=====================================================================
                                 CERT-Renater

                      Information Note No. 2003/VULN302
_____________________________________________________________________

DATE                      : 24/09/2003

HARDWARE PLATFORM(S)      : IBM

OPERATING SYSTEM(S)       : AIX 5.2
                            
======================================================================


IBM SECURITY ADVISORY

First Issued: Mon Sep 15 09:09:23 CDT 2003

===========================================================================
                          VULNERABILITY SUMMARY

VULNERABILITY:      tsm format string vulnerability.

PLATFORMS:          AIX 5.2.

SOLUTION:           Apply the APAR as described below.

THREAT:             A remote attacker can gain root privileges or a local
                   attacker can escalate his privileges to root privileges.

CERT VU Number:     n/a
CVE Number:         CAN-2003-0784
===========================================================================
                          DETAILED INFORMATION


I.  Description
==============
The tsm command provides terminal state management and login functionality
which is used to verify users' identity. The services tsm provides are
used by commands such as login, passwd and su. A format string vulnerability
has been discovered that may allow a remote attacker to gain root privileges
by exploiting the login command. A local user may gain elevated privileges
by exploiting the login, su or passwd commands.

This vulnerability was discovered internally. At this time, there are no
known exploits.

II. Impact
==========
A remote attacker may gain root privileges by exploiting the login command.
A local user may gain elevated privileges by exploiting the login, su or
passwd commands.


III.  Solutions
===============

A. Official Fix
IBM provides the following fixes:

     APAR number for AIX 5.2:  IY47764 (available)

Please note that this issue affects all versions of the bos.rte.security
fileset on AIX 5.2 up to and including bos.rte.security.5.2.0.12.

B. Workaround
This problem can be avoided by setting the pwdprompt attribute
to a value in /etc/security/login.cfg.  An example would be
to set the value in the default stanza as follows:

default:
       pwdprompt = "Password: "
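
The check below is an added example, not part of IBM's advisory: it tests
whether a bos.rte.security level falls in the affected range stated above and
whether the default stanza of a login.cfg-style file sets pwdprompt. The
function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM's code. Function names are hypothetical.

# level_affected LEVEL: succeed if LEVEL is a bos.rte.security level on
# AIX 5.2 up to and including 5.2.0.12, the range the advisory gives.
level_affected() {
    echo "$1" | awk -F. '{
        if ($1 != 5 || $2 != 2 || $3 > 0) exit 1
        exit ($4 <= 12 ? 0 : 1)
    }'
}

# pwdprompt_set FILE: succeed if the "default:" stanza of a login.cfg-style
# file ("-" reads stdin) assigns a non-empty value to pwdprompt.
pwdprompt_set() {
    awk '
        /^[ \t]*\*/ { next }                  # "*" starts a comment line
        /^[^ \t=]+:[ \t]*$/ { in_default = ($1 == "default:"); next }
        in_default && /^[ \t]+pwdprompt[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)     # drop "pwdprompt ="
            gsub(/^"|"[ \t]*$/, "", val)      # strip the surrounding quotes
            if (val != "") found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# audit LEVEL FILE: print one verdict for the two conditions above.
audit() {
    if ! level_affected "$1"; then
        echo "level-outside-affected-range"
    elif pwdprompt_set "$2"; then
        echo "affected-level-workaround-present"
    else
        echo "affected-level-no-workaround"
    fi
}

# Constructed sample input: an affected level and a login.cfg without pwdprompt.
audit 5.2.0.12 - <<'EOF'
* constructed sample, not a real system file
default:
        herald = "login: "
EOF
```

On a live system the level is the one `lslpp -l bos.rte.security` reports, and
`instfix -ik IY47764` shows whether the APAR is installed.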


IV. Obtaining Fixes
===================

IBM AIX APARs may be ordered using Electronic Fix Distribution (via the
FixDist program), or from the IBM Support Center.  For more information
on FixDist, and to obtain fixes via the Internet, please reference

    http://techsupport.services.ibm.com/rs6k/fixes.html

or send email to "aixserv@austin.ibm.com" with the word "FixDist" in the
"Subject:" line.

AIX APARs may also be downloaded from the web from the following URLs.

For 5.2.0 APARs:
    http://techsupport.services.ibm.com/server/aix.fdc


V.  Contact Information
========================
If you would like to receive AIX Security Advisories via email, please visit:
    https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs.

Comments regarding the content of this announcement can be directed to:

    security-alert@austin.ibm.com

To request the PGP public key that can be used to encrypt new AIX
security vulnerabilities, send email to security-alert@austin.ibm.com
with a subject of "get key".

Please contact your local IBM AIX support center for any assistance.

IBM and AIX are registered trademarks of International Business
Machines Corporation.  All other trademarks are property of their
respective holders.

======================================================================

        =========================================================
        CERT-Renater reference servers
        http://www.urec.fr/securite
        http://www.cru.fr/securite
        http://www.renater.fr
        =========================================================
        + CERT-RENATER          | tel : 01-53-94-20-44          +
        + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
        + 75013 Paris           | email: certsvp@renater.fr     +
        =========================================================
