Date: Tue, 25 May 1999 20:33:53 +0100
From: Paul Cammidge
To: BUGTRAQ@netspace.org
Subject: IBM eNetwork Firewall for AIX

The IBM eNetwork Firewall for AIX contains some poorly written scripts, which create temporary files in /tmp without making any attempt to validate the existence of the file. This allows any user with shell access to such a firewall to corrupt or possibly modify system files by creating links, pipes, etc. with the same name. In a simple example submitted to IBM, /etc/passwd was overwritten. This example has been published on one of their support web pages as a 'local fix'.

The problem was reported to IBM early in January. To the best of my knowledge, the correct procedures have been followed. Initially, IBM responded by telling me that it was common practice for software to make use of /tmp. They suggested changing the permissions to prevent users from creating symbolic links to sensitive files.

An APAR (IR39562) was opened on 18/01/99 and closed on 13/03/99. The fix has not yet been released. This definitely applies to version 3.2, and probably others.

Anyone running this software who has users with shell accounts should be aware that the potential exists for these users to corrupt files which they don't have access to.

cheers
paul

--------------------------------------------------------------------------

Date: Sat, 29 May 1999 00:29:25 +0200
From: Marc Heuse
To: BUGTRAQ@netspace.org
Subject: Re: IBM eNetwork Firewall for AIX

Hi Paul,

> The IBM eNetwork Firewall for AIX contains some poorly written scripts,
> which create temporary files in /tmp without making any attempt to
> validate the existence of the file. This allows any user with shell
> access to such a firewall to corrupt or possibly modify system files by
> creating links, pipes, etc. with the same name.

you are right, all their scripts have got link vulnerabilities ...

> The problem was reported to IBM early in January.
> To the best of my
> knowledge, the correct procedures have been followed. Initially, IBM
> responded by telling me that it was common practice for software to make
> use of /tmp. They suggested changing the permissions to prevent users
> from creating symbolic links to sensitive files.

when I found these in an audit at a customer in February, I opened an APAR too, but then discovered yours. When I saw that yours was opened a month before mine and not being dealt with, I made noise at IBM management and the AIX Security Team, so that they issued an emergency fix. But this fix is only available for those who know that it exists - anyway, the quick fix still has /tmp races all over the place - they just added "rm -f file" the line before writing into it ....

> An APAR (IR39562) was opened on 18/01/99 and closed on 13/03/99. The
> fix has not yet been released. This definitely applies to version 3.2,
> and probably others.

I heard that the next IBM Firewall version will fix this ... bah - maybe with that quick "fix" ...

But to set one thing straight: It's *not* IBM's fault. The IBM Firewall is a product of another company called Raleigh (I hope that's spelled correctly). In fact, the IBM AIX Security Team, especially Troy Bollinger, was very helpful in getting a fix - a correct one - out. It's the other company who writes security software but really seems to have no knowledge. sad but true

Greets,
Marc

--
Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: marc@suse.de   Function: Security Support & Auditing
"lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C

--------------------------------------------------------------------------

Date: Sat, 29 May 1999 13:42:25 +0200
From: Andreas Siegert
To: BUGTRAQ@netspace.org
Subject: Re: IBM eNetwork Firewall for AIX

Hi Marc!
Quoting Marc Heuse (marc@SUSE.DE) on Sat, May 29, 1999 at 12:29:25AM +0200:
> But to set one thing straight: It's *not* IBM's fault. The IBM Firewall is a
> product of another company called Raleigh (I hope that's spelled correctly).
> In fact, the IBM AIX Security Team, especially Troy Bollinger, was very
> helpful in getting a fix - a correct one - out. It's the other company
> who writes security software but really seems to have no knowledge.
> sad but true

Unfortunately Raleigh is not another company. Raleigh (or RTP) in this case is the location in North Carolina of the IBM people who produce the IBM firewall and most other IBM products related to networking, whereas AIX is developed in Austin, TX. So it is unfortunately really a full IBM product :-(

Methinks Austin should have developed the IBM firewall; the result would probably be much more satisfying. AIX 4.3 now has a good packet filter as well as IPSEC support (even though most people in AIX land don't seem to know) and there are enough free proxy solutions out there to build a decent firewall with AIX without the need to use the stuff from Raleigh.

afx
--
Hackito ergo sum!
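The /tmp race Paul reports and the "rm -f before the write" quick fix Marc criticises, shown in POSIX sh as an added example. This is not code from the thread or from IBM's scripts: the real script names are not given, so the predictable name fwsetup.tmp is assumed, the file named victim stands in for /etc/passwd, and everything happens inside a private scratch directory so nothing on the host is touched. The attacker's re-plant of the symlink in the window between rm -f and the write is simulated inline rather than raced for real; on a loaded host that window is won often enough in practice.

```shell
#!/bin/sh
# Added example (not from the original thread or IBM's scripts).
# Shows: (1) a fixed name in /tmp written with '>' follows a planted
# symlink; (2) "rm -f" first does not close the race; (3) mktemp or
# noclobber does. All paths live under a scratch dir standing in for /tmp.

set -u

WORK=$(mktemp -d "${TMPDIR:-/tmp}/tmprace.XXXXXX") || exit 1
trap 'rm -rf "$WORK"' EXIT

VICTIM="$WORK/victim"                        # stand-in for /etc/passwd
VICTIM_CONTENT='root:!:0:0::/:/usr/bin/ksh'  # constructed sample line
TMPNAME="$WORK/fwsetup.tmp"                  # assumed predictable name

reset_victim()  { printf '%s\n' "$VICTIM_CONTENT" > "$VICTIM"; rm -f "$TMPNAME"; }
victim_intact() { [ "$(cat "$VICTIM")" = "$VICTIM_CONTENT" ]; }

# What an unprivileged local user does beforehand: plant a symlink at the
# name the privileged script is about to write to.
attacker_plant() { ln -sf "$VICTIM" "$TMPNAME"; }

# (1) The pattern in the vulnerable scripts. '>' follows the link and
#     truncates whatever it points at. Returns 0 if the victim was clobbered.
run_vulnerable() {
    reset_victim
    attacker_plant
    echo "new filter rules" > "$TMPNAME"
    ! victim_intact
}

# (2) The "quick fix": rm -f, then write. The gap between the two commands
#     is the race; the attacker's re-plant is simulated inline.
#     Returns 0 if the victim was still clobbered.
run_quickfix() {
    reset_victim
    attacker_plant
    rm -f "$TMPNAME"
    attacker_plant           # attacker wins the race
    echo "new filter rules" > "$TMPNAME"
    ! victim_intact
}

# (3a) Correct: mktemp creates the file itself with O_CREAT|O_EXCL and mode
#      0600 under an unguessable name, so there is no name to pre-plant.
#      Returns 0 if the victim is intact and the data landed in the new file.
run_safe_mktemp() {
    reset_victim
    attacker_plant
    tmp=$(mktemp "$WORK/fwsetup.XXXXXX") || return 1
    echo "new filter rules" > "$tmp"
    victim_intact && [ "$(cat "$tmp")" = "new filter rules" ]
}

# (3b) If the name must stay fixed: 'set -C' (noclobber) makes '>' refuse an
#      existing path instead of following a planted link. Returns 0 if the
#      write was refused and the victim is intact.
run_safe_noclobber() {
    reset_victim
    attacker_plant
    ( set -C; echo "new filter rules" > "$TMPNAME" ) 2>/dev/null && return 1
    victim_intact
}

# Demonstration run: each case should report "as expected".
for case in run_vulnerable run_quickfix run_safe_mktemp run_safe_noclobber; do
    if "$case"; then echo "$case: as expected"; else echo "$case: unexpected"; fi
done
```

Note that noclobber only protects the write itself; a script that later reads the file back by its fixed name can still be fed attacker content, which is why a fresh mktemp name (or a private directory made with mkdir -m 700, which also fails if the path already exists) is the pattern to use rather than rm -f.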