Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
IBM AIX secldapclntd Daemon Authentication Flaw Lets Remote Users Modify User Accounts
|
|
SecurityTracker Alert ID: 1006192
|
|
CVE Reference: CAN-2003-0119
(Links to External Site)
|
Date: Mar 3 2003
|
Impact: Disclosure of user information, Modification of user information, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Description: An authentication vulnerability was reported in the IBM AIX secldapclntd daemon. A remote user may be able to modify user accounts on the system.
According to the report, the secldapclntd daemon is intended to pass messages back and forth between the LDAP loadmodule and the
LDAP server. A network socket is reportedly used to communicate with the LDAP loadmodule. IBM reports that a remote user can send
a specially crafted message directly to the secldapclntd daemon to gain unauthorized access to data or to modify user accounts on
the target LDAP server.
|
Impact: A remote user can gain access to data or modify user accounts on the target system.
|
Solution: IBM has released a fix for AIX 5.2.0 and plans to release fixes for AIX 5.1.0 and 4.3.3 as follows:
APAR number for AIX 4.3.3:
IY40510 (available approx. 03/12/2003)
APAR number for AIX 5.1.0: IY40228 (available approx. 04/28/2003)
APAR number
for AIX 5.2.0: IY40157 (available)
For AIX 4.3.3 and 5.1.0, temporary fixes are available:
ftp://aix.software.ibm.com/aix/efixes/security/secldap_efix.tar.Z
See the Source Message for detailed instructions on obtaining and installing the efixes.
|
Vendor URL: www.ibm.com/ (Links to External Site)
|
Cause: Authentication error
|
Underlying OS: UNIX (AIX)
|
Underlying OS Comments: 4.3.3, 5.1.0, 5.2.0
|
|
Message History:
None.
|
Source Message Contents
|
Date: Sun, 02 Mar 2003 22:58:21 -0500
Subject: IBM Security Advisory, Remote secldapclntd compromise
|
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
IBM SECURITY ADVISORY
First Issued: Fri Feb 21 11:00:00 CST 2003
===========================================================================
VULNERABILITY SUMMARY
VULNERABILITY: Remote secldapclntd compromise.
PLATFORMS: AIX 4.3, 5.1 and 5.2
SOLUTION: Apply the efix or APARs as described below.
THREAT: A remote attacker can gain unauthorized access to data
or modify user accounts.
CERT VU Number: n/a
CAN Number: CAN-2003-0119
===========================================================================
DETAILED INFORMATION
I. Description
===============
The secldapclntd daemon accepts requests from the LDAP load module,
forwards requests to the LDAP server, and passes results from the
server back to the LDAP loadmodule. The secldapclntd daemon uses
an internet socket to communicate with the loadmodule. A remote user
can craft a message to communicate with the daemon and gain unauthorized
access to data or could potentially modify user accounts on the LDAP server.
II. Impact
==========
A remote attacker can gain unauthorized access to data or modify user
accounts.
III. Solutions
===============
A. Official Fix
IBM provides the following fixes:
APAR number for AIX 4.3.3: IY40510 (available approx. 03/12/2003)
APAR number for AIX 5.1.0: IY40228 (available approx. 04/28/2003)
APAR number for AIX 5.2.0: IY40157 (available)
B. E-fix
Temporary fixes for AIX 4.3.3, 5.1.0 systems are available.
The temporary fixes can be downloaded via ftp from:
ftp://aix.software.ibm.com/aix/efixes/security/secldap_efix.tar.Z
The efix compressed tarball contains two fixes: one each for
AIX 4.3.3 and AIX 5.1.0. It also includes this Advisory
and a README file with installation instructions.
Verify you have retrieved this efix intact:
- - ----------------------------------------------
There are 2 fix-files in this package for the 4.3.3 and 5.1.0
releases. The checksums below were generated using the "sum" and
"md5" commands and are as follows:
Filename sum md5
=================================================================
secldapclntd.433 28480 62 1646c539468c1b96c9fcef9d7188a4a3
secldapclntd.510 23018 74 983a9b9f2345e2497106adfe3fdc9240
These sums should match exactly; if they do not, double check the
command results and the download site address. If those are OK,
contact IBM AIX Security at security-alert@austin.ibm.com and describe
the discrepancy.
IMPORTANT: Create a mksysb backup of the system and verify it is
both bootable, and readable before proceeding.
These temporary fixes have not been fully regression tested; thus,
IBM does not warrant the fully correct functioning of the efix.
Customers install the efix and operate the modified version of AIX
at their own risk.
Efix Installation Instructions:
- - -----------------------------------
Detailed installation instructions can be found in the README file
supplied in the efix package. These instructions are summarized below.
1. Create a temporary efix directory and move to that directory.
# mkdir /tmp/efix
# cd /tmp/efix
2. Move the efix to /tmp/efix, uncompress it and un-tar the resulting
tarfile. Move to the fix directory.
# cp PATH_TO_ADVISORY /tmp/efix # where PATH_TO_ADVISORY is the fully
# qualified path to the efix package.
# uncompress secldap_efix.tar.Z
# tar xvf secldap_efix.tar
# cd secldap_efix
3. Rename the patched binary files appropriate for your system and set
ownership and permissions.
# mv secldapclntd.xxx secldapclntd # where xxx is 433 or 510
# chown root.security secldapclntd
# chmod 500 secldapclntd
4. Create a backup copy of original binary. Remove all
permissions from the backup copy.
# cd /usr/sbin
# cp secldapclntd secldapclntd.orig
# chmod 0 secldapclntd.orig
5. Stop the secldapclntd daemon.
# kill `ps -e|grep secldapclntd|awk '{ print $1 }'`
6. Replace the current system binary with the patched
binary. Use the -p option to preserve the file
permissions set in step 3.
# cp -p /tmp/efix/secldap_efix/secldapclntd /usr/sbin/secldapclntd
7. Restart secldapclntd.
# /usr/sbin/secldapclntd
IV. Obtaining Fixes
===================
IBM AIX APARs may be ordered using Electronic Fix Distribution (via the
FixDist program), or from the IBM Support Center. For more information
on FixDist, and to obtain fixes via the Internet, please reference
http://techsupport.services.ibm.com/rs6k/fixes.html
or send email to "aixserv@austin.ibm.com" with the word "FixDist" in the
"Subject:" line.
AIX APARs may also be downloaded from the web from the following URLs.
For 4.3.3 APARs:
http://techsupport.services.ibm.com/rs6k/fixdb.html
For 5.1.0 APARs:
http://techsupport.services.ibm.com/server/aix.fdc
For 5.2.0 APARs:
http://techsupport.services.ibm.com/server/aix.fdc
To facilitate ease of ordering all security related APARs for each AIX
release, security fixes are periodically bundled into a cumulative APAR.
For more information on these cumulative APARs including last update and
list of individual fixes, send email to "aixserv@austin.ibm.com" with
the word "subscribe Security_APARs" in the "Subject:" line.
V. Acknowledgments
==================
The issue was discovered by Tom Lu of the AIX Security Team.
VI. Contact Information
========================
Comments regarding the content of this announcement can be directed to:
security-alert@austin.ibm.com
To request the PGP public key that can be used to encrypt new AIX
security vulnerabilities, send email to security-alert@austin.ibm.com
with a subject of "get key".
If you would like to subscribe to the AIX security newsletter, send a
note to aixserv@austin.ibm.com with a subject of "subscribe Security".
To cancel your subscription, use a subject of "unsubscribe Security".
To see a list of other available subscriptions, use a subject of
"help".
Please contact your local IBM AIX support center for any assistance.
IBM and AIX are a registered trademark of International Business
Machines Corporation. All other trademarks are property of their
respective holders.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (AIX)
iD8DBQE+X4bVcnMXzUg7txIRAu7HAJ0RWz6Ywl85qt3Jp4zZzSb9hl728ACfT9H7
HYe2mNc/V4bf2hAv2oteKMQ=
=X5wp
- -----END PGP SIGNATURE-----
|
|
Go to the Top of This SecurityTracker Archive Page
|
