Category:   OS (UNIX)  >   AIX
Vendors:   IBM
IBM AIX Various Application Buffer Overflows Let Local Users Gain Root Privileges
SecurityTracker Alert ID:  1018871
SecurityTracker URL:  http://securitytracker.com/id/1018871
CVE Reference:   CVE-2007-4217, CVE-2007-4513, CVE-2007-4621, CVE-2007-4622, CVE-2007-4623
Date:  Oct 30 2007
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.2, 5.3
Description:   Several vulnerabilities were reported in IBM AIX in various applications and utilities. A local user can obtain elevated privileges on the target system.

A local user can invoke bellmail with the 'm' command to trigger a stack overflow in the sendrmt() function and execute arbitrary code with root privileges [CVE-2007-4623]. The vendor was notified on August 28, 2007.

A local user with 'system' group privileges can invoke the swcons command with the '-p' command switch to modify arbitrary files on the target system. The vendor was notified on December 21, 2004. The vendor issued a partial fix on February 22, 2007.

A local user can invoke crontab with specially crafted command line arguments to trigger a buffer overflow and execute arbitrary code with root privileges [CVE-2007-4621]. The vendor was notified on August 29, 2007.

A local user can invoke the dig application with a specially crafted '-y' command line TSIG key parameter to trigger an integer overflow in the dns_name_fromtext() function in the 'libdns.a' library and potentially execute arbitrary code with root privileges [CVE-2007-4622]. The vendor was notified on August 30, 2007. Only AIX version 5.2 is affected.

A local user can execute an ftp program macro with the '$' command to trigger a buffer overflow in the domacro() function and execute arbitrary code with root privileges [CVE-2007-4217]. The vendor was notified on August 15, 2007.

A local user can invoke the lquerypv command with a specially crafted '-V' command line parameter or the lqueryvg command with a specially crafted '-p' command line parameter to trigger a stack overflow and execute arbitrary code with root privileges [CVE-2007-4513]. The vendor was notified on August 21, 2007.

A local user can invoke the tftp command to trigger a buffer overflow and execute arbitrary code with root privileges.

Joshua J. Drake of VeriSign iDefense Labs reported the bellmail and ftp vulnerabilities. Alex DeLarge reported the swcons vulnerability via iDefense. Sean Larsson of VeriSign iDefense Labs reported the lquerypv and lqueryvg vulnerabilities. The dig vulnerability was reported via iDefense. IBM reported the tftp vulnerability.

Impact:   A local user can obtain root privileges on the target system.
Solution:   The vendor has issued interim fixes and APARs.

The fixes are included in the following service packs.

AIX 5.2 TL10 SP3
AIX 5.3 TL06 SP4
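
A host's level can be compared against the two service packs above with the following check. This is an added example, not part of the alert or of IBM's advisories; it assumes the level string is in the VRMF-TL-SP[-build] form printed by `oslevel -s`, and the function name and status words are hypothetical.

```shell
#!/bin/sh
# Added example: classify an `oslevel -s` string against the service packs
# this alert names as containing the fixes (5.2 TL10 SP3, 5.3 TL06 SP4).

# aix_fix_status LEVEL prints one of:
#   fixed        at or above the service pack named in the alert
#   needs-fix    AIX 5.2 or 5.3 below that service pack
#   not-listed   a release the alert does not list as affected
#   unparseable  not in VRMF-TL-SP[-build] form
aix_fix_status() {
    level=$1
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]-*) ;;
        *) echo unparseable; return 0 ;;
    esac
    rel=${level%%-*}            # e.g. 5300
    rest=${level#*-}
    tl=${rest%%-*}              # technology level, e.g. 06
    rest=${rest#*-}
    sp=${rest%%-*}              # service pack, e.g. 04
    tl=${tl#0}; sp=${sp#0}      # drop one leading zero before comparing
    case $rel in
        5200) need_tl=10 need_sp=3 ;;
        5300) need_tl=6 need_sp=4 ;;
        *) echo not-listed; return 0 ;;
    esac
    if [ "$tl" -gt "$need_tl" ] ||
       { [ "$tl" -eq "$need_tl" ] && [ "$sp" -ge "$need_sp" ]; }; then
        echo fixed
    else
        echo needs-fix
    fi
}

# On an AIX host, report the local level; elsewhere this part is skipped.
if command -v oslevel >/dev/null 2>&1; then
    lvl=$(oslevel -s)
    echo "$lvl: $(aix_fix_status "$lvl")"
fi
```

A host reported as needs-fix may still carry the interim fixes, which do not change the `oslevel` output; `emgr -l` lists the interim fixes installed.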

The IBM advisories are available at:

http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3972
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3973
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3974
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3975
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3976
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3977
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3978
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3979
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3980
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3981
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3982
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3983
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3984
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3985
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3986
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3987
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3988
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3989

Vendor URL:  www.ibm.com/
Cause:   Boundary error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Tue, 30 Oct 2007 16:24:13 -0500
Subject:  IBM AIX


CVE-2007-4217, CVE-2007-4513, CVE-2007-4621, CVE-2007-4622, CVE-2007-4623

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Tue Oct 30 11:15:09 CDT 2007
===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:   Multiple AIX vulnerabilities for the week of October
                 29, 2007

PLATFORMS:       AIX 5.2 and 5.3

SOLUTION:        Apply the APAR, interim fix or workaround as
                 described in the associated vulnerability advisories.

THREAT:          See individual advisories.

CERT VU Number:  n/a
CVE Number:      n/a
===============================================================================
                           DETAILED INFORMATION
 
I. OVERVIEW

    This advisory addresses multiple vulnerabilities found in the AIX
    operating system.  These fixes can also be found in the following
    service packs, when available:

        AIX 5.2 TL10 SP3
        AIX 5.3 TL06 SP4

    Prior to service pack availability, fixes can be obtained by
    ordering the individual APARs for each fix.

II. DESCRIPTION

The following advisories are being issued for the week of October 29,
2007:

A. AIX bellmail buffer overflow vulnerability

AIX 5.2:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3973
AIX 5.3:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3972

Reboot: NO
Workarounds: YES

B. AIX BIND 8 remote DNS cache poisoning

AIX 5.2:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3975
AIX 5.3:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3974

Reboot: NO
Workarounds: NO

C. AIX swcons file ownership/permission vulnerability

AIX 5.2:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3977
AIX 5.3:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3976

Reboot: NO
Workarounds: YES

D. AIX crontab buffer overflow vulnerability

AIX 5.2:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3978

Reboot: NO
Workarounds: YES

E. AIX dig integer underflow vulnerability

AIX 5.2:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3979

Reboot: NO
Workarounds: YES

F. AIX ftp buffer overflow vulnerability

AIX 5.2:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3981
AIX 5.3:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3980

Reboot: NO
Workarounds: YES

G. AIX lquerypv buffer overflow vulnerability

AIX 5.2:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3983
AIX 5.3:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3982

Reboot: NO
Workarounds: YES

H. AIX lqueryvg buffer overflow vulnerability

AIX 5.2:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3985
AIX 5.3:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3984

Reboot: NO
Workarounds: YES

I. AIX tftp buffer overflow vulnerability

AIX 5.2:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3987
AIX 5.3:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3986

Reboot: NO
Workarounds: YES

J. AIX xfs heap vulnerabilities

AIX 5.2:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3989
AIX 5.3:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd?mode=18&ID=3988

Reboot: NO
Workarounds: NO

III. IMPACT

    See the specific advisories for details.

IV. PLATFORM VULNERABILITY ASSESSMENT

    See the specific advisories for details.

V. SOLUTIONS

    A. APARS

        See the specific advisories for details.

    B. INTERIM FIXES

        See the specific advisories for details.

    C. INTERIM FIX INSTALLATION

        See the specific advisories for details.

VI. WORKAROUNDS

    See the specific advisories for details.

VII. OBTAINING FIXES

    AIX Version 5 APARs can be downloaded from:

        http://www.ibm.com/servers/eserver/support/unixservers/aixfixes.html

    Security related Interim Fixes can be downloaded from:

        ftp://aix.software.ibm.com/aix/efixes/security

VIII. CONTACT INFORMATION

    If you would like to receive AIX Security Advisories via email,
    please visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd
 
    Comments regarding the content of this announcement can be
    directed to:

        security-alert@austin.ibm.com

    To request the PGP public key that can be used to communicate
    securely with the AIX Security Team you can either:

        A. Send an email with "get key" in the subject line to:

            security-alert@austin.ibm.com

        B. Download the key from a PGP Public Key Server. The key ID is:

            0xA6A36CCC

    Please contact your local IBM AIX support center for any
    assistance.

    eServer is a trademark of International Business Machines
    Corporation.  IBM, AIX and pSeries are registered trademarks of
    International Business Machines Corporation.  All other trademarks
    are property of their respective holders.

IX. ACKNOWLEDGMENTS

    See the specific advisories for details.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD8DBQFHJ2NS8lficKajbMwRAnCxAKCzAYsI8mzKITPe9h9Lx9AErD2QdACgmL1Z
YkZNiM5RyTZVpR8srL+6qKs=
=zqtu
-----END PGP SIGNATURE-----

 
 



Copyright 2012, SecurityGlobal.net LLC