[ SOURCE: http://www.secureroot.com/security/advisories/9640287788.html ] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= CERT(*) Advisory CA-94:10 Original issue date: June 3, 1994 Last revised: September 23, 1997 Updated copyright statement Topic: IBM AIX bsh Vulnerability - ----------------------------------------------------------------------------- The CERT Coordination Center has learned of a vulnerability in the batch queue (bsh) of IBM AIX systems running versions prior to and including AIX 3.2. CERT recommends disabling the batch queue by following the workaround instructions in Section III below. Section III also includes information on how to obtain fixes from IBM if the bsh queue functionality is required by remote systems. We will update this advisory as we receive additional information. Please check advisory files regularly for updates that relate to your site. - ----------------------------------------------------------------------------- I. Description The queueing system on IBM AIX includes a batch queue, "bsh", which is turned on by default in /etc/qconfig on all versions of AIX 3 and earlier. II. Impact If network printing is enabled, remote and local users can gain access to a privileged account. III. Solution In the next release of AIX, the bsh queue will be turned off by default. CERT/CC recommends that the bsh queue be turned off using the workaround described in Section A below unless there is an explicit need to support this functionality for remote hosts. If this functionality must be supported, IBM provides fixes as outlined in Sections B and C below. For questions concerning these workarounds or fixes, please contact IBM at the number provided below. A. Workaround Disable the bsh queue by following one of the two procedures outlined below: 1. As root, from the command line, enter: # chque -qbsh -a"up = FALSE" 2. From SMIT, enter: - Spooler - Manage Local Printer Subsystem - Change/Show Characteristics of a Queue select bsh - Activate the Queue select no B. Emergency fix Obtain and install the emergency fix for the version(s) of AIX used at your site. Fixes for the various levels of AIX are available by anonymous FTP from software.watson.ibm.com. The files are located in /pub/aix/bshfix.tar.Z in compressed tar format. Installation instructions are included in the README file included as part of the tar file. The directory /pub/aix contains the latest available emergency fix for APAR IX44381. As updates become available, any new versions will be placed in this directory with the name bshfix<#>.tar.Z with <#> being incremented for each update. See the README.FIRST file in that directory for details. IBM may remove this emergency fix file without prior notice if flaws are reported. Due to the changing nature of these files, no checksum information is available. C. Official fix The official fix for this problem can be ordered as APAR IX44381. To order APARs from IBM in the U.S., call 1-800-237-5511 and ask that it be shipped to you as soon as it is available. To obtain APARs outside of the U.S., contact your local IBM representative. - --------------------------------------------------------------------------- The CERT Coordination Center wishes to thank Gordon C. Galligher of Information Resources, Inc. for reporting this problem and IBM Corporation for their support in responding to this problem. - --------------------------------------------------------------------------- If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in Forum of Incident Response and Security Teams (FIRST). If you wish to send sensitive incident or vulnerability information to CERT via electronic mail, CERT strongly advises that the e-mail be encrypted. CERT can support a shared DES key, PGP (public key available via anonymous FTP on info.cert.org), or PEM (contact CERT for details). Internet E-mail: cert@cert.org Telephone: 412-268-7090 (24-hour hotline) CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 USA Past advisories, information about FIRST representatives, and other information related to computer security are available for anonymous FTP from info.cert.org. - ------------------------------------------------------------------------------ Copyright 1994, 1996 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff . If you do not have FTP or web access, send mail to cert@cert.org with "copyright" in the subject line. CERT is registered in the U.S. Patent and Trademark Office. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Revision history Sep. 23. 1997 Updated copyright statement Aug. 30, 1996 Removed references to README files because advisories themselves are now updated. -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQA/AwUBOBTAG1r9kb5qlZHQEQLFZgCdF66t5CgPlWaKWd0PPtnGEep0A5wAn2Mo rRG38QjgKC5jlqG3I0ROnH9v =q2cn -----END PGP SIGNATURE-----