80 lines
3.0 KiB
Plaintext
80 lines
3.0 KiB
Plaintext
|
|
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
===========================================================================
|
|
CA-92:09 CERT Advisory
|
|
April 27, 1992
|
|
AIX Anonymous FTP Vulnerability
|
|
|
|
- ---------------------------------------------------------------------------
|
|
|
|
The Computer Emergency Response Team/Coordination Center (CERT/CC) has
|
|
received information concerning a vulnerability in the anonymous FTP
|
|
configuration in all versions of AIX.
|
|
|
|
IBM is aware of this problem and a fix is available as apar number
|
|
"ix23944". This patch is available for all AIX releases from "GOLD".
|
|
|
|
IBM customers may call IBM Support (800-237-5511) and ask that the fix
|
|
be shipped to them. Patches may be obtained outside the U.S. by contacting
|
|
your local IBM representative. The fix will appear in the upcoming 2009
|
|
update and the next release of AIX.
|
|
|
|
- ---------------------------------------------------------------------------
|
|
|
|
I. Description
|
|
|
|
Previous versions of the anonymous FTP installation script,
|
|
/usr/lpp/tcpip/samples/anon.ftp, incorrectly configured various files
|
|
and directories.
|
|
|
|
|
|
II. Impact
|
|
|
|
Remote users can execute unauthorized commands and gain access to the
|
|
system if anonymous FTP has been installed.
|
|
|
|
|
|
III. Solution
|
|
|
|
A. Obtain the fix from IBM Support. The fix contains three
|
|
files: a "readme" file (README.a23944), the fix installation
|
|
script (install.a23944), and an archive containing the updated
|
|
files (PATCH.a23944.Z).
|
|
|
|
B. Install the fix following the instructions in the README file.
|
|
|
|
- ---------------------------------------------------------------------------
|
|
The CERT/CC would like to thank Charles McGuire of the Computer Science
|
|
Department, the University of Montana for bringing this security
|
|
vulnerability to our attention and IBM for their response to the problem.
|
|
- ---------------------------------------------------------------------------
|
|
|
|
If you believe that your system has been compromised, contact CERT/CC or
|
|
your representative in FIRST (Forum of Incident Response and Security Teams).
|
|
|
|
Internet E-mail: cert@cert.org
|
|
Telephone: 412-268-7090 (24-hour hotline)
|
|
CERT/CC personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4),
|
|
on call for emergencies during other hours.
|
|
|
|
Computer Emergency Response Team/Coordination Center (CERT/CC)
|
|
Software Engineering Institute
|
|
Carnegie Mellon University
|
|
Pittsburgh, PA 15213-3890
|
|
|
|
Past advisories, information about FIRST representatives, and other
|
|
information related to computer security are available for anonymous ftp
|
|
from cert.org (192.88.209.5).
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.2
|
|
|
|
iQCVAwUBMaMw9XVP+x0t4w7BAQG9awQAxY+3cWmeRPjyXqxUZ1fzDfyzLsSlIrN9
|
|
2FDn403Rmq0kHoyTm9QzGjGC9Rgl0M00fJK40tO/9s+jdwpT73KJGjV/mej/Hhde
|
|
e523KGpbgkdwgxu11PFpPeXc7gmpz8Jj3jZQbF+o2C1mOgXNS5+YTK7pgFDRJja1
|
|
mUhW/JRo8LI=
|
|
=jVpe
|
|
-----END PGP SIGNATURE-----
|
|
|