ISSalert: ISS Security Advisory: Insecure file handling in IBM AIXfrcactrl program

From: Wilmont Belfry <AlphaLeader_at_1stconnect.com>
Date: Wed, 26 Apr 2000 13:57:06 -0400
Message-Id: <10479.104214@fatcity.com>


Just FYI....

Wilmont C. Belfry

> ISS Security Advisory
> April 26, 2000
>
> Insecure file handling in IBM AIX frcactrl program
>
> Synopsis:
>
> Internet Security Systems (ISS) X-Force has discovered a vulnerability in
> the AIX frcactrl program. The Fast Response Cache Accelerator (FRCA) is a
> kernel module that can be used with the IBM HTTP server to improve the
> performance of a web server. If the FRCA module is loaded, a local attacker
> could use frcactrl, a program used to manage FRCA configuration, to modify
> files.
>
> Impact:
>
> An attacker could gain root privileges by using the frcactrl program if
> the FRCA kernel module is loaded.
>
> Affected Versions:
>
> The frcactrl command shipped with AIX 4.3 APAR IY02669 is vulnerable.
>
> Description:
>
> The AIX Fast Response Cache Accelerator (FRCA) is a kernel extension module
> that improves the performance of a web server by using a memory cache to
> store data being served from the web server. FRCA is used primarily with
> the Apache-based IBM HTTP server, but it may also be used with other web
> servers. The frcactrl program is used to manage the FRCA configuration and
> is distributed as part of the base operating system in AIX 4.3. The
> vulnerability is present on systems with AIX fix IY02669 applied and with
> the FRCA kernel extension loaded (the kernel extension is not enabled by
> default). The setuid bit of the frcactrl file is turned on by APAR
> (Authorized Problem Analysis Report) IY02669, which allows non-root users
> to configure the module. A malicious user may use frcactrl to manipulate the
> configuration of the FRCA log files to create, append, or overwrite files
> as root.
>
> Recommendations:
>
> ISS recommends that if FRCA is not needed, the module can be unloaded with
> the following command:
> # /usr/sbin/frcactrl unload ; /usr/sbin/slibclean
>
> Until an official fix is available, IBM recommends removing the setuid bit
> from the frcactrl command:
> # chmod 555 /usr/sbin/frcactrl
>
> IBM is currently working on the following APARs, which will be available
> soon:
> APAR 4.3.x: IY09514
>
> APARs may be ordered using Electronic Fix Distribution (via FixDist) or
> from the IBM Support Center. For more information on Fix Distribution go to:
> http://service.software.ibm.com/support/rs6000 or send an email to
> aixserv_at_austin.ibm.com with a subject of "FixDist".
>
> Additional Information:
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> name CAN-2000-0249 to this issue. This is a candidate for inclusion in the CVE
> list (http://cve.mitre.org), which standardizes names for security
> problems.
>
> Credits:
>
> This vulnerability was discovered and researched by Oliver Atoa-Ortiz of
> the ISS X-Force. ISS would like to thank IBM for their response and handling
> of this vulnerability.
>
> _____
>
> About Internet Security Systems (ISS)
> ISS is a leading global provider of security management solutions for
> e-business. By offering best-of-breed SAFEsuite (tm) security software,
> industry-leading ePatrol (tm) managed security services, and strategic
> consulting and education services, ISS is a trusted security provider to
> its customers, protecting digital assets and ensuring the availability,
> confidentiality and integrity of computer systems and information critical
> to e-business success. ISS' lifecycle e-business security management
> solutions protect more than 5,000 customers including 21 of the 25 largest
> U.S. commercial banks, 9 of the 10 largest telecommunications companies
> and over 35 government agencies. Founded in 1994, ISS is headquartered in
> Atlanta, GA, with additional offices throughout North America and
> international operations in Asia, Australia, Europe, Latin America and the
> Middle East. For more information, visit the ISS Web site at www.iss.net
> or call 888-901-7477.
>
> Copyright (c) 2000 by Internet Security Systems, Inc.
>
> Permission is hereby granted for the redistribution of this Alert
> electronically. It is not to be edited in any way without express consent
> of the X-Force. If you wish to reprint the whole or any part of this Alert in
> any other medium excluding electronic medium, please e-mail xforce_at_iss.net
> for permission.
>
> Disclaimer
>
> The information within this paper may change without notice. Use of this
> information constitutes acceptance for use in an AS IS condition. There
> are NO warranties with regard to this information. In no event shall the
> author be liable for any damages whatsoever arising out of or in connection with
> the use or spread of this information. Any use of this information is at
> the user's own risk.
>
> X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well
> as on MIT's PGP key server and PGP.com's key server.
>
> Please send suggestions, updates, and comments to: X-Force
> (xforce_at_iss.net) of Internet Security Systems, Inc.
>
Received on Wed Apr 26 2000 - 12:57:06 CDT
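As an added example (not part of the advisory or of the forwarded message), the POSIX shell functions below audit a command for the setuid bit and apply the advisory's interim mitigation (`chmod 555`), reporting the before/after state. The path /usr/sbin/frcactrl comes from the advisory; the demo runs against a constructed stand-in file in a temporary directory so it never touches a real binary.

```shell
#!/bin/sh
# Added example, not code from the ISS advisory or IBM. Checks whether a
# command carries the setuid bit and applies the advisory's mitigation.
# Real target on an affected AIX 4.3 host (from the advisory): /usr/sbin/frcactrl

# Print "setuid" if the file has the setuid bit, "clean" otherwise.
# Parses ls -ld rather than stat(1), whose syntax differs between AIX and Linux.
# Returns 2 (and prints nothing) if the path does not exist.
setuid_state() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$mode" ] || return 2
    case "$mode" in
        ???[sS]*) echo setuid ;;   # 4th char: owner execute with setuid set
        *)        echo clean ;;
    esac
}

# Apply the advisory's interim fix (chmod 555) and report the transition.
harden() {
    before=$(setuid_state "$1") || return 2
    chmod 555 "$1"
    after=$(setuid_state "$1")
    echo "$1: $before -> $after"
}

# Demonstration on a constructed stand-in: a temp file given the 4555 mode
# that APAR IY02669 put on frcactrl, then hardened. Nothing outside the
# temp dir is modified. Unloading FRCA itself needs the advisory's
# "frcactrl unload ; slibclean" step, which only exists on AIX.
demo() {
    d=$(mktemp -d)
    f="$d/frcactrl"
    : > "$f"
    chmod 4555 "$f"
    harden "$f"
    rm -rf "$d"
}

demo
```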