PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER {ISSO}, SPECIAL SECURITY OFFICER {SSO}, INFORMATION RESOURCE MANAGER {IRM} AND AUTOMATED DATA PROCESSOR {ADP} COORDINATORS

U-1,368/DS-SIM {CSG}

SUBJ: AIX UUCP VULNERABILITY {AUTOMATED SYSTEMS SECURITY INCIDENT SUPPORT TEAM {ASSIST} 92-62}

1. ASSIST HAS RECEIVED INFORMATION CONCERNING A VULNERABILITY WITH THE UUCP SOFTWARE IN VERSIONS OF AIX UP TO 2007. THE VULNERABILITY DOES NOT EXIST IN AIX 3.2. PREVIOUS VERSIONS, EXCEPT AIX 3.2, OF THE UUCP SOFTWARE CONTAINED INCORRECTLY CONFIGURED VERSIONS OF VARIOUS FILES. THESE INCORRECT CONFIGURATIONS COULD RESULT IN USERS EXECUTING UNAUTHORIZED COMMANDS AND GAINING UNAUTHORIZED ROOT ACCESS. IBM IS AWARE OF THIS PROBLEM AND A FIX IS AVAILABLE AS APAR NUMBER "IX18516." THIS PATCH IS AVAILABLE FOR ALL AIX RELEASES FROM GOLD TO 2006. THE FIX IS IN THE 2007 UPDATE AND 3.2 RELEASE OF AIX. IBM CUSTOMERS CAN CALL IBM SUPPORT {800-237-5511} AND ASK FOR THE PATCH TO BE SHIPPED TO THEM. PATCHES MAY BE OBTAINED OUTSIDE THE U.S. BY CONTACTING YOUR LOCAL IBM REPRESENTATIVE.

2. RECOMMENDATION: IF ALLOWING USERS ACCESS TO THE UUCP IS NOT NECESSARY, DISABLE IT BY EXECUTING THE COMMAND "{PERCENT SIGN} CHMOD 0100 /USR/BIN/UUCP." OBTAIN THE FIX FROM IBM SUPPORT. INSTALL THE FIX FOLLOWING THE INSTRUCTIONS IN THE README FILE.

3. POINT OF CONTACT: ASSIST POINT OF CONTACT FOR THIS MATTER IS MIKE HIGGINS, COMM {202} 373-8852/55 OR DSN 243-8852/55. ASSIST CAN BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER {800} SKY-PAGE, PIN NUMBER 2133937 {FROM A TOUCH TONE PHONE ENTER THE CALL BACK NUMBER AFTER THE PROMPT} OR AUTOVON DIAL 243-8000 AND ASK TO HAVE THE ASSIST DUTY OFFICER PAGED. ASSIST CAN BE REACHED VIA E-MAIL AT "DOD-CERT{AT-SIGN}DDN-CONUS.DDN.MIL."
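
Added example, not part of the original ASSIST message: a POSIX shell check that the interim mitigation in paragraph 2 is in effect, meaning the file's mode is exactly 0100 (owner execute only, no setuid/setgid bits, nothing for group or other). The function names are hypothetical; /usr/bin/uucp is the path the advisory gives.

```shell
#!/bin/sh
# Added example, not from the advisory. Function names are hypothetical.
# Audits whether the "chmod 0100" mitigation is in effect on a uucp binary.

# Print the 10-character mode field from ls, e.g. "---x------".
# cut drops any trailing ACL/extended-attribute marker some systems append.
mode_string() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# uucp_restricted PATH
#   0 = mode is exactly 0100 (owner execute only; no setuid/setgid/sticky)
#   1 = file exists with any other mode
#   2 = no such file (nothing to restrict)
uucp_restricted() {
    [ -e "$1" ] || return 2
    [ "$(mode_string "$1")" = "---x------" ] && return 0
    return 1
}

# Human-readable report for one path; returns the same status code.
report_uucp() {
    rc=0
    uucp_restricted "$1" || rc=$?
    case $rc in
        0) echo "OK       $1 is mode 0100" ;;
        1) echo "EXPOSED  $1 has mode $(mode_string "$1"); apply chmod 0100 or the vendor fix" ;;
        2) echo "ABSENT   $1 not found" ;;
    esac
    return $rc
}

# When run with arguments, check each path given, e.g.:
#   sh check_uucp.sh /usr/bin/uucp
if [ "$#" -gt 0 ]; then
    for p in "$@"; do report_uucp "$p" || true; done
fi
```

A vendor update can reset file modes, so rerun the check after installing the fix if the restriction is meant to stay in place.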