CERT Advisory CA-94:10.IBM.AIX.bsh.vulnerability

CERT Advisory cert-advisory at cert.org
Fri Jun 3 18:22:45 UTC 1994

CA-94:10                         CERT Advisory
                                 June 3, 1994
                           IBM AIX bsh Vulnerability

The CERT Coordination Center has learned of a vulnerability in the
batch queue (bsh) of IBM AIX systems running versions prior to and
including AIX 3.2.

CERT recommends disabling the batch queue by following the workaround
instructions in Section III below.  Section III also includes
information on how to obtain fixes from IBM if the bsh queue
functionality is required by remote systems.

As we receive additional information relating to this advisory, we
will place it, along with any clarifications, in a CA-94:10.README
file. CERT advisories and their associated README files are available
by anonymous FTP from info.cert.org. We encourage you to check the
README files regularly for updates on advisories that relate to your


I.   Description

     The queueing system on IBM AIX includes a batch queue, "bsh",
     which is turned on by default in /etc/qconfig on all versions of
     AIX 3 and earlier.

II.  Impact 

     If network printing is enabled, remote and local users can gain
     access to a privileged account.

III. Solution

     In the next release of AIX, the bsh queue will be turned off by
     default.  CERT recommends that the bsh queue be turned off using
     the workaround described in Section A below unless there is an
     explicit need to support this functionality for remote hosts.  If
     this functionality must be supported, IBM provides fixes as
     outlined in Sections B and C below.  For questions concerning
     these workarounds or fixes, please contact IBM at the number
     provided below.

     A. Workaround 

        Disable the bsh queue by following one of the two procedures
        outlined below:

        1. As root, from the command line, enter:
           # chque -qbsh -a"up = FALSE"
        2. From SMIT, enter:
           - Spooler
           - Manage Local Printer Subsystem
           - Change/Show Characteristics of a Queue
              select bsh
           - Activate the Queue
              select no

     B. Emergency fix

        Obtain and install the emergency fix for the version(s) of AIX
        used at your site.  Fixes for the various levels of AIX are
        available by anonymous FTP from software.watson.ibm.com.  The
        files are located in /pub/aix/bshfix.tar.Z in compressed tar
        format.  Installation instructions are included in the README
        file included as part of the tar file.

        The directory /pub/aix contains the latest available emergency
        fix for APAR IX44381.  As updates become available, any new
        versions will be placed in this directory with the name
        bshfix<#>.tar.Z with <#> being incremented for each update.
        See the README.FIRST file in that directory for details.  

        IBM may remove this emergency fix file without prior notice if
        flaws are reported.  Due to the changing nature of these
        files, no checksum information is available.

     C. Official fix

        The official fix for this problem can be ordered as APAR

        To order APARs from IBM in the U.S., call 1-800-237-5511 and
        ask that it be shipped to you as soon as it is available.  To
        obtain APARs outside of the U.S., contact your local IBM

The CERT Coordination Center wishes to thank Gordon C. Galligher of
Information Resources, Inc.  for reporting this problem and IBM
Corporation for their support in responding to this problem.

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in Forum of Incident
Response and Security Teams (FIRST).

If you wish to send sensitive incident or vulnerability information to
CERT via electronic mail, CERT strongly advises that the e-mail be
encrypted.  CERT can support a shared DES key, PGP (public key
available via anonymous FTP on info.cert.org), or PEM (contact CERT
for details).

Internet E-mail: cert at cert.org
Telephone: 412-268-7090 (24-hour hotline)
           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
           and are on call for emergencies during other hours.

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

Past advisories and their associated README files, information about FIRST
representatives, and other information related to computer security are
available for anonymous FTP from info.cert.org.

More information about the NANOG mailing list