Original issue date: May 26, 1992<BR>
Last revised: September 19, 1997<BR>
Attached copyright statement
<P>A complete revision history is at the end of this file.
<P>The Computer Emergency Response Team/Coordination Center (CERT/CC) has received information concerning a vulnerability in <I>crontab(1)</I> in version 3.2 of IBM's AIX operating system.
<P>IBM is aware of this problem and a fix is available as APAR number "ix26997" for AIX version 3.2. The version information for the patched /usr/bin/crontab is shown in the following <I>what(1)</I> output:
<PRE>
% what /usr/bin/crontab
        04 1.23 com/cmd/cntl/cron/crontab.c, cmdcntl, bos320, 9218320f 4/8/92 11:50:42
        07 1.8 com/cmd/cntl/cron/permit.c, bos, bos320 4/25/91 17:16:59
        11 1.15 com/cmd/cntl/cron/cronsub.c, bos, bos320 8/18/91 20:42:32
        06 1.9 com/cmd/cntl/cron/funcs.c, bos, bos320 6/8/91 21:22:40
</PRE>
If your crontab contains older modules than the above output indicates, we suggest that you install the fix.
<P><HR>
<H2>I. Description</H2>
The distributed version of /usr/bin/crontab contains a security vulnerability.
<H2>II. Impact</H2>
Local users can gain unauthorized root access to the system.
<H2>III. Solution</H2>
The CERT/CC suggests that sites install the fix that IBM has made available. As an interim step, we suggest that sites prevent all non-root users from running /usr/bin/crontab by removing (or renaming) the /var/adm/cron/cron.allow and /var/adm/cron/cron.deny files; when neither file exists, AIX cron permits only root to use crontab.
<UL><LI> Obtain the fix from IBM Support.
<P>
<OL><LI> To order from IBM call 1-800-237-5511 and ask that the fix be shipped. Patches may be obtained outside the U.S. by contacting your local IBM representative.
<LI><P>If you are on the Internet, use anonymous ftp to obtain the fix from software.watson.ibm.com (129.34.139.5).
<PRE>
        Patch      Filename                 Checksum
        AIX 3.2    pub/aix3/cronta.tar.Z    02324   154
</PRE>
The patch must be retrieved using binary mode.
</OL>
<P><LI> Install the fix following the instructions in the README file.</UL>
<HR>
<P>The CERT/CC would like to thank Fuat Baran of Advanced Network &amp; Services, Inc. for bringing this security vulnerability to our attention and IBM for their quick response to this problem.
<P>
<P>Copyright 1992 Carnegie Mellon University.</P>
<HR>
Revision History
<PRE>
September 19, 1997  Attached copyright statement
</PRE>
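The version check at the top of the advisory and the interim mitigation in section III, as an added example (this is not CERT/CC's or IBM's code): a POSIX shell script that parses <I>what(1)</I> output and compares the four cron modules against the fix levels listed above, then applies the AIX cron.allow/cron.deny rule the interim step relies on. The <I>what(1)</I> line format is assumed to match the advisory's listing; the rule that root alone may use crontab when neither file exists is taken from AIX's crontab documentation. The two sample <I>what(1)</I> outputs are constructed, the older crontab.c level (1.21) and its timestamp are invented for illustration, and the <CODE>.pre-ix26997</CODE> rename suffix and the optional directory argument are this example's own.

```shell
#!/bin/sh
# Added example, not part of the CERT advisory or of IBM's fix.
# Assumptions: what(1) prints one SCCS line per module in the form
# "<type> <version> <path>, ..." as in the advisory; the cron.allow/cron.deny
# rule is the documented AIX one (allow file -> listed users only, deny file
# only -> everyone except listed users, neither file -> root only).

# Module versions in the fixed crontab, taken from the advisory's what(1) output.
REFERENCE="crontab.c 1.23
permit.c 1.8
cronsub.c 1.15
funcs.c 1.9"

# check_crontab_versions: read what(1) output on stdin and compare every
# reference module against the fix level. Prints one line per module and
# returns 0 only when all four modules are present at or above the fix level.
# Live usage:  what /usr/bin/crontab | check_crontab_versions
check_crontab_versions() {
    awk -v ref="$REFERENCE" '
    # numeric, component-wise comparison of dotted SCCS levels (1.9 < 1.23)
    function vercmp(a, b,    na, nb, x, y, i) {
        na = split(a, x, "."); nb = split(b, y, ".")
        for (i = 1; i <= na || i <= nb; i++)
            if (x[i] + 0 != y[i] + 0) return (x[i] + 0 < y[i] + 0) ? -1 : 1
        return 0
    }
    BEGIN {
        bad = 0
        n = split(ref, lines, "\n")
        for (i = 1; i <= n; i++) { split(lines[i], f, " "); want[f[1]] = f[2] }
    }
    NF >= 3 {
        ver = $2; path = $3; sub(/,$/, "", path)
        nparts = split(path, p, "/"); mod = p[nparts]     # basename of the source file
        if (!(mod in want)) next
        seen[mod] = 1
        if (vercmp(ver, want[mod]) < 0) { printf "OLDER   %-10s %s (fix has %s)\n", mod, ver, want[mod]; bad = 1 }
        else                             printf "OK      %-10s %s\n", mod, ver
    }
    END {
        for (m in want) if (!(m in seen)) { printf "MISSING %s\n", m; bad = 1 }
        exit bad
    }'
}

# cron_access_policy [DIR]: who may run crontab given the files in DIR
# (default /var/adm/cron), following the AIX rule stated above.
cron_access_policy() {
    dir=${1:-/var/adm/cron}
    if   [ -f "$dir/cron.allow" ]; then echo allow-list   # only users listed in cron.allow
    elif [ -f "$dir/cron.deny" ];  then echo deny-list    # everyone except users in cron.deny
    else                                echo root-only    # neither file: root only
    fi
}

# restrict_crontab_to_root [DIR]: the advisory's interim mitigation. The files
# are renamed rather than deleted so the site's policy can be restored once the
# APAR is installed. Succeeds only if the resulting policy is root-only.
restrict_crontab_to_root() {
    dir=${1:-/var/adm/cron}
    for f in cron.allow cron.deny; do
        if [ -f "$dir/$f" ]; then mv "$dir/$f" "$dir/$f.pre-ix26997"; fi
    done
    [ "$(cron_access_policy "$dir")" = root-only ]
}

# Constructed sample what(1) output: the fixed crontab from the advisory, and an
# older one with an invented crontab.c level (1.21) and funcs.c missing.
PATCHED_OUTPUT='/usr/bin/crontab:
        04 1.23 com/cmd/cntl/cron/crontab.c, cmdcntl, bos320, 9218320f 4/8/92 11:50:42
        07 1.8 com/cmd/cntl/cron/permit.c, bos, bos320 4/25/91 17:16:59
        11 1.15 com/cmd/cntl/cron/cronsub.c, bos, bos320 8/18/91 20:42:32
        06 1.9 com/cmd/cntl/cron/funcs.c, bos, bos320 6/8/91 21:22:40'
OLD_OUTPUT='/usr/bin/crontab:
        04 1.21 com/cmd/cntl/cron/crontab.c, cmdcntl, bos320, 9204320f 1/20/92 10:00:00
        07 1.8 com/cmd/cntl/cron/permit.c, bos, bos320 4/25/91 17:16:59
        11 1.15 com/cmd/cntl/cron/cronsub.c, bos, bos320 8/18/91 20:42:32'

# Demonstration on the constructed samples and a scratch copy of the cron
# directory; run as "sh check_cron.sh demo" so sourcing the file stays silent.
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$PATCHED_OUTPUT" | check_crontab_versions && echo "patched: OK"
    printf '%s\n' "$OLD_OUTPUT" | check_crontab_versions || echo "older: install APAR ix26997"
    scratch=$(mktemp -d); touch "$scratch/cron.deny"
    echo "before: $(cron_access_policy "$scratch")"
    restrict_crontab_to_root "$scratch" && echo "after:  $(cron_access_policy "$scratch")"
    rm -rf "$scratch"
fi
```

On a real AIX 3.2 host the two calls are <CODE>what /usr/bin/crontab | check_crontab_versions</CODE> and, as root, <CODE>restrict_crontab_to_root</CODE> with no argument; the renamed files record the site's pre-mitigation policy so it can be reinstated after the APAR is installed. The comparison is numeric per component, so a level such as 1.9 is correctly treated as older than 1.23.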