IBM AIX 'snappd' Lets Local Users Gain Root Privileges
|
|
SecurityTracker Alert ID: 1016919 |
|
SecurityTracker URL: http://securitytracker.com/id/1016919
|
|
CVE Reference:
CVE-2006-5011
(Links to External Site)
|
Updated: Jun 3 2008
|
Original Entry Date: Sep 26 2006
|
Impact:
Root access via local system
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 5.2, 5.3
|
Description:
A vulnerability was reported in IBM AIX snappd. A local user can obtain root privileges on the target system.
A local user in the snapp group can execute arbitrary commands on the target system with root privileges.
The 'bos.net.snapp' fileset is affected.
|
Impact:
A local user can obtain root privileges on the target system.
|
Solution:
IBM plans to provide the following fixes:
APAR number for AIX 5.2.0: IY88820 (available approx. 10/18/06)
APAR number for AIX 5.3.0: IY88818 (available approx. 10/04/06)
Interim fixes are available at:
ftp://aix.software.ibm.com/aix/efixes/security/snappd_ifix.tar.Z
|
Vendor URL: www.ibm.com/ (Links to External Site)
|
Cause:
Not specified
|
Underlying OS:
|
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 25 Sep 2006 17:55:22 -0400
Subject: IBM AIX snappd vulnerability
|
----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
IBM SECURITY ADVISORY
First Issued: Mon Sep 25 10:00 CDT 2006
==========================================================================
VULNERABILITY SUMMARY
VULNERABILITY: A vulnerability in snappd may allow a local user in
the snapp group to execute arbitrary commands with
root privileges.
PLATFORMS: AIX 5.2 and 5.3.
SOLUTION: Apply the APAR, interim fix or workaround as
described below.
THREAT: A local user in the snapp group may execute arbitrary
commands with root privileges.
CERT VU Number: n/a
CVE Number: n/a
==========================================================================
DETAILED INFORMATION
I. Description
===============
A vulnerability in snappd may allow a local user in the snapp group to
execute arbitrary commands with root privileges.
snappd ships as part of the bos.net.snapp fileset. To determine if this
fileset is installed, execute the following command:
# lslpp -L bos.net.snapp
If the fileset is installed it will be listed along with its version
information, state, type and a description.
The following table shows the vulnerable versions of bos.net.snapp.
AIX Release Lower Upper
Level Level
===========================================
AIX 5.2 5.2.0.0 5.2.0.0
AIX 5.3 5.3.0.0 5.3.0.0
II. Impact
==========
A local user in the snapp group may execute arbitrary commands with root
privileges.
III. Solutions
===============
A. APARs
IBM provides the following fixes:
APAR number for AIX 5.2.0: IY88820 (available approx. 10/18/06)
APAR number for AIX 5.3.0: IY88818 (available approx. 10/04/06)
NOTE: Affected customers are urged to upgrade to the latest applicable
Technology Level.
B. Interim Fix
Interim fixes are available. The interim fixes can be downloaded via ftp
from:
ftp://aix.software.ibm.com/aix/efixes/security/snappd_ifix.tar.Z
This is a compressed tarball containing this advisory, interim fix
packages and cleartext PGP signatures for each package.
Verify you have retrieved the fixes intact:
+------------------------------------------
The interim fixes below are named by using the APAR corresponding to the
release that the fix applies to. The APAR is followed by an underscore and
the Technology Level for the particular AIX release that a fix applies to.
The checksums below were generated using the "sum" and "md5sum" commands
and are as follows:
Filename sum md5
=========================================================================
IY88820_07.060824.epkg.Z 60570 15 6fe7c0b6f1b6ae79644ef66119c103bf
IY88820_08.060824.epkg.Z 54783 15 d1706d0235ffc94aa4964ce102fc9106
IY88820_09.060824.epkg.Z 65152 15 834843b8057398e11248cffa927a186c
IY88818_03.060824.epkg.Z 56887 16 a1e30e97c1fb39825b01872ccaa0756e
IY88818_04.060824.epkg.Z 09603 16 3472e784f7a564834ac4df42ea5c3f05
IY88818_05.060824.epkg.Z 59232 16 ba050f61ad6ae413fee0306f914c2efd
These sums should match exactly. The PGP signatures in the compressed
tarball and on this advisory can also be used to verify the integrity of
the various files they correspond to. If the sums or signatures cannot be
confirmed, double check the command results and the download site address.
If those are OK, contact IBM AIX Security at security-alert@austin.ibm.com
and describe the discrepancy.
The interim fixes include prerequisite checking. This will ensure the
correct mapping between the interim fixes and AIX Technology Levels. The
following table shows the prerequisite fileset levels required for the
fixes above. The fileset levels listed are for bos.net.snapp.
Interim Fileset Level Fileset Level
Fix (lower limit) (upper limit)
===================================================================
IY88820_07.060824.epkg.Z 5.2.0.0 5.2.0.0
IY88820_08.060824.epkg.Z 5.2.0.0 5.2.0.0
IY88820_09.060824.epkg.Z 5.2.0.0 5.2.0.0
IY88818_03.060824.epkg.Z 5.3.0.0 5.3.0.0
IY88818_04.060824.epkg.Z 5.3.0.0 5.3.0.0
IY88818_05.060824.epkg.Z 5.3.0.0 5.3.0.0
IMPORTANT: If possible, it is recommended that a mksysb backup of the
system is created. Verify it is both bootable, and readable before
proceeding.
Customers may contact IBM support if any issues arise with these interim
fixes.
Interim Installation Instructions:
+---------------------------------
These packages use the new Interim Fix Management Solution to install and
manage interim fixes. More information can be found at:
http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html
To preview an epkg interim fix installation execute the following command:
# emgr -e ipkg_name -p # where ipkg_name is the name of the
# interim fix package being previewed.
To install an epkg interim fix package, execute the following command:
# emgr -e ipkg_name -X # where ipkg_name is the name of the
# interim fix package being installed.
The "X" flag will expand any filesystems if required.
Restart snappd if it is running.
C. Workaround
Remove the setuid root bit. Note that this will prevent snappd from
functioning normally for non-root users. This can be done by executing the
following command:
# chmod 550 /usr/sbin/snappd
Verify the changes:
# ls -la /usr/sbin/snappd
- -r-xr-x--- 1 root snapp 21924 May 13 2004 /usr/sbin/snappd
IV. Obtaining Fixes
===================
AIX Version 5 APARs can be downloaded from:
http://www.ibm.com/servers/eserver/support/unixservers/aixfixes.html
Security related Interim Fixes can be downloaded from:
ftp://aix.software.ibm.com/aix/efixes/security
V. Contact Information
=======================
If you would like to receive AIX Security Advisories via email, please
visit:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd
Comments regarding the content of this announcement can be directed to:
security-alert@austin.ibm.com
To request the PGP public key that can be used to communicate securely
with the AIX Security Team send email to security-alert@austin.ibm.com
with a subject of "get key". The key can also be downloaded from a PGP
Public Key Server. The key id is 0x1B14F299.
Please contact your local IBM AIX support center for any assistance.
eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their respective
holders.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFFErQaofN/JhsU8pkRArBVAJ9T51sSz+d3tJFKEaVLnxJw4n7l2QCeJAEA
wRBVTcYwROnzIe/Vrg3QaPE=
=CGnw
-----END PGP SIGNATURE-----
|
|
