Category:  OS (UNIX) > AIX
Vendors:  IBM
IBM AIX Kernel Buffer Overflow Lets Local Users Gain Elevated Privileges or Deny Service
SecurityTracker Alert ID:  1020083
SecurityTracker URL:  http://securitytracker.com/id/1020083
CVE Reference:  CVE-2008-2513
Updated:  Jun 3 2008
Original Entry Date:  May 22 2008
Impact:  Denial of service via local system, Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s):  5.2, 5.3, 6.1
Description:   A vulnerability was reported in AIX. A local user can obtain elevated privileges on the target system. A local user can cause denial of service conditions.

A local user can trigger a buffer overflow in the kernel to execute arbitrary code with kernel mode privileges or to cause the system to halt.

The following files are affected:

/usr/lib/boot/unix_64
/usr/lib/boot/unix_mp
/usr/lib/boot/unix_up

Impact:   A local user can obtain kernel privileges on the target system.

A local user can cause the target system to halt.

Solution:   The vendor has issued the following APAR:

5.2.0 IZ19911

The vendor plans to issue the following APARs on June 20, 2008.

5.3.0 IZ22368
5.3.7 IZ22369
5.3.8 IZ21481
6.1.0 IZ22370

Efixes are available at:

http://aix.software.ibm.com/aix/efixes/security/unix_fix.tar
ftp://aix.software.ibm.com/aix/efixes/security/unix_fix.tar

The vendor advisories are available at:

http://www.ibm.com/support/docview.wss?uid=isg1IZ19911
http://www.ibm.com/support/docview.wss?uid=isg1IZ22368
http://www.ibm.com/support/docview.wss?uid=isg1IZ22369
http://www.ibm.com/support/docview.wss?uid=isg1IZ21481
http://www.ibm.com/support/docview.wss?uid=isg1IZ22370

Vendor URL:  www.ibm.com/support/docview.wss?uid=isg1IZ19911
Cause:   Boundary error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Wed, 21 May 2008 19:52:32 -0400
Subject:  IBM AIX


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Wed May 21 11:11:21 CDT 2008
===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:      AIX unix kernel buffer overflow

PLATFORMS:          AIX 5.2, 5.3, 6.1

SOLUTION:           Apply the fix as described below.

THREAT:             A local attacker may execute arbitrary code.

CVE Number:         n/a

Reboot required?    YES
Workarounds?        NO
Protected by FPM?   NO
Protected by SED?   NO
===============================================================================
                           DETAILED INFORMATION

I. DESCRIPTION

    The AIX kernel contains a buffer which can overflow.  A local
    attacker may exploit this overflow to execute arbitrary code in
    kernel mode or create a denial of service by causing an unexpected
    system halt.

    The following files are vulnerable:

    /usr/lib/boot/unix_64
    /usr/lib/boot/unix_mp
    /usr/lib/boot/unix_up

II. PLATFORM VULNERABILITY ASSESSMENT

    To determine if your system is vulnerable, execute the following
    command:

    lslpp -L bos.mp64 bos.mp bos.up

    The following fileset levels are vulnerable:

    AIX Fileset                     Lower Level    Upper Level
    -----------------------------------------------------------
    bos.mp64, bos.mp, bos.up        5.2.0.85       5.2.0.89
    bos.mp64, bos.mp, bos.up        5.2.0.95       5.2.0.102
    bos.mp64, bos.mp, bos.up        5.2.0.105      5.2.0.111
    bos.mp64, bos.mp                5.3.0.50       5.3.0.57
    bos.mp64, bos.mp                5.3.0.60       5.3.0.68
    bos.mp64, bos.mp                5.3.7.0        5.3.7.4
    bos.mp64, bos.mp                5.3.8.0        5.3.8.1
    bos.mp64                        6.1.0.0        6.1.0.5

III. SOLUTIONS

    A. APARS

        IBM has assigned the following APARs to this problem:

        AIX Level           APAR number        Availability
        ---------------------------------------------------
        5.2.0               IZ19911            Now
        5.3.0               IZ22368            6/20/2008
        5.3.7               IZ22369            6/20/2008
        5.3.8               IZ21481            6/20/2008
        6.1.0               IZ22370            6/20/2008

        Subscribe to the APARs here:

        http://www.ibm.com/support/docview.wss?uid=isg1IZ19911
        http://www.ibm.com/support/docview.wss?uid=isg1IZ22368
        http://www.ibm.com/support/docview.wss?uid=isg1IZ22369
        http://www.ibm.com/support/docview.wss?uid=isg1IZ21481
        http://www.ibm.com/support/docview.wss?uid=isg1IZ22370

        By subscribing, you will receive periodic email alerting you
        to the status of the APAR, and a link to download the fix once
        it becomes available.

    B. FIXES

        Fixes are available.  The fixes can be downloaded from:

        http://aix.software.ibm.com/aix/efixes/security/unix_fix.tar
        ftp://aix.software.ibm.com/aix/efixes/security/unix_fix.tar

        The links above are to a tar file containing this signed
        advisory, fix packages, and PGP signatures for each package.
        The fixes below include prerequisite checking. This will
        enforce the correct mapping between the fixes and AIX
        Technology Levels.

        AIX Level          Fix (*.U) and Interim Fix (*.Z)
        -------------------------------------------------------------------
        5.2.0 TL8          IZ19911_8a.080515.epkg.Z
                           IZ19911_8b.080515.epkg.Z
                           IZ19911_8c.080515.epkg.Z
        5.2.0 TL9          IZ19911_9a.080515.epkg.Z
                           IZ19911_9b.080515.epkg.Z
                           IZ19911_9c.080515.epkg.Z
        5.2.0 TL10         IZ19911_0a.080515.epkg.Z
                           IZ19911_0b.080515.epkg.Z
                           IZ19911_0c.080515.epkg.Z
        5.3.0 TL5          IZ22368_5a.080515.epkg.Z
                           IZ22368_5b.080515.epkg.Z
        5.3.0 TL6          IZ22368_6a.080515.epkg.Z
                           IZ22368_6b.080515.epkg.Z
        5.3.7              IZ22369_7a.080515.epkg.Z
                           IZ22369_7b.080515.epkg.Z
        5.3.8              IZ21481_8a.080515.epkg.Z
                           IZ21481_8b.080515.epkg.Z
        6.1.0              IZ22370_0a.080515.epkg.Z

        To extract the fixes from the tar file:

        tar xvf unix_fix.tar
        cd unix_fix

        Verify you have retrieved the fixes intact:

        The checksums below were generated using the "sum", "cksum",
        "csum -h MD5" (md5sum), and "csum -h SHA1" (sha1sum) commands
        and are as follows:

        To verify the sums, use the text of this advisory as input to
        csum, md5sum, or sha1sum. For example:

        csum -h SHA1 -i Advisory.asc
        md5sum -c Advisory.asc
        sha1sum -c Advisory.asc

        These sums should match exactly. The PGP signatures in the tar
        file and on this advisory can also be used to verify the
        integrity of the fixes.  If the sums or signatures cannot be
        confirmed, contact IBM AIX Security at
        security-alert@austin.ibm.com and describe the discrepancy.

     C. FIX AND INTERIM FIX INSTALLATION

        IMPORTANT: If possible, it is recommended that a mksysb backup
        of the system be created.  Verify it is both bootable and
        readable before proceeding.

        To preview a fix installation:

        installp -a -d fix_name -p all  # where fix_name is the name of the
                                        # fix package being previewed.
        To install a fix package:

        installp -a -d fix_name -X all  # where fix_name is the name of the  
                                        # fix package being installed.

        Interim fixes have had limited functional and regression
        testing but not the full regression testing that takes place
        for Service Packs; thus, IBM does not warrant the fully
        correct functionality of an interim fix.

        Interim fix management documentation can be found at:

        http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

        To preview an interim fix installation:

        emgr -e ipkg_name -p         # where ipkg_name is the name of the  
                                     # interim fix package being previewed.

        To install an interim fix package:

        emgr -e ipkg_name -X         # where ipkg_name is the name of the  
                                     # interim fix package being installed.

IV. WORKAROUNDS

    There are no workarounds.

V. OBTAINING FIXES

    AIX security fixes can be downloaded from:

        http://aix.software.ibm.com/aix/efixes/security
        ftp://aix.software.ibm.com/aix/efixes/security

    AIX fixes can be downloaded from:

        http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix

    NOTE: Affected customers are urged to upgrade to the latest
    applicable Technology Level and Service Pack.

VI. CONTACT INFORMATION

    If you would like to receive AIX Security Advisories via email,
    please visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd
 
    Comments regarding the content of this announcement can be
    directed to:

        security-alert@austin.ibm.com

    To request the PGP public key that can be used to communicate
    securely with the AIX Security Team you can either:

        A. Send an email with "get key" in the subject line to:

            security-alert@austin.ibm.com

        B. Download the key from a PGP Public Key Server. The key ID is:

            0xADA6EB4D

    Please contact your local IBM AIX support center for any
    assistance.

    eServer is a trademark of International Business Machines
    Corporation.  IBM, AIX and pSeries are registered trademarks of
    International Business Machines Corporation.  All other trademarks
    are property of their respective holders.

VII. ACKNOWLEDGMENTS

    IBM discovered and fixed this vulnerability as part of its
    commitment to secure the AIX operating system.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD8DBQFINEnMP9Qud62m600RAiOLAKCUJd7WOdppVL+vzJ/J2L0uJi8stQCgjcqo
WUbmZgecMFaLY8b/pRF1j1k=
=Wilw
-----END PGP SIGNATURE-----
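
The fileset check from section II of the advisory, as an added example (not part of the IBM advisory or the SecurityTracker entry). It assumes the installed levels have already been pulled out of the `lslpp -L` output as `fileset level` pairs; the function names and the sample input are constructed for illustration.

```shell
# Vulnerable ranges from section II: "filesets lower upper" (bounds inclusive).
RANGES='bos.mp64,bos.mp,bos.up 5.2.0.85 5.2.0.89
bos.mp64,bos.mp,bos.up 5.2.0.95 5.2.0.102
bos.mp64,bos.mp,bos.up 5.2.0.105 5.2.0.111
bos.mp64,bos.mp 5.3.0.50 5.3.0.57
bos.mp64,bos.mp 5.3.0.60 5.3.0.68
bos.mp64,bos.mp 5.3.7.0 5.3.7.4
bos.mp64,bos.mp 5.3.8.0 5.3.8.1
bos.mp64 6.1.0.0 6.1.0.5'

# is_vulnerable FILESET LEVEL: 0 = in a listed range, 1 = not, 2 = malformed level
is_vulnerable() {
    printf '%s\n' "$RANGES" | awk -v want="$1" -v lv="$2" '
        # Numeric per-field compare: 5.2.0.102 > 5.2.0.95 (string compare gets this wrong).
        function cmp(a, b,   x, y, i) {
            split(a, x, "."); split(b, y, ".")
            for (i = 1; i <= 4; i++) {
                if (x[i] + 0 < y[i] + 0) return -1
                if (x[i] + 0 > y[i] + 0) return 1
            }
            return 0
        }
        BEGIN { bad = (lv !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) }
        !bad {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == want && cmp(lv, $2) >= 0 && cmp(lv, $3) <= 0)
                    hit = 1
        }
        END { if (bad) exit 2; exit (hit ? 0 : 1) }'
}

# check_levels: reads "fileset level" pairs on stdin; returns 1 if any is vulnerable.
check_levels() {
    rc=0
    while read -r fileset level; do
        [ -n "$fileset" ] || continue
        if is_vulnerable "$fileset" "$level"; then
            echo "VULNERABLE  $fileset $level"; rc=1
        elif [ $? -eq 2 ]; then
            echo "BAD LEVEL   $fileset $level"
        else
            echo "not listed  $fileset $level"
        fi
    done
    return $rc
}
# Constructed sample levels (not taken from a real system).
printf 'bos.mp64 5.3.8.1\nbos.mp 5.2.0.90\nbos.up 5.3.0.55\n' | check_levels || echo "fix needed"
```

A level that falls between two listed ranges (for example 5.2.0.90) is reported as not listed, matching the advisory's table rather than treating everything below the highest level as affected.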

Copyright 2014, SecurityGlobal.net LLC