TUCoPS :: Networks :: 46.txt

CORRECTION FOR FTP RELATED SECURITY FLAW

********************************************************************** 
DDN MGT Bulletin 46              DCA DDN Defense Communications System   
1 Dec 88                         Published by: DDN Network Info Center
                                    (NIC@SRI-NIC.ARPA)  (800) 235-3155


                        DEFENSE  DATA  NETWORK

                         MANAGEMENT  BULLETIN

The DDN MANAGEMENT BULLETIN is distributed online by the DDN Network
Information Center under DCA contract as a means of communicating
official policy, procedures and other information of concern to
management personnel at DDN facilities.  Back issues may be read
through the TACNEWS server ("@n" command at the TAC) or may be
obtained by FTP (or Kermit) from the SRI-NIC host [26.0.0.73 or
10.0.0.51] using login="anonymous" and password="guest".  The pathname
for bulletins is DDN-NEWS:DDN-MGT-BULLETIN-nn.TXT (where "nn" is the
bulletin number).
**********************************************************************

            CORRECTION FOR FTP RELATED SECURITY FLAW

Vulnerabilities exist for sites using Berkeley UNIX software or
software derived from Berkeley UNIX.  If you don't know if your
system uses Berkeley derived UNIX, contact your vendor.
 
The following direction has been prepared with assistance from
Berkeley and the Computer Emergency Reaction Team (CERT).  The
fix was independently validated.  If you are running FTP service
(with ftpd) then you will need to take the following steps:
 
Steps (1), (2), and (3) below should be taken NOW.  Follow up
shortly afterward with the remaining steps.
 
(1) Become root.
 
(2) Remove the FTP server program (ftpd).  One of the following
will work.  It is OK to do all four.
    rm /etc/ftpd
    rm /usr/etc/ftpd
    rm /etc/in.ftpd
    rm /usr/etc/in.ftpd
 
(3) EITHER reboot your system OR kill the running ftpd process.
 
(4) You are safe at this point, but your system is no longer
providing an FTP server.  (You have removed the FTP server
program from your disk.)  NOTE: You will still be able to use
FTP to obtain the fix from the Network Information Center (NIC),
but you will not be able to accept externally initiated file
transfers.
 
(5) Obtain the ftpd fix from the NIC, from Berkeley, from the
CERT, or from your vendor.  Install according to the instructions.
NOTE: A version of the patch was disseminated about a month ago
from Berkeley, and many sites will already have installed the
fix.  The fix that is now being released is a slight improvement
to this earlier fix, and we suggest making this additional
upgrade.
 
The fix is available from the NIC through anonymous FTP.  To get
a copy:
 
    Open an FTP connection to SRI-NIC.ARPA
    Retrieve the contents of NETINFO:UNIX-FTPD.SHAR

(NOTE! If you obtained a copy of the fix prior to receiving this
 bulletin you will need to retrieve a fresh copy of the fix.)

For further information about the retrieval of the patch, call
the NIC at (800) 235-3155.
 
The fix is also available from the CERT; send computer mail to:
CERT [at] SEI.CMU.EDU to get the fix via computer mail.
 
(6) Once the fix is installed, you can resume providing an FTP
server.  For further information about the patch itself call
the Computer Emergency Response Team Coordination Center at
(412) 268-7090, Keith Bostic (Berkeley) at (415) 642-8524, or
Phil Lapsley or Peter Yee (Berkeley) at (415) 642-7447.
 
(7) Be sure you have installed the SENDMAIL and FINGERD fixes
that were previously provided (see DDN Management Bulletin #43).
It is important that these fixes be installed.  The FINGERD hole
is sufficiently dangerous that you should remove fingerd pending
installation of the fix.  Follow steps (1), (2), and (3) above
substituting "fingerd" for "ftpd".  The fixes for these problems
are also available from the NIC.
 
(8) If you are running an (obsolete) BSD 4.2 derived system, then
it is strongly advised that you obtain an upgrade to 4.3 (or its
descendants).


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH