HP-UX fails to apply standard UNIX filesystem security measures when using OnLineJFS

2003-06-13T00:00:00
ID VU:248337
Type cert
Reporter CERT
Modified 2003-06-13T00:00:00

Description

Overview

A vulnerability in OnlineJFS could allow an intruder to gain greater access than expected.

Description

OnlineJFS "provides the online management of the Journaled File System (JFS), a high-integrity, highly available file system supported by HP-UX." According to Hewlett-Packard, there is a vulnerability in OnlineJFS 3.1 in which the sticky bit does not function properly.

The sticky bit is a frequently-implemented but non-standard extension to the standard UNIX permission scheme. The symbolic representation of this bit is S_ISVTX, which is mnemonic for "save text." Historically, the sticky bit related to keeping executable files in memory for faster activation (the file would stick in memory). Many systems that implement sticky bits have abandoned this meaning entirely, although HP-UX retains it.

The most common modern meaning of sticky bits is in the context of directories. When the sticky bit is set on a directory, files in that directory cannot be moved or renamed, except by the owner or superuser, even if the privileges on the file would otherwise permit such modifications. The sticky bit is commonly set on the /tmp directory as a security measure. See for example VU#10277, VU#426273 and the Unix Security Checklist.

On HP-UX, the sticky bit has meaning for files, directories, and symbolic links. Furthermore, the sticky bit has meaning when an executable file is loaded remotely. For a description of these different behaviors, see the comp.sys.hp.hpux FAQ.

The specific failure of OnlineJFS regarding sticky bits is unknown. It is likely that at least one security impact of this vulnerability is that the sticky bit on directories is ignored, allowing a variety of race conditions to occur, which could subsequently lead to root access.
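An added example, not part of the CERT note or HP's material: a small C audit tool that flags group- or world-writable directories lacking S_ISVTX, together with a function giving the rename/remove decision a correctly behaving filesystem is expected to make. The function names are hypothetical, and the directory-owner exemption is an assumption based on common UNIX behavior. It inspects mode bits only and cannot tell whether the filesystem enforces them.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

#ifndef S_ISVTX
#define S_ISVTX 01000   /* sticky bit, for strict builds that hide the macro */
#endif

/* Result of inspecting one directory's mode bits. */
enum dir_state { DIR_OK, DIR_UNPROTECTED, DIR_NOT_DIR, DIR_ERROR };

/* A directory that group or other can write to needs S_ISVTX; without it
 * any writer may rename or remove entries belonging to someone else. */
enum dir_state check_shared_dir(const char *path)
{
    struct stat st;

    if (stat(path, &st) != 0)
        return DIR_ERROR;
    if (!S_ISDIR(st.st_mode))
        return DIR_NOT_DIR;
    if ((st.st_mode & (S_IWGRP | S_IWOTH)) && !(st.st_mode & S_ISVTX))
        return DIR_UNPROTECTED;
    return DIR_OK;
}

/* Expected decision for a rename/remove by `caller`, who is assumed to have
 * write permission on the directory. Returns 1 if it should be allowed.
 * Assumption: the directory owner is also exempt, as on most UNIX systems;
 * the exact exemptions differ between implementations. */
int expect_rename_allowed(mode_t dir_mode, uid_t dir_owner,
                          uid_t file_owner, uid_t caller)
{
    if (!(dir_mode & S_ISVTX))
        return 1;                       /* no sticky bit: any writer may */
    return caller == 0 || caller == file_owner || caller == dir_owner;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "ok", "WRITABLE WITHOUT STICKY BIT",
                                   "not a directory", "cannot stat" };
    int i, bad = 0;

    for (i = 1; i < argc; i++) {        /* e.g. ./audit /tmp /var/tmp */
        enum dir_state s = check_shared_dir(argv[i]);
        printf("%s: %s\n", argv[i], names[s]);
        bad |= (s == DIR_UNPROTECTED);
    }
    return bad;                         /* non-zero if any directory is flagged */
}
```

On a system where a directory passes this check, observed behavior that differs from `expect_rename_allowed` (tested with two unprivileged accounts) indicates the filesystem is not honoring the bit.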


Impact

The specific impact of this vulnerability is unknown. The most likely case is that this vulnerability enables certain kinds of attacks which can lead to a root compromise.


Solution

Apply a patch as described in the vendor statement section of this document.


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Hewlett-Packard Company| | 14 Oct 2002| 13 Jun 2003

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://www.iss.net/security_center/static/10399.php>
  • <http://www.securityfocus.com/bid/5979>
  • <http://www.securityfocus.com/advisories/4569>
  • <http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B3929CA>
  • <http://www.faqs.org/faqs/hp/hpux-faq/>

Credit

Thanks to the HP IT Resource Center for reporting this vulnerability.

This document was written by Shawn V Hernan based on information from various HP documents.

Other Information

  • CVE IDs: Unknown
  • Date Public: 14 Oct 2002
  • Date First Published: 13 Jun 2003
  • Date Last Updated: 13 Jun 2003
  • Severity Metric: 17.63
  • Document Revision: 13