`Date: Tue, 25 May 1999 20:33:53 +0100
From: Paul Cammidge <[email protected]>
To: [email protected]
Subject: IBM eNetwork Firewall for AIX
The IBM eNetwork Firewall for AIX contains some poorly written scripts,
which create temporary files in /tmp without making any attempt to
validate the existence of the file. This allows any user with shell
access to such a firewall to corrupt or possibly modify system files by
creating links, pipes, etc with the same name.
In a simple example submitted to IBM, /etc/passwd was overwritten. This
example has been published on one of their support web pages as a 'local
fix'.
The problem was reported to IBM early in January. To the best of my
knowledge, the correct procedures have been followed. Initially, IBM
responded by telling me that it was common practice for software to make
use of /tmp. They suggested changing the permissions to prevent users
from creating symbolic links to sensitive files.
An APAR (IR39562) was opened on 18/01/99 and closed on 13/03/99. The
fix has not yet been released. This definitely applies to version 3.2,
and probably others.
Anyone running this software who has users with shell accounts should be
aware that the potential exists for these users to corrupt files which
they don't have access to.
cheers
paul
--------------------------------------------------------------------------
Date: Sat, 29 May 1999 00:29:25 +0200
From: Marc Heuse <[email protected]>
To: [email protected]
Subject: Re: IBM eNetwork Firewall for AIX
Hi Paul,
> The IBM eNetwork Firewall for AIX contains some poorly written scripts,
> which create temporary files in /tmp without making any attempt to
> validate the existence of the file. This allows any user with shell
> access to such a firewall to corrupt or possibly modify system files by
> creating links, pipes, etc with the same name.
you are right, all their scripts have got link vulnerabilities ...
> The problem was reported to IBM early in January. To the best of my
> knowledge, the correct procedures have been followed. Initially, IBM
> responded by telling me that it was common practice for software to make
> use of /tmp. They suggested changing the permissions to prevent users
> from creating symbolic links to sensitive files.
when I found these in an audit at a customer in February, I opened an APAR
too, but then discovered yours. When I saw that yours was opened a month
before mine and not being dealt with, I made noise at IBM management and
the AIX Security Team, that they issued an emergency fix.
But this fix is only available for those who know that it exists - anyway, the
quick fix still has /tmp races all over the place - they just added "rm -f
file" the line before writing into it ....
> An APAR (IR39562) was opened on 18/01/99 and closed on 13/03/99. The
> fix has not yet been released. This definitely applies to version 3.2,
> and probably others.
I heard that the next IBM Firewall version will fix this ... bah - maybe
with that quick "fix" ...
But to set one thing straight: It's *not* IBM's fault. The IBM Firewall is a
product of another company called Raleigh (I hope that's spelled correctly).
In fact, the IBM AIX Security Team, especially Troy Bollinger, was very
helpful and getting a fix - a correct one - out. It's the other company
who writes security software but really seems to have no knowledge.
sad but true
Greets,
Marc
--
Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: [email protected] Function: Security Support & Auditing
"lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C
--------------------------------------------------------------------------
Date: Sat, 29 May 1999 13:42:25 +0200
From: Andreas Siegert <[email protected]>
To: [email protected]
Subject: Re: IBM eNetwork Firewall for AIX
Hi Marc!
Quoting Marc Heuse ([email protected]) on Sat, May 29, 1999 at 12:29:25AM +0200:
> But to set one thing straight: It's *not* IBM's fault. The IBM Firewall is a
> product of another company called Raleigh (I hope that's spelled correctly).
> In fact, the IBM AIX Security Team, especially Troy Bollinger, was very
> helpful and getting a fix - a correct one - out. It's the other company
> who writes security software but really seems to have no knowledge.
> sad but true
Unfortunately Raleigh is not another company, Raleigh (or RTP) in this case is
the location in North Carolina of the IBM people who produce the IBM firewall
and most other IBM products related to networking, whereas AIX is developed
in Austin, TX. So it is unfortunately really a full IBM product :-(
Me thinks Austin should have developed the IBM firewall, the result would
probably be much more satisfying.
AIX 4.3 now has a good packet filter as well as IPSEC support (even though
most people in AIX land don't seem to know) and there are enough free proxy
solutions out there to build a decent firewall with AIX without the need to
use the stuff from Raleigh.
afx
--
Hackito ergo sum!
`
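The fixed-name write and the "rm -f, then write" quick fix discussed in the thread, next to a private-directory alternative, as an added example that is not part of the original posts or of the IBM scripts. It runs entirely in a constructed sandbox; the name `fwscript.tmp`, the sandbox layout and the availability of `mktemp(1)` are assumptions.

```shell
#!/bin/sh
# Constructed sandbox: $SHARED stands in for /tmp, $PROTECTED for a system file.
SANDBOX=$(mktemp -d) || exit 1
trap 'rm -rf "$SANDBOX"' EXIT
SHARED="$SANDBOX/tmp"; mkdir "$SHARED"
PROTECTED="$SANDBOX/protected"
TMPNAME="$SHARED/fwscript.tmp"      # hypothetical predictable name

reset_sandbox() { rm -f "$TMPNAME"; printf 'original\n' > "$PROTECTED"; }
protected_intact() { [ "$(cat "$PROTECTED")" = "original" ]; }

# Models another local user creating the name first, as a link.
plant_link() { ln -s "$PROTECTED" "$TMPNAME"; }

# Pattern from the report: write to a fixed name, no check of what is there.
write_fixed_name() { echo "scratch data" > "$TMPNAME"; }

# The "rm -f, then write" quick fix. $1 (optional) is a command run between
# the two steps, modelling a process that wins the race for the name.
write_rm_then_write() {
    rm -f "$TMPNAME"
    "${1:-true}"
    echo "scratch data" > "$TMPNAME"
}

# Hardened: a private directory (mode 0700, unpredictable name, created
# atomically by mktemp -d); names inside it cannot be pre-created by others.
write_private_dir() {
    d=$(mktemp -d "$SHARED/fwscript.XXXXXX") || return 1
    echo "scratch data" > "$d/work"
    echo "$d/work"
}

report() { if protected_intact; then echo "$1: intact"; else echo "$1: OVERWRITTEN"; fi; }

reset_sandbox; plant_link; write_fixed_name;              report "fixed name"
reset_sandbox; plant_link; write_rm_then_write;           report "rm -f, no race"
reset_sandbox; write_rm_then_write plant_link;            report "rm -f, race lost"
reset_sandbox; plant_link; write_private_dir >/dev/null;  report "mktemp -d"
```

The third case is why the quick fix is not sufficient: the unlink and the open are two separate steps, and the name can change between them.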