Bugtraq mailing list archives
IBM-ERS For Your Information: IBM AIX: Locale and BIND fixes on ftp.software.ibm.com/aix/efixes/security
From: IGS ERS Advisory Service <advisory () US IBM COM>
Date: Mon, 27 Nov 2000 09:56:47 -0500
IBM Global Services Emergency Response Service For Your Information THIS IS NOT A SECURITY VULNERABILITY ALERT 27 NOV 2000 13:47 GMT ERS-FYI-E01-2000:082.1 =========================================================================== IBM-ERS For Your Information (FYI) documents are designed to provide customers of the IBM Emergency Response Service with information about current topics in the fields of Internet and virus security. FYI documents will be issued periodically as the need arises. Topics may include security implications of new protocols in use on the Internet, implementation suggestions for certain types of services, virus hype and hoaxes, and answers to frequently asked questions. =========================================================================== -----BEGIN PGP SIGNED MESSAGE----- IBM AIX SECURITY NOTIFICATION SUBJECT: The IBM AIX Security Response Team has posted an e-fix to ftp.software.ibm.com/aix/efixes/security that is intended to close two potential security exploits in libc.a until the appropriate APARs are made available that offer a fully tested, permanent fix. Details are given below. BACKGROUND INFO: Two exploits have been recently identified in IBM's AIX operating system that compromise the host systems' reliability and security. One of these vulnerabilities is a format string exploit present in the locale subsytem and is implemented via the attacker's use of setting NLSPATH to point to his or her tainted message file that contains a carefully selected set of format strings that allow the attacker to gain root privileges. The locale subsystem code is contained within libc.a. The other vulnerability consists of two potential denial-of-service exploits in BIND (named). Only a specific range of versions of BIND are affected. The most recent versions (above patch level 6) are not affected. Portions of the BIND code are within libc.a also. IBM has issued e-fixes that contain temporary fixes for each of the two vulnerabilities just described. However, the libc.a file in each does not incorporate the fix for both of these exploits. Thus, a customer will not be protected from both exploits using either of the libc.a libraries. IBM's recommendation (see the README file in this ftp directory) was to choose the e-fix for the locale subsystem vulnerability over that of the DoS exploits in BIND. The former is a more serious security hole, and the BIND problems have not been consistently demonstrated in the BIND version AIX uses. WHAT THIS E-FIX CONTAINS: This e-fix package has a libc.a file that incorporates e-fixes for both the vulnerabilities described above. This version of the library is for AIX 4.3 at version level 4.3.3.25. Customers MUST have their systems at this level for the e-fix to work properly and avoid serious OS difficulties on their hosts. If you are not at this level DO NOT install this e-fix. To upgrade to 4.3.3.25, install APAR #IY12541. Customers must download the e-fix for the BIND vulnerabilities first, and install the e-fix as instructed in the package README file. Again, see the (other) README file in this ftp directory to identify the proper packages. Then, this package can be used: substitute the libc.a library in this package for the one in the /tmp/testnamed (or whatever name for the subdirectory the customer chooses under /tmp) directory described in the BIND package instructions, and repeat the installation instructions as before for the BIND e-fix. Remember to use a non-essential "victim" machine to test the installation and proper operation of the e-fix BEFORE doing the same on an "in-service" box. DISCLAIMER: The e-fix in this package has not been subjected to full regression testing for proper security and functioning of the operating system. Hence, customers are employing this e-fix at their own risk. The e-fix is an emergency, temporary patch only; when the applicable APAR is released for each of the vulnerabilities, customers are urged to install these APARs. -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.3 iQCVAwUBOiJ0C/WDLGpfj4rlAQGd0QQAok8IukM2nVQrlpMkHHccXA5M1syu+39y IMHFYnJRmTyiyB2CupLa15+aEpPr2Qa8RLuQiLwm1sKZ+iixbZ02tHWatXKcgwUL hVilkQlYA3BYXMh3ELrV2LnUtegucJclVzJuIuXPBYCpG0XrjD06/7A1cRU0ERlZ gL53PKkejXc= =IuRq -----END PGP SIGNATURE----- =========================================================================== IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based Internet security response service that includes computer security incident response and management, regular electronic verification of your Internet gateway(s), and security vulnerability alerts similar to this one that are tailored to your specific computing environment. IBM's Virus Emergency Response Service is a subscription-based service that provides assistance with virus risk and emergency management. By acting as an extension of your own internal security staff, IBM-ERS's team of security experts helps you quickly detect and respond to attacks and exposures to your I/T infrastructre. As a part of IBM's Business Continuity Recovery Services organization, the IBM Emergency Response Service is a component of IBM's SecureWay(tm) line of security products and services. From hardware to software to consulting, SecureWay solutions can give you the assurance and expertise you need to protect your valuable business resources. To find out more about the IBM Emergency Response Service, send an electronic mail message to ers-sales () ers ibm com, or call 1-800-426-7378. IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/. Visit the site for information about the service, copies of security alerts, team contact information, and other items. IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for security vulnerability alerts and other distributed information. The IBM-ERS PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html. "Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann. IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams (FIRST), a global organization established to foster cooperation and response coordination among computer security teams worldwide. Copyright 2000 International Business Machines Corporation. The information in this document is provided as a service to customers of the IBM Emergency Response Service. Neither International Business Machines Corporation, nor any of its employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, complete- ness, or usefulness of any information, apparatus, product, or process contained herein, or represents that its use would not infringe any privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by IBM or its subsidiaries. The views and opinions of authors expressed herein do not necessarily state or reflect those of IBM or its subsidiaries, and may not be used for advertising or product endorsement purposes. The material in this document may be reproduced and distributed, without permission, in whole or in part, by other security incident response teams (both commercial and non-commercial), provided the above copyright is kept intact and due credit is given to IBM-ERS. This document may be reproduced and distributed, without permission, in its entirety only, by any person provided such reproduction and/or distribution is performed for non-commercial purposes and with the intent of increasing the awareness of the Internet community. ===========================================================================
Current thread:
- IBM-ERS For Your Information: IBM AIX: Locale and BIND fixes on ftp.software.ibm.com/aix/efixes/security IGS ERS Advisory Service (Nov 28)