February 08, 2018
Reading deeper, it seems the programs listed (bellmail, caccelstat, iostat, lquerypv, restbyinode, and vmstat) are all setuid (“suid”) to root and executable by anyone. (Note: caccelstat is only available on AIX 7.2, to which I do not have immediate access, so I must assume here!)
This has been business as usual on UNIX since “forever.” It is called “privilege escalation,” and programs “built for it” are OK. However, even a program that is “built for it” may use a shared library that has been redeveloped (my guess at the root cause), and if that shared library is “not built for it,” it potentially breaks everything that uses it. Remember, this is just my guess, since suddenly seemingly unrelated SUID programs are now a vulnerability.
Note: While SUID to root may be “business as normal,” such programs always need to be monitored.
How do I keep track of this?
Fancy ways (also a topic for another time):
BigFix LifeCycle for AIX
PowerSC PM
Simple way:
FLRTVC (Fix Level Recommendation Tool Vulnerability Checker)
On the IBM FLRT portal, there is a “new” program (it has actually been there quite a while already) named FLRTVC. There is even a new flag added to lslpp (-lcq) to provide input for a script you can download (flrtvc.ksh). The script tries to download a file named apar.csv. If your AIX server cannot access the “network” directly using any of curl, wget, or ftp (part of AIX), then you will need to download it separately.
Easy to use: assuming you must download the apar.csv file yourself, the command syntax (for the human-readable report) is:
# flrtvc.ksh -f apar.csv -v
The output looks something like this:
--------------------------------------------------------------------------------
bos.net.tcp.client - 6.1.9.201 - Vulnerabilities (2)
--------------------------------------------------------------------------------
(1) NOT FIXED - (bellmail) Vulnerabilities in bellmail / caccelstat / iostat / lquerypv / restbyinode / vmstat affect AIX (CVE-2017-1692)
Type: sec
Score: 8.4
Versions: 6.1.9.0-6.1.9.201
APARs/CVEs: IV97356
Last Update: 02/05/2018
Bulletin: http://aix.software.ibm.com/aix/efixes/security/suid_advisory.asc
Download: ftp://aix.software.ibm.com/aix/efixes/security/suid_fix.tar
Fixed In: 6100-09-10
(2) NOT FIXED - There are vulnerabilities in BIND that impact AIX.
Type: sec
Versions: 6.1.9.0-6.1.9.300
APARs/CVEs: IV98826
Last Update: 11/13/2017
Bulletin: http://aix.software.ibm.com/aix/efixes/security/bind_advisory16.asc
Download: ftp://aix.software.ibm.com/aix/efixes/security/bind_fix16.tar
Fixed In: 6100-09-11
The above is just one section. Without the -v flag, the output looks like the screenshot that accompanied the original post (not reproduced here).
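As an added example (not part of the original post, and not IBM's flrtvc.ksh), here is a small POSIX sh/awk filter that reduces the -v report to one line per finding, so successive runs can be diffed or the number of findings still NOT FIXED can be tracked. It assumes the report layout shown above; the sample is constructed from that excerpt with the Bulletin, Download and Last Update lines dropped.

```shell
#!/bin/sh
# Added example, not from the original post: reduce a verbose
# "flrtvc.ksh -v" report to one line per finding so it can be diffed
# or fed to a ticketing system. Assumes the report layout shown above.

# Constructed sample: the two findings from the excerpt above, with the
# Bulletin/Download/Last Update lines dropped to keep it short.
SAMPLE_REPORT='--------------------------------------------------------------------------------
bos.net.tcp.client - 6.1.9.201 - Vulnerabilities (2)
--------------------------------------------------------------------------------
(1) NOT FIXED - (bellmail) Vulnerabilities in bellmail / caccelstat / iostat / lquerypv / restbyinode / vmstat affect AIX (CVE-2017-1692)
Type: sec
Score: 8.4
Versions: 6.1.9.0-6.1.9.201
APARs/CVEs: IV97356
Fixed In: 6100-09-10
(2) NOT FIXED - There are vulnerabilities in BIND that impact AIX.
Type: sec
Versions: 6.1.9.0-6.1.9.300
APARs/CVEs: IV98826
Fixed In: 6100-09-11'

# summarize_flrtvc: read a verbose report on stdin and print
# "fileset|status|apar|score|fixed_in" per finding. Score becomes "n/a"
# when the report has no Score line (as for the BIND entry above).
summarize_flrtvc() {
    awk '
        function flush() {
            if (have) print fileset "|" status "|" apar "|" score "|" fixed
            have = 0
        }
        # Fileset header: "<fileset> - <level> - Vulnerabilities (n)"
        /^[A-Za-z0-9._]+ - [0-9.]+ - Vulnerabilities/ { fileset = $1 }
        # Start of a finding: "(n) NOT FIXED - ..." or "(n) FIXED - ..."
        /^\([0-9]+\) / {
            flush()
            status = ($2 == "NOT") ? "NOT FIXED" : $2
            apar = "?"; score = "n/a"; fixed = "?"; have = 1
        }
        /^Score: /       { score = $2 }
        /^APARs\/CVEs: / { apar = $2 }
        /^Fixed In: /    { fixed = $3 }
        END { flush() }
    '
}

# count_not_fixed: how many findings on stdin are still NOT FIXED.
count_not_fixed() {
    summarize_flrtvc | awk -F'|' '$2 == "NOT FIXED" { n++ } END { print n + 0 }'
}
```

Run it as `flrtvc.ksh -f apar.csv -v | sh -c '. ./summarize.sh; summarize_flrtvc'` (file name assumed) and keep the output under version control to see what changes between patch cycles.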
Recommendation: