L-021: IBM AIX: Locale and BIND fixes

PROBLEM:       Two security vulnerabilities exist in libc.a:
               (1) NLSPATH - Allows a malicious user to gain root privileges.
               (2) BIND    - Two denial-of-service (DoS) vulnerabilities exist.
PLATFORM:      IBM AIX 4.2.x, 4.3.x
DAMAGE:        A malicious user could exploit the NLSPATH setting to gain root
               access. Through the use of BIND, 8.2.2 versions below patch
               level 7, a malicious user could perform two types of
               denial-of-service attacks. Both the "NLSPATH" vulnerability and
               the BIND vulnerability are possible through flaws in the libc.a
               library.
SOLUTION:      Users should apply the work-around as specified by IBM. Pay
               particular attention to the upgrade warning, which states that
               a system MUST be at level 4.3.3.25. To prevent the BIND
               exploits, users may upgrade BIND to the latest version. This
               would eliminate the need for the IBM patch. No fix will be
               provided for users running AIX version 4.2.x because it is no
               longer supported by IBM. Users running 4.2.x must upgrade to
               Version 4.3.3.25.
VULNERABILITY  The risk is HIGH. The NLSPATH vulnerability allows root access.
ASSESSMENT:    The Vulnerabilities in BIND are actively exploited.


NOTE:  There are two notices from IBM.  The first notice was an FYI from IBM.
       The second notice is a Security Advisory on BIND.

[******  Begin IBM FYI Alert ******]

IBM Global Services
                        Emergency Response Service
                           For Your Information
                THIS IS NOT A SECURITY VULNERABILITY ALERT

27 NOV 2000  13:47 GMT                             ERS-FYI-E01-2000:082.1
===========================================================================
IBM-ERS For Your Information (FYI) documents are designed to provide customers
of the IBM Emergency Response Service with information about current topics in
the fields of Internet and virus security.  FYI documents will be issued
periodically as the need arises.  Topics may include security implications of
new protocols in use on the Internet, implementation suggestions for certain
types of services, virus hype and hoaxes, and answers to frequently asked questions.
===========================================================================


IBM AIX SECURITY NOTIFICATION

SUBJECT: 

The IBM AIX Security Response Team has posted an e-fix to
ftp.software.ibm.com/aix/efixes/security that is intended to close two potential
security exploits in libc.a until the appropriate APARs are made available that
offer a fully tested, permanent fix. Details are given below.

BACKGROUND INFO: 

Two exploits have been recently identified in IBM's AIX operating system that
compromise the host systems' reliability and security.

One of these vulnerabilities is a format string exploit present in the locale
subsytem and is implemented via the attacker's use of setting NLSPATH to point
to his or her tainted message file that contains a carefully selected set of
format strings that allow the attacker to gain root privileges. The locale
subsystem code is contained within libc.a.

The other vulnerability consists of two potential denial-of-service exploits in
BIND  (named). Only a specific range of versions of BIND are affected. The most
recent versions  (above patch level 6) are not affected. Portions of the BIND
code are within libc.a also.

IBM has issued e-fixes that contain temporary fixes for each of the two
vulnerabilities just described. However, the libc.a file in each does not
incorporate the fix for both of these exploits. Thus, a customer will not be
protected from both exploits using either of the libc.a libraries. IBM's
recommendation (see the README file in this ftp directory) was to choose the
e-fix for the locale subsystem vulnerability over that of the DoS exploits in
BIND. The former is a more serious security hole, and the BIND problems have not
been consistently demonstrated in the BIND version AIX uses.

WHAT THIS E-FIX CONTAINS: 

This e-fix package has a libc.a file that incorporates e-fixes for both the
vulnerabilities described above. This version of the library is for AIX 4.3 at
version level 4.3.3.25.  Customers MUST have their systems at this level for the
e-fix to work properly and avoid serious OS difficulties on their hosts. If you
are not at this level DO NOT install this e-fix. To upgrade to 4.3.3.25, install
APAR #IY12541.

Customers must download the e-fix for the BIND vulnerabilities first, and
install the e-fix as instructed in the package README file. Again, see the
(other)  README file in this ftp directory to identify the proper packages.

Then, this package can be used: substitute the libc.a library in this package
for the one in the /tmp/testnamed (or whatever name for the subdirectory the
customer chooses under /tmp) directory described in the BIND package
instructions, and repeat the installation instructions as before for the BIND
e-fix. Remember to use a non-essential "victim" machine to test the installation
and proper operation of the e-fix BEFORE doing the same on an "in-service" box.

DISCLAIMER: 

The e-fix in this package has not been subjected to full regression testing for
proper security and functioning of the operating system. Hence, customers are
employing this e-fix at their own risk. The e-fix is an emergency, temporary
patch only; when the applicable APAR is released for each of the
vulnerabilities, customers are urged to install these APARs.

===========================================================================
IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment.  IBM's Virus Emergency Response
Service is a subscription-based service that provides assistance with virus risk
and emergency management.  By acting as an extension of your own internal
security staff, IBM-ERS's team of security experts helps you quickly detect and
respond to attacks and exposures to your I/T infrastructre.

As a part of IBM's Business Continuity Recovery Services organization, the IBM
Emergency Response Service is a component of IBM's SecureWay(tm) line of
security products and services.  From hardware to software to consulting,
SecureWay solutions can give you the assurance and expertise you need to protect
your valuable business resources.  To find out more about the IBM Emergency
Response Service, send an electronic mail message to ers-sales@ers.ibm.com, or
call 1-800-426-7378.

IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.

Visit the site for information about the service, copies of security alerts,
team contact information, and other items.

IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for
security vulnerability alerts and other distributed information.  The IBM-ERS
PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html.
"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann.

IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams
(FIRST), a global organization established to foster cooperation and response
coordination among computer security teams worldwide.

Copyright 2000 International Business Machines Corporation.

The information in this document is provided as a service to customers of the
IBM Emergency Response Service.  Neither International Business Machines
Corporation, nor any of its employees, makes any warranty, express or implied,
or assumes any legal liability or responsibility for the accuracy, complete-
ness, or usefulness of any information, apparatus,  product, or process
contained herein, or represents that its use would not infringe any privately
owned rights.  Reference herein to any specific commercial products, process, or
service by trade name, trademark,  manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
IBM or its subsidiaries.  The views and opinions of authors expressed herein do
not necessarily state or reflect those of IBM or its subsidiaries, and may not
be used for advertising or product endorsement purposes.

The material in this document may be reproduced and distributed, without
permission, in whole or in part, by other security incident response teams
(both commercial and non-commercial), provided the above copyright is kept
intact and due credit is given to IBM-ERS.

This document may be reproduced and distributed, without permission, in its
entirety only, by any person provided such reproduction and/or distribution is
performed for non-commercial purposes and with the intent of increasing the
awareness of the Internet community.
===========================================================================


 [******  End IBM FYI Alert ******]


 [******  Begin IBM BIND Security Alert  ******]

IBM Global Services
                        Emergency Response Service
                       Security Vulnerability Alert

27 NOV 2000  11:30 GMT                             ERS-SVA-E01-2000:005.1
===========================================================================


                           VULNERABILITY SUMMARY

VULNERABILITY:    Two DoS Vulnerabilities in BIND

PLATFORMS:        IBM AIX 4.2.x, 4.3.x

SOLUTION:         Apply the fixes listed below.

THREAT:           DNS can be completely disrupted on affected servers.

CERT Advisory:    CA-2000-20

===========================================================================
                           DETAILED INFORMATION

I.  Description


    The Internet Software Consortium, the maintainer of BIND, the software
    used to provide domain name resolution services, has recently posted
    information about several denial-of-service vulnerabilities. If
    exploited, any of these vulnerabilities could allow remote intruders
    to cause site DNS services to be stopped.

    For more information about these vulnerabilities, please
    see

     http://www.isc.org/products/BIND/bind-security.html

    Two vulnerabilities in particular are especially serious:
The "zxfr bug"

    Using this vulnerability, attackers on sites which are permitted to
    request zone transfers can force the named daemon running on
    vulnerable DNS servers to crash, disrupting name resolution service
    until the named daemon is restarted. The only preconditions for this
    attack to succeed is that a compressed zone transfer (ZXFR) request be
    made from a site allowed to make any zone transfer request (not just
    ZXFR), and that a subsequent name service query of an authoritative
    and non-cached record be made. The time between the attack and the
    crash of named may vary from system to system.

    This vulnerability has been discussed in public forums. The ISC has
    confirmed that all platforms running version 8.2.2 of the BIND
    software prior to patch level 7 are vulnerable to this attack.

The "srv bug"

    This vulnerability can cause affected DNS servers running named to go
    into an infinite loop, thus preventing further name requests to be
    handled. This can happen if an SRV record is sent to the vulnerable
    server.


II.  Impact

     Domain name resolution services can be completely negated on DNS
     servers from remote systems.


II.  Solutions

  A.  Official fix

      IBM is working on the following fix which will be available
      soon:

      AIX 4.3.x:  APAR IY14512

      NOTE: Fix will not be provided for versions prior to 4.3 as
      these are no longer supported by IBM. Affected customers are
      urged to upgrade to 4.3, or higher.

  B.  How to minimize the vulnerability

    A temporary fix for AIX 4.3.x systems is available.

    The temporary fix can be downloaded via ftp from:

    ftp://aix.software.ibm.com/aix/efixes/security/named8_DoS_efix.tar.Z

    The MD5 checksums for the efix tarfiles are:

    Filename                sum             md5
    =================================================================
    named43Service.tar      29576  6880
7389bc7758a92f1fccb01fcadbf24166
    named43Sgold.tar        28101  6930
b266377a22f869ece15c4046a9827b2a

This e-fix contains two tarfiles: named43Service.tar and named43Sgold.tar,
each of which contains the files libc.a, named8, and named8-xfer. These are the
executables you will need. Choose the tarfile most appropriate for your site.

IMPORTANT NOTICE: Your operating system MUST be at this level for the e-fix
to work properly and to keep your machines properly operating:
fileset bos.net.tcp.server is 4.3.3.25 & bos.rte.libc is 4.3.3.25.

You can determine what level your system is at by examining the output from
these commands:

# lslpp -l bos.rte.libc
# lslpp -l bos.net.tcp.server

Also, these e-fixes have not been fully regression tested. Customers
installing
and using these e-fixes do so at their own risk.


INSTALLATION STEPS: 

- - - ----------------------------------------
Perform all steps given below as "root".
- - - ----------------------------------------

NOTICE: Test this e-fix FIRST on a test machine (i.e. non-production
machine).

1) Setup the test machine with the same data as your production
DNS/nameserver
   has.

2) mkdir /tmp/testnamed

3) cp named43Sgold.tar /tmp/testnamed  (or cp named43Sservice.tar
/tmp/testnamed)

4) cd /tmp/testnamed

5) tar -xvf *tar

6) mount libc.a /usr/lib/libc.a

7) mount named8 /usr/sbin/named8

8) mount named8-xfer /usr/sbin/named8-xfer

9) startsrc -s named

10) Run some tests to verify the name server's proper operation.

11) If all the tests are successful, then repeat the above on the
production machine.

We recommend that backup copies of the original "libc.a" and the "named8"
Files be made.


IV. Obtaining Fixes

IBM AIX APARs may be ordered using Electronic Fix Distribution (via the
FixDist program), or from the IBM Support Center.  For more information
on FixDist, and to obtain fixes via the Internet, please reference

        http://techsupport.services.ibm.com/rs6k/fixes.html

or send email to "aixserv@austin.ibm.com" with the word "FixDist" in the
"Subject:" line.

To facilitate ease of ordering all security related APARs for each AIX
release, security fixes are periodically bundled into a cumulative APAR.
For more information on these cumulative APARs including last update and
list of individual fixes, send email to "aixserv@austin.ibm.com" with
the word "subscribe Security_APARs" in the "Subject:" line.


V.  Acknowledgements

Thanks to the correspondents to BUGTRAQ and the CERT/CC for bringing
this vulnerability to our attention.

VI.  Contact Information

Comments regarding the content of this announcement can be directed to:

 security-alert@austin.ibm.com

To request the PGP public key that can be used to encrypt new AIX
security vulnerabilities, send email to security-alert@austin.ibm.com
with a subject of "get key".

If you would like to subscribe to the AIX security newsletter, send a
note to aixserv@austin.ibm.com with a subject of "subscribe Security".
To cancel your subscription, use a subject of "unsubscribe Security".
To see a list of other available subscriptions, use a subject of
"help".

IBM and AIX are a registered trademark of International Business
Machines Corporation.  All other trademarks are property of their
respective holders.

===========================================================================
IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment.  IBM's Virus Emergency
Response Service is a subscription-based service that provides assistance
with virus risk and emergency management.  By acting as an extension of
your own internal security staff, IBM-ERS's team of security experts helps
you quickly detect and respond to attacks and exposures to your I/T
infrastructre.

As a part of IBM's Business Continuity Recovery Services organization, the
IBM Emergency Response Service is a component of IBM's SecureWay(tm) line
of security products and services.  From hardware to software to
consulting, SecureWay solutions can give you the assurance and expertise
you need to protect your valuable business resources.  To find out more
about the IBM Emergency Response Service, send an electronic mail message
to ers-sales@ers.ibm.com, or call 1-800-426-7378.

IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security
alerts, team contact information, and other items.

IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism
for security vulnerability alerts and other distributed information.  The
IBM-ERS PGP* public key is available from
http://www.ers.ibm.com/team-info/pgpkey.html.
"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann.

IBM-ERS is a Member Team of the Forum of Incident Response and Security
Teams (FIRST), a global organization established to foster cooperation and
response coordination among computer security teams worldwide.

Copyright 2000 International Business Machines Corporation.

The information in this document is provided as a service to customers of
the IBM Emergency Response Service.  Neither International Business
Machines Corporation, nor any of its employees, makes any warranty, express
or implied, or assumes any legal liability or responsibility for the
accuracy, complete- ness, or usefulness of any information, apparatus,
product, or process contained herein, or represents that its use would not
infringe any privately owned rights.  Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by IBM or its subsidiaries.  The
views and opinions of authors expressed herein do not necessarily state or
reflect those of IBM or its subsidiaries, and may not be used for
advertising or product endorsement purposes.

The material in this security alert may be reproduced and distributed,
without permission, in whole or in part, by other security incident
response teams (both commercial and non-commercial), provided the above
copyright is kept intact and due credit is given to IBM-ERS.

This security alert may be reproduced and distributed, without permission,
in its entirety only, by any person provided such reproduction and/or
distribution is performed for non-commercial purposes and with the intent
of increasing the awareness of the Internet community.
===========================================================================

[******  End IBM BIND Security Alert  ******]

    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)