INFORMATION BULLETIN

E-29a: IBM AIX bsh Queue Vulnerability

June 3, 1994 1500 PDT


PROBLEM:        Vulnerability in bsh batch queue allows unauthorized access.
PLATFORMS:      IBM AIX 3.2 and earlier.
DAMAGE:         Remote users may gain access to a privileged account.
SOLUTION:       Disable the bsh queue; obtain and install fix from IBM.

VULNERABILITY   This vulnerability is being discussed on public mailing lists
ASSESSMENT:     and can be exploited remotely.  CIAC recommends that sites
                disable the bsh queue immediately.

Critical Information about the IBM AIX bsh Queue Vulnerability

CIAC has learned of a vulnerability in the bsh batch queue of IBM AIX systems running AIX version 3.2 and earlier. If network printing is enabled, the bsh queue will permit users on remote systems to execute commands at an elevated privilege.

CIAC recommends that the bsh queue be disabled immediately as described below. Administrators should then obtain and install the appropriate fixes from IBM.

Few applications make use of the bsh queue, and IBM has agreed to disable the queue by default in future AIX releases. CIAC recommends that the bsh queue be left disabled unless its functionality is explicitly required.

Disabling bsh

To disable the bsh queue, perform one of the following procedures:

As root, from the command line, enter:
- chqueue -qbsh -a"up = FALSE"
From SMIT enter:
- Spooler
- Manage Local Printer Subsystem
- Local Printer Queues
- Change/Show Characteristics of a Queue
- select bsh
- Activate the Queue
- select no

Emergency Fix

IBM has made available an emergency fix for this vulnerability via anonymous FTP from software.watson.ibm.com in the directory /pub/aix. The fix is contained in the compressed tar file bshfixN.tar.Z, where N is the current version of the fix. Installation instructions are provided in a README file in the tar package.

Please note: Due to the volatile nature of emergency fixes, IBM may temporarily remove them from the FTP server while revisions are made. If you are unable to retrieve the fix from the FTP server, please try again at a later time.

Official Fix

The official fix for this problem will be available soon from IBM and can be ordered as APAR IX44381. To order an APAR from IBM in the U.S. call 1-800-237-5511 and ask for shipment as soon as it becomes available. To obtain APARS outside the U.S., contact a local IBM representative.

CIAC thanks IBM and the CERT Coordination Center for the information provided in this advisory.

CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:

    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

UCRL-MI-119788
[Privacy and Legal Notice]