Vulnerability

    cdmount

Affected

    AIX

Description

The following is based on an Internet Security Systems Security Advisory. The AIX cdmount program allows regular users to mount CD-ROM filesystems. This program is basically a SUID root wrapper around the mount command. Insecure handling of the arguments to cdmount may allow a local regular user to execute commands as root. Local users may gain root privileges.

Affected systems are AIX systems with the LPP UMS.objects 2.3.0.0 and below installed. Use the following command to verify whether a vulnerable version is installed:

    lslpp -l UMS.objects

The cdmount program is part of the AIX UltiMedia Services (UMS) package. UMS provides multimedia applications to AIX workstations. The cdmount program is normally used as a helper to UMS multimedia players. It has SUID root permissions to allow regular users to mount a CD-ROM.

The system() library subroutine is used within cdmount to invoke the mount program. This subroutine spawns a shell to execute the mount command with arguments provided by the user. An attacker may execute arbitrary commands as root by calling cdmount with arguments containing shell metacharacters.

Solution

ISS recommends removing the SUID bit from cdmount by executing the following command:

    # chmod 555 /usr/lpp/UMS/bin/cdmount

IBM is currently working on the following APAR (Authorized Problem Analysis Report), which will be available soon:

    APAR 4.3.x: IY10903

Until the official fix is available, if UMS is not being used, IBM recommends uninstalling UMS or removing the SUID bit from cdmount. APARs may be ordered using Electronic Fix Distribution (via FixDist) or from the IBM Support Center.
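As an added illustration (not code from the advisory, ISS, or IBM), the C example below shows the no-shell alternative to the system() call described above: allow-list each argument, then fork and execve the mount program with an argument vector and a fixed environment, so no shell ever parses user input. The function names, the /dev/ and /mnt/ prefixes, and the mount options are assumptions made for the example.

```c
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern the advisory describes (shown only as a comment):
 *   sprintf(cmd, "mount ... %s", user_arg); system(cmd);
 * system() hands the whole string to a shell, so the shell parses user_arg. */

#define SAFE_CHARS \
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"

/* Allow-list check: `prefix` followed by one or more SAFE_CHARS, nothing else.
 * The prefixes used below are assumptions, not cdmount's real interface. */
int valid_arg(const char *s, const char *prefix) {
    size_t p = strlen(prefix);
    if (s == NULL || strncmp(s, prefix, p) != 0 || s[p] == '\0' || strlen(s) > 64)
        return 0;
    return s[p + strspn(s + p, SAFE_CHARS)] == '\0';
}

/* Run prog with argv directly: no shell, fixed minimal environment.
 * Returns the child's exit status (127 if exec failed), -1 on fork/wait error. */
int run_noshell(const char *prog, char *const argv[]) {
    char *const envp[] = { "PATH=/usr/bin:/usr/sbin", NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(prog, argv, envp);   /* each argv element stays one argument */
        _exit(127);                 /* only reached if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Hypothetical wrapper entry point: returns -2 if an argument is rejected,
 * otherwise the exit status of mount_prog (an absolute path chosen by the
 * wrapper, never by the user). */
int mount_cd(const char *mount_prog, const char *dev, const char *dir) {
    if (!valid_arg(dev, "/dev/") || !valid_arg(dir, "/mnt/"))
        return -2;
    char *const argv[] = { "mount", "-o", "ro", (char *)dev, (char *)dir, NULL };
    return run_noshell(mount_prog, argv);
}
```

Validation and the argument vector are independent layers: even if the allow-list were loosened, execve would still pass each value to mount as a single argument rather than as shell input.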