=============================================================================== Security Advisory CERT-NL =============================================================================== Author/Source : CERT-NL (Nico de Koo) Index : S-94-16 Distribution : World Page : 1 Classification: External Version: Final Subject : IBM AIX bsh Vulnerability Date : 07-Jun-94 =============================================================================== CERT-NL received information on a vulnerabilty in IBM AIX bsh vulnerability CERT-NL wishes to thank CERT/CC for providing this information. ---------------------------------------------------------------------------- CERT-NL recently received information about a security vulnerability in the batch queue (bsh) of IBM AIX systems running versions prior to and including AIX 3.2. CERT-NL recommends disabling the batch queue by following the workaround instructions in Section III below. Section III also includes information on how to obtain fixes from IBM if the bsh queue functionality is required by remote systems. As we receive additional information relating to this advisory, we will place it, along with any clarifications, in a security bulletin addendum S-94-16.README file. CERT advisories and their associated README files are available by anonymous FTP from ftp.nic.surfnet.nl. In the directory "surfnet/net-security/cert-nl/docs/bulletin" We encourage you to check the README files regularly for updates on advisories that relate to your site. ----------------------------------------------------------------------------- I. Description The queueing system on IBM AIX includes a batch queue, "bsh", which is turned on by default in /etc/qconfig on all versions of AIX 3 and earlier. II. Impact If network printing is enabled, remote and local users can gain access to a privileged account. III. Solution In the next release of AIX, the bsh queue will be turned off by default. CERT recommends that the bsh queue be turned off using the workaround described in Section A below unless there is an explicit need to support this functionality for remote hosts. If this functionality must be supported, IBM provides fixes as outlined in Sections B and C below. For questions concerning these workarounds or fixes, please contact IBM at the number provided below. A. Workaround Disable the bsh queue by following one of the two procedures outlined below: 1. As root, from the command line, enter: # chque -qbsh -a"up = FALSE" 2. From SMIT, enter: - Spooler - Manage Local Printer Subsystem - Change/Show Characteristics of a Queue select bsh - Activate the Queue select no B. Emergency fix Obtain and install the emergency fix for the version(s) of AIX used at your site. Fixes for the various levels of AIX are available by anonymous FTP from ftp.nic.surfnet.nl. The file is located in: /surfnet/net-security/cert-nl/patches/ibm-fixes/bshfix.tar.Z in compressed tar format. Installation instructions are included in the README file included as part of the tar file. The directory /surfnet/net-security/cert-nl/patches/ibm-fixes contains the latest available emergency fix for APAR IX44381. As updates become available, any new versions will be placed in this directory with the name bshfix<#>.tar.Z with <#> being incremented for each update. IBM may remove this emergency fix file without prior notice if flaws are reported. Due to the changing nature of these files, no checksum information is available. C. Official fix The official fix for this problem can be ordered as APAR IX44381. To order APARs from IBM contact your local IBM representative and ask that it be shipped to you as soon as it is available. If you believe that your system has been compromised, contact the CERT-NL or your representative in Forum of Incident Response and Security Teams (FIRST). CERT-NL will continue to monitor this situation and will post additional information should it become necessary. If you have any questions about this bulletin, please contact CERT-NL via any of the venues below. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= CERT-NL ACKNOWLEDGES: The CERT Coordination Center and wishes to thank Gordon C. Galligher of Information Resources, Inc. for reporting this problem and IBM Corporation for their support in responding to this problem. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ============================================================================== CERT-NL is the Computer Emergency Response Team, located in The Netherlands. CERT-NL is a Full Member of the Forum of Incident Response and Security Teams (FIRST). The constituency of CERT-NL are the SURFnet connected institutions. Past CERT-NL Security Bulletins and other CERT-NL related material can be found on the anonymous FTP server of SURFnet bv: "ftp.nic.surfnet.nl" [192.87.46.3], in the directory "surfnet/net-security/cert-nl/docs/bulletin". This information is also available using email. Send an email saying "help" to "mailserv@nic.surfnet.nl". In case of computer or network security problems please contact CERT-NL or the CERT of your own constituency. Please be aware of the fact that we are one (when DST is in effect two) hour(s) ahead of Universal Time Coordinated (i.e. UTC+0100 (UTC+0200)). Email: cert-nl@surfnet.nl Phone: +31 30 310290 Fax: +31 30 340903 Snailmail: SURFnet bv Attn. CERT-NL P.O. Box 19035 NL - 3501 DA UTRECHT The Netherlands A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST members on request. ==============================================================================