IBM AIX Logical Volume Manager Temporary File Flaws and Buffer Overflows Let Local Users Modify Files and Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1009973
|
|
SecurityTracker URL: http://securitytracker.com/id?1009973
|
|
CVE Reference: CAN-2004-0544
, CAN-2004-0545
(Links to External Site)
|
Updated: Jun 10 2004
|
Original Entry Date: Apr 28 2004
|
Impact: Denial of service via local system, Execution of arbitrary code via local system, Modification of system information, Modification of user information
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Description: Some vulnerabilities were reported in the IBM AIX Logical Volume Manager (LVM) commands. A local user may be able to cause denial of service conditions. A local user with certain privileges may be able to execute arbitrary code.
IBM reported that they discovered that some LVM commands use temporary files in an unsafe manner [CVE: CAN-2004-0545]. A local user
can create a symbolic link (symlink) from a critical file on the system to one of the temporary files. Then, when the affected
LVM command is run, the symlinked file will be overwritten. IBM reports that this may be exploited to cause data destruction or
denial of service conditions.
It is also reported that the 'putlvcb' and 'getlvcb' commands contain buffer overflows [CVE: CAN-2004-0544].
A local user with "system group privileges" can invoke the commands to execute arbitrary code.
|
Impact: A local user can cause arbitrary files to be overwritten.
A local user with system group privileges can execute arbitrary code.
|
Solution: IBM has released efixes for AIX 5.1.0 and 5.2.0, available at:
ftp://aix.software.ibm.com/aix/efixes/security/lvmcmd_efix.tar.Z
IBM
plans to issue the following fixes:
APAR number for AIX 5.1.0: IY55681 (available approx. 06/02/04)
APAR number
for AIX 5.2.0: IY55682 (available approx. 05/19/04)
|
Vendor URL: www.ibm.com/ (Links to External Site)
|
Cause: Access control error, Boundary error, State error
|
Underlying OS: UNIX (AIX)
|
Underlying OS Comments: AIX 5.1 and 5.2
|
|
Message History:
None.
|
Source Message Contents
|
Date: Wed, 28 Apr 2004 13:58:42 -0400
Subject: symlink and buffer overflow vulnerabilities in LVM commands
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
IBM SECURITY ADVISORY
First Issued: Thu Apr 22 15:17:51 CDT 2004
===========================================================================
VULNERABILITY SUMMARY
VULNERABILITY: symlink and buffer overflow vulnerabilities in LVM
commands
PLATFORMS: AIX 5.1 and 5.2.
SOLUTION: Apply the efixes or APARs as described below.
THREAT: A local attacker may cause data destruction or a denial
of service.
A local attacker with system group privileges may
execute arbitrary code.
CERT VU Number: N/A
CVE Number: N/A
===========================================================================
DETAILED INFORMATION
I. Description
===============
A symlink vulnerability was discovered in some LVM commands that
allow an attacker to overwrite arbitrary system files. This could lead to
data destruction or a denial of service. These issues were discovered
internally; at this time there are no known exploits in the wild.
Buffer overflow vulnerabilities were discovered in the putlvcb and
getlvcb commands. These commands are used by high level LVM commands
to modify and query the Logical Volume Control Block. To exploit these
issues, an attacker must have system group privileges. There are known
exploits for this issue.
The commands affected by these issues ship as part of the bos.rte.lvm fileset.
To determine if this fileset is installed, execute the following command:
# lslpp -L bos.rte.lvm
If the fileset is installed it will be listed along with its version
information, state, type and a description.
II. Impact
==========
A local attacker may cause data destruction or a denial of service.
A local attacker with system group privileges may execute arbitrary code.
III. Solutions
===============
A. Official Fix
IBM provides the following fixes:
APAR number for AIX 5.1.0: IY55681 (available approx. 06/02/04)
APAR number for AIX 5.2.0: IY55682 (available approx. 05/19/04)
NOTE: Affected customers are urged to upgrade to 5.1.0 or 5.2.0 at
the latest maintenance level.
B. Emergency Fix
Efixes are available for AIX 5.1.0 and 5.2.0. The efixes can be
downloaded via ftp from:
ftp://aix.software.ibm.com/aix/efixes/security/lvmcmd_efix.tar.Z
lvmcmd_efx.tar.Z is a compressed tarball containing this advisory, two
efix packages for 5.1.0 and 5.2.0 and cleartext PGP signatures for
each efix package.
Verify you have retrieved the efixes intact:
- --------------------------------------------
The checksums below were generated using the "sum" and "md5sum" commands
and are as follows:
Filename sum md5
======================================================================
lvmcmd51.040422.epkg.Z 20723 485 d6016788254e40377304208870e1e54a
lvmcmd52.040422.epkg.Z 49794 542 e5ec42cb05641643fce249663f75f377
These sums should match exactly. The PGP signatures in the compressed
tarball and on this advisory can also be used to verify the integrity
of the various files they correspond to. If the sums or signatures cannot
be confirmed, double check the command results and the download site
address. If those are OK, contact IBM AIX Security at
security-alert@austin.ibm.com and describe the discrepancy.
IMPORTANT: If possible, it is recommended that a mksysb backup of the
system is created. Verify it is both bootable, and readable before
proceeding.
These efixes have not been fully regression tested; thus,
IBM does not warrant the fully correct functioning of the efix.
Customers install the efix and operate the modified version of AIX
at their own risk.
Efix Installation Instructions:
- -------------------------------
The efix package for AIX 5.1.0 and 5.2.0 are named lvmcmd51.040422.epkg.Z and
lvmcmd52.040422.epkg.Z respectively.
These packages use the new Emergency Fix Management Solution to install
and manage efixes. More information can be found at:
http://techsupport.services.ibm.com/server/aix.efixmgmt
To preview an epkg efix installation execute the following command:
# emgr -e epkg_name -p # where epkg_name is the name of the
# efix package being previewed.
To install an epkg efix package, execute the following command:
# emgr -e epkg_name -X # where epkg_name is the name of the
# efix package being installed.
The "X" flag will expand any filesystems if required.
IV. Obtaining Fixes
===================
AIX Version 5 APARs can be downloaded from the eServer pSeries Fix Central
web site:
http://www-912.ibm.com/eserver/support/fixes/fcgui.jsp
Security related Emergency Fixes can be downloaded from:
ftp://aix.software.ibm.com/aix/efixes/security
V. Contact Information
========================
If you would like to receive AIX Security Advisories via email, please visit:
https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs
Comments regarding the content of this announcement can be directed to:
security-alert@austin.ibm.com
To request the PGP public key that can be used to communicate securely
with the AIX Security Team send email to security-alert@austin.ibm.com
with a subject of "get key". The key can also be downloaded from a
PGP Public Key Server. The key id is 0x3AE561C3.
Please contact your local IBM AIX support center for any assistance.
eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their
respective holders.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
iD8DBQFAiWnS+0ah+jrlYcMRArSKAKDsq7c/m0wm2IxAclS9Sjf8Jw38FwCgv/Oe
f5LR1vIsUxjG2NNwzhmLPj0=
=RLCA
-----END PGP SIGNATURE-----
|
|
