-----BEGIN PGP SIGNED MESSAGE-----

IBM SECURITY ADVISORY

Mon Oct 29 09:15:39 CST 2001

===========================================================================

                           VULNERABILITY SUMMARY

VULNERABILITY:  Buffer overflow vulnerability in CDE DtSvc library

PLATFORMS:      IBM AIX 4.3 and 5.1

SOLUTION:       Apply the emergency-fixes described below

THREAT:         Malicious user can obtain elevated privileges

CERT Advisory:  NONE

===========================================================================

                           DETAILED INFORMATION

I.  Description

A buffer overflow vulnerability has been found in the Common Desktop
Environment (CDE) libDtSvc.a library. The vulnerability is triggered when a
user passes a specially crafted string to any of the "dt" commands (e.g.,
dtprintinfo and dtterm) using the "-session" option.

II.  Impact

A malicious local user can use well-crafted exploit code to gain elevated,
possibly root, privileges on the attacked system, compromising the integrity
of the system and its attached local network.

The exploitability of this vulnerability has not been studied completely.
Nonetheless, AIX system administrators and security personnel are urged to
apply the emergency patches being made available to preclude a possibly
serious attack.

III.  Solutions

A.  Official fix

IBM is working on the following fixes which will be available soon:

    AIX 5.1:  Pending assignment - the README file in the efix download
              directory will be updated as soon as the assignment is made.

    AIX 4.3:  APAR #IY24596

The APARs for AIX 4.3 and 5.1 will not be available until late November 2001.

NOTE: Fix will not be provided for versions prior to 4.3 as these are no
longer supported by IBM. Affected customers are urged to upgrade to 4.3.3 at
the latest maintenance level, or to 5.1.

B.  How to minimize the vulnerability

WORKAROUND

None, other than disabling the CDE.

EMERGENCY FIX (efix):

Temporary fixes for AIX 4.3.x and 5.1 systems are available.
The temporary fixes can be downloaded via ftp from:

    ftp://aix.software.ibm.com/aix/efixes/security

The name of the efix you want to download to close this vulnerability is
CDE_libDtSvc_efix.tar.Z.

The efix compressed tarball contains a copy of this Advisory and another
tarfile, efix_binaries.tar. This latter tarfile will untar into two binary
efix files, libDtSvc.a_43 and libDtSvc.a_51, for AIX 4.3 and 5.1,
respectively. In addition, there is a detached PGP signature file for
efix_binaries.tar. The proper signature is that of AIX Security.

These temporary fixes have not been fully regression tested; thus, IBM does
not warrant the fully correct functioning of the efix. Customers install the
efix and operate the modified version of AIX at their own risk.

To proceed with efix installation:

First, verify the MD5 cryptographic hash sum of efix_binaries.tar you obtain
from unpacking the downloaded compressed tarball with that given below. These
should match exactly; if they do not, double check the hash results and the
download site address. If OK, contact IBM AIX Security at
security-alert@austin.ibm.com and describe the discrepancy.

Also, for those who use PGP, another security check for the integrity of the
efix binaries tarfile is the inclusion of a detached PGP signature file,
efix_binaries.tar.asc.

    MD5 (efix_binaries.tar) = 31db9713ba5a6a919cc882c7a0525217

IMPORTANT NOTE REGARDING MD5:

"MD5" is "Message Digest #5". MD5 is a 128-bit one-way cryptographic hash
algorithm. It is used to generate a crypto-secure "signature" or
"fingerprint" of a file or a directory and its files. Although not 100%
infallible, MD5 is meant to be used to generate the secure, unique
fingerprint of a file/directory, and also to generate such a fingerprint of a
file/directory for comparison with someone else's MD5 fingerprint of that
file/directory. If the fingerprints match, then the file/directory being
examined has not been modified or replaced with another.
Thus, one can be reasonably certain that the file or fileset is the one
originally created by a known, trusted entity, and passed to the intended
person or people.

Source code for MD5 can be obtained at:

    ftp://ftp.funet.fi/pub/crypt/hash/mds/md5

Customers should download md5sum.tar.gz and the Makefile, and then compile to
make the executable. To generate the hash signature of a file or fileset,
enter on the command line the name of the MD5 executable followed by the name
of the file/directory of interest. Then compare the output hash with that
given above.

Finally, the use of MD5, or not using it, does not affect in any way the
installation of the efix. It is meant to be a security measure only.

efix Installation Instructions:
-------------------------------

1. Become root, if not already done.

2. In the /tmp directory, uncompress and untar the efix:

   a. uncompress CDE_libDtSvc_efix.tar.Z
   b. tar -xvf efix_binaries.tar

   You will now have two binary efix files: libDtSvc.a_43 and libDtSvc.a_51,
   one for AIX 4.3 and the other for AIX 5.1, respectively. You will also have
   a PGP-signed copy of this advisory, named "Advisory". There is also a
   detached PGP signature of the efix_binaries.tar file. The signature should
   be that of AIX Security.

   Keep the binary file containing the patch for your version of AIX. You may
   discard the unneeded one if you desire.

   Now execute:

       cp libDtSvc.a_xy libDtSvc.a   /* where "xy" is either "43" or "51" as
                                        appropriate */

3. Follow these instructions:

   To install libDtSvc.a :

       cd /usr/dt/lib
       mv libDtSvc.a libDtSvc.a.orig   /* make a backup of your original
                                          libDtSvc.a! */
       mv /tmp/libDtSvc.a .            /* The new libDtSvc.a */
       chmod 444 libDtSvc.a
       chown bin:bin libDtSvc.a
       slibclean

IV.  Obtaining Fixes

IBM AIX APARs may be ordered using Electronic Fix Distribution (via the
FixDist program), or from the IBM Support Center.
For more information on FixDist, and to obtain fixes via the Internet, please
reference

    http://techsupport.services.ibm.com/rs6k/fixes.html

or send email to "aixserv@austin.ibm.com" with the word "FixDist" in the
"Subject:" line.

To facilitate ease of ordering all security related APARs for each AIX
release, security fixes are periodically bundled into a cumulative APAR. For
more information on these cumulative APARs including last update and list of
individual fixes, send email to "aixserv@austin.ibm.com" with the word
"subscribe Security_APARs" in the "Subject:" line.

V.  Acknowledgements

Many thanks to Arai Yuu, of the LAC Computer Security Laboratory in Japan,
for discovering this vulnerability!

VI.  Contact Information

Comments regarding the content of this announcement can be directed to:

    security-alert@austin.ibm.com

To request the PGP public key that can be used to encrypt new AIX security
vulnerabilities, send email to security-alert@austin.ibm.com with a subject
of "get key".

If you would like to subscribe to the AIX security newsletter, send a note to
aixserv@austin.ibm.com with a subject of "subscribe Security". To cancel your
subscription, use a subject of "unsubscribe Security". To see a list of other
available subscriptions, use a subject of "help".

IBM and AIX are a registered trademark of International Business Machines
Corporation. All other trademarks are property of their respective holders.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQCVAwUBO93MtQsPbaL1YgqvAQHlPQP9Gc61t+CM4lvYG4mLGE1aEp83HodeDZhs
1wedrASQ0v88MNJh+NO2yBbGsZxMwsm0orN1aGfWXY9uvNwJeKUxWczve6b/5Zl/
i4QQcZ5An2cyWjc5tMOK3mv+8LzWrb7DgBMUVMHOChJMW9ahptfLp0rMQbzVXoiA
xV9PTgGFXlE=
=mUwr
-----END PGP SIGNATURE-----
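As an added example, not part of IBM's advisory, the verify-then-install procedure from section III.B as one shell script: it refuses to touch /usr/dt/lib unless the MD5 printed in the advisory and the detached PGP signature both check out. It assumes efix_binaries.tar and efix_binaries.tar.asc are already in /tmp, that gpg is the PGP tool on the system, and that an MD5 tool (md5sum, the advisory's md5, or openssl) is on PATH.

```shell
#!/bin/sh
# Added example, not IBM's script. Assumes /tmp/efix_binaries.tar and its
# detached signature are present, and gpg plus an MD5 tool are on PATH.
EXPECTED_MD5=31db9713ba5a6a919cc882c7a0525217   # hash printed in the advisory
EFIX_TAR=/tmp/efix_binaries.tar

# Print the hex MD5 of file $1 with whichever tool is available.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 "$1" | awk '{print $NF}'          # "MD5 (file) = hash" format
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# Succeed only when file $1 hashes to $2 (hex, compared case-insensitively).
verify_md5() {
    actual=$(md5_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Map an oslevel string (e.g. 4.3.3.0, 5.1.0.0) to the efix suffix 43 or 51;
# fail for releases the advisory does not cover.
efix_suffix() {
    case "$1" in
        4.3*) echo 43 ;;
        5.1*) echo 51 ;;
        *)    return 1 ;;
    esac
}

# Install the library as the advisory does, but only after both integrity
# checks pass, and never overwrite an existing backup of the original.
install_efix() {
    verify_md5 "$EFIX_TAR" "$EXPECTED_MD5" || {
        echo "MD5 mismatch: stop and report to security-alert@austin.ibm.com" >&2
        return 1; }
    gpg --verify "$EFIX_TAR.asc" "$EFIX_TAR" || { echo "bad PGP signature" >&2; return 1; }
    suffix=$(efix_suffix "$(oslevel)") || { echo "unsupported AIX level" >&2; return 1; }
    (cd /tmp && tar -xf "$EFIX_TAR") || return 1
    cd /usr/dt/lib || return 1
    [ -f libDtSvc.a.orig ] || mv libDtSvc.a libDtSvc.a.orig   # keep the original
    cp "/tmp/libDtSvc.a_$suffix" libDtSvc.a || return 1
    chmod 444 libDtSvc.a && chown bin:bin libDtSvc.a && slibclean
}
```

Run `install_efix` as root; a failed hash or signature check leaves the existing libDtSvc.a untouched.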