2001-10-29
Published: 2001-10-29 00:00:00
Updated: 2001-10-29 00:00:00
IBM Global Services
Managed Security Services
Outside Advisory Redistribution
----------- Forwarded Information Starts Here.
IBM SECURITY ADVISORY
Mon Oct 29 09:15:39 CST 2001
===========================================================================
VULNERABILITY SUMMARY
VULNERABILITY: Buffer overflow vulnerability in CDE DtSvc library
PLATFORMS: IBM AIX 4.3 and 5.1
SOLUTION: Apply the emergency-fixes described below
THREAT: Malicious user can obtain elevated privileges
CERT Advisory: NONE
===========================================================================
DETAILED INFORMATION
I. Description
A buffer overflow vulnerability has been found in the Common Desktop Environment (CDE) libDtSvc.a library.
The overflow is triggered when a user passes a specially crafted string to any of the "dt" commands (e.g., dtprintinfo and dtterm) as the argument of the "-session" option.
II. Impact
A malicious local user can use well-crafted exploit code to gain elevated, possibly root, privileges on the attacked system, compromising the integrity of the system and of its attached local network.
The exploitability of this vulnerability has not been studied completely. Nonetheless, AIX system administrators and security personnel are urged to apply the emergency patches being made available to preclude a possibly serious attack.
III. Solutions
A. Official fix
IBM is working on the following fixes, which will be available soon:
AIX 5.1: Pending assignment - the README file in the efix download directory will be updated as soon as the assignment is made.
AIX 4.3: APAR #IY24596
The APARs for AIX 4.3 and 5.1 will not be available until late November 2001.
NOTE: Fixes will not be provided for versions prior to 4.3, as these are no longer supported by IBM. Affected customers are urged to upgrade to 4.3.3 at the latest maintenance level, or to 5.1.
B. How to minimize the vulnerability
WORKAROUND
None, other than disabling the CDE.
EMERGENCY FIX (efix):
Temporary fixes for AIX 4.3.x and 5.1 systems are available. The temporary fixes can be downloaded via ftp from:
ftp://aix.software.ibm.com/aix/efixes/security
The name of the efix you want to download to close this vulnerability is CDE_libDtSvc_efix.tar.Z.
The efix compressed tarball contains a copy of this Advisory and another tarfile, efix_binaries.tar. This latter tarfile will untar into two binary efix files, libDtSvc.a_43 and libDtSvc.a_51, for AIX 4.3 and 5.1 respectively. In addition, there is a detached PGP signature file for efix_binaries.tar. The proper signature is that of AIX Security <security-alert@austin.ibm.com>.
These temporary fixes have not been fully regression tested; thus, IBM does not warrant the fully correct functioning of the efix. Customers install the efix and operate the modified version of AIX at their own risk.
To proceed with efix installation:
First, verify the MD5 cryptographic hash of the efix_binaries.tar you obtain from unpacking the downloaded compressed tarball against the value given below. The two should match exactly. If they do not, double-check the hash computation and the download site address; if both are correct and the hashes still differ, do not install the efix, and contact IBM AIX Security at security-alert@austin.ibm.com describing the discrepancy.
Also, for those who use PGP, another check of the integrity of the efix binaries tarfile is the detached PGP signature file, efix_binaries.tar.asc, included in the package. Because the signature is checked against a key obtained from IBM rather than against a value published alongside the download, it is the stronger of the two checks.
MD5 (efix_binaries.tar) = 31db9713ba5a6a919cc882c7a0525217
IMPORTANT NOTE REGARDING MD5:
"MD5" is "Message Digest #5". MD5 is a 128-bit one-way cryptographic hash algorithm. It is used to generate a "signature" or "fingerprint" of a file, or of a directory and its files, and to compare that fingerprint with someone else's MD5 fingerprint of the same file/directory. If the fingerprints match, the file/directory being examined has not been modified or replaced with another. Thus, one can be reasonably certain that the file or fileset is the one originally created by a known, trusted entity, and passed to the intended person or people.
Note that a hash only detects modification relative to the published value; it does not establish who published that value. An attacker who can replace the tarball on a download site can also replace a hash posted next to it, and MD5 itself is no longer considered collision resistant. Treat the MD5 check as protection against corrupted or truncated downloads, and use the detached PGP signature to establish that the efix came from IBM.
Source code for MD5 can be obtained at:
ftp://ftp.funet.fi/pub/crypt/hash/mds/md5
Customers should download md5sum.tar.gz and the Makefile, and then compile to make the executable.
To generate the hash of a file or fileset, enter on the command line the name of the MD5 executable followed by the name of the file/directory of interest, then compare the output hash with that given above.
Finally, using MD5, or not using it, does not affect in any way the installation of the efix. It is meant to be a security measure only.
efix Installation Instructions:
-------------------------------
1. Become root, if not already done.
2. In the /tmp directory, uncompress and untar the efix:
a. uncompress CDE_libDtSvc_efix.tar.Z
b. tar -xvf CDE_libDtSvc_efix.tar
c. tar -xvf efix_binaries.tar
You will now have two binary efix files: libDtSvc.a_43 and libDtSvc.a_51, one for AIX 4.3 and the other for AIX 5.1, respectively. You will also have a PGP-signed copy of this advisory, named "Advisory". There is also a detached PGP signature of the efix_binaries.tar file. The signature should be that of AIX Security <security-alert@austin.ibm.com>. Verify the MD5 hash of efix_binaries.tar (and, if you use PGP, the detached signature) as described above before going further.
Keep the binary file containing the patch for your version of AIX. You may discard the unneeded one if you desire. Now execute:
cp libDtSvc.a_xy libDtSvc.a      # where "xy" is either "43" or "51" as appropriate
3. Follow these instructions:
To install libDtSvc.a :
cd /usr/dt/lib
mv libDtSvc.a libDtSvc.a.orig    # make a backup of your original libDtSvc.a!
mv /tmp/libDtSvc.a .             # the new libDtSvc.a
chmod 444 libDtSvc.a
chown bin:bin libDtSvc.a
slibclean                        # drop the old copy from the shared library segment; sessions already running keep the old library until restarted
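The verification and installation steps of section III.B, collected into one script. This is an added example, not part of the IBM advisory or of the efix package. The expected hash, the file names, /usr/dt/lib and the chmod/chown/slibclean steps are taken from the advisory; the function names, the EFIX_DIR variable, the use of gpg for the detached signature, the fallback from md5sum to md5/openssl, and the selection of the efix file from the output of oslevel are our assumptions.

```shell
#!/bin/sh
# Added example, not part of the IBM advisory or the efix package: verify the
# efix_binaries.tar hash and signature, pick the library for this AIX level,
# and install it the way section III.B describes.
# Assumptions (ours, not IBM's): the efix has already been unpacked in
# $EFIX_DIR (default /tmp); the AIX Security PGP key has been imported into
# gpg; one of md5sum, md5 or openssl is on the PATH; "oslevel" reports the
# AIX level (4.3.x.x or 5.1.x.x).  The expected hash, file names, /usr/dt/lib
# and the chmod/chown/slibclean steps are taken from the advisory.

EXPECTED_MD5="31db9713ba5a6a919cc882c7a0525217"

# Print the MD5 hex digest of a file with whichever tool is available.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# Return 0 when the file's digest equals the published value, 1 otherwise.
verify_md5() {
    actual=$(md5_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "MD5 mismatch for $1: got $actual, expected $2" >&2
    return 1
}

# Check the detached signature (efix_binaries.tar.asc) against the tarfile.
# gpg exits non-zero if the signature is bad or the signing key is unknown,
# so an unimported key fails closed rather than silently passing.
verify_pgp() {
    gpg --verify "$1.asc" "$1"
}

# Map an oslevel string to the efix file for that release; fail for anything
# else, since IBM ships no fix for releases before 4.3.
efix_name_for() {
    case "$1" in
        4.3*) echo "libDtSvc.a_43" ;;
        5.1*) echo "libDtSvc.a_51" ;;
        *)    echo "no efix for AIX level $1" >&2; return 1 ;;
    esac
}

# Back up the installed library, put the efix copy in place, set the
# permissions and ownership the advisory specifies, then run slibclean so
# the old copy is dropped from the shared library segment.  Sessions that
# already have the old library mapped keep it until they are restarted.
install_efix() {
    src=$1      # e.g. /tmp/libDtSvc.a_43
    libdir=$2   # /usr/dt/lib on a real system
    [ -f "$src" ] || { echo "efix file $src not found" >&2; return 1; }
    [ -d "$libdir" ] || { echo "library directory $libdir not found" >&2; return 1; }
    if [ -f "$libdir/libDtSvc.a" ]; then
        mv "$libdir/libDtSvc.a" "$libdir/libDtSvc.a.orig"
    fi
    cp "$src" "$libdir/libDtSvc.a"
    chmod 444 "$libdir/libDtSvc.a"
    chown bin:bin "$libdir/libDtSvc.a" 2>/dev/null \
        || echo "warning: chown bin:bin failed (not root, or not AIX?)" >&2
    if command -v slibclean >/dev/null 2>&1; then
        slibclean
    fi
}

main() {
    dir=${EFIX_DIR:-/tmp}
    tarfile="$dir/efix_binaries.tar"
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    # Refuse to touch /usr/dt/lib unless both integrity checks pass.
    verify_md5 "$tarfile" "$EXPECTED_MD5" || exit 1
    verify_pgp "$tarfile" || exit 1
    name=$(efix_name_for "$(oslevel)") || exit 1
    install_efix "$dir/$name" /usr/dt/lib
}

# Run the install only when invoked as:  sh efix_install.sh install
if [ "${1:-}" = "install" ]; then
    main
fi
```

Run it as root with the efix unpacked in /tmp (or set EFIX_DIR): `EFIX_DIR=/tmp sh efix_install.sh install`. Nothing under /usr/dt/lib is touched until both the MD5 value and the PGP signature have checked out, and a missing key makes the signature step fail rather than pass.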
IV. Obtaining Fixes
IBM AIX APARs may be ordered using Electronic Fix Distribution (via the
FixDist program), or from the IBM Support Center. For more information
on FixDist, and to obtain fixes via the Internet, please reference
http://techsupport.services.ibm.com/rs6k/fixes.html
or send email to "aixserv@austin.ibm.com" with the word "FixDist" in the
"Subject:" line.
To facilitate ease of ordering all security related APARs for each AIX
release, security fixes are periodically bundled into a cumulative APAR.
For more information on these cumulative APARs including last update and
list of individual fixes, send email to "aixserv@austin.ibm.com" with
the word "subscribe Security_APARs" in the "Subject:" line.
V. Acknowledgements
Many thanks to Arai Yuu, of the LAC Computer Security Laboratory in Japan
for discovering this vulnerability!
VI. Contact Information
Comments regarding the content of this announcement can be directed to:
security-alert@austin.ibm.com
To request the PGP public key that can be used to encrypt new AIX
security vulnerabilities, send email to security-alert@austin.ibm.com
with a subject of "get key".
If you would like to subscribe to the AIX security newsletter, send a
note to aixserv@austin.ibm.com with a subject of "subscribe Security".
To cancel your subscription, use a subject of "unsubscribe Security".
To see a list of other available subscriptions, use a subject of
"help".
IBM and AIX are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their
respective holders.
