Original issue date: June 3, 1994<BR>
Last revised: September 23, 1997<BR>
Updated copyright statement

<P>A complete revision history is at the end of this file.

The CERT Coordination Center has learned of a vulnerability in the
batch queue (bsh) of IBM AIX systems running versions prior to and
including AIX 3.2.

<P>CERT recommends disabling the batch queue by following the workaround
instructions in Section III below.  Section III also includes
information on how to obtain fixes from IBM if the bsh queue
functionality is required by remote systems.

<P>We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.

<P><HR>
<H2>I. Description</H2>


The queueing system on IBM AIX includes a batch queue, &quot;bsh&quot;,
which is turned on by default in /etc/qconfig on all versions of
AIX 3 and earlier.

<H2>II. Impact</H2>


If network printing is enabled, remote and local users can gain
access to a privileged account.

<H2>III. Solution</H2>


In the next release of AIX, the bsh queue will be turned off by
default.  CERT/CC recommends that the bsh queue be turned off using
the workaround described in Section A below unless there is an
explicit need to support this functionality for remote hosts.  If
this functionality must be supported, IBM provides fixes as
outlined in Sections B and C below.  For questions concerning
these workarounds or fixes, please contact IBM at the number
provided below.

<H3>A. Workaround</H3>


Disable the bsh queue by following one of the two procedures
outlined below:

<H4>1. As root, from the command line, enter:</H4>
<PRE>
# chque -qbsh -a&quot;up = FALSE&quot;
</PRE>
<H4>2. From SMIT, enter:</H4>
<UL>
<LI>Spooler<BR>
<LI>Manage Local Printer Subsystem<BR>
<LI>Change/Show Characteristics of a Queue
             <UL> <LI>select bsh</UL>
<LI>Activate the Queue
<UL><LI>select no</UL>
</UL>
<H3>B. Emergency fix</H3>


Obtain and install the emergency fix for the version(s) of AIX
used at your site.  Fixes for the various levels of AIX are
available by anonymous FTP from software.watson.ibm.com.  The
files are located in /pub/aix/bshfix.tar.Z in compressed tar
format.  Installation instructions are included in the README
file included as part of the tar file.

<P>The directory /pub/aix contains the latest available emergency
fix for APAR IX44381.  As updates become available, any new
versions will be placed in this directory with the name
bshfix&lt;#&gt;.tar.Z with &lt;#&gt; being incremented for each update.
See the README.FIRST file in that directory for details.

<P>IBM may remove this emergency fix file without prior notice if
flaws are reported.  Due to the changing nature of these
files, no checksum information is available.

<H3>C. Official fix</H3>


The official fix for this problem can be ordered as APAR
IX44381.

<P>To order APARs from IBM in the U.S., call 1-800-237-5511 and
ask that it be shipped to you as soon as it is available.  To
obtain APARs outside of the U.S., contact your local IBM
representative.

<P><HR>

<P>The CERT Coordination Center wishes to thank Gordon C. Galligher of
Information Resources, Inc.  for reporting this problem and IBM
Corporation for their support in responding to this problem.

<P><HR>

<!--#include virtual="/include/footer_nocopyright.html" -->
<P>Copyright 1994 Carnegie Mellon University.</P>

<HR>

Revision History
<PRE>
Sep. 23. 1997   Updated copyright statement
Aug. 30, 1996   Removed references to README files because advisories
                themselves are now updated.
</PRE>