===================================================================== CERT-Renater Note d'Information No. 2009/VULN423 _____________________________________________________________________ DATE : 20/10/2009 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : AIX, VIOS running rpc.cmsd. ====================================================================== http://aix.software.ibm.com/aix/efixes/security/cmsd_advisory.asc ______________________________________________________________________ IBM SECURITY ADVISORY First Issued: Wed Oct 7 10:25:46 CDT 2009 The most recent version of this document is available here: http://aix.software.ibm.com/aix/efixes/security/cmsd_advisory.asc or ftp://aix.software.ibm.com/aix/efixes/security/cmsd_advisory.asc VULNERABILITY SUMMARY VULNERABILITY: AIX rpc.cmsd remote buffer overflow vulnerability PLATFORMS: AIX 5.3, 6.1, and earlier releases VIOS 1.4, 1.5, 2.1, and earlier releases SOLUTION: Apply the fix or workaround as described below. THREAT: A remote attacker may execute arbitrary code as root. Reboot required? NO Workarounds? YES Protected by FPM? NO Protected by SED? YES DETAILED INFORMATION I. DESCRIPTION There is a buffer overflow vulnerability in the calendar daemon library libcsa.a. A remote attacker can exploit this vulnerability when the rpc.cmsd calendar daemon is enabled in /etc/inetd.conf. The successful exploitation of this vulnerability allows a remote attacker to execute arbitrary code as the root user. The following libraries and executables are vulnerable: /usr/dt/bin/rpc.cmsd /usr/dt/lib/libcsa.a II. PLATFORM VULNERABILITY ASSESSMENT Note: To use the following commands on VIOS you must first execute: oem_setup_env To determine if your system is vulnerable, execute the following command: lslpp -L X11.Dt.lib X11.Dt.rte The following fileset levels are vulnerable: AIX Fileset Lower Level Upper Level ------------------------------------------------ all earlier levels are vulnerable X11.Dt.rte 5.3.7.0 5.3.7.3 X11.Dt.lib 5.3.7.0 5.3.7.2 X11.Dt.rte 5.3.8.0 5.3.8.1 X11.Dt.lib 5.3.8.0 5.3.8.0 X11.Dt.rte 5.3.9.0 5.3.9.0 X11.Dt.lib 5.3.9.0 5.3.9.0 X11.Dt.rte 5.3.10.0 5.3.10.0 X11.Dt.lib 5.3.9.0 5.3.9.0 X11.Dt.rte 6.1.0.0 6.1.0.3 X11.Dt.lib 6.1.0.0 6.1.0.2 X11.Dt.rte 6.1.1.0 6.1.1.1 X11.Dt.lib 6.1.1.0 6.1.1.0 X11.Dt.rte 6.1.2.0 6.1.2.1 X11.Dt.lib 6.1.2.0 6.1.2.1 X11.Dt.rte 6.1.3.0 6.1.3.1 X11.Dt.lib 6.1.3.0 6.1.3.1 III. SOLUTIONS A. APARS IBM has assigned the following APARs to this problem: AIX Level APAR number Availability --------------------------------------------------- 5.3.0 IZ62672 interm fix only 5.3.7 IZ61628 11/11/09 (sp10) 5.3.8 IZ62237 11/11/09 (sp8) 5.3.9 IZ61717 11/11/09 (sp5) 5.3.10 IZ62123 11/11/09 (sp2) 6.1.0 IZ62569 12/16/09 (sp11) 6.1.1 IZ62570 12/16/09 (sp7) 6.1.2 IZ62571 12/16/09 (sp6) 6.1.3 IZ62572 12/16/09 (sp3) Subscribe to the APARs here: http://www.ibm.com/support/docview.wss?uid=isg1IZ62672 http://www.ibm.com/support/docview.wss?uid=isg1IZ61628 http://www.ibm.com/support/docview.wss?uid=isg1IZ62237 http://www.ibm.com/support/docview.wss?uid=isg1IZ61717 http://www.ibm.com/support/docview.wss?uid=isg1IZ62123 http://www.ibm.com/support/docview.wss?uid=isg1IZ62569 http://www.ibm.com/support/docview.wss?uid=isg1IZ62570 http://www.ibm.com/support/docview.wss?uid=isg1IZ62571 http://www.ibm.com/support/docview.wss?uid=isg1IZ62572 By subscribing, you will receive periodic email alerting you to the status of the APAR, and a link to download the fix once it becomes available. B. FIXES Fixes are now available. The fixes can be downloaded from: ftp://aix.software.ibm.com/aix/efixes/security/cmsd_fix.tar http://aix.software.ibm.com/aix/efixes/security/cmsd_fix.tar The links above are to a tar file containing this signed advisory, fix packages, and PGP signatures for each package. AIX Level VIOS Level Interim Fix (*.Z) ------------------------------------------------------------------- 5.3.0 TL6 1.4 IZ62672_06.091004.epkg.Z 5.3.7 1.5.0, 1.5.1 IZ61628_07.091003.epkg.Z 5.3.8 1.5.2 IZ62237_08.091003.epkg.Z 5.3.9 IZ61717_09.091003.epkg.Z 5.3.10 IZ62123_10.091003.epkg.Z 6.1.0 IZ62569_00.091003.epkg.Z 6.1.1 IZ62570_01.091003.epkg.Z 6.1.2 2.1.0 IZ62571_02.091003.epkg.Z 6.1.3 2.1.1 IZ62572_03.091003.epkg.Z To extract the fixes from the tar file: tar xvf cmsd_fix.tar cd cmsd_fix Verify you have retrieved the fixes intact: The checksums below were generated using the "csum -h SHA1" (sha1sum) commands and are as follows: csum -h SHA1 (sha1sum) filename ------------------------------------------------------------------ be8a1acdcb4f09cb62da9d42ea04c3feb9002559 IZ61628_07.091003.epkg.Z 3777d7ca7e9d8d5a74d3364c55bce9f4d4550527 IZ61717_09.091003.epkg.Z 8bf77f5a19cdf757560cd2add98fb01b51539dca IZ62123_10.091003.epkg.Z 1bc742596171d1cbfa3d48ddcf1111936d9feded IZ62237_08.091003.epkg.Z 7fca0ba4d5b43f0896acdffea0a5b427bbef451b IZ62569_00.091003.epkg.Z 943641406c4f1b8bb50cd3a7f459352acb26a4ac IZ62570_01.091003.epkg.Z a9582999d68bb7aac9af2f64e80a8282be9bdef3 IZ62571_02.091003.epkg.Z fb2dea536f6e5050f40da336ac4f64f835d74fe7 IZ62572_03.091003.epkg.Z 8588b683a5dc1c5796317e0be77b065fea7dc14d IZ62672_06.091004.epkg.Z To verify the sums, use the text of this advisory as input to csum or sha1sum. For example: csum -h SHA1 -i Advisory.asc sha1sum -c Advisory.asc These sums should match exactly. The PGP signatures in the tar file and on this advisory can also be used to verify the integrity of the fixes. If the sums or signatures cannot be confirmed, contact IBM AIX Security and describe the discrepancy at the following address: security-alert@austin.ibm.com C. INTERIM FIX INSTALLATION IMPORTANT: If possible, it is recommended that a mksysb backup of the system be created. Verify it is both bootable and readable before proceeding. Interim fixes have had limited functional and regression testing but not the full regression testing that takes place for Service Packs; thus, IBM does not warrant the fully correct functionality of an interim fix. Interim fix management documentation can be found at: http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html To preview an interim fix installation: emgr -e ipkg_name -p # where ipkg_name is the name of the # interim fix package being previewed. To install an interim fix package: emgr -e ipkg_name -X # where ipkg_name is the name of the # interim fix package being installed. IV. WORKAROUND Remove the entry for rpc.cmsd from /etc/inetd.conf and refresh inetd so that inetd will no longer run the program. This can be done by running the following command: chsubserver -r inetd -C /etc/inetd.conf -d -v 'cmsd' -p 'udp' Any remaining instances of rpc.cmsd should be killed with the following command: ps -efl|grep [r]pc.cmsd|awk '{x = "kill " $4}{system(x)}' NOTE: Removing rpc.cmsd from /etc/inetd.conf will disable some functionality for all users. V. OBTAINING FIXES AIX security fixes can be downloaded from: http://aix.software.ibm.com/aix/efixes/security or ftp://aix.software.ibm.com/aix/efixes/security AIX fixes can be downloaded from: http://www.ibm.com/eserver/support/fixes/fixcentral/main/pseries/aix NOTE: Affected customers are urged to upgrade to the latest applicable Technology Level and Service Pack. VI. CONTACT INFORMATION If you would like to receive AIX Security Advisories via email, please visit: http://www.ibm.com/systems/support and click on the "My notifications" link. To view previously issued advisories, please visit: http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd Comments regarding the content of this announcement can be directed to: security-alert@austin.ibm.com To obtain the PGP public key that can be used to communicate securely with the AIX Security Team you can either: A. Download the key from our web page: http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgpkey.txt B. Download the key from a PGP Public Key Server. The key ID is: 0xADA6EB4D Please contact your local IBM AIX support center for any assistance. eServer is a trademark of International Business Machines Corporation. IBM, AIX and pSeries are registered trademarks of International Business Machines Corporation. All other trademarks are property of their respective holders. VII. ACKNOWLEDGMENTS This vulnerability was reported by Rodrigo Rubira Branco and iDefense Labs. ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================