh queue will be turned off by
|
|
default. CERT/CC recommends that the bsh queue be turned off using
|
|
the workaround described in Section A below unless there is an
|
|
explicit need to support this functionality for remote hosts. If
|
|
this functionality must be supported, IBM provides fixes as
|
|
outlined in Sections B and C below. For questions concerning
|
|
these workarounds or fixes, please contact IBM at the number
|
|
provided below.
|
|
|
|
A. Workaround
|
|
|
|
Disable the bsh queue by following one of the two procedures
|
|
outlined below:
|
|
|
|
1. As root, from the command line, enter:
|
|
# chque -qbsh -a"up = FALSE"
|
|
|
|
2. From SMIT, enter:
|
|
- Spooler
|
|
- Manage Local Printer Subsystem
|
|
- Change/Show Characteristics of a Queue
|
|
select bsh
|
|
- Activate the Queue
|
|
select no
|
|
|
|
B. Emergency fix
|
|
|
|
Obtain and install the emergency fix for the version(s) of AIX
|
|
used at your site. Fixes for the various levels of AIX are
|
|
available by anonymous FTP from software.watson.ibm.com. The
|
|
files are located in /pub/aix/bshfix.tar.Z in compressed tar
|
|
format. Installation instructions are included in the README
|
|
file included as part of the tar file.
|
|
|
|
The directory /pub/aix contains the latest available emergency
|
|
fix for APAR IX44381. As updates become available, any new
|
|
versions will be placed in this directory with the name
|
|
bshfix<#>.tar.Z with <#> being incremented for each update.
|
|
See the README.FIRST file in that directory for details.
|
|
|
|
IBM may remove this emergency fix file without prior notice if
|
|
flaws are reported. Due to the changing nature of these
|
|
files, no checksum information is available.
|
|
|
|
C. Official fix
|
|
|
|
The official fix for this problem can be ordered as APAR
|
|
IX44381.
|
|
|
|
To order APARs from IBM in the U.S., call 1-800-237-5511 and
|
|
ask that it be shipped to you as soon as it is available. To
|
|
obtain APARs outside of the U.S., contact your local IBM
|
|
representative.
|
|
|
|
- ---------------------------------------------------------------------------
|
|
The CERT Coordination Center wishes to thank Gordon C. Galligher of
|
|
Information Resources, Inc. for reporting this problem and IBM
|
|
Corporation for their support in responding to this problem.
|
|
- ---------------------------------------------------------------------------
|
|
|
|
If you believe that your system has been compromised, contact the CERT
|
|
Coordination Center or your representative in Forum of Incident
|
|
Response and Security Teams (FIRST).
|
|
|
|
If you wish to send sensitive incident or vulnerability information to
|
|
CERT via electronic mail, CERT strongly advises that the e-mail be
|
|
encrypted. CERT can support a shared DES key, PGP (public key
|
|
available via anonymous FTP on info.cert.org), or PEM (contact CERT
|
|
for details).
|
|
|
|
Internet E-mail: cert@cert.org
|
|
Telephone: 412-268-7090 (24-hour hotline)
|
|
CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
|
|
and are on call for emergencies during other hours.
|
|
|
|
CERT Coordination Center
|
|
Software Engineering Institute
|
|
Carnegie Mellon University
|
|
Pittsburgh, PA 15213-3890
|
|
USA
|
|
|
|
Past advisories, information about FIRST representatives, and other
|
|
information related to computer security are available for anonymous FTP from
|
|
info.cert.org.
|
|
|
|
Copyright 1994, 1996 Carnegie Mellon University
|
|
This material may be reproduced and distributed without permission provided
|
|
it is used for noncommercial purposes and the copyright statement is
|
|
included.
|
|
|
|
CERT is a service mark of Carnegie Mellon University.
|
|
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
Revision history
|
|
|
|
Aug. 30, 1996 Removed references to README files because advisories
|
|
themselves are now updated.
|
|
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.2
|
|
|
|
iQCVAwUBMiSd8nVP+x0t4w7BAQGIBQQArrFHhp6x/+L9bGEcxIHOM4QVxwOR8R1F
|
|
wwhA9QOkQkeCEgkqVrM9vBTR9mrNaoxoXBpmnDyIDhcyd46BrbbJcNU+7tvY2Tya
|
|
016jVfmNWGKsqPYFPQlBuWv2uaouDauOBQC+2fsaGtVvDZax0rudqSZUe/4yJNT9
|
|
+taMZi4HUP0=
|
|
=nFeQ
|
|
-----END PGP SIGNATURE-----
|
|
|