Re: IBM eNetwork Firewall for AIX

From: Marc Heuse (marcat_private)
Date: Fri May 28 1999 - 15:29:25 PDT


    Hi Paul,
    
    > The IBM eNetwork Firewall for AIX contains some poorly written scripts,
    > which create temporary files in /tmp without making any attempt to
    > validate the existence of the file.  This allows any user with shell
    > access to such a firewall to corrupt or possibly modify system files by
    > creating links, pipes, etc with the same name.
    
    you are right, all their scripts have got link vulnerabilities ...
    
    > The problem was reported to IBM early in January.  To the best of my
    > knowledge, the correct procedures have been followed.  Initially, IBM
    > responded by telling me that it was common practice for software to make
    > use of /tmp.  They suggested changing the permissions to prevent users
    > from creating symbolic links to sensitive files.
    
    when I found these in an audit at a customer in February, I opened an APAR
    too, but then discovered yours. When I saw that yours was opened a month
    before mine and not being dealt with, I made noise at IBM management and
    the AIX Security Team, so that they issued an emergency fix.
    But this fix is only available for those who know that it exists - anyway, the
    quick fix still has /tmp races all over the place - they just added "rm -f
    file" the line before writing into it ....
    
    > An APAR (IR39562) was opened on 18/01/99 and closed on 13/03/99.  The
    > fix has not yet been released.  This definitely applies to version 3.2,
    > and probably others.
    
    I heard that the next IBM Firewall version will fix this ... bah - maybe
    with that quick "fix" ...
    
    But to set one thing straight: It's *not* IBM's fault. The IBM Firewall is a
    product of another company called Raleigh (I hope that's spelled correctly).
    In fact, the IBM AIX Security Team, especially Troy Bollinger, was very
    helpful in getting a fix - a correct one - out. It's the other company
    who writes security software but really seems to have no knowledge.
    Sad but true.
    
    Greets,
    	Marc
    --
       Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
       E@mail: marcat_private  Function: Security Support & Auditing
       "lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
    Key fingerprint = B5 07 B6 4E 9C EF 27 EE  16 D9 70 D4 87 B5 63 6C
    
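The /tmp pattern the thread describes (a fixed name in /tmp written with ">", and the "rm -f" quick fix that still races) beside a defensive rewrite, as an added shell example that is not IBM's scripts or either poster's code; the file and directory names are hypothetical.

```shell
#!/bin/sh
# Added example, not the IBM scripts or the poster's code; paths and names
# are hypothetical. It shows the /tmp pattern the thread describes and why
# "rm -f" before the redirect does not close the window.

# The pattern from the thread: a fixed, predictable name in shared /tmp,
# written with ">". If that path is already a symlink planted by another
# user, the write follows the link. "rm -f" first only shrinks the window:
# the link can be re-created between the rm and the redirect.
unsafe_write() {   # $1 = fixed temp path, $2 = content
    rm -f "$1"
    echo "$2" > "$1"
}

# Defensive rewrite: mktemp creates a fresh, unpredictable file atomically
# (O_CREAT|O_EXCL), so a pre-planted link at that name cannot be followed.
safe_write() {     # $1 = directory to use, $2 = content; prints the file path
    f=$(mktemp "$1/report.XXXXXX") || return 1
    printf '%s\n' "$2" > "$f" || return 1
    printf '%s\n' "$f"
}

# Self-check in a sandbox: a symlink is planted where the script expects
# its temp file. Prints two words: what the linked file holds after a
# plain redirect, and after the same redirect under "set -C" (noclobber),
# which makes ">" refuse any path that already exists, links included.
demo() {
    sandbox=$(mktemp -d "${TMPDIR:-/tmp}/race-demo.XXXXXX") || return 1
    echo original > "$sandbox/sensitive"          # stands in for a system file
    ln -s "$sandbox/sensitive" "$sandbox/fw.tmp"  # the planted link
    echo clobbered > "$sandbox/fw.tmp"            # follows the link
    r1=$(cat "$sandbox/sensitive")                # clobbered
    echo original > "$sandbox/sensitive"
    ( set -C; echo clobbered > "$sandbox/fw.tmp" ) 2>/dev/null || :
    r2=$(cat "$sandbox/sensitive")                # original
    rm -rf "$sandbox"
    printf '%s %s\n' "$r1" "$r2"
}
```

Running `demo` prints "clobbered original": the plain redirect overwrote the file behind the link, the noclobber redirect was refused.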



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:47:34 PDT