search menu icon-carat-right cmu-wordmark

CERT Coordination Center

IBM AIX setsenv buffer overflow

Vulnerability Note VU#886953

Original Release Date: 2001-09-28 | Last Revised: 2001-09-28

Overview

There is a buffer overflow in the IBM AIX setsenv command that may allow local attackers to gain root privileges.

Description

The setsenv command is used to set protected state environment variables. There is a buffer overflow in a variable value parameter to the setsenv command on IBM AIX systems. An exploit for this vulnerability is publicly available, and is reported to have been used to compromise systems.

Impact

An attacker with access to a local user account can execute arbitrary code on the vulnerable system as root.

Solution

Apply a Patch

IBM has released patches to correct this problem. For AIX version 4.2, system adminstrators should apply APAR#IY10721. For AIX version 4.3, system administrators should apply APAR#IY08812.

Vendor Information

886953
 

CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This document was written by Cory F. Cohen.

Other Information

CVE IDs: CVE-2000-1119
Severity Metric: 15.19
Date Public: 2000-12-01
Date First Published: 2001-09-28
Date Last Updated: 2001-09-28 15:37 UTC
Document Revision: 5

Sponsored by CISA.