IBM-ERS For Your Information: IBM AIX: Locale and BIND fixes on ftp.software.ibm.com/aix/efixes/security

[IGS ERS Advisory Service <advisory () US IBM COM>]

                            IBM Global Services
                        Emergency Response Service
                           For Your Information
                THIS IS NOT A SECURITY VULNERABILITY ALERT

27 NOV 2000  13:47 GMT                             ERS-FYI-E01-2000:082.1
===========================================================================
IBM-ERS For Your Information (FYI) documents are designed to provide
customers of the IBM Emergency Response Service with information about
current topics in the fields of Internet and virus security.  FYI documents
will be issued periodically as the need arises.  Topics may include
security implications of new protocols in use on the Internet,
implementation suggestions for certain types of services, virus hype and
hoaxes, and answers to frequently asked questions.
===========================================================================
 -----BEGIN PGP SIGNED MESSAGE-----

IBM AIX SECURITY NOTIFICATION

SUBJECT:

The IBM AIX Security Response Team has posted an e-fix to
ftp.software.ibm.com/aix/efixes/security that is intended to close two
potential security exploits in libc.a until the appropriate APARs are
made available that offer a fully tested, permanent fix. Details are
given below.

BACKGROUND INFO:

Two exploits have been recently identified in IBM's AIX operating system
that compromise
the host systems' reliability and security.

One of these vulnerabilities is a format string exploit present in the
locale subsytem
and is implemented via the attacker's use of setting NLSPATH to point to
his or her
tainted message file that contains a carefully selected set of format
strings that
allow the attacker to gain root privileges. The locale subsystem code is
contained
within libc.a.

The other vulnerability consists of two potential denial-of-service
exploits in BIND
(named). Only a specific range of versions of BIND are affected. The most
recent versions
(above patch level 6) are not affected. Portions of the BIND code are
within libc.a
also.

IBM has issued e-fixes that contain temporary fixes for each of the two
vulnerabilities
just described. However, the libc.a file in each does not incorporate the
fix for
both of these exploits. Thus, a customer will not be protected from both
exploits using
either of the libc.a libraries. IBM's recommendation (see the README file
in this ftp
directory) was to choose the e-fix for the locale subsystem vulnerability
over that of
the DoS exploits in BIND. The former is a more serious security hole, and
the BIND
problems have not been consistently demonstrated in the BIND version AIX
uses.

WHAT THIS E-FIX CONTAINS:

This e-fix package has a libc.a file that incorporates e-fixes for both the
vulnerabilities
described above. This version of the library is for AIX 4.3 at version
level 4.3.3.25.
Customers MUST have their systems at this level for the e-fix to work
properly and
avoid serious OS difficulties on their hosts. If you are not at this level
DO NOT
install this e-fix. To upgrade to 4.3.3.25, install APAR #IY12541.

Customers must download the e-fix for the BIND vulnerabilities first, and
install the
e-fix as instructed in the package README file. Again, see the (other)
README file in this
ftp directory to identify the proper packages.

Then, this package can be used: substitute the libc.a library in this
package for the
one in the /tmp/testnamed (or whatever name for the subdirectory the
customer chooses
under /tmp) directory described in the BIND package instructions, and
repeat the
installation instructions as before for the BIND e-fix. Remember to use a
non-essential
"victim" machine to test the installation and proper operation of the e-fix
BEFORE
doing the same on an "in-service" box.

DISCLAIMER:

The e-fix in this package has not been subjected to full regression testing
for
proper security and functioning of the operating system. Hence, customers
are employing
this e-fix at their own risk. The e-fix is an emergency, temporary patch
only; when the applicable APAR is released for each of the
vulnerabilities, customers are urged to install these APARs.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQCVAwUBOiJ0C/WDLGpfj4rlAQGd0QQAok8IukM2nVQrlpMkHHccXA5M1syu+39y
IMHFYnJRmTyiyB2CupLa15+aEpPr2Qa8RLuQiLwm1sKZ+iixbZ02tHWatXKcgwUL
hVilkQlYA3BYXMh3ELrV2LnUtegucJclVzJuIuXPBYCpG0XrjD06/7A1cRU0ERlZ
gL53PKkejXc=
=IuRq
-----END PGP SIGNATURE-----
===========================================================================
IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment.  IBM's Virus Emergency
Response Service is a subscription-based service that provides assistance
with virus risk and emergency management.  By acting as an extension of
your own internal security staff, IBM-ERS's team of security experts helps
you quickly detect and respond to attacks and exposures to your I/T
infrastructre.

As a part of IBM's Business Continuity Recovery Services organization, the
IBM Emergency Response Service is a component of IBM's SecureWay(tm) line
of security products and services.  From hardware to software to
consulting, SecureWay solutions can give you the assurance and expertise
you need to protect your valuable business resources.  To find out more
about the IBM Emergency Response Service, send an electronic mail message
to ers-sales () ers ibm com, or call 1-800-426-7378.

IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security
alerts, team contact information, and other items.

IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism
for security vulnerability alerts and other distributed information.  The
IBM-ERS PGP* public key is available from
http://www.ers.ibm.com/team-info/pgpkey.html.
"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann.

IBM-ERS is a Member Team of the Forum of Incident Response and Security
Teams (FIRST), a global organization established to foster cooperation and
response coordination among computer security teams worldwide.

Copyright 2000 International Business Machines Corporation.

The information in this document is provided as a service to customers of
the IBM Emergency Response Service.  Neither International Business
Machines Corporation, nor any of its employees, makes any warranty, express
or implied, or assumes any legal liability or responsibility for the
accuracy, complete- ness, or usefulness of any information, apparatus,
product, or process contained herein, or represents that its use would not
infringe any privately owned rights.  Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by IBM or its subsidiaries.  The
views and opinions of authors expressed herein do not necessarily state or
reflect those of IBM or its subsidiaries, and may not be used for
advertising or product endorsement purposes.

The material in this document may be reproduced and distributed, without
permission, in whole or in part, by other security incident response teams
(both commercial and non-commercial), provided the above copyright is kept
intact and due credit is given to IBM-ERS.

This document may be reproduced and distributed, without permission, in its
entirety only, by any person provided such reproduction and/or distribution
is performed for non-commercial purposes and with the intent of increasing
the awareness of the Internet community.
===========================================================================