1. Introduction
The AIX bos.acct package is affected by a privilege escalation vulnerability, tracked by IBM in suid_advisory.asc as IV97810 and IV97811. A local attacker could exploit it to gain root privileges on the system, which poses a high risk to the confidentiality, integrity, and availability of data and services running on affected AIX hosts.
2. Technical Explanation
The vulnerability exists because files within the bos.acct package are installed with insecure permissions. A local attacker can modify these files so that arbitrary code executes with root privileges. The CVE associated with this issue is CVE-2017-1692.
- Root cause: Incorrect file permissions allow unauthorized modification of critical system files.
- Exploit mechanism: An attacker modifies a setuid executable within bos.acct so that it runs a shell script or other malicious code as root, for example by overwriting the contents of a setuid binary with their own code.
- Scope: AIX systems running vulnerable versions of the bos.acct package are affected.
3. Detection and Assessment
You can confirm whether your system is vulnerable by checking the installed version of bos.acct or by looking for the insecure file permissions.
- Quick checks: Use the following command to list the installed bos.acct fileset and its level:
  lslpp -l bos.acct
- Scanning: Nessus plugin ID 1048956 can detect this vulnerability, but results should be verified manually.
- Logs and evidence: Check system logs for unusual file modifications within the /opt/bos.acct directory.
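As an added example that is not part of the IBM advisory, the following POSIX shell script implements the file-permission check described above: it flags setuid or setgid files in the bos.acct fileset that are also group- or world-writable. The function names are hypothetical, the live path assumes AIX lslpp -f and ls -ld output, and the sample listing is constructed.

```sh
#!/bin/sh
# Added example, not part of the IBM advisory: flag setuid/setgid files in the
# bos.acct fileset that are also group- or world-writable, the condition the
# advisory describes. Function names are hypothetical; the live path assumes
# AIX `lslpp -f` and `ls -ld` output. The sample listing below is constructed.

# Read `ls -ld` lines on stdin. Print each path whose mode has a setuid or
# setgid bit (chars 4 or 7) AND a group- or world-write bit (chars 6 or 9).
# Exit 1 if anything was flagged, 0 otherwise.
flag_writable_setuid() {
    awk '
        NF >= 9 {
            mode = $1; path = $NF
            suid   = (substr(mode, 4, 1) ~ /[sS]/) || (substr(mode, 7, 1) ~ /[sS]/)
            gwrite = (substr(mode, 6, 1) == "w")
            owrite = (substr(mode, 9, 1) == "w")
            if (suid && (gwrite || owrite)) { print path; found = 1 }
        }
        END { if (found) exit 1; exit 0 }
    '
}

# Live check on an AIX host: take every absolute path that lslpp -f reports
# for the fileset, long-list it, and pass the listing to the filter above.
audit_bos_acct() {
    lslpp -f bos.acct \
      | awk '$1 != "Path:" { for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; break } }' \
      | xargs ls -ld 2>/dev/null \
      | flag_writable_setuid
}

# Constructed sample (paths illustrative, not taken from a real system):
# a correctly permissioned setuid file, a world-writable setuid file,
# a group-writable setgid file, and a world-writable file with no setuid bit.
SAMPLE_LISTING='-rwsr-xr-x 1 root system 45678 Aug 01 2017 /usr/sbin/acct/accton
-rwsr-xrwx 1 root system 23456 Aug 01 2017 /usr/sbin/acct/acctctl
-rwxrwsr-x 1 root adm    12345 Aug 01 2017 /usr/sbin/acct/acctwtmp
-rw-rw-rw- 1 root system  1024 Aug 01 2017 /var/adm/wtmp'

# Run against the live host with --live; otherwise demonstrate on the sample.
if [ "${1:-}" = "--live" ]; then
    audit_bos_acct || echo "insecure setuid/setgid file(s) found in bos.acct"
else
    printf '%s\n' "$SAMPLE_LISTING" | flag_writable_setuid \
      || echo "insecure setuid/setgid file(s) found in sample"
fi
```

On the sample, only the world-writable setuid file and the group-writable setgid file are printed; a clean listing prints nothing and exits 0.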
4. Solution / Remediation Steps
Apply the fix available from IBM to resolve this vulnerability.
4.1 Preparation
- No services need to be stopped for this update.
- Roll back plan: If the patch causes issues, restore from backup or revert the snapshot. Change window approval may be required depending on internal policies.
4.2 Implementation
- Step 1: Download the appropriate fix package from https://aix.software.ibm.com/aix/efixes/security/suid_advisory.asc
- Step 2: Install the fix package with installp, pointing -d at the directory holding the downloaded fix (<fix_directory> is a placeholder):
  installp -a -d <fix_directory> bos.acct
- Step 3: Verify the installation was successful by checking the installed files and versions.
4.3 Config or Code Example
No configuration change is needed; this vulnerability requires a patch.
Before
# No relevant configuration changes before applying the fix
After
# Verify installation with lslpp -l bos.acct after patching. Permissions will be corrected by the patch.
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent this type of issue.
- Practice 1: Least privilege – Limit user accounts’ access rights to only what is necessary, reducing potential impact if an account is compromised.
- Practice 2: Patch cadence – Regularly apply security patches and updates to address known vulnerabilities promptly.
4.5 Automation (Optional)
Automation scripts are not provided as this requires specific system configurations.
5. Verification / Validation
Confirm the fix by verifying the installed version of bos.acct and re-running the detection check.
- Post-fix check: Run
  lslpp -l bos.acct
  to confirm the patch is installed and the package level has been updated.
- Re-test: Re-run the initial detection command
  lslpp -l bos.acct
  to ensure it shows the patched level.
- Smoke test: Verify that core system functionality, such as user login and basic file operations, still works correctly.
6. Preventive Measures and Monitoring
Regular security baselines and asset management can help prevent this issue.
- Baselines: Update your AIX security baseline to include the latest patch levels for all packages, including bos.acct.
- Asset and patch process: Establish a regular patch review cycle (e.g., weekly or monthly) to ensure timely application of security updates.
7. Risks, Side Effects, and Roll Back
Applying the patch may cause a brief service interruption during installation.
- Risk or side effect 1: Potential for brief service interruption during patch installation. Mitigation: Schedule patching during a maintenance window.
8. References and Resources
Refer to official IBM documentation for more information.
- Vendor advisory or bulletin: https://aix.software.ibm.com/aix/efixes/security/suid_advisory.asc
- NVD or CVE entry: CVE-2017-1692