Previous Post | Next Post | See All Posts

Earlier this week, IBM Security released a notification about “an unspecified vulnerability that would allow a locally authenticated user to obtain root."

 

Reading deeper, it seems the programs listed (bellmail, caccelstat, iostat, lquerypv, restbyinode, and vmstat) all use “suid” to root, and are executable by anyone. (Note, caccelstat is only available on AIX 7.2, which I do not have immediate access to. Must assume here!)
 

Click on image to open full-size in new screen.

This has been business as usual on UNIX since “forever.” This is called “privilege escalation” and programs “built for it” are OK. However, even programs that are “built for it” may use a shared library that has redeveloped (my guess of the root cause) and that shared library is “not built for it”—potentially) breaking everything that uses it. Remember, this is just my guess – as suddenly seemingly unrelated SUID programs are now a vulnerability.

Note: While SUID to root may be “business as normal” they’re always programs that need to be monitored.
 

How do I keep track of this?

Fancy ways:
 

BigFix LifeCycle for AIX

PowerSC PM

Simple way

FLRTVC (Fix Level Recommendation Tool Vulnerability Checker)

On the IBM FLRT portal, there is a “new” program (actually been there quite a while already) named FLRTVC. There is even a new flag added to  lslpp(-lcq) to provide input for a script you can download. (flrtvc.ksh). This tries to download a file named apar.csv. If your AIX server cannot access the “network” directly using any of curl, wget, or ftp (part of AIX) then you will need to download it separately.

Easy to use: assuming you must download the apar.csv file the command syntax (for the human readable report) is:
 

# flrtvc.ksh -f apar.csv -v

The output looks something like this:
 

--------------------------------------------------------------------------------

bos.net.tcp.client - 6.1.9.201 - Vulnerabilities (2)

--------------------------------------------------------------------------------

 

 (1) NOT FIXED - (bellmail) Vulnerabilities in bellmail / caccelstat / iostat / lquerypv / restbyinode / vmstat affect AIX (CVE-2017-1692)

 

     Type:         sec

     Score:        8.4

     Versions:     6.1.9.0-6.1.9.201

     APARs/CVEs:   IV97356

     Last Update:  02/05/2018

     Bulletin:     http://aix.software.ibm.com/aix/efixes/security/suid_advisory.asc

     Download:     ftp://aix.software.ibm.com/aix/efixes/security/suid_fix.tar

     Fixed In:     6100-09-10

 

 (2) NOT FIXED - There are vulnerabilities in BIND that impact AIX.

 

     Type:         sec

     Versions:     6.1.9.0-6.1.9.300

     APARs/CVEs:   IV98826

     Last Update:  11/13/2017

     Bulletin:     http://aix.software.ibm.com/aix/efixes/security/bind_advisory16.asc

     Download:     ftp://aix.software.ibm.com/aix/efixes/security/bind_fix16.tar

     Fixed In:     6100-09-11

 

The above is just one section. Without the -v flag, output looks like:
 

Click on image to open full-size in new screen.


Recommendation:

Visit the FLRTVC Home Page, download the script and give it a test drive!