SecurityTracker.com
Category:   OS (UNIX)  >   AIX
Vendors:   IBM
IBM AIX ftpd Bug Lets Remote Authenticated Users Determine the Installation Path
SecurityTracker Alert ID:  1020090
SecurityTracker URL:  http://securitytracker.com/id/1020090
CVE Reference:   CVE-1999-0201
Date:  May 22 2008
Impact:   Disclosure of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 5.2, 5.3, 6.1
Description:   A vulnerability was reported in the IBM AIX ftp daemon. A remote user can determine the installation path.

A remote authenticated user (including an anonymous user) can issue a 'quote cwd' command to determine the full path of the home directory of the ftp user.

ISS X-Force reported this vulnerability.

Impact:   A remote authenticated user can determine the installation path.
Solution:   IBM plans to issue the following APARs on June 20, 2008:

5.2.0 IZ18670
5.3.0 IZ22357
5.3.7 IZ22358
5.3.8 IZ21529
6.1.0 IZ22356

Efixes are available at:

http://aix.software.ibm.com/aix/efixes/security/ftpd_fix.tar
ftp://aix.software.ibm.com/aix/efixes/security/ftpd_fix.tar

The vendor advisories are available at:

http://www.ibm.com/support/docview.wss?uid=isg1IZ18670
http://www.ibm.com/support/docview.wss?uid=isg1IZ22357
http://www.ibm.com/support/docview.wss?uid=isg1IZ22358
http://www.ibm.com/support/docview.wss?uid=isg1IZ21529
http://www.ibm.com/support/docview.wss?uid=isg1IZ22356

Vendor URL:  www.ibm.com/
Cause:   Access control error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Wed, 21 May 2008 20:17:20 -0400
Subject:  IBM AIX ftpd (AIX)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Wed May 21 11:19:32 CDT 2008
===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:      AIX anonymous ftpd information leak

PLATFORMS:          AIX 5.2, 5.3, 6.1

SOLUTION:           Apply the fix as described below.

THREAT:             A remote attacker may learn some details of the
                    structure of the file system.

CVE Number:         CVE-1999-0201

Reboot required?    NO
Workarounds?        NO
Protected by FPM?   NO
Protected by SED?   NO
===============================================================================
                           DETAILED INFORMATION

I. DESCRIPTION

    A 'quote cwd' command executed on an ftpd server with anonymous
    login enabled can reveal the full path of the home directory of
    the anonymous ftp user.

    The following files are vulnerable:

    /usr/sbin/ftpd

II. PLATFORM VULNERABILITY ASSESSMENT

    To determine if your system is vulnerable, execute the following
    command:

    lslpp -L bos.net.tcp.client

    The following fileset levels are vulnerable:

    AIX Fileset               Lower Level    Upper Level
    -----------------------------------------------------------
    bos.net.tcp.client        5.2.0.85       5.2.0.88
    bos.net.tcp.client        5.2.0.95       5.2.0.99
    bos.net.tcp.client        5.2.0.105      5.2.0.111
    bos.net.tcp.client        5.3.0.50       5.3.0.55
    bos.net.tcp.client        5.3.0.60       5.3.0.67
    bos.net.tcp.client        5.3.7.0        5.3.7.2
    bos.net.tcp.client        5.3.8.0        5.3.8.1
    bos.net.tcp.client        6.1.0.0        6.1.0.4

III. SOLUTIONS

    A. APARS

        IBM has assigned the following APARs to this problem:

        AIX Level           APAR number        Availability
        ---------------------------------------------------
        5.2.0               IZ18670            6/20/2008
        5.3.0               IZ22357            6/20/2008
        5.3.7               IZ22358            6/20/2008
        5.3.8               IZ21529            6/20/2008
        6.1.0               IZ22356            6/20/2008

        Subscribe to the APARs here:

        http://www.ibm.com/support/docview.wss?uid=isg1IZ18670
        http://www.ibm.com/support/docview.wss?uid=isg1IZ22357
        http://www.ibm.com/support/docview.wss?uid=isg1IZ22358
        http://www.ibm.com/support/docview.wss?uid=isg1IZ21529
        http://www.ibm.com/support/docview.wss?uid=isg1IZ22356

        By subscribing, you will receive periodic email alerting you
        to the status of the APAR, and a link to download the fix once
        it becomes available.

    B. FIXES

        Fixes are available.  The fixes can be downloaded from:

        http://aix.software.ibm.com/aix/efixes/security/ftpd_fix.tar
        ftp://aix.software.ibm.com/aix/efixes/security/ftpd_fix.tar

        The links above are to a tar file containing this signed
        advisory, fix packages, and PGP signatures for each package.
        The fixes below include prerequisite checking. This will
        enforce the correct mapping between the fixes and AIX
        Technology Levels.

        AIX Level          Fix (*.U) and Interim Fix (*.Z)
        -------------------------------------------------------------------
        5.2.0 TL8          IZ18670_08.080515.epkg.Z
        5.2.0 TL9          IZ18670_09.080515.epkg.Z
        5.2.0 TL10         IZ18670_10.080515.epkg.Z
        5.3.0 TL5          IZ22357_05.080515.epkg.Z
        5.3.0 TL6          IZ22357_06.080515.epkg.Z
        5.3.7              IZ22358_07.080515.epkg.Z
        5.3.8              IZ21529_08.080515.epkg.Z
        6.1.0              IZ22356_00.080515.epkg.Z

        To extract the fixes from the tar file:

        tar xvf ftpd_fix.tar
        cd ftpd_fix

        Verify you have retrieved the fixes intact:

        The checksums below were generated using the "sum", "cksum",
        "csum -h MD5" (md5sum), and "csum -h SHA1" (sha1sum) commands
        and are as follows:

        To verify the sums, use the text of this advisory as input to
        csum, md5sum, or sha1sum. For example:

        csum -h SHA1 -i Advisory.asc
        md5sum -c Advisory.asc
        sha1sum -c Advisory.asc

        These sums should match exactly. The PGP signatures in the tar
        file and on this advisory can also be used to verify the
        integrity of the fixes.  If the sums or signatures cannot be
        confirmed, contact IBM AIX Security at
        security-alert@austin.ibm.com and describe the discrepancy.

    C. FIX AND INTERIM FIX INSTALLATION

        IMPORTANT: If possible, it is recommended that a mksysb backup
        of the system be created.  Verify it is both bootable and
        readable before proceeding.

        To preview a fix installation:

        installp -a -d fix_name -p all  # where fix_name is the name of the
                                        # fix package being previewed.

        To install a fix package:

        installp -a -d fix_name -X all  # where fix_name is the name of the  
                                        # fix package being installed.

        Interim fixes have had limited functional and regression
        testing but not the full regression testing that takes place
        for Service Packs; thus, IBM does not warrant the fully
        correct functionality of an interim fix.

        Interim fix management documentation can be found at:

        http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

        To preview an interim fix installation:

        emgr -e ipkg_name -p         # where ipkg_name is the name of the  
                                     # interim fix package being previewed.

        To install an interim fix package:

        emgr -e ipkg_name -X         # where ipkg_name is the name of the  
                                     # interim fix package being installed.

IV. WORKAROUNDS

    There are no workarounds.

V. OBTAINING FIXES

    AIX security fixes can be downloaded from:

        http://aix.software.ibm.com/aix/efixes/security
        ftp://aix.software.ibm.com/aix/efixes/security

    AIX fixes can be downloaded from:

        http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix

    NOTE: Affected customers are urged to upgrade to the latest
    applicable Technology Level and Service Pack.

VI. CONTACT INFORMATION

    If you would like to receive AIX Security Advisories via email,
    please visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd
 
    Comments regarding the content of this announcement can be
    directed to:

        security-alert@austin.ibm.com

    To request the PGP public key that can be used to communicate
    securely with the AIX Security Team you can either:

        A. Send an email with "get key" in the subject line to:

            security-alert@austin.ibm.com

        B. Download the key from a PGP Public Key Server. The key ID is:

            0xADA6EB4D

    Please contact your local IBM AIX support center for any
    assistance.

    eServer is a trademark of International Business Machines
    Corporation.  IBM, AIX and pSeries are registered trademarks of
    International Business Machines Corporation.  All other trademarks
    are property of their respective holders.

VII. ACKNOWLEDGMENTS

    ISS X-Force reported this vulnerability.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD8DBQFINEusP9Qud62m600RAmkDAKDcUiPNNJsn+yZMij3ZfEYxKF6bBgCg4Si0
0v9FJ40uFoSyNyy722ihiVQ=
=qZBF
-----END PGP SIGNATURE-----
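
The fileset level check from section II of the advisory, as an added example that is not part of the IBM advisory or of the SecurityTracker alert. The function names, the sample `lslpp -L` output and its column layout (fileset name, then level) are assumptions made for illustration; the ranges are the ones in the advisory's table.

```shell
#!/bin/sh
# Added example, not IBM's code. Inclusive "lower upper" level ranges for
# bos.net.tcp.client, copied from section II of the advisory.
VULN_RANGES='5.2.0.85 5.2.0.88
5.2.0.95 5.2.0.99
5.2.0.105 5.2.0.111
5.3.0.50 5.3.0.55
5.3.0.60 5.3.0.67
5.3.7.0 5.3.7.2
5.3.8.0 5.3.8.1
6.1.0.0 6.1.0.4'

# Constructed sample; assumes lslpp -L prints fileset name, then level.
SAMPLE_LSLPP='  Fileset                    Level  State  Type  Description
  bos.net.tcp.client         5.3.8.1    C     F    TCP/IP Client Support'

# level_le A B: true when dotted level A <= B, compared field by field as
# numbers (a string compare would sort 5.2.0.105 below 5.2.0.99).
level_le() {
    echo "$1 $2" | awk '{ split($1, a, "."); split($2, b, ".")
        for (i = 1; i <= 4; i++) if (a[i] + 0 != b[i] + 0) exit (a[i] + 0 > b[i] + 0)
        exit 0 }'
}

# is_vulnerable_level LEVEL: true when LEVEL lies inside any listed range.
is_vulnerable_level() {
    while read -r lo hi; do
        if level_le "$lo" "$1" && level_le "$1" "$hi"; then return 0; fi
    done <<EOF
$VULN_RANGES
EOF
    return 1
}

# installed_level: print the level column for the fileset from stdin.
installed_level() {
    awk '$1 == "bos.net.tcp.client" { print $2; exit }'
}

# check_ftpd_fileset: classify the lslpp -L output supplied on stdin.
check_ftpd_fileset() {
    lvl=$(installed_level)
    if [ -z "$lvl" ]; then echo "NOT-INSTALLED"
    elif is_vulnerable_level "$lvl"; then echo "VULNERABLE $lvl"
    else echo "NOT-LISTED $lvl"
    fi
}

# On an AIX host: lslpp -L bos.net.tcp.client | check_ftpd_fileset
echo "$SAMPLE_LSLPP" | check_ftpd_fileset
```

A `NOT-LISTED` result means only that the level is outside the ranges in the advisory's table, for example 5.2.0.100, which falls in the gap between two listed ranges.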
Copyright 2013, SecurityGlobal.net LLC