TECHNICAL BULLETIN
| PROBLEM: | nfs.ext in IBM AIX 5.3.x through 5.3.9 and 6.1.0 through 6.1.2 does not properly use the nfs_portmon setting. |
| PLATFORM: | AIX 5.3.0 through 5.3.9, AIX 6.1.0 through 6.1.2 |
| ABSTRACT: | This vulnerability allows remote attackers to bypass intended access restrictions for NFSv4 shares via unspecified vectors. |
| LINKS: | |
| DOE-CIRC BULLETIN: | http://www.doecirc.energy.gov/bulletins/t-246.shtml |
| OTHER LINKS: | Security Focus http://www.securityfocus.com/bid/36544/info ; Vupen Website http://www.vupen.com/english/advisories/2009/2788 |
| CVE: | CVE-2009-3517 |
| IMPACT ASSESSMENT: | This risk is medium. A remote user can gain unauthorized network access to AIX NFSv4 shares protected by the nfs_portmon tunable. |
[***** Start CVE-2009-3517 *****]
Discussion:
There are two security vulnerabilities in the AIX NFSv4 (Network File System version 4) implementation.
The first vulnerability is an error in the handling of the NFSv4 Kerberos credential cache. The successful exploitation of this vulnerability allows a local user to access Kerberized network shares without authorization.
The second vulnerability is that the nfs_portmon tunable is not utilized correctly in NFSv4. The successful exploitation of this vulnerability allows a remote user to access network shares protected by nfs_portmon without authorization.
The following commands are vulnerable:
/usr/sbin/gssd
/usr/lib/drivers/nfs.ext
To determine if your system is vulnerable, execute the following command:
lslpp -L bos.net.nfs.client
The following fileset levels are vulnerable:
AIX Fileset            Lower Level                    Upper Level
---------------------------------------------------------------------
bos.net.nfs.client     all earlier versions of 5.3
bos.net.nfs.client     5.3.7.0                        5.3.7.8
bos.net.nfs.client     5.3.8.0                        5.3.8.6
bos.net.nfs.client     5.3.9.0                        5.3.9.2
bos.net.nfs.client     6.1.0.0                        6.1.0.8
bos.net.nfs.client     6.1.1.0                        6.1.1.4
bos.net.nfs.client     6.1.2.0                        6.1.2.3
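The check above is a manual comparison of the lslpp level against the table. The script below is an added example (not part of the IBM or DOE-CIRC advisory) that encodes the table's ranges and classifies a bos.net.nfs.client level read from lslpp -L output; the lslpp sample it parses is constructed, not a real capture, and the range boundaries are taken from the table as printed.

```sh
# Added example: classify an installed bos.net.nfs.client level against the
# vulnerable ranges listed in the advisory for CVE-2009-3517.

# Ranges from the advisory's fileset table, as lower:upper V.R.M.F levels.
VULN_RANGES="5.3.7.0:5.3.7.8 5.3.8.0:5.3.8.6 5.3.9.0:5.3.9.2 6.1.0.0:6.1.0.8 6.1.1.0:6.1.1.4 6.1.2.0:6.1.2.3"

# Compare two dotted V.R.M.F levels field by field; prints lt, eq or gt.
# A missing trailing field counts as 0, so "5.3" compares equal to "5.3.0.0".
vrmf_cmp() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s\n' "$1" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s\n' "$2" | cut -d. -f"$i"); y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo lt; return 0; fi
        if [ "$x" -gt "$y" ]; then echo gt; return 0; fi
        i=$((i + 1))
    done
    echo eq
}

# Exit status 0 when LEVEL falls in a vulnerable range, 1 when it does not.
# Fixed levels such as 5.3.7.9 sit in the gaps between the listed ranges.
nfs_client_vulnerable() {
    level=$1
    # "all earlier versions of 5.3": any 5.3 level below 5.3.7.0.
    if [ "$(vrmf_cmp "$level" 5.3.0.0)" != lt ] && [ "$(vrmf_cmp "$level" 5.3.7.0)" = lt ]; then
        return 0
    fi
    for range in $VULN_RANGES; do
        lo=${range%:*}; hi=${range#*:}
        if [ "$(vrmf_cmp "$level" "$lo")" != lt ] && [ "$(vrmf_cmp "$level" "$hi")" != gt ]; then
            return 0
        fi
    done
    return 1
}

# Extract the installed level from `lslpp -L bos.net.nfs.client` output on stdin
# (columns: Fileset, Level, State, Type, Description).
installed_level() {
    awk '$1 == "bos.net.nfs.client" { print $2; exit }'
}

# Constructed sample of lslpp -L output, not a real capture.
SAMPLE_LSLPP='  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  bos.net.nfs.client         5.3.8.6    C     F    Network File System Client'

# On a real host, pipe `lslpp -L bos.net.nfs.client` into installed_level instead.
lvl=$(printf '%s\n' "$SAMPLE_LSLPP" | installed_level)
if nfs_client_vulnerable "$lvl"; then
    echo "bos.net.nfs.client $lvl: in a vulnerable range for CVE-2009-3517, apply the fix package"
else
    echo "bos.net.nfs.client $lvl: not in a listed vulnerable range"
fi
```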
Solution:
Fixes are now available. The fixes can be downloaded from:
http://aix.software.ibm.com/aix/efixes/security/nfs4_fix.tar
ftp://aix.software.ibm.com/aix/efixes/security/nfs4_fix.tar
The links above are to a tar file containing this signed advisory, fix packages, and PGP signatures for each package.
AIX Level    Fix
----------------------------------------------------
5.3.7        bos.net.nfs.client.5.3.7.9.U
5.3.8        bos.net.nfs.client.5.3.8.7.U
5.3.9        bos.net.nfs.client.5.3.9.3.U
6.1.0        bos.net.nfs.client.6.1.0.9.U
6.1.1        bos.net.nfs.client.6.1.1.5.U
6.1.2        bos.net.nfs.client.6.1.2.4.U
To extract the fixes from the tar file:
tar xvf nfs4_fix.tar
cd nfs4_fix
Verify you have retrieved the fixes intact:
The checksums below were generated with "csum -h SHA1" (equivalent to sha1sum) and are as follows:
csum -h SHA1 (sha1sum)                       filename
----------------------------------------------------------------------
6498591e2a75f5081f30487220ef205649be34a3     bos.net.nfs.client.5.3.7.9.U
55ff5576fccb052c05d0432250619ef9e3bd1fe1     bos.net.nfs.client.5.3.8.7.U
c98585939e0bf02c5b88adbb0bbc48c52d261e07     bos.net.nfs.client.5.3.9.3.U
d0d3f99ea11fcae97bacd782b904363f60191351     bos.net.nfs.client.6.1.0.9.U
5c73c73eca95fa782f82ade9c5b56f64217113ab     bos.net.nfs.client.6.1.1.5.U
a3251008ee0e4e4a67b7e9beff5a0d9550407fcf     bos.net.nfs.client.6.1.2.4.U
IMPORTANT:
If possible, it is recommended that a mksysb backup of the system be created. Verify it is both bootable and readable before proceeding.
To preview a fix installation:
installp -a -d fix_name -p all    # where fix_name is the name of the fix package being previewed
To install a fix package:
installp -a -d fix_name -X all    # where fix_name is the name of the fix package being installed
[***** End CVE-2009-3517 *****]
Voice: 866-941-2472
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov