[10673] in bugtraq
Re: IBM eNetwork Firewall for AIX
daemon@ATHENA.MIT.EDU (Marc Heuse)
Fri May 28 18:57:58 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id: <19990528222925.7024D9410@Galois.suse.de>
Date: Sat, 29 May 1999 00:29:25 +0200
Reply-To: Marc Heuse <marc@SUSE.DE>
From: Marc Heuse <marc@SUSE.DE>
To: BUGTRAQ@NETSPACE.ORG
Hi Paul,
> The IBM eNetwork Firewall for AIX contains some poorly written scripts,
> which create temporary files in /tmp without making any attempt to
> validate the existence of the file. This allows any user with shell
> access to such a firewall to corrupt or possibly modify system files by
> creating links, pipes, etc with the same name.
you are right, all their scripts have got link vulnerabilities ...
> The problem was reported to IBM early in January. To the best of my
> knowledge, the correct procedures have been followed. Initially, IBM
> responded by telling me that it was common practice for software to make
> use of /tmp. They suggested changing the permissions to prevent users
> from creating symbolic links to sensitive files.
when I found these in an audit at a customer in February, I opened an APAR
too, but then discovered yours. When I saw that yours was opened a month
before mine and not being dealt with, I made noise at IBM management and
the AIX Security Team, so that they issued an emergency fix.
But this fix is only available to those who know that it exists - anyway, the
quick fix still has /tmp races all over the place - they just added "rm -f
file" the line before writing into it ....
> An APAR (IR39562) was opened on 18/01/99 and closed on 13/03/99. The
> fix has not yet been released. This definitely applies to version 3.2,
> and probably others.
I heard that the next IBM Firewall version will fix this ... bah - maybe
with that quick "fix" ...
But to set one thing straight: It's *not* IBM's fault. The IBM Firewall is a
product of another company called Raleigh (I hope that's spelled correctly).
In fact, the IBM AIX Security Team, especially Troy Bollinger, was very
helpful in getting a fix - a correct one - out. It's the other company
who writes security software but really seems to have no knowledge.
sad but true
Greets,
Marc
--
Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: marc@suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C
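As an added illustration of the /tmp pattern discussed in this thread (example code written for this archive page, not a script from the IBM product, from Marc or from Paul): the first function is the shape of the "quick fix" described above, a predictable name under /tmp with an "rm -f" just before the write; the second uses mktemp, which creates the file atomically with O_CREAT|O_EXCL and mode 0600, so a path that already exists (link, pipe, regular file) makes the call fail rather than being followed. The exclusive_create function shows the same O_EXCL property via the shell's noclobber option, and tmpfile_is_private is an auditor's after-the-fact check that a created temp file is a regular, non-link file owned by the caller with no group/other bits. The file names (fwscript.*) and the sandbox directory used in the checks are constructed for the example.

```sh
#!/bin/sh
# Example only: not the IBM firewall scripts, constructed to show the pattern.

# The pattern the mail describes. The name is predictable ($$ is guessable),
# and "rm -f" followed by ">" is two separate system calls: anything planted
# at that path between them (a link, a FIFO) is what the redirection opens.
unsafe_tmp_write() {
    f="${TMPDIR:-/tmp}/fwscript.$$"   # predictable name
    rm -f "$f"                         # the "quick fix": still a race window
    echo "$1" > "$f"                   # follows a link if one appears here
    printf '%s\n' "$f"
}

# Hardened form. mktemp picks a random suffix and creates the file itself with
# O_CREAT|O_EXCL and mode 0600; if it cannot create a fresh file it fails and
# we never write. Returns 0 and prints the path, or returns 1.
safe_tmp_write() {
    f=$(umask 077; mktemp "${TMPDIR:-/tmp}/fwscript.XXXXXX") || return 1
    printf '%s\n' "$1" > "$f" || { rm -f "$f"; return 1; }
    printf '%s\n' "$f"
}

# The property mktemp relies on, shown with the shell's own noclobber mode:
# with "set -C", ">" opens with O_EXCL, so an existing path (including a
# symbolic link, dangling or not) causes the redirection to fail instead of
# being followed. Returns 0 only if a brand-new file was created at $1.
exclusive_create() {
    (set -C; : > "$1") 2>/dev/null
}

# Audit check for a temp file after creation: must not be a symlink, must be a
# regular file, must be owned by the caller, and must be mode rw-------.
# Uses "ls -ldn" (numeric ids, POSIX) so it works without a passwd lookup.
tmpfile_is_private() {
    [ ! -L "$1" ] && [ -f "$1" ] || return 1
    perms=$(ls -ldn "$1" | cut -c2-10)
    owner=$(ls -ldn "$1" | awk '{print $3}')
    [ "$perms" = "rw-------" ] && [ "$owner" = "$(id -u)" ]
}
```

Usage in a script would be p=$(safe_tmp_write "data") followed by a trap that removes "$p" on exit; the point of the contrast is that the fix is an atomic create (mktemp, or O_EXCL in general), not an extra "rm -f" in front of the same racy redirection.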