Hi Paul,

> The IBM eNetwork Firewall for AIX contains some poorly written scripts,
> which create temporary files in /tmp without making any attempt to
> validate the existence of the file. This allows any user with shell
> access to such a firewall to corrupt or possibly modify system files by
> creating links, pipes, etc. with the same name.

You are right, all their scripts have got link vulnerabilities ...

> The problem was reported to IBM early in January. To the best of my
> knowledge, the correct procedures have been followed. Initially, IBM
> responded by telling me that it was common practice for software to make
> use of /tmp. They suggested changing the permissions to prevent users
> from creating symbolic links to sensitive files.

When I found these in an audit at a customer in February, I opened an APAR too, but then discovered yours. When I saw that yours was opened a month before mine and not being dealt with, I made noise at IBM management and the AIX Security Team, so that they issued an emergency fix. But this fix is only available for those who know that it exists - anyway, the quick fix still has /tmp races all over the place - they just added "rm -f file" the line before writing into it ....

> An APAR (IR39562) was opened on 18/01/99 and closed on 13/03/99. The
> fix has not yet been released. This definitely applies to version 3.2,
> and probably others.

I heard that the next IBM Firewall version will fix this ... bah - maybe with that quick "fix" ...

But to set one thing straight: It's *not* IBM's fault. The IBM Firewall is a product of another company called Raleigh (I hope that's spelled correctly). In fact, the IBM AIX Security Team, especially Troy Bollinger, was very helpful in getting a fix - a correct one - out. It's the other company who writes security software but really seems to have no knowledge. Sad but true.

Greets,
Marc

--
Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: marcat_private
Function: Security Support & Auditing
"lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C
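The fixed-name /tmp pattern discussed in this thread, the "rm -f then write" quick fix that still races, the audit check that flags such lines, and the mktemp-based replacement, as an added POSIX sh example (not code from the post or from the firewall product). It assumes mktemp(1), ls(1) and id(1) are available; the sample script text is a constructed stand-in, not the product's own scripts.

```shell
#!/bin/sh
# Added example, not from the original post or the firewall product.
# Assumes POSIX sh with mktemp(1), ls(1) and id(1) available.

# Constructed stand-in for a script with the pattern the post criticises:
# fixed names under /tmp, plus the "rm -f then write" quick fix on line 4,
# which still leaves a window between the unlink and the write. Line 5 is
# the safe form.
SAMPLE_SCRIPT='#!/bin/sh
cat /etc/services > /tmp/fwcheck.out
grep fw /tmp/fwcheck.out >> /tmp/fwcheck.log
rm -f /tmp/fwcheck.out; ls -l > /tmp/fwcheck.out
out=$(mktemp /tmp/fwcheck.XXXXXX) && ls -l > "$out"'

# Audit check: report redirections into fixed names under /tmp or /var/tmp.
# An mktemp template (XXXXXX) is not a fixed name and is not reported.
audit_tmp_writes() {
    printf '%s\n' "$1" |
        grep -n -E '>>?[[:space:]]*/(var/)?tmp/[^[:space:];]+' |
        grep -v 'XXXXXX' || true
}

# Number of flagged lines, for scripting the audit over many files.
count_tmp_writes() {
    audit_tmp_writes "$1" | grep -c .
}

# Safe replacement: mktemp creates the file atomically (O_CREAT|O_EXCL,
# mode 0600) under an unpredictable name, so nothing pre-planted under a
# guessable name can be opened by mistake. The name is printed on stdout.
safe_tmpfile() {
    mktemp "${TMPDIR:-/tmp}/fwcheck.XXXXXX"
}

# Post-creation check a script can run before writing: a regular file,
# not a symlink, owned by the caller, mode 0600.
tmpfile_ok() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    set -- $(ls -ld "$f")              # mode links owner group ...
    case $1 in -rw-------*) ;; *) return 1 ;; esac
    [ "$3" = "$(id -un)" ]
}

# Stand-alone run: list the flagged lines, then create and verify a file.
audit_tmp_writes "$SAMPLE_SCRIPT"
f=$(safe_tmpfile) && tmpfile_ok "$f" && echo "safe temp file: $f"
rm -f "$f"
```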
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:47:34 PDT