81 lines
2.8 KiB
Plaintext
81 lines
2.8 KiB
Plaintext
|
|
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
===========================================================================
|
|
CA-92:06 CERT Advisory
|
|
March 19, 1992
|
|
AIX uucp Vulnerability
|
|
|
|
- ---------------------------------------------------------------------------
|
|
|
|
The Computer Emergency Response Team/Coordination Center (CERT/CC) has
|
|
received information concerning a vulnerability with the UUCP software
|
|
in versions of AIX up to 2007. The vulnerability does not exist in AIX 3.2.
|
|
|
|
IBM is aware of this problem, and a fix is available as apar number
|
|
"ix18516". This patch is available for all AIX releases from GOLD to
|
|
2006.
|
|
|
|
The fix is in the 2007 update and 3.2 release of AIX. IBM customers may
|
|
call IBM Support (800-237-5511) and ask that the fix be shipped to them.
|
|
Patches may be obtained outside the U.S. by contacting your local IBM
|
|
representative.
|
|
|
|
- ---------------------------------------------------------------------------
|
|
|
|
I. Description
|
|
|
|
Previous versions, except AIX 3.2, of the UUCP software contained
|
|
incorrectly configured versions of various files.
|
|
|
|
|
|
II. Impact
|
|
|
|
Local users can execute unauthorized commands and gain unauthorized
|
|
root access.
|
|
|
|
|
|
III. Solution
|
|
|
|
- If allowing users access to the uucp isn't necessary, disable it.
|
|
|
|
% chmod 0100 /usr/bin/uucp
|
|
|
|
- Obtain the fix from IBM Support.
|
|
|
|
- Install the fix following the instructions in the README file.
|
|
|
|
- ---------------------------------------------------------------------------
|
|
The CERT/CC would like to thank Steve Knodle, Clarkson University, for
|
|
bringing this security vulnerability to our attention.
|
|
- ---------------------------------------------------------------------------
|
|
|
|
If you believe that your system has been compromised, contact CERT/CC or
|
|
your representative in FIRST (Forum of Incident Response and Security Teams).
|
|
|
|
Internet E-mail: cert@cert.org
|
|
Telephone: 412-268-7090 (24-hour hotline)
|
|
CERT/CC personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4),
|
|
on call for emergencies during other hours.
|
|
|
|
Computer Emergency Response Team/Coordination Center (CERT/CC)
|
|
Software Engineering Institute
|
|
Carnegie Mellon University
|
|
Pittsburgh, PA 15213-3890
|
|
|
|
Past advisories, information about FIRST representatives, and other
|
|
information related to computer security are available for anonymous ftp
|
|
from cert.org (192.88.209.5).
|
|
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.2
|
|
|
|
iQCVAwUBMaMw7HVP+x0t4w7BAQFe9gQAkzCu71kXM4VQX6gmr1mOxWrSkmVCrNFm
|
|
ux/DNyDFiiaEDjB/6yyCCh436CI7ZdE2vj7G1XRSwBSblKclX8f+cZ7wMNMCF6zG
|
|
tCmLSij2kQEvD/V13DcAVTu/4BSKL0q/FcVZxcqczJ/sKFncw6oHmaxgV5BKnnSW
|
|
mGIccnpcPFM=
|
|
=FlJq
|
|
-----END PGP SIGNATURE-----
|
|
|