NSFOCUS Security Advisory(SA2006-02)
Topic: IBM AIX mklvcopy Local Privilege Escalation Vulnerability
Release Date: 2006-04-24
CVE CAN ID : CVE-2006-1246

Affected system:
================
- IBM AIX 5.3

Unaffected system:
==================

Impact:
=======
NSFocus Security Team discovered a local privilege escalation vulnerability in IBM AIX mklvcopy which allows members of the local system group to gain root privileges.

Description:
============
The mklvcopy command shipped with IBM AIX 5.3 is used to increase the number of copies in each logical partition in LogicalVolume. By default mklvcopy is installed with the suid root bit set and can be run by system group users.

mklvcopy contains a vulnerability in the way it calls external commands, which allows a local attacker to execute arbitrary commands as root. Successful exploitation requires that the attacker first gain system group privileges.

Workaround:
===========
Remove the suid root bit from mklvcopy.

# chmod a-s /usr/sbin/mklvcopy
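
Added example (not part of the NSFOCUS advisory): a shell check that reports whether the s-bits are still set on the binary and confirms that the workaround above took effect. The function names and the TARGET variable are assumptions of this example; the path is the one given in the advisory.

```shell
#!/bin/sh
# Added example: audit the s-bit state of mklvcopy and verify the workaround.
# TARGET and both function names are hypothetical, not part of AIX.
TARGET="${TARGET:-/usr/sbin/mklvcopy}"

# Print one of: missing, setuid, setgid-only, clear
suid_state() {
    f="$1"
    [ -f "$f" ] || { echo missing; return 0; }
    if [ -n "$(find "$f" -prune -perm -4000 2>/dev/null)" ]; then
        echo setuid
    elif [ -n "$(find "$f" -prune -perm -2000 2>/dev/null)" ]; then
        echo setgid-only
    else
        echo clear
    fi
}

# Run the advisory's "chmod a-s" and confirm no s-bit remains.
# Returns 0 when the file is absent or ends up clear, 1 otherwise.
apply_workaround() {
    f="$1"
    case "$(suid_state "$f")" in
        missing) echo "$f: not present"; return 0 ;;
        clear)   echo "$f: no s-bit set, nothing to do"; return 0 ;;
    esac
    chmod a-s "$f" || return 1
    [ "$(suid_state "$f")" = clear ]
}

# Report only; pass --fix (as root) to apply the workaround to TARGET.
if [ "${1:-}" = "--fix" ]; then
    apply_workaround "$TARGET" && echo "$TARGET: $(suid_state "$TARGET")"
elif [ "${1:-}" = "--report" ]; then
    echo "$TARGET: $(suid_state "$TARGET")"
fi
```

A later fileset update can restore the original mode, so the report is worth re-running after any maintenance on the system.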

Vendor Status:
==============
The vendor has released Patch APAR IY82739 to fix the vulnerability. The related link is:
http://www-1.ibm.com/support/docview.wss?uid=isg1IY82739

AIX 5 APAR Patch can be downloaded at:
http://www.ibm.com/servers/eserver/support/unixservers/aixfixes.html

The temporary patch for the vulnerability can be downloaded at:
ftp://aix.software.ibm.com/aix/efixes/security/mklvcopy_ifix.tar.Z

Additional Information:
=======================
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2006-1246 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Candidates may change significantly before they become official CVE entries.

Credit:
=======
Yang Jilong of NSFocus Security Team found the vulnerability.