-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>> CERT-NL, 01-Mar-2000                                                      <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl. Links   <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>>                                                                           <<
>> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the      <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the  <<
>> complete CERT-CC advisory texts: http://www.cert.org                      <<
===============================================================================
===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : CERT-NL (Nico de Koo)              Index  :  S-94-16
Distribution  : World                              Page   :  1
Classification: External                           Version:  Final
Subject       : IBM AIX bsh Vulnerability          Date   :  07-Jun-94
===============================================================================

CERT-NL received information on a vulnerability in IBM AIX bsh.

CERT-NL wishes to thank CERT/CC for providing this information.

- ----------------------------------------------------------------------------

CERT-NL recently received information about a security vulnerability
in the batch queue (bsh) of IBM AIX systems running versions prior to and
including AIX 3.2. CERT-NL recommends disabling the batch queue by following
the workaround instructions in Section III below. Section III also includes
information on how to obtain fixes from IBM if the bsh queue functionality
is required by remote systems.

As we receive additional information relating to this advisory, we
will place it, along with any clarifications, in a security bulletin
addendum S-94-16.README file. CERT advisories and their associated README
files are available by anonymous FTP from ftp.nic.surfnet.nl, in the
directory "surfnet/net-security/cert-nl/docs/bulletin".
We encourage you to check the README files regularly for updates on
advisories that relate to your site.

- -----------------------------------------------------------------------------

I.   Description

     The queueing system on IBM AIX includes a batch queue, "bsh",
     which is turned on by default in /etc/qconfig on all versions of
     AIX 3 and earlier.

II.  Impact

     If network printing is enabled, remote and local users can gain
     access to a privileged account.

III. Solution

     In the next release of AIX, the bsh queue will be turned off by
     default. CERT recommends that the bsh queue be turned off using
     the workaround described in Section A below unless there is an
     explicit need to support this functionality for remote hosts. If
     this functionality must be supported, IBM provides fixes as
     outlined in Sections B and C below. For questions concerning
     these workarounds or fixes, please contact IBM at the number
     provided below.

     A. Workaround

        Disable the bsh queue by following one of the two procedures
        outlined below:

        1. As root, from the command line, enter:

               # chque -qbsh -a"up = FALSE"

        2. From SMIT, enter:

               - Spooler
               - Manage Local Printer Subsystem
               - Change/Show Characteristics of a Queue
                    select bsh
               - Activate the Queue
                    select no

     B. Emergency fix

        Obtain and install the emergency fix for the version(s) of
        AIX used at your site. Fixes for the various levels of AIX
        are available by anonymous FTP from ftp.nic.surfnet.nl.
        The file is located in:

            /surfnet/net-security/cert-nl/patches/ibm-fixes/bshfix.tar.Z

        in compressed tar format. Installation instructions are included
        in the README file included as part of the tar file.

        The directory /surfnet/net-security/cert-nl/patches/ibm-fixes
        contains the latest available emergency fix for APAR IX44381.
        As updates become available, any new versions will be placed
        in this directory with the name bshfix<#>.tar.Z with <#> being
        incremented for each update.
        IBM may remove this emergency fix file without prior notice
        if flaws are reported. Due to the changing nature of these
        files, no checksum information is available.

     C. Official fix

        The official fix for this problem can be ordered as APAR
        IX44381.

        To order APARs from IBM, contact your local IBM representative
        and ask that it be shipped to you as soon as it is available.

If you believe that your system has been compromised, contact CERT-NL or
your representative in the Forum of Incident Response and Security Teams
(FIRST).

CERT-NL will continue to monitor this situation and will post additional
information should it become necessary. If you have any questions about
this bulletin, please contact CERT-NL via any of the venues below.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

CERT-NL ACKNOWLEDGES: The CERT Coordination Center, and wishes to thank
Gordon C. Galligher of Information Resources, Inc. for reporting this
problem and IBM Corporation for their support in responding to this problem.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
   http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

Email:     cert-nl@surfnet.nl             ATTENDED REGULARLY ALL DAYS
Phone:     +31 302 305 305                BUSINESS HOURS ONLY
Fax:       +31 302 305 329                BUSINESS HOURS ONLY
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA  UTRECHT
           The Netherlands

EMERGENCIES : 06 22 92 35 64              ALWAYS REACHABLE
EMERGENCIES : +31 6 22 92 35 64           ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONE NUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6WFjSYjBqwfc9jEQIAGQCfWDUAkjTiG01SmdtvgODd5zWD6s8An0XF
fPj8ikOSccgBoMby71Xqbe5u
=Dl8L
-----END PGP SIGNATURE-----
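
A check to go with workaround A in Section III, added here as an example; it is not part of the CERT-NL advisory or of IBM's fix. It reads a copy of /etc/qconfig and reports whether the bsh queue is still active. The stanza layout, the sample stanzas and the rule that a queue with no "up" attribute counts as active are assumptions, and the function and file names are hypothetical.

```shell
# Added example: report whether the "bsh" batch queue is active in a
# qconfig-style file. Assumed format: a stanza starts with "name:" in column
# one, attributes are indented "key = value" lines, "*" starts a comment,
# and a queue stanza without an "up" attribute is active.
bsh_queue_state() {    # prints "absent", "up" or "down" for file $1
    awk '
        /^[ \t]*\*/ { next }                       # skip comment lines
        /^[^ \t][^:]*:[ \t]*$/ {                   # stanza header
            name = $0; sub(/:[ \t]*$/, "", name)
            in_bsh = (name == "bsh")
            if (in_bsh) { found = 1; up = "TRUE" }  # assumed default
            next
        }
        in_bsh && /^[ \t]+up[ \t]*=/ {             # "up" inside bsh only
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            up = toupper(val)
        }
        END { print (!found ? "absent" : (up == "FALSE" ? "down" : "up")) }
    ' "$1"
}

# Constructed sample input (not from a real system): a default-style stanza,
# and the same stanza after chque -qbsh -a"up = FALSE".
write_samples() {
    cat > "$1/qconfig.default" <<'EOF'
* constructed sample
bsh:
    device = bshdev
bshdev:
    backend = /usr/bin/bsh
EOF
    cat > "$1/qconfig.disabled" <<'EOF'
bsh:
    device = bshdev
    up = FALSE
bshdev:
    backend = /usr/bin/bsh
EOF
}

tmp=$(mktemp -d) && write_samples "$tmp"
for f in "$tmp"/qconfig.*; do
    printf '%s: bsh queue is %s\n' "${f##*/}" "$(bsh_queue_state "$f")"
done
rm -rf "$tmp"
```

A result of "up" means the workaround has not been applied to that file; "absent" means no bsh stanza was found at all.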