__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN IBM AIX: Locale and BIND fixes November 27, 2000 18:00 GMT Number L-021 ______________________________________________________________________________ PROBLEM: Two security vulnerabilities exist in libc.a: (1) NLSPATH - Allows a malicious user to gain root privileges. (2) BIND - Two denial-of-service (DoS) vulnerabilities exist. PLATFORM: IBM AIX 4.2.x, 4.3.x DAMAGE: A malicious user could exploit the NLSPATH setting to gain root access. Through the use of BIND, 8.2.2 versions below patch level 7, a malicious user could perform two types of denial-of-service attacks. Both the "NLSPATH" vulnerability and the BIND vulnerability are possible through flaws in the libc.a library. SOLUTION: Users should apply the work-around as specified by IBM. Pay particular attention to the upgrade warning, which states that a system MUST be at level 4.3.3.25. To prevent the BIND exploits, users may upgrade BIND to the latest version. This would eliminate the need for the IBM patch. No fix will be provided for users running AIX version 4.2.x because it is no longer supported by IBM. Users running 4.2.x must upgrade to Version 4.3.3.25. ______________________________________________________________________________ VULNERABILITY The risk is HIGH. The NLSPATH vulnerability allows root access. ASSESSMENT: The Vulnerabilities in BIND are actively exploited. ______________________________________________________________________________ NOTE: There are two notices from IBM. The first notice was an FYI from IBM. The second notice is a Security Advisory on BIND. [****** Begin IBM FYI Alert ******] IBM Global Services Emergency Response Service For Your Information THIS IS NOT A SECURITY VULNERABILITY ALERT 27 NOV 2000 13:47 GMT ERS-FYI-E01-2000:082.1 =========================================================================== IBM-ERS For Your Information (FYI) documents are designed to provide customers of the IBM Emergency Response Service with information about current topics in the fields of Internet and virus security. FYI documents will be issued periodically as the need arises. Topics may include security implications of new protocols in use on the Internet, implementation suggestions for certain types of services, virus hype and hoaxes, and answers to frequently asked questions. =========================================================================== IBM AIX SECURITY NOTIFICATION SUBJECT: The IBM AIX Security Response Team has posted an e-fix to ftp.software.ibm.com/aix/efixes/security that is intended to close two potential security exploits in libc.a until the appropriate APARs are made available that offer a fully tested, permanent fix. Details are given below. BACKGROUND INFO: Two exploits have been recently identified in IBM's AIX operating system that compromise the host systems' reliability and security. One of these vulnerabilities is a format string exploit present in the locale subsytem and is implemented via the attacker's use of setting NLSPATH to point to his or her tainted message file that contains a carefully selected set of format strings that allow the attacker to gain root privileges. The locale subsystem code is contained within libc.a. The other vulnerability consists of two potential denial-of-service exploits in BIND (named). Only a specific range of versions of BIND are affected. The most recent versions (above patch level 6) are not affected. Portions of the BIND code are within libc.a also. IBM has issued e-fixes that contain temporary fixes for each of the two vulnerabilities just described. However, the libc.a file in each does not incorporate the fix for both of these exploits. Thus, a customer will not be protected from both exploits using either of the libc.a libraries. IBM's recommendation (see the README file in this ftp directory) was to choose the e- fix for the locale subsystem vulnerability over that of the DoS exploits in BIND. The former is a more serious security hole, and the BIND problems have not been consistently demonstrated in the BIND version AIX uses. WHAT THIS E-FIX CONTAINS: This e-fix package has a libc.a file that incorporates e-fixes for both the vulnerabilities described above. This version of the library is for AIX 4.3 at version level 4.3.3.25. Customers MUST have their systems at this level for the e-fix to work properly and avoid serious OS difficulties on their hosts. If you are not at this level DO NOT install this e-fix. To upgrade to 4.3.3.25, install APAR #IY12541. Customers must download the e-fix for the BIND vulnerabilities first, and install the e-fix as instructed in the package README file. Again, see the (other) README file in this ftp directory to identify the proper packages. Then, this package can be used: substitute the libc.a library in this package for the one in the /tmp/testnamed (or whatever name for the subdirectory the customer chooses under /tmp) directory described in the BIND package instructions, and repeat the installation instructions as before for the BIND e- fix. Remember to use a non-essential "victim" machine to test the installation and proper operation of the e-fix BEFORE doing the same on an "in-service" box. DISCLAIMER: The e-fix in this package has not been subjected to full regression testing for proper security and functioning of the operating system. Hence, customers are employing this e-fix at their own risk. The e-fix is an emergency, temporary patch only; when the applicable APAR is released for each of the vulnerabilities, customers are urged to install these APARs. =========================================================================== IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based Internet security response service that includes computer security incident response and management, regular electronic verification of your Internet gateway(s), and security vulnerability alerts similar to this one that are tailored to your specific computing environment. IBM's Virus Emergency Response Service is a subscription-based service that provides assistance with virus risk and emergency management. By acting as an extension of your own internal security staff, IBM-ERS's team of security experts helps you quickly detect and respond to attacks and exposures to your I/T infrastructre. As a part of IBM's Business Continuity Recovery Services organization, the IBM Emergency Response Service is a component of IBM's SecureWay(tm) line of security products and services. From hardware to software to consulting, SecureWay solutions can give you the assurance and expertise you need to protect your valuable business resources. To find out more about the IBM Emergency Response Service, send an electronic mail message to ers-sales@ers.ibm.com, or call 1-800-426-7378. IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/. Visit the site for information about the service, copies of security alerts, team contact information, and other items. IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for security vulnerability alerts and other distributed information. The IBM-ERS PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html. "Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann. IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams (FIRST), a global organization established to foster cooperation and response coordination among computer security teams worldwide. Copyright 2000 International Business Machines Corporation. The information in this document is provided as a service to customers of the IBM Emergency Response Service. Neither International Business Machines Corporation, nor any of its employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, complete- ness, or usefulness of any information, apparatus, product, or process contained herein, or represents that its use would not infringe any privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by IBM or its subsidiaries. The views and opinions of authors expressed herein do not necessarily state or reflect those of IBM or its subsidiaries, and may not be used for advertising or product endorsement purposes. The material in this document may be reproduced and distributed, without permission, in whole or in part, by other security incident response teams (both commercial and non-commercial), provided the above copyright is kept intact and due credit is given to IBM-ERS. This document may be reproduced and distributed, without permission, in its entirety only, by any person provided such reproduction and/or distribution is performed for non-commercial purposes and with the intent of increasing the awareness of the Internet community. =========================================================================== [****** End IBM FYI Alert ******] [****** Begin IBM Security BIND Security Alert ******] IBM Global Services Emergency Response Service Security Vulnerability Alert 27 NOV 2000 11:30 GMT ERS-SVA-E01-2000:005.1 =========================================================================== VULNERABILITY SUMMARY VULNERABILITY: Two DoS Vulnerabilities in BIND PLATFORMS: IBM AIX 4.2.x, 4.3.x SOLUTION: Apply the fixes listed below. THREAT: DNS can be completely disrupted on affected servers. CERT Advisory: CA-2000-20 =========================================================================== DETAILED INFORMATION I. Description The Internet Software Consortium, the maintainer of BIND, the software used to provide domain name resolution services, has recently posted information about several denial-of-service vulnerabilities. If exploited, any of these vulnerabilities could allow remote intruders to cause site DNS services to be stopped. For more information about these vulnerabilities, please see http://www.isc.org/products/BIND/bind-security.html Two vulnerabilities in particular are especially serious: The "zxfr bug" Using this vulnerability, attackers on sites which are permitted to request zone transfers can force the named daemon running on vulnerable DNS servers to crash, disrupting name resolution service until the named daemon is restarted. The only preconditions for this attack to succeed is that a compressed zone transfer (ZXFR) request be made from a site allowed to make any zone transfer request (not just ZXFR), and that a subsequent name service query of an authoritative and non-cached record be made. The time between the attack and the crash of named may vary from system to system. This vulnerability has been discussed in public forums. The ISC has confirmed that all platforms running version 8.2.2 of the BIND software prior to patch level 7 are vulnerable to this attack. The "srv bug" This vulnerability can cause affected DNS servers running named to go into an infinite loop, thus preventing further name requests to be handled. This can happen if an SRV record is sent to the vulnerable server. II. Impact Domain name resolution services can be completely negated on DNS servers from remote systems. II. Solutions A. Official fix IBM is working on the following fix which will be available soon: AIX 4.3.x: APAR IY14512 NOTE: Fix will not be provided for versions prior to 4.3 as these are no longer supported by IBM. Affected customers are urged to upgrade to 4.3, or higher. B. How to minimize the vulnerability A temporary fix for AIX 4.3.x systems is available. The temporary fix can be downloaded via ftp from: ftp://aix.software.ibm.com/aix/efixes/security/named8_DoS_efix.tar.Z The MD5 checksums for the efix tarfiles are: Filename sum md5 ================================================================= named43Service.tar 29576 6880 7389bc7758a92f1fccb01fcadbf24166 named43Sgold.tar 28101 6930 b266377a22f869ece15c4046a9827b2a This e-fix contains two tarfiles: named43Service.tar and named43Sgold.tar, each of which contains the files libc.a, named8, and named8-xfer. These are the executables you will need. Choose the tarfile most appropriate for your site. IMPORTANT NOTICE: Your operating system MUST be at this level for the e-fix to work properly and to keep your machines properly operating: fileset bos.net.tcp.server is 4.3.3.25 & bos.rte.libc is 4.3.3.25. You can determine what level your system is at by examining the output from these commands: # lslpp -l bos.rte.libc # lslpp -l bos.net.tcp.server Also, these e-fixes have not been fully regression tested. Customers installing and using these e-fixes do so at their own risk. INSTALLATION STEPS: - - - ---------------------------------------- Perform all steps given below as "root". - - - ---------------------------------------- NOTICE: Test this e-fix FIRST on a test machine (i.e. non-production machine). 1) Setup the test machine with the same data as your production DNS/nameserver has. 2) mkdir /tmp/testnamed 3) cp named43Sgold.tar /tmp/testnamed (or cp named43Sservice.tar /tmp/testnamed) 4) cd /tmp/testnamed 5) tar -xvf *tar 6) mount libc.a /usr/lib/libc.a 7) mount named8 /usr/sbin/named8 8) mount named8-xfer /usr/sbin/named8-xfer 9) startsrc -s named 10) Run some tests to verify the name server's proper operation. 11) If all the tests are successful, then repeat the above on the production machine. We recommend that backup copies of the original "libc.a" and the "named8" files be made. IV. Obtaining Fixes IBM AIX APARs may be ordered using Electronic Fix Distribution (via the FixDist program), or from the IBM Support Center. For more information on FixDist, and to obtain fixes via the Internet, please reference http://techsupport.services.ibm.com/rs6k/fixes.html or send email to "aixserv@austin.ibm.com" with the word "FixDist" in the "Subject:" line. To facilitate ease of ordering all security related APARs for each AIX release, security fixes are periodically bundled into a cumulative APAR. For more information on these cumulative APARs including last update and list of individual fixes, send email to "aixserv@austin.ibm.com" with the word "subscribe Security_APARs" in the "Subject:" line. V. Acknowledgements Thanks to the correspondents to BUGTRAQ and the CERT/CC for bringing this vulnerability to our attention. VI. Contact Information Comments regarding the content of this announcement can be directed to: security-alert@austin.ibm.com To request the PGP public key that can be used to encrypt new AIX security vulnerabilities, send email to security-alert@austin.ibm.com with a subject of "get key". If you would like to subscribe to the AIX security newsletter, send a note to aixserv@austin.ibm.com with a subject of "subscribe Security". To cancel your subscription, use a subject of "unsubscribe Security". To see a list of other available subscriptions, use a subject of "help". IBM and AIX are a registered trademark of International Business Machines Corporation. All other trademarks are property of their respective holders. =========================================================================== IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based Internet security response service that includes computer security incident response and management, regular electronic verification of your Internet gateway(s), and security vulnerability alerts similar to this one that are tailored to your specific computing environment. IBM's Virus Emergency Response Service is a subscription-based service that provides assistance with virus risk and emergency management. By acting as an extension of your own internal security staff, IBM-ERS's team of security experts helps you quickly detect and respond to attacks and exposures to your I/T infrastructre. As a part of IBM's Business Continuity Recovery Services organization, the IBM Emergency Response Service is a component of IBM's SecureWay(tm) line of security products and services. From hardware to software to consulting, SecureWay solutions can give you the assurance and expertise you need to protect your valuable business resources. To find out more about the IBM Emergency Response Service, send an electronic mail message to ers-sales@ers.ibm.com, or call 1-800-426-7378. IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/. Visit the site for information about the service, copies of security alerts, team contact information, and other items. IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for security vulnerability alerts and other distributed information. The IBM-ERS PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html. "Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann. IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams (FIRST), a global organization established to foster cooperation and response coordination among computer security teams worldwide. Copyright 2000 International Business Machines Corporation. The information in this document is provided as a service to customers of the IBM Emergency Response Service. Neither International Business Machines Corporation, nor any of its employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, complete- ness, or usefulness of any information, apparatus, product, or process contained herein, or represents that its use would not infringe any privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by IBM or its subsidiaries. The views and opinions of authors expressed herein do not necessarily state or reflect those of IBM or its subsidiaries, and may not be used for advertising or product endorsement purposes. The material in this security alert may be reproduced and distributed, without permission, in whole or in part, by other security incident response teams (both commercial and non-commercial), provided the above copyright is kept intact and due credit is given to IBM-ERS. This security alert may be reproduced and distributed, without permission, in its entirety only, by any person provided such reproduction and/or distribution is performed for non-commercial purposes and with the intent of increasing the awareness of the Internet community. =========================================================================== [****** End IBM Security BIND Security Alert ******] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of IBM for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@llnl.gov For emergencies and off-hour assistance, DOE, DOE contractor sites, and the NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), use one of the following methods to contact CIAC: 1. Call the CIAC voice number 925-422-8193 and leave a message, or 2. Call 888-449-8369 to send a Sky Page to the CIAC duty person or 3. Send e-mail to 4498369@skytel.com, or 4. Call 800-201-9288 for the CIAC Project Leader. Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ (or http://ciac.llnl.gov -- they're the same machine) Anonymous FTP: ftp.ciac.org (or ciac.llnl.gov -- they're the same machine) Modem access: +1 (925) 423-4753 (28.8K baud) +1 (925) 423-3331 (28.8K baud) PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) L-011: HP-UX bdf & df Vulnerabilities L-012: Cisco IOS HTTP Server Query Vulnerability L-013: Revocation of Sun Microsystems Browser Certificates L-014: AIX Format String Vulnerability L-015: Tcpdump Remote Buffer Overflows L-016: Microsoft Netmon Protocol Parsing L-017: HP-UX dtterm misuse L-018: Microsoft "Web Server File Request Parsing" Vulnerability L-019: ISC BIND Vulnerabilities L-020:.Red Hat Linux modutils Vulnerability