The Danger of SUID, and using FLRTVC to Identify Vulnerabilities

February 08, 2018

Earlier this week, IBM Security released a notification about “an unspecified vulnerability that would allow a locally authenticated user to obtain root."
 
Reading deeper, it seems the programs listed (bellmail, caccelstat, iostat, lquerypv, restbyinode, and vmstat) all use “suid” to root, and are executable by anyone. (Note, caccelstat is only available on AIX 7.2, which I do not have immediate access to. Must assume here!)
 

[Image: Picture1.jpg]


This has been business as usual on UNIX since “forever.” This is called “privilege escalation,” and programs “built for it” are OK. However, even a program that is “built for it” may use a shared library that has been redeveloped (my guess at the root cause), and if that shared library is “not built for it,” it potentially breaks everything that uses it. Remember, this is just my guess, as suddenly seemingly unrelated SUID programs are now a vulnerability.

Note: While SUID to root may be “business as normal,” these are always programs that need to be monitored.
 
How do I keep track of this?

Fancy ways:
  • BigFix LifeCycle for AIX (topic for another time)
  • PowerSC PM (also a topic for another time)

Simple way:
  • FLRTVC (Fix Level Recommendation Tool Vulnerability Checker)

On the IBM FLRT portal, there is a “new” program (it has actually been there quite a while already) named FLRTVC. There is even a new flag combination added to lslpp (-lcq) to provide input for a script you can download (flrtvc.ksh). The script tries to download a file named apar.csv. If your AIX server cannot access the “network” directly using any of curl, wget, or ftp (part of AIX), then you will need to download it separately.

Easy to use: assuming you had to download the apar.csv file separately, the command syntax (for the human-readable report) is:
 
# flrtvc.ksh -f apar.csv -v
The output looks something like this:
 
--------------------------------------------------------------------------------
bos.net.tcp.client - 6.1.9.201 - Vulnerabilities (2)
--------------------------------------------------------------------------------
 
 (1) NOT FIXED - (bellmail) Vulnerabilities in bellmail / caccelstat / iostat / lquerypv / restbyinode / vmstat affect AIX (CVE-2017-1692)
 
     Type:         sec
     Score:        8.4
     Versions:     6.1.9.0-6.1.9.201
     APARs/CVEs:   IV97356
     Last Update:  02/05/2018
     Bulletin:     http://aix.software.ibm.com/aix/efixes/security/suid_advisory.asc
     Download:     ftp://aix.software.ibm.com/aix/efixes/security/suid_fix.tar
     Fixed In:     6100-09-10
 
 (2) NOT FIXED - There are vulnerabilities in BIND that impact AIX.
 
     Type:         sec
     Versions:     6.1.9.0-6.1.9.300
     APARs/CVEs:   IV98826
     Last Update:  11/13/2017
     Bulletin:     http://aix.software.ibm.com/aix/efixes/security/bind_advisory16.asc
     Download:     ftp://aix.software.ibm.com/aix/efixes/security/bind_fix16.tar
     Fixed In:     6100-09-11
 
The above is just one section. Without the -v flag, output looks like:
 

[Image: Picture2.png]


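If you run the -v report across many servers, a compact one-line-per-finding summary is easier to track than the full text. The script below is an added example (not part of the FLRTVC tooling or this post) that condenses the report layout shown above into tab-separated lines; it assumes the section-header and “Key: value” layout exactly as printed by flrtvc.ksh -v, and the embedded sample is a trimmed copy of the report excerpt above.

```sh
#!/bin/sh
# Condense a human-readable FLRTVC report (flrtvc.ksh -f apar.csv -v) into one
# tab-separated line per NOT FIXED finding:
#   fileset  installed-level  CVE  APAR  score  fixed-in
# Layout assumed (as in the post): a dashed header "<fileset> - <level> -
# Vulnerabilities (n)", then "(n) STATUS - title" entries with "Key: value" lines.
summarize_flrtvc() {
    awk '
    function flush() {
        if (status == "NOT FIXED")
            printf "%s\t%s\t%s\t%s\t%s\t%s\n", fileset, level, cve, apar, score, fixed
        status = ""
    }
    /^[A-Za-z0-9._]+ - [0-9.]+ - Vulnerabilities/ {     # section header
        flush(); fileset = $1; level = $3; next
    }
    /^[ \t]*\([0-9]+\) / {                              # start of a finding
        flush()
        status = ($2 == "NOT") ? "NOT FIXED" : $2
        cve = "-"; apar = "-"; score = "-"; fixed = "-"   # "-" when a field is absent
        if (match($0, /CVE-[0-9]+-[0-9]+/))             # CVE id from the title, if any
            cve = substr($0, RSTART, RLENGTH)
        next
    }
    /^[ \t]*Score:/       { score = $2; next }
    /^[ \t]*APARs\/CVEs:/ { apar = $2; next }
    /^[ \t]*Fixed In:/    { fixed = $3; next }
    END { flush() }
    '
}

# Constructed sample: the report excerpt from the post, trimmed to the fields used.
sample_report() {
    cat <<'EOF'
--------------------------------------------------------------------------------
bos.net.tcp.client - 6.1.9.201 - Vulnerabilities (2)
 (1) NOT FIXED - (bellmail) Vulnerabilities in bellmail / caccelstat / iostat / lquerypv / restbyinode / vmstat affect AIX (CVE-2017-1692)
     Score:        8.4
     APARs/CVEs:   IV97356
     Fixed In:     6100-09-10
 (2) NOT FIXED - There are vulnerabilities in BIND that impact AIX.
     APARs/CVEs:   IV98826
     Fixed In:     6100-09-11
EOF
}

sample_report | summarize_flrtvc
```

On a live system, feed the real report instead: flrtvc.ksh -f apar.csv -v | summarize_flrtvc. Findings with no Score line (like the BIND entry) show "-" in that column rather than being dropped.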
Recommendation:
Visit the FLRTVC Home Page, download the script and give it a test drive!
 
