mailing list archives
IBM-ERS For Your Information: IBM AIX: Locale and BIND fixes on ftp.software.ibm.com/aix/efixes/security
From: IGS ERS Advisory Service <advisory () US IBM COM>
Date: Mon, 27 Nov 2000 09:56:47 -0500
IBM Global Services
Emergency Response Service
For Your Information
THIS IS NOT A SECURITY VULNERABILITY ALERT
27 NOV 2000 13:47 GMT ERS-FYI-E01-2000:082.1
IBM-ERS For Your Information (FYI) documents are designed to provide
customers of the IBM Emergency Response Service with information about
current topics in the fields of Internet and virus security. FYI documents
will be issued periodically as the need arises. Topics may include
security implications of new protocols in use on the Internet,
implementation suggestions for certain types of services, virus hype and
hoaxes, and answers to frequently asked questions.
-----BEGIN PGP SIGNED MESSAGE-----
IBM AIX SECURITY NOTIFICATION
The IBM AIX Security Response Team has posted an e-fix to
ftp.software.ibm.com/aix/efixes/security that is intended to close two
potential security exploits in libc.a until the appropriate APARs are
made available that offer a fully tested, permanent fix. Details are
Two exploits have been recently identified in IBM's AIX operating system
the host systems' reliability and security.
One of these vulnerabilities is a format string exploit present in the
and is implemented via the attacker's use of setting NLSPATH to point to
his or her
tainted message file that contains a carefully selected set of format
allow the attacker to gain root privileges. The locale subsystem code is
The other vulnerability consists of two potential denial-of-service
exploits in BIND
(named). Only a specific range of versions of BIND are affected. The most
(above patch level 6) are not affected. Portions of the BIND code are
IBM has issued e-fixes that contain temporary fixes for each of the two
just described. However, the libc.a file in each does not incorporate the
both of these exploits. Thus, a customer will not be protected from both
either of the libc.a libraries. IBM's recommendation (see the README file
in this ftp
directory) was to choose the e-fix for the locale subsystem vulnerability
over that of
the DoS exploits in BIND. The former is a more serious security hole, and
problems have not been consistently demonstrated in the BIND version AIX
WHAT THIS E-FIX CONTAINS:
This e-fix package has a libc.a file that incorporates e-fixes for both the
described above. This version of the library is for AIX 4.3 at version
Customers MUST have their systems at this level for the e-fix to work
avoid serious OS difficulties on their hosts. If you are not at this level
install this e-fix. To upgrade to 220.127.116.11, install APAR #IY12541.
Customers must download the e-fix for the BIND vulnerabilities first, and
e-fix as instructed in the package README file. Again, see the (other)
README file in this
ftp directory to identify the proper packages.
Then, this package can be used: substitute the libc.a library in this
package for the
one in the /tmp/testnamed (or whatever name for the subdirectory the
under /tmp) directory described in the BIND package instructions, and
installation instructions as before for the BIND e-fix. Remember to use a
"victim" machine to test the installation and proper operation of the e-fix
doing the same on an "in-service" box.
The e-fix in this package has not been subjected to full regression testing
proper security and functioning of the operating system. Hence, customers
this e-fix at their own risk. The e-fix is an emergency, temporary patch
only; when the applicable APAR is released for each of the
vulnerabilities, customers are urged to install these APARs.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
-----END PGP SIGNATURE-----
IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment. IBM's Virus Emergency
Response Service is a subscription-based service that provides assistance
with virus risk and emergency management. By acting as an extension of
your own internal security staff, IBM-ERS's team of security experts helps
you quickly detect and respond to attacks and exposures to your I/T
As a part of IBM's Business Continuity Recovery Services organization, the
IBM Emergency Response Service is a component of IBM's SecureWay(tm) line
of security products and services. From hardware to software to
consulting, SecureWay solutions can give you the assurance and expertise
you need to protect your valuable business resources. To find out more
about the IBM Emergency Response Service, send an electronic mail message
to ers-sales () ers ibm com, or call 1-800-426-7378.
IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security
alerts, team contact information, and other items.
IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism
for security vulnerability alerts and other distributed information. The
IBM-ERS PGP* public key is available from
"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann.
IBM-ERS is a Member Team of the Forum of Incident Response and Security
Teams (FIRST), a global organization established to foster cooperation and
response coordination among computer security teams worldwide.
Copyright 2000 International Business Machines Corporation.
The information in this document is provided as a service to customers of
the IBM Emergency Response Service. Neither International Business
Machines Corporation, nor any of its employees, makes any warranty, express
or implied, or assumes any legal liability or responsibility for the
accuracy, complete- ness, or usefulness of any information, apparatus,
product, or process contained herein, or represents that its use would not
infringe any privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by IBM or its subsidiaries. The
views and opinions of authors expressed herein do not necessarily state or
reflect those of IBM or its subsidiaries, and may not be used for
advertising or product endorsement purposes.
The material in this document may be reproduced and distributed, without
permission, in whole or in part, by other security incident response teams
(both commercial and non-commercial), provided the above copyright is kept
intact and due credit is given to IBM-ERS.
This document may be reproduced and distributed, without permission, in its
entirety only, by any person provided such reproduction and/or distribution
is performed for non-commercial purposes and with the intent of increasing
the awareness of the Internet community.
- IBM-ERS For Your Information: IBM AIX: Locale and BIND fixes on ftp.software.ibm.com/aix/efixes/security IGS ERS Advisory Service (Nov 28)