NASIRC BULLETIN #94-03 February 24, 1994
AIX Performance Tools Vulnerabilities
===========================================================
__ __ __ ___ ___ ____ ____
/_/\ /_/| /_/ / _/\ /_/| / __/ \ / __/\
| |\ \| || / \ \ | /\/ | || | /\ \/ | | \/
| ||\ \ || / /\ \ \ \ \ | || |_\/ /\ | |
| || \ \|| / /--\ \ \ /\_\\ | || | |\ \ \ | \_/\
|_|/ \_|//_/ \_\/ \/__/ |_|/ |_| \_\/ \___\/
NASA Automated Systems Incident Response Capability
===========================================================
NASIRC recently received information about a security vulnerability in
the AIX Licensed Program Product for performance tools. Specifically, if
"bosext1.extcmds.obj" has been installed on systems running AIX 3.2.5,
or on systems running AIX 3.2.4 with Program Temporary Fixes (PTFs)
U420020 or U422510 installed, local users can gain unauthorized root
access to the system. The affected programs are installed with the
setuid bit set, which is why a flaw in them lets an ordinary local user
run code as "root". (This problem apparently does NOT exist in other
versions of AIX.)
Temporary fix:
The recommended workaround is to change the permissions of all programs
in the /usr/lpp/bosperf directory structure so as to remove the setuid
bit and ensure they are all executable only by "root". To do this, system
managers (after issuing "su root") should enter the following command:
chmod -R u-s,og= /usr/lpp/bosperf/*
Programs affected by this include filemon, fileplace, genkex, genkld,
lvedit, netpmon, rmap, rmss, stripnm, svmon, and tprof. After issuing
the above command, none of these programs will be executable by any
user other than "root". Note that this only limits exposure: it does not
correct the underlying flaw, and the programs remain unavailable to
non-root users until the permanent patch described below is installed.
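The following script is an added example and is not part of the NASIRC
bulletin. It builds a constructed stand-in for /usr/lpp/bosperf (the
directory layout and the three program names are assumptions for
illustration), applies the bulletin's chmod to that copy, and then runs
the two checks a system manager would want afterwards: no file under the
tree still carries the setuid bit, and no entry is still accessible to
group or other. It never touches the real /usr/lpp/bosperf.

```sh
#!/bin/sh
# Added example, not from the NASIRC bulletin. It exercises the
# bulletin's mitigation on a constructed copy of the affected tree so
# it can run on any Unix-like host; on an AIX 3.2 system the real
# target would be /usr/lpp/bosperf, which this script never touches.
set -eu

# Build a stand-in tree (constructed sample data): three setuid,
# world-executable programs named after tools the bulletin lists, plus
# one ordinary data file that must also end up closed to group/other.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir "$dir/bin"
    for p in filemon svmon tprof; do
        printf '#!/bin/sh\necho %s\n' "$p" > "$dir/bin/$p"
        chmod 4755 "$dir/bin/$p"      # mode 4755: setuid + world-executable
    done
    printf 'sample data\n' > "$dir/README"
    chmod 644 "$dir/README"
    echo "$dir"
}

# Audit check 1: files under $1 that still carry the setuid bit.
list_setuid() {
    find "$1" -type f -perm -4000 | sort
}

# Audit check 2: entries under $1 that group or other can still read,
# write or execute. Parses columns 5-10 of the ls mode string (the
# group and other triplets) so it does not depend on GNU find options.
list_og_accessible() {
    find "$1" -mindepth 1 | while IFS= read -r f; do
        mode=$(ls -ld "$f" | cut -c5-10)
        [ "$mode" = "------" ] || printf '%s\n' "$f"
    done | sort
}

# The bulletin's workaround, applied to the given tree instead of
# /usr/lpp/bosperf: strip setuid and clear all group/other bits,
# recursively, leaving the owner's own permissions untouched.
apply_mitigation() {
    chmod -R u-s,og= "$1"/*
}

# Demonstration on the constructed tree.
tree=$(make_sample_tree)
echo "setuid files before mitigation:"
list_setuid "$tree"
apply_mitigation "$tree"
echo "setuid files after mitigation (expect none):"
list_setuid "$tree"
echo "entries still open to group/other (expect none):"
list_og_accessible "$tree"
rm -rf "$tree"
```

On an affected host the two audit functions would be pointed at
/usr/lpp/bosperf before and after the bulletin's chmod; the script
deliberately works only on a throwaway tree so that pasting it cannot
change permissions on a production system.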
Permanent patch:
Patches for this problem can be ordered as Authorized Program Analysis
Report (APAR) IX42332, which will be shipped as soon as possible. To
order an APAR from IBM, call 1-800-237-5511 and ask for the specific
APAR number to be shipped. (APARs may be obtained outside the USA by
contacting your local IBM representative.)
NASIRC will continue to monitor the situation and will post additional
information as it becomes available. If you have any difficulties in
acquiring the APAR or have any questions about this situation, please
contact NASIRC at any of the venues listed below.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
NASIRC ACKNOWLEDGES: USAF/DISA for forwarding this information, and
ARPA/CERT & IBM for their rapid response to the problem.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
===============================================================
For further assistance, please contact the NASIRC Helpdesk:
Phone: 1-800-7-NASIRC Fax: 1-301-441-1853
Internet Email: nasirc@nasa.gov
24 Hour/Emergency Pager: 1-800-759-7243/Pin:2023056
STU III: 1-301-982-5480
===============================================================
This bulletin may be forwarded without restriction to sites and
system administrators within the NASA community.
The NASIRC online archive system is available via anonymous ftp.
Just ftp to nasirc.nasa.gov and login as anonymous. You will be
required to enter your valid e-mail address. Once there you can
access the following information:
/toolkits ! contains automated toolkit software
/bulletins ! contains NASIRC bulletins
Information maintained in these directories is updated on a
continuous basis with relevant software and information. Contact
the NASIRC Helpdesk for more information or assistance with tool
kits or security measures.
-----------------
PLEASE NOTE: Users outside of the NASA community may receive NASIRC
bulletins. If you are not part of the NASA community, please contact
your agency's response team to report incidents. Your agency's team
will coordinate with NASIRC, who will ensure the proper internal
NASA team(s) are notified. NASIRC is a member of the Forum of
Incident Response and Security Teams (FIRST), a world-wide organization
which provides for coordination between incident response teams
in handling computer-security-related issues. You can obtain a list
of FIRST member organizations and their constituencies by sending
email to docserver@first.org with an empty "subject" line and a
message body containing the line "send first-contacts".