search menu icon-carat-right cmu-wordmark

CERT Coordination Center

IBM AIX line printer daemon contains a buffer overflow in kill_print()

Vulnerability Note VU#388183

Original Release Date: 2001-10-16 | Last Revised: 2002-01-03

Overview

The Line Printer daemon (lpd) shipped with AIX systems contains a buffer overflow in kill_print() that potentially allow a malicious remote user to gain root privileges.

Description

A buffer overflow exists in the kill_print() function of the line printer daemon (lpd) on AIX systems. An intruder could exploit this vulnerability to obtain root privileges or cause a denial of service (DoS). The intruder would need to be listed in the victim's /etc/hosts.lpd or /etc/hosts.equiv file, however, to exploit this vulnerability.

Impact

An intruder could exploit this vulnerability to obtain root privileges, or cause a denial of service (DoS).

Solution

IBM has released a VULNERABILITY SUMMARY. Please see the vendor statement for patches and instructions.

Vendor Information

388183
 

IBM Affected

Updated:  October 16, 2001

Status

Affected

Vendor Statement

IBM Global Services
Managed Security Services
Outside Advisory Redistribution

11 SEP 2001 0:53 GMT MSS-OAR-E01-2001:391.1
===========================================================================
The MSS Outside Advisory Redistribution is designed to provide customers of
IBM Managed Security Services with access to the security advisories
sent out by other computer security incident response teams, vendors, and
other groups concerned about security.

IBM makes no representations and assumes no responsibility for the contents
or accuracy of the advisories themselves.

IBM MSS is forwarding the following information from <INFO SOURCE>.
Contact information for <INFO SOURCE> is included in the forwarded text
below. Please contact them if you have any questions or need further
information.
===========================================================================
----------- Forwarded Information Starts Here.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

Fri Sep 7 11:18:24 CDT 2001
===========================================================================
VULNERABILITY SUMMARY

VULNERABILITY: Buffer Overflow Vulnerabilities in lpd

PLATFORMS: IBM AIX 4.3 and 5.1

SOLUTION: Apply the emergency-fixes described below.

THREAT: Malicious user could obtain root privileges, or cause
a denial of service (DoS).

CERT Advisory: See CERT CA-2001-15 for info on
Solaris vulnerability. Also see the posting,
http://xforce.iss.net/alerts/advise94.php, at the
Internet Security Systems site for info on BSD
implementations of lpd.

CVE Candidate: CAN-2001-0670
CAN-2001-0671
===========================================================================
DETAILED INFORMATION

I. Description

The Line Printer daemon, lpd, shipped with AIX contains several
buffer overflow vulnerabilities that potentially allow a malicious
remote user to gain root privileges.

Two of the three vulnerabilities found require the attacker's system
be listed in /etc/hosts.lpd or /etc/hosts.equiv. The third requires
that the malicious user have control over the victim's domain name
server (DNS).


II. Impact

A malicious local or remote user can use a well-crafted exploit code
to gain root privileges on the attacked system, compromising the
integrity of the system and its attached local network.

If the malicious user is unable to gain root access, he or she could
still cause a system crash (DoS) via this vulnerability.


III. Solutions

A. Official fix

IBM is working on the following fixes which will be available soon:

AIX 4.3: APAR #IY23037
AIX 5.1: APAR #IY23041

NOTE: Fix will not be provided for versions prior to 4.3 as these
are no longer supported by IBM. Affected customers are urged to
upgrade to 4.3.3 at the latest maintenance level, or to 5.1, when it
becomes available.


B. How to minimize the vulnerability


WORKAROUND

None recommended.

IBM advises customers to disable the line printer daemon until an
efix or official APAR is installed.

In general, customers are advised to disable all unused daemon
services as good security practice.

EMERGENCY FIX (efix):

Temporary fixes for AIX 4.3.x and 5.1 systems are available.


The temporary fixes can be downloaded via ftp from:

ftp://aix.software.ibm.com/aix/efixes/security/lpd_efix.tar.Z

The efix tarball consists of two patched lpd binaries, one for AIX
4.3.x systems (lpd.43) and one for AIX 5.1 (scheduled for release
soon; binary is lpd.51). A copy of this Advisory is also included.

These temporary fixes have not been fully regression tested; thus,
IBM does not warrant the fully correct functioning of the efix.
Customers install the efix and operate the modified version of AIX at
their own risk.

To proceed with efix installation:

First, verify the MD5 cryptographic hash sums of each efix files you
obtain from unpacking the efix tarball with those given below. These
should match exactly; if they do not, double check the hash results
and the download site address. If OK, contact IBM AIX Security at
security-alert@austin.ibm.com and describe the discrepancy.


Filename sum md5
=================================================================
lpd.43X.tar 11225 20 3c7e6f0ef29b6147835213253de8f1bf
lpd.51B.tar 35507 80 38bc7f7516d76b8a89914fdab97e1377


Efix Installation Instructions:
-------------------------------

1. Become root, if not already done.

2. In a scratch or tmp directory, uncompress and untar the efix:

a. uncompress lpd_efix.tar.Z
b. tar -xvf lpd_efix.tar

3. If you are running an AIX 4.3.x system, copy the lpd.43 file to
/usr/sbin. Do the same if you have AIX 5.1 running, except copy the
lpd.51 file.

4. Stop the lpd daemon if it is currently running:

a. stopsrc -s lpd

5. Make a backup copy of the existing lpd binary package in case
something goes wrong with the installation of the efix:

a. cp /usr/sbin/lpd /usr/sbin/lpd.original

6. Now copy the efix binary to take the place of the original lpd:

a. cp /usr/sbin/lpd.43 (or lpd.51, as appropriate)
/usr/sbin/lpd.

7. Check to be certain that the new lpd is executable by root and is
assigned proper permissions otherwise.

8. Restart the lpd daemon:

a. startsrc -s lpd



IV. Obtaining Fixes

IBM AIX APARs may be ordered using Electronic Fix Distribution (via
the FixDist program), or from the IBM Support Center. For more
information on FixDist, and to obtain fixes via the Internet, please
reference

http://techsupport.services.ibm.com/rs6k/fixes.html

or send email to "aixserv@austin.ibm.com" with the word "FixDist" in
the "Subject:" line.

To facilitate ease of ordering all security related APARs for each
AIX release, security fixes are periodically bundled into a
cumulative APAR. For more information on these cumulative APARs
including last update and list of individual fixes, send email to
"aixserv@austin.ibm.com" with the word "subscribe Security_APARs" in
the "Subject:" line.


V. Acknowledgements

Many thanks to Internet Security Services (ISS) for identifying these
vulnerabilities in lpd, and to the CERT/CC for preparing and
distributing the Vulnerability Notes provided to us vendors.

VI. Contact Information

Comments regarding the content of this announcement can be directed
to:

security-alert@austin.ibm.com

To request the PGP public key that can be used to encrypt new AIX
security vulnerabilities, send email to security-alert@austin.ibm.com
with a subject of "get key".

If you would like to subscribe to the AIX security newsletter, send a
note to aixserv@austin.ibm.com with a subject of "subscribe
Security". To cancel your subscription, use a subject of
"unsubscribe Security". To see a list of other available
subscriptions, use a subject of "help".

IBM and AIX are a registered trademark of International Business
Machines Corporation. All other trademarks are property of their
respective holders.

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQA/AwUBO51SPcXrSKQHhgFwEQLSAQCglnEAvxiWRujJvjLTc1C4W6Gu1OEAoNAJ
v5NsLwb8f7D/EkUSjvjRS9Qj
=HoWQ
-----END PGP SIGNATURE-----
----------- Forwarded Information Ends Here.
===========================================================================
IBM's Managed Security Services (MSS) is a subscription-based Internet
security response service that includes computer security incident response
and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment. By acting as an extension
of your own internal security staff, IBM MSS's team of Internet security
experts helps you quickly detect and respond to attacks and exposures
across your Internet connection(s).

As a part of IBM's Business Continuity and Recovery Service IBM's Managed
Security Services is a component of IBM Global Services Privacy and
Security Services suite of offerings. To find out more about IBM Managed
Security Services, send an electronic mail message to
ers-sales@ers.ibm.com, or call 1-800-426-7378.

IBM MSS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security
alerts, team contact information, and other items.

IBM MSS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism
for security vulnerability alerts and other distributed information. The
IBM MSS PGP* public key is available from
http://www.ers.ibm.com/team-info/pgpkey.html
"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann.

IBM MSS is a Member Team of the Forum of Incident Response and Security
Teams (FIRST), a global organization established to foster cooperation and
response coordination among computer security teams worldwide.

The information in this document is provided as a service to customers of
IBM Managed Security Services. Neither International Business Machines
Corporation, nor any of its employees, makes any warranty, express or
implied, or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, apparatus, product, or
process contained herein, or represents that its use would not infringe any
privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by IBM or its subsidiaries. The views and
opinions of authors expressed herein do not necessarily state or reflect
those of IBM or its subsidiaries, and may not be used for advertising or
product endorsement purposes.
===========================================================================

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The reference to CERT CA-2001-15 may be misleading. It describes a different vulnerability.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Not Affected

Updated:  November 09, 2001

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Caldera Not Affected

Notified:  September 04, 2001 Updated: November 01, 2001

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray Not Affected

Updated:  November 01, 2001

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Engarde Not Affected

Updated:  November 01, 2001

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD Not Affected

Updated:  November 05, 2001

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fujitsu Not Affected

Updated:  November 01, 2001

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Not Affected

Updated:  November 08, 2001

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Not Affected

Updated:  November 01, 2001

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Compaq Computer Corporation Unknown

Updated:  November 05, 2001

Status

Unknown

Vendor Statement

Compaq has not been able to reproduce the problems identified in this advisory for TRU64 UNIX. We will continue testing and address the LPD issues if a problem is discovered and provide patches as necessary.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

The CERT/CC wishes to thank IBM for their help in identifying and analyzing this vulnerability.

This document was written by Jason Rafail.

Other Information

CVE IDs: CVE-2001-0671
Severity Metric: 9.84
Date Public: 2001-09-11
Date First Published: 2001-10-16
Date Last Updated: 2002-01-03 19:09 UTC
Document Revision: 12

Sponsored by CISA.