Original issue date: March 19, 1992<BR>
Last revised: September 19, 1997<BR>
Attached copyright statement
<P>A complete revision history is at the end of this file.
<P>The Computer Emergency Response Team/Coordination Center (CERT/CC) has received information concerning a vulnerability in the UUCP software in versions of AIX up to 2007. The vulnerability does not exist in AIX 3.2.
<P>IBM is aware of this problem, and a fix is available as APAR number "ix18516". This patch is available for all AIX releases from GOLD to 2006.
<P>The fix is included in the 2007 update and the 3.2 release of AIX. IBM customers may call IBM Support (800-237-5511) and ask that the fix be shipped to them. Patches may be obtained outside the U.S. by contacting your local IBM representative.
<P><HR>
<H2>I. Description</H2>
Previous versions of the UUCP software, except in AIX 3.2, contained incorrectly configured versions of various files.
<H2>II. Impact</H2>
Local users can execute unauthorized commands and gain unauthorized root access.
<H2>III. Solution</H2>
<UL>
<LI>If users do not need access to uucp, disable it.
<PRE>
% chmod 0100 /usr/bin/uucp
</PRE>
<LI>Obtain the fix from IBM Support.
<LI><P>Install the fix following the instructions in the README file.
</UL>
<HR>
<P>The CERT/CC would like to thank Steve Knodle, Clarkson University, for bringing this security vulnerability to our attention.
<P>Copyright 1992 Carnegie Mellon University.</P>
<HR>
Revision History
<PRE>
September 19, 1997  Attached copyright statement
</PRE>