16 november, 2009
-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1
IBM SECURITY ADVISORY
First Issued: Wed Nov 4 10:02:21 CST 2009
The most recent version of this document is available here:
http://aix.software.ibm.com/aix/efixes/security/haport_advisory.asc
or
ftp://aix.software.ibm.com/aix/efixes/security/haport_advisory.asc
VULNERABILITY SUMMARY
VULNERABILITY: PowerHA Cluster Management port vulnerability
PLATFORMS: AIX 5.3, 6.1, and earlier releases
SOLUTION: Apply the fix or workaround as described below.
THREAT: A remote user may may make arbitrary changes to the
AIX configuration.
Reboot required? NO
Workarounds? YES
Protected by FPM? NO
Protected by SED? NO
DETAILED INFORMATION
I. DESCRIPTION
PowerHA Cluster Management monitoring of port 6177 allows a remote
attacker to make arbitrary changes to the local AIX configuration.
II. PLATFORM VULNERABILITY ASSESSMENT
To determine if your system is vulnerable, execute the following
command:
lslpp -L cluster.es.server.diag
The following fileset levels are vulnerable:
PowerHA Release Lower Level Upper Level (Service Pack)
--------------------------------------------------------------
5.4 5.4.0.0 5.4.0.2 (SP02)
5.4.1 5.4.1.0 5.4.1.6 (SP06)
5.5 5.5.0.0 5.5.0.2 (SP03)
6.1 6.1.0.0 6.1.0.0 (BASE)
III. SOLUTIONS
A. APARS
IBM has assigned the following APARs to this problem:
PowerHA Release APAR number Availability
-------------------------------------------------------------------
5.4.1 IZ61325 November 2009
5.5 IZ61323 October 2009
6.1 IZ62630 December 2009
B. FIXES
Fixes are now available. The fixes can be downloaded from:
ftp://aix.software.ibm.com/aix/efixes/security/haport_fix.tar
http://aix.software.ibm.com/aix/efixes/security/haport_fix.tar
The links above are to a tar file containing this signed
advisory, fix packages, and PGP signatures for each package.
PowerHA Level Interim Fix (*.Z)
---------------------------------
5.4 SP02 IZ61325_02.Z
5.4.1 BASE IZ61325gld.Z
5.4.1 SP01 IZ61325s1.Z
5.4.1 SP02 IZ61325s2.Z
5.4.1 SP03 IZ61325s3.Z
5.4.1 SP04 IZ61325s4.Z
5.4.1 SP05 IZ61325s5.Z
5.4.1 SP06 IZ61325s6.Z
5.5 BASE IZ61323gld.Z
5.5 SP01&SP02 IZ61323s12.Z
5.5 SP03 IZ61323s3.Z
6.1 BASE IZ62630gld.Z
To extract the fixes from the tar file:
tar xvf haport_fix.tar
cd haport_fix
Verify you have retrieved the fixes intact:
The checksums below were generated using the "csum -h SHA1"
(sha1sum) commands and are as follows:
csum -h SHA1 (sha1sum) filename
-----------------------------------------------------------
b8efa85cfb8c5d4b169ff48ea633207e330c6635 IZ61323gld.epkg.Z
82e90682da9c7d5e0c670e1a8366be5ef6173003 IZ61323s12.epkg.Z
14fbc05c250648d9d148540a2eb491067378282b IZ61323s3.epkg.Z
4624a6f393b4c03f4ac9b111d1fa0d3e58c1a7d5 IZ61325_02.epkg.Z
9b477cf92066f1f0e085a6f276b3b363cf00aae1 IZ61325gld.epkg.Z
c4658f916ccd775fd55494f3023d3a6a7991cab9 IZ61325s1.epkg.Z
3e0a519ba0a23cef1b23ad2505d2ca8a3a95e2ff IZ61325s2.epkg.Z
bfc4b1a3d720e3eb021d995b786e3de4ca6ceb4e IZ61325s3.epkg.Z
464abbc11a6adaf37f61a355ff5a1c2a528b2a39 IZ61325s4.epkg.Z
51574776245883b140d770ccb80132fce03355cd IZ61325s5.epkg.Z
89969dcc826640cbf7a0e51654a33385c6628ad6 IZ61325s6.epkg.Z
b31438a891948f852b45f0ebbc69963e0a6ee290 IZ62630gld.epkg.Z
To verify the sums, use the text of this advisory as input to
csum or sha1sum. For example:
csum -h SHA1 -i Advisory.asc
sha1sum -c Advisory.asc
These sums should match exactly. The PGP signatures in the tar
file and on this advisory can also be used to verify the
integrity of the fixes. If the sums or signatures cannot be
confirmed, contact IBM AIX Security and describe the
discrepancy at the following address:
security-alert@austin.ibm.com
C. INTERIM FIX INSTALLATION
IMPORTANT: If possible, it is recommended that a mksysb backup
of the system be created. Verify it is both bootable and
readable before proceeding.
Interim fixes have had limited functional and regression
testing but not the full regression testing that takes place
for Service Packs; thus, IBM does not warrant the fully
correct functionality of an interim fix.
Interim fix management documentation can be found at:
http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html
To preview an interim fix installation:
emgr -e ipkg_name -p # where ipkg_name is the name of the
# interim fix package being previewed.
To install an interim fix package:
emgr -e ipkg_name -X # where ipkg_name is the name of the
# interim fix package being installed.
IV. WORKAROUNDS
Run the following commands to comment out the lines in
/etc/inetd.conf and /etc/services dealing with the 'godm' service
and recycle the inetd daemon. Note that subsequent attempts to
verify the cluster will fail, which will effectivly disable
dynamic reconfiguration.
chsubserver -d -v godm -p tcp
chservices -d -v godm -p tcp -n 6177
refresh -s inetd
The workaround can be removed by executing the following commands:
chsubserver -a -v godm -p tcp -t stream -w nowait -u root \
-g /usr/es/sbin/cluster/godmd
chservices -a -v godm -p tcp -n 6177
refresh -s inetd
V. CONTACT INFORMATION
If you would like to receive AIX Security Advisories via email,
please visit:
http://www.ibm.com/systems/support
and click on the "My notifications" link.
To view previously issued advisories, please visit:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd
Comments regarding the content of this announcement can be
directed to:
security-alert@austin.ibm.com
To obtain the PGP public key that can be used to communicate
securely with the AIX Security Team you can either:
A. Download the key from our web page:
http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgpkey.txt
B. Download the key from a PGP Public Key Server. The key ID is:
0xADA6EB4D
Please contact your local IBM AIX support center for any
assistance.
eServer is a trademark of International Business Machines
Corporation. IBM, AIX and pSeries are registered trademarks of
International Business Machines Corporation. All other trademarks
are property of their respective holders.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)
iD8DBQFK8c6JP9Qud62m600RApEeAJ9Xs3ahspFRpf7SSrds+QM1w9b/tQCgsACP
SgfUQ9hGBVMg+s+dyQ86/MA=
=FjJZ
-----END PGP SIGNATURE-----