Vulnerabilities > CVE-2017-1692 - Unspecified vulnerability in IBM AIX
Attack vector
LOCAL Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
IBM AIX 5.3, 6.1, 7.1, and 7.2 contains an unspecified vulnerability that would allow a locally authenticated user to obtain root level privileges. IBM X-Force ID: 134067.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | 4 |
Nessus
NASL family AIX Local Security Checks NASL id AIX_SUID_ADVISORY_BELLMAIL.NASL description The version of bellmail installed on the remote AIX host is affected by a privilege escalation vulnerability. A local attacker can exploit this to gain root privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 111969 published 2018-08-17 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111969 title AIX bellmail Advisory : suid_advisory.asc (IV97356) (IV99497) (IV99498) (IV99499) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(111969); script_version("1.2"); script_cvs_date("Date: 2018/09/17 21:46:52"); script_cve_id("CVE-2017-1692"); script_name(english:"AIX bellmail Advisory : suid_advisory.asc (IV97356) (IV99497) (IV99498) (IV99499)"); script_summary(english:"Checks the version of the bellmail packages."); script_set_attribute(attribute:"synopsis", value: "The remote AIX host has a version of bellmail installed that is affected by a privilege escalation vulnerability."); script_set_attribute(attribute:"description", value: "The version of bellmail installed on the remote AIX host is affected by a privilege escalation vulnerability. A local attacker can exploit this to gain root privileges."); script_set_attribute(attribute:"see_also", value:"http://aix.software.ibm.com/aix/efixes/security/suid_advisory.asc"); script_set_attribute(attribute:"solution", value: "A fix is available and can be downloaded from the IBM AIX website."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-1692"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/05"); script_set_attribute(attribute:"patch_publication_date", value:"2018/02/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/17"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:ibm:aix"); script_set_attribute(attribute:"cpe", value:"x-cpe:/a:bellmail:bellmail"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"AIX Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/AIX/lslpp", "Host/local_checks_enabled", "Host/AIX/version"); exit(0); } include("aix.inc"); include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); oslevel = get_kb_item("Host/AIX/version"); if (isnull(oslevel)) audit(AUDIT_UNKNOWN_APP_VER, "AIX"); oslevel = oslevel - "AIX-"; oslevelcomplete = chomp(get_kb_item("Host/AIX/oslevelsp")); if (isnull(oslevelcomplete)) audit(AUDIT_UNKNOWN_APP_VER, "AIX"); oslevelparts = split(oslevelcomplete, sep:'-', keep:0); if ( max_index(oslevelparts) != 4 ) audit(AUDIT_UNKNOWN_APP_VER, "AIX"); ml = oslevelparts[1]; sp = oslevelparts[2]; if ( ! get_kb_item("Host/AIX/lslpp") ) audit(AUDIT_PACKAGE_LIST_MISSING); if ( get_kb_item("Host/AIX/emgr_failure" ) ) exit(0, "This AIX package check is disabled because : "+get_kb_item("Host/AIX/emgr_failure") ); flag = 0; aix_bellmail_vulns = { "6.1": { "09": { "07": { "bos.net.tcp.client": { "minfilesetver":"6.1.9.0", "maxfilesetver":"6.1.9.201", "patch":"(IV97356m9a)" } }, "08": { "bos.net.tcp.client": { "minfilesetver":"6.1.9.0", "maxfilesetver":"6.1.9.201", "patch":"(IV97356m9a)" } }, "09": { "bos.net.tcp.client": { "minfilesetver":"6.1.9.0", "maxfilesetver":"6.1.9.201", "patch":"(IV97356m9a)" } } } }, "7.1": { "04": { "03": { "bos.net.tcp.client": { "minfilesetver":"7.1.4.0", "maxfilesetver":"7.1.4.32", "patch":"(IV99497m5a)" } }, "04": { "bos.net.tcp.client": { "minfilesetver":"7.1.4.0", "maxfilesetver":"7.1.4.32", "patch":"(IV99497m5a)" } }, "05": { "bos.net.tcp.client": { "minfilesetver":"7.1.4.0", "maxfilesetver":"7.1.4.32", "patch":"(IV99497m5a)" } } } }, "7.2": { "00": { "03": { "bos.net.tcp.client_core": { "minfilesetver":"7.2.0.0", "maxfilesetver":"7.2.0.4", "patch":"(IV99498m5a)" } }, "04": { "bos.net.tcp.client_core": { "minfilesetver":"7.2.0.0", "maxfilesetver":"7.2.0.4", "patch":"(IV99498m5a)" } }, "05": { "bos.net.tcp.client_core": { "minfilesetver":"7.2.0.0", "maxfilesetver":"7.2.0.4", "patch":"(IV99498m5a)" } } }, "01": { "01": { "bos.net.tcp.client_core": { "minfilesetver":"7.2.1.0", "maxfilesetver":"7.2.1.2", "patch":"(IV99499m3a)" } }, "02": { "bos.net.tcp.client_core": { "minfilesetver":"7.2.1.0", "maxfilesetver":"7.2.1.2", "patch":"(IV99499m3a)" }, }, "03": { "bos.net.tcp.client_core": { "minfilesetver":"7.2.1.0", "maxfilesetver":"7.2.1.2", "patch":"(IV99499m3a)" } } } } }; version_report = "AIX " + oslevel; if ( empty_or_null(aix_bellmail_vulns[oslevel]) ) { os_options = join( sort( keys(aix_bellmail_vulns) ), sep:' / ' ); audit(AUDIT_OS_NOT, os_options, version_report); } version_report = version_report + " ML " + ml; if ( empty_or_null(aix_bellmail_vulns[oslevel][ml]) ) { ml_options = join( sort( keys(aix_bellmail_vulns[oslevel]) ), sep:' / ' ); audit(AUDIT_OS_NOT, "ML " + ml_options, version_report); } version_report = version_report + " SP " + sp; if ( empty_or_null(aix_bellmail_vulns[oslevel][ml][sp]) ) { sp_options = join( sort( keys(aix_bellmail_vulns[oslevel][ml]) ), sep:' / ' ); audit(AUDIT_OS_NOT, "SP " + sp_options, version_report); } foreach package ( keys(aix_bellmail_vulns[oslevel][ml][sp]) ) { package_info = aix_bellmail_vulns[oslevel][ml][sp][package]; minfilesetver = package_info["minfilesetver"]; maxfilesetver = package_info["maxfilesetver"]; patch = package_info["patch"]; if (aix_check_ifix(release:oslevel, ml:ml, sp:sp, patch:patch, package:package, minfilesetver:minfilesetver, maxfilesetver:maxfilesetver) < 0) flag++; } if (flag) { aix_report_extra = ereg_replace(string:aix_report_get(), pattern:"[()]", replace:""); aix_report_extra = ereg_replace(string:aix_report_extra, pattern:"[|]", replace:" or "); security_report_v4( port : 0, severity : SECURITY_HOLE, extra : aix_report_extra ); } else { tested = aix_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bos.net.tcp.client / bos.net.tcp.client_core"); }
NASL family AIX Local Security Checks NASL id AIX_SUID_ADVISORY_LQUERYPV.NASL description The version of lquerypv installed on the remote AIX host is affected by a privilege escalation vulnerability. A local attacker can exploit this to gain root privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 111971 published 2018-08-17 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111971 title AIX lquerypv Advisory : suid_advisory.asc (IJ00951) (IV99548) (IV99550) (IV99551) (IV99552) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(111971); script_version("1.2"); script_cvs_date("Date: 2018/09/17 21:46:52"); script_cve_id("CVE-2017-1692"); script_name(english:"AIX lquerypv Advisory : suid_advisory.asc (IJ00951) (IV99548) (IV99550) (IV99551) (IV99552)"); script_summary(english:"Checks the version of the lquerypv packages."); script_set_attribute(attribute:"synopsis", value: "The remote AIX host has a version of lquerypv installed that is affected by a privilege escalation vulnerability."); script_set_attribute(attribute:"description", value: "The version of lquerypv installed on the remote AIX host is affected by a privilege escalation vulnerability. A local attacker can exploit this to gain root privileges."); script_set_attribute(attribute:"see_also", value:"http://aix.software.ibm.com/aix/efixes/security/suid_advisory.asc"); script_set_attribute(attribute:"solution", value: "A fix is available and can be downloaded from the IBM AIX website."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-1692"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/05"); script_set_attribute(attribute:"patch_publication_date", value:"2018/02/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/17"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:ibm:aix"); script_set_attribute(attribute:"cpe", value:"x-cpe:/a:lquerypv:lquerypv"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"AIX Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/AIX/lslpp", "Host/local_checks_enabled", "Host/AIX/version"); exit(0); } include("aix.inc"); include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); oslevel = get_kb_item("Host/AIX/version"); if (isnull(oslevel)) audit(AUDIT_UNKNOWN_APP_VER, "AIX"); oslevel = oslevel - "AIX-"; oslevelcomplete = chomp(get_kb_item("Host/AIX/oslevelsp")); if (isnull(oslevelcomplete)) audit(AUDIT_UNKNOWN_APP_VER, "AIX"); oslevelparts = split(oslevelcomplete, sep:'-', keep:0); if ( max_index(oslevelparts) != 4 ) audit(AUDIT_UNKNOWN_APP_VER, "AIX"); ml = oslevelparts[1]; sp = oslevelparts[2]; if ( ! get_kb_item("Host/AIX/lslpp") ) audit(AUDIT_PACKAGE_LIST_MISSING); if ( get_kb_item("Host/AIX/emgr_failure" ) ) exit(0, "This AIX package check is disabled because : "+get_kb_item("Host/AIX/emgr_failure") ); flag = 0; aix_lquerypv_vulns = { "5.3": { "12": { "09": { "bos.rte.lvm": { "minfilesetver":"5.3.12.0", "maxfilesetver":"5.3.12.8", "patch":"(IJ00951s9a)" } } } }, "6.1": { "09": { "07": { "bos.rte.lvm": { "minfilesetver":"6.1.9.0", "maxfilesetver":"6.1.9.201", "patch":"(IV99548m9a)" } }, "08": { "bos.rte.lvm": { "minfilesetver":"6.1.9.0", "maxfilesetver":"6.1.9.201", "patch":"(IV99548m9a)" } }, "09": { "bos.rte.lvm": { "minfilesetver":"6.1.9.0", "maxfilesetver":"6.1.9.201", "patch":"(IV99548m9a)" } } } }, "7.1": { "04": { "03": { "bos.rte.lvm": { "minfilesetver":"7.1.4.0", "maxfilesetver":"7.1.4.32", "patch":"(IV99550m5a)" } }, "04": { "bos.rte.lvm": { "minfilesetver":"7.1.4.0", "maxfilesetver":"7.1.4.32", "patch":"(IV99550m5a)" } }, "05": { "bos.rte.lvm": { "minfilesetver":"7.1.4.0", "maxfilesetver":"7.1.4.32", "patch":"(IV99550m5a)" } } } }, "7.2": { "00": { "03": { "bos.rte.lvm": { "minfilesetver":"7.2.0.0", "maxfilesetver":"7.2.0.4", "patch":"(IV99551m5a)" } }, "04": { "bos.rte.lvm": { "minfilesetver":"7.2.0.0", "maxfilesetver":"7.2.0.4", "patch":"(IV99551m5a)" } }, "05": { "bos.rte.lvm": { "minfilesetver":"7.2.0.0", "maxfilesetver":"7.2.0.4", "patch":"(IV99551m5a)" } } }, "01": { "01": { "bos.rte.lvm": { "minfilesetver":"7.2.1.0", "maxfilesetver":"7.2.1.2", "patch":"(IV99552m3a)" } }, "02": { "bos.rte.lvm": { "minfilesetver":"7.2.1.0", "maxfilesetver":"7.2.1.2", "patch":"(IV99552m3a)" } }, "03": { "bos.rte.lvm": { "minfilesetver":"7.2.1.0", "maxfilesetver":"7.2.1.2", "patch":"(IV99552m3a)" } } } } }; version_report = "AIX " + oslevel; if ( empty_or_null(aix_lquerypv_vulns[oslevel]) ) { os_options = join( sort( keys(aix_lquerypv_vulns) ), sep:' / ' ); audit(AUDIT_OS_NOT, os_options, version_report); } version_report = version_report + " ML " + ml; if ( empty_or_null(aix_lquerypv_vulns[oslevel][ml]) ) { ml_options = join( sort( keys(aix_lquerypv_vulns[oslevel]) ), sep:' / ' ); audit(AUDIT_OS_NOT, "ML " + ml_options, version_report); } version_report = version_report + " SP " + sp; if ( empty_or_null(aix_lquerypv_vulns[oslevel][ml][sp]) ) { sp_options = join( sort( keys(aix_lquerypv_vulns[oslevel][ml]) ), sep:' / ' ); audit(AUDIT_OS_NOT, "SP " + sp_options, version_report); } foreach package ( keys(aix_lquerypv_vulns[oslevel][ml][sp]) ) { package_info = aix_lquerypv_vulns[oslevel][ml][sp][package]; minfilesetver = package_info["minfilesetver"]; maxfilesetver = package_info["maxfilesetver"]; patch = package_info["patch"]; if (aix_check_ifix(release:oslevel, ml:ml, sp:sp, patch:patch, package:package, minfilesetver:minfilesetver, maxfilesetver:maxfilesetver) < 0) flag++; } if (flag) { aix_report_extra = ereg_replace(string:aix_report_get(), pattern:"[()]", replace:""); aix_report_extra = ereg_replace(string:aix_report_extra, pattern:"[|]", replace:" or "); security_report_v4( port : 0, severity : SECURITY_HOLE, extra : aix_report_extra ); } else { tested = aix_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bos.rte.lvm"); }
NASL family AIX Local Security Checks NASL id AIX_SUID_ADVISORY_RESTBYINODE.NASL description The version of restbyinode installed on the remote AIX host is affected by a privilege escalation vulnerability. A local attacker can exploit this to gain root privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 111972 published 2018-08-17 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111972 title AIX restbyinode Advisory : suid_advisory.asc (IV97852) (IV97957) (IV97958) (IV97959) (IV98013) NASL family AIX Local Security Checks NASL id AIX_SUID_ADVISORY_BOS_ACCT.NASL description The version of bos_acct installed on the remote AIX host is affected by a privilege escalation vulnerability. A local attacker can exploit this to gain root privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 111970 published 2018-08-17 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111970 title AIX bos.acct Advisory : suid_advisory.asc (IV97810) (IV97811) (IV97896) (IV97897) (IV97898) (IV97899) (IV97900) (IV97901)
References
- http://aix.software.ibm.com/aix/efixes/security/suid_advisory.asc
- http://aix.software.ibm.com/aix/efixes/security/suid_advisory.asc
- http://www.securitytracker.com/id/1040330
- http://www.securitytracker.com/id/1040330
- https://exchange.xforce.ibmcloud.com/vulnerabilities/134067
- https://exchange.xforce.ibmcloud.com/vulnerabilities/134067