CERT Coordination Center

HP-UX fails to apply standard UNIX filesystem security measures when using OnLineJFS

Vulnerability Note VU#248337

Original Release Date: 2003-06-13 | Last Revised: 2003-06-13

Overview

A vulnerability in OnlineJFS could allow an intruder to gain greater access than expected.

Description

OnlineJFS "provides the online management of the Journaled File System (JFS), a high-integrity, highly available file system supported by HP-UX." According to Hewlett-Packard, there is a vulnerability in OnlineJFS 3.1 in which the sticky bit does not function properly.

The sticky bit is a frequently-implemented but non-standard extension to the standard UNIX permission scheme. The symbolic representation of this bit is S_ISVTX, which is mnemonic for "save text," and the historical meaning of the sticky bit related to keeping executable files in memory for faster activation (the file would stick in memory). Many systems that implement sticky bits have abandoned this meaning entirely, although HP-UX retains it.

The most common modern meaning of sticky bits is in the context of directories. When the sticky bit is set on directories, files in that directory cannot be moved or renamed, except by the owner or superuser, even if the privileges on the file would otherwise permit such modifications. The sticky bit is commonly set on the /tmp directory as a security measure. See for example VU#10277, VU#426273 and the Unix Security Checklist.

On HP-UX, the sticky bit has meaning for files, directories, and symbolic links. Furthermore, the sticky bit has meaning when an executable file is loaded remotely. For a description of these different behaviors, see the comp.sys.hp.hpux FAQ.

The specific failure of OnlineJFS regarding sticky bits is unknown. It is likely that at least one security impact of this vulnerability is that the sticky bit on directories is ignored, allowing a variety of race conditions to occur, which could subsequently lead to root access.
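
The directory case described above can be audited with a short script. The following is an added example, not code from CERT/CC or HP: it lists world-writable directories that lack S_ISVTX, using a constructed temporary tree as sample input (the function names and the tree layout are assumptions). It checks only that the bit is set in the directory mode; it cannot show whether the filesystem enforces the bit, which is what the vendor patch addresses.

```python
import os
import stat
import tempfile


def missing_sticky(root):
    """Return world-writable directories under root (root included) without S_ISVTX."""
    findings = []
    # followlinks=False: never descend through symlinked directories.
    for dirpath, _dirs, _files in os.walk(root, followlinks=False):
        try:
            mode = os.lstat(dirpath).st_mode
        except OSError:
            continue  # directory vanished or is unreadable; skip it
        world_writable = bool(mode & stat.S_IWOTH)
        sticky = bool(mode & stat.S_ISVTX)
        if stat.S_ISDIR(mode) and world_writable and not sticky:
            findings.append(dirpath)
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: one correct shared dir, one missing the sticky bit, one private."""
    root = tempfile.mkdtemp(prefix="sticky_audit_")
    for name, mode in (("shared_ok", 0o1777), ("shared_bad", 0o777), ("private", 0o755)):
        path = os.path.join(root, name)
        os.mkdir(path)
        os.chmod(path, mode)  # explicit chmod so the umask does not alter the mode
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for path in missing_sticky(sample):
        print("world-writable without sticky bit:", path)
```
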

Impact

The specific impact of this vulnerability is unknown. The most likely case is that this vulnerability enables certain kinds of attacks which can lead to a root compromise.

Solution

Apply a patch as described in the vendor statement section of this document.

Vendor Information


Acknowledgements

Thanks to the HP IT Resource Center for reporting this vulnerability.

This document was written by Shawn V Hernan based on information from various HP documents.

Other Information

CVE IDs: None
Severity Metric: 17.63
Date Public: 2002-10-14
Date First Published: 2003-06-13
Date Last Updated: 2003-06-13 19:42 UTC
Document Revision: 13

Sponsored by CISA.