(I have no further information on this)

Subject: Alert: AIX Security (Batch Queue)

{URGENT - AIX BATCH QUEUE SECURITY EXPOSURE}

June 2, 1994

IBM has become aware of a potential AIX security exposure with the batch queue that makes it possible for users on AIX Version 3 systems to gain unauthorized root access. Exploitation of this exposure would require the user to have extensive knowledge of the batch queue system and to perform a complex series of specific steps, making inadvertent access unlikely. However, it is recommended that you alert your customers to the potential so they can take the appropriate actions to secure their systems.

Descriptions of the problem and the recommended actions are being communicated by AIX Support via CERT advisory (an information service of Carnegie Mellon University's Software Engineering Institute) and internal IBM M&S SPOC (Single Point Of Contact) notifications.

While all AIX releases undergo rigorous testing, security exposures are recognized by the industry as very difficult to identify. IBM hopes its efforts to respond rapidly to this problem will allow customers to eliminate this security exposure with minimal disruption.

{IMMEDIATE WORKAROUND:}

As described below, a workaround is immediately available which eliminates the security exposure by disabling the batch queue using the following procedure:

- As root from the command line enter:

      chque -qbsh -a"up = FALSE"

- From SMIT enter:
  - Spooler
  - Manage Local Printer Subsystem
  - Change/Show Characteristics of a Queue
      select bsh
  - Activate the Queue
      select "no"

{EMERGENCY FIX}

Emergency Fixes for the different levels of AIX affected by this exposure are also available immediately to rectify the AIX problem so that the batch queue can be enabled with no security exposure. These fixes can be obtained via anonymous ftp from software.watson.ibm.com. The files will be located in /pub/aix/bshfix.tar.Z in compressed tar format.

{OFFICIAL FIX}

An APAR has been opened and an official PTF will be made available in approximately two weeks for installed AIX systems and will be included in future AIX shipments. The official fix for this problem can be ordered as Authorized Program Analysis Report (APAR) IX44381.

To order an APAR from IBM in the U.S. call 1-800-237-5511 and ask for shipment as soon as it is available. APARS may be obtained outside the U.S. by contacting a local IBM representative.

Frank Karner
Phone: 512-823-5950 (TL/793)
Internet: karner@austin.vnet.ibm.com
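
Added example, not part of the IBM notice: a check that the bsh queue is disabled after the workaround above has been applied. It assumes that queue definitions are kept in /etc/qconfig as "name:" stanzas with indented "attribute = value" lines, that lines starting with * are comments, and that a queue with no "up" line is enabled; the function name and the sample stanzas are constructed for illustration.

```shell
#!/bin/sh
# Report the state of one queue in a qconfig-style stanza file.
# Assumptions (not stated in the notice): stanza headers are "name:" in
# column one, attributes are indented "attribute = value" lines, "*" starts
# a comment, and a queue without an "up" line is enabled.

queue_state() {   # usage: queue_state <queue-name> <qconfig-file>
    awk -v q="$1" '
        /^[ \t]*\*/ { next }                      # skip comment lines
        /^[^ \t].*:[ \t]*$/ {                     # stanza header
            name = $0; sub(/:[ \t]*$/, "", name)
            inq = (name == q)
            if (inq) { found = 1; up = "" }
            next
        }
        inq && /^[ \t]+up[ \t]*=/ {               # "up" attribute of our queue
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)           # drop "up = "
            sub(/[ \t]+$/, "", v)                 # drop trailing blanks
            up = toupper(v)
        }
        END {
            if (!found)             print "missing"
            else if (up == "FALSE") print "disabled"
            else                    print "enabled"
        }' "$2"
}

# Constructed sample (not taken from a real system): the file as it would
# look after the command-line workaround, under the assumptions above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
* constructed sample
bsh:
        device = bshdev
        discipline = fcfs
        up = FALSE
bshdev:
        backend = /usr/bin/bsh
EOF

queue_state bsh "$sample"      # prints: disabled
rm -f "$sample"
```

On a live system the second argument would be the queue configuration file itself; anything other than "disabled" for bsh means the workaround is not in effect.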