_____________________________________________________
                          The U.S. Department of Energy
                       Computer Incident Advisory Capability
                              ___  __ __    _     ___
                             /       |     /_\   /
                             \___  __|__  /   \  \___
               _____________________________________________________

                               INFORMATION BULLETIN

                         IBM AIX bsh Queue Vulnerability


June 3, 1994 1500 PDT                                             Number E-29a
______________________________________________________________________________ 

PROBLEM:        Vulnerability in bsh batch queue allows unauthorized access.
PLATFORMS:      IBM AIX 3.2 and earlier.
DAMAGE:         Remote users may gain access to a privileged account.
SOLUTION:       Disable the bsh queue; obtain and install fix from IBM.
______________________________________________________________________________

VULNERABILITY   This vulnerability is being discussed on public mailing lists
ASSESSMENT:     and can be exploited remotely.  CIAC recommends that sites
                disable the bsh queue immediately.
______________________________________________________________________________

        Critical Information about the IBM AIX bsh Queue Vulnerability

CIAC has learned of a vulnerability in the bsh batch queue of IBM AIX systems
running AIX version 3.2 and earlier.  If network printing is enabled, the bsh
queue will permit users on remote systems to execute commands at an elevated
privilege.

CIAC recommends that the bsh queue be disabled immediately as described below.
Administrators should then obtain and install the appropriate fixes from IBM.

Few applications make use of the bsh queue, and IBM has agreed to disable the
queue by default in future AIX releases.  CIAC recommends that the bsh queue
be left disabled unless its functionality is explicitly required.

Disabling bsh
-------------
To disable the bsh queue, perform one of the following procedures:

    A.  As root, from the command line, enter:
        chqueue -qbsh -a"up = FALSE"

    B.  From SMIT enter:
        - Spooler
        - Manage Local Printer Subsystem
        - Local Printer Queues
        - Change/Show Characteristics of a Queue
          select bsh
        - Activate the Queue
          select no

Emergency Fix
-------------
IBM has made available an emergency fix for this vulnerability via anonymous
FTP from software.watson.ibm.com in the directory /pub/aix.  The fix is
contained in the compressed tar file bshfixN.tar.Z, where N is the current
version of the fix.  Installation instructions are provided in a README file
in the tar package.  

Please note: Due to the volatile nature of emergency fixes, IBM may
temporarily remove them from the FTP server while revisions are made.  If you
are unable to retrieve the fix from the FTP server, please try again at a
later time.

Official Fix
------------
The official fix for this problem will be available soon from IBM and can be
ordered as APAR IX44381.  To order an APAR from IBM in the U.S. call
1-800-237-5511 and ask for shipment as soon as it becomes available.  To
obtain APARS outside the U.S., contact a local IBM representative.

______________________________________________________________________________

CIAC thanks IBM and the CERT Coordination Center for the information provided
in this advisory.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:
    Voice:   510-422-8193
    FAX:     510-423-8002
    STU-III: 510-423-2604
    E-mail:  ciac@llnl.gov

Previous CIAC Bulletins and other information are available via anonymous
FTP from ciac.llnl.gov (IP address 128.115.19.53).

CIAC has several self-subscribing mailing lists for electronic publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical information,
   and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of
   SPI products.

CIAC's mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines.  To subscribe (add
yourself) to one of our mailing lists, send the following request as the
E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or
SPI-NOTES for "list-name" and valid information for "LastName" "FirstName" and
"PhoneNumber" when sending.

E-mail to ciac-listproc@llnl.gov:
          subscribe list-name  LastName, FirstName PhoneNumber
    e.g., subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or get
help.
______________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins.  If you are not part of these communities, please
contact your agency's response team to report incidents.  Your agency's team
will coordinate with CIAC.  The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization.  A list of FIRST member organizations
and their constituencies can be obtained by sending E-mail to
first-request@first.org with an empty subject line and a message body
containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of the
United States Government.  Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights.  Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring by
the United States Government or the University of California.  The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government nor the University of California, and shall not
be used for advertising or product endorsement purposes.