-----BEGIN PGP SIGNED MESSAGE-----
__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
NEC /UNIX "nosuid" mount option Vulnerability
October 14, 1997 20:00 GMT Number I-004
______________________________________________________________________________
PROBLEM: NEC Corporation has identified and corrected a vulnerability
with the "nosuid" mount(1) option.
PLATFORM: The following NEC/UNIX platforms are affected:
EWS-UX/V(Rel4.2) R7.x - R10.x
EWS-UX/V(Rel4.2MP) R10.x
UP-UX/V(Rel4.2MP) R5.x - R7.x
UX/4800 R11.x - 12.1
DAMAGE: Local users may invoke commands as other users and possibly
achieve root privileges to execute arbitrary commands.
SOLUTION: Apply patches or workarounds as listed below.
______________________________________________________________________________
VULNERABILITY NEC strongly recommends that administrators of affected systems
ASSESSMENT: follow the instructions in section 3 of this bulletin.
______________________________________________________________________________
[ Start NEC Corporation Advisory ]
______________________________________________________________________________
NEC Corporation Security Bulletin
Title: Vulnerability in "nosuid" mount option
Affects: EWS-UX/V(Rel4.2) R7.x - R10.x
EWS-UX/V(Rel4.2MP) R10.x
UP-UX/V(Rel4.2MP) R5.x - R7.x
UX/4800 R11.x - 12.1
Document ID: SB-19971010-01
Date Issued: October 10, 1997
______________________________________________________________________________
1. Description
NEC Corporation has identified and corrected a problem with the
"nosuid" mount(1) option. The "nosuid" mount(1) option nullifies
the effect of setuid and setgid bits for files on a particular file
system. This problem manifests itself by allowing setuid and setgid
program execution on file systems mounted with "nosuid".
The following NEC/UNIX platforms are affected:
EWS-UX/V(Rel4.2) R7.x - R10.x
EWS-UX/V(Rel4.2MP) R10.x
UP-UX/V(Rel4.2MP) R5.x - R7.x
UX/4800 R11.x - 12.1
NEC strongly recommends that administrators of affected systems
follow the instructions in section 3 of this bulletin.
2. Impact
By exploiting this vulnerability, local users can invoke commands
as other users and possibly achieve root privileges to execute
arbitrary commands.
3. Workarounds/Solution
The patches listed below change the way execution privileges are
calculated so that setuid and setgid bits are correctly ignored on
file systems mounted with the "nosuid" option.
Patches for platforms not listed in Section 3.2 are still in progress.
For these systems, we recommend either unmounting file systems mounted
"nosuid" or applying the workaround as described in Section 3.1 until
patches are made available.
3.1. Remove setuid/setgid permission (workaround)
To prevent possible exploitation of this vulnerability, until a patch
is made available for your platform, we recommend the following steps:
1) Make a local copy of each remote file system mounted with the
"nosuid" option.
# find <mountpoint> -depth -print | cpio -pdm <localcopy>
2) Unmount the remote file system and replace it with the local copy.
# umount <mountpoint>
# mount <localdev> <mountpoint>
3) Run the find(1) command below to remove all setuid and setgid bits
on files in the local copy of the remote hierarchy.
# find <mountpoint> -print -exec chmod ug-s {} \;
3.2. Install a patch
This vulnerability is corrected by the following patches:
OS version Patch ID
---------- --------
EWS-UX/V(Rel4.2) R7.x NECe70093
EWS-UX/V(Rel4.2) R8.x NECe80121
EWS-UX/V(Rel4.2) R9.x NECe90281, NECe90282(for 110N)
EWS-UX/V(Rel4.2) R10.x NECea0168
EWS-UX/V(Rel4.2MP) R10.x NECma0378
UP-UX/V(Rel4.2MP) R5.x NECu50078
UP-UX/V(Rel4.2MP) R6.x NECu60217
UP-UX/V(Rel4.2MP) R7.x NECu70541
UX/4800 R11.x NECmb0668
UX/4800 R12.x NECmc0054
See section 4 of this bulletin for checksum information.
These patches are available from:
ftp://ftp.meshnet.or.jp/pub/48pub/security
For a directory tree map, consult the README file.
For further information, please contact by e-mail:
UX48-security-support@nec.co.jp
4. Checksum and additional information for patches.
Patch ID: NECe70093
Patch : NECe70093.210.pkg.Z
Target Hardware: 210,120LT,215,130LT,210II
sum : 17018 22
md5 : 56CE37185FD7D5BCB6D28F6BD8DEFFBB
Patch : NECe70093.220.pkg.Z
Target Hardware: 220,260,230
sum : 16078 22
md5 : 251A0B2239B415A6F9324F68C99F8B14
Patch : NECe70093.330.pkg.Z
Target Hardware: 330,110LT,310,320,360
sum : 18075 22
md5 : 54A7DA54894E470CC8F4C879E6283AD0
Patch : NECe70093.350.pkg.Z
Target Hardware: 350,350F,380
sum : 892 21
md5 : BCBB5A319A0AB471ECB8EE5F154ECDCE
Patch ID: NECe80121
Patch : NECe80121.210.pkg.Z
Target Hardware: 210,120LT,215,130LT,210II
sum : 35542 21
md5 : 6D33DCE306B41996CB671EB9DB3DADD3
Patch : NECe80121.220.pkg.Z
Target Hardware: 220,260,230
sum : 19176 21
md5 : 32F955A3DEA4B76D552ACE5C3125AA9B
Patch : NECe80121.330.pkg.Z
Target Hardware: 330,110LT,310,320,360
140LT,150LT,360AD,360A,OM
sum : 6993 21
md5 : 9425197116B75C919B10DF0F2A948A78
Patch : NECe80121.350.pkg.Z
Target Hardware: 350,350F,380
sum : 4723 21
md5 : 5A86DA101711317C1DA87541155229CC
Patch ID: NECe90281
Patch : NECe90281.210.pkg.Z
Target Hardware: 210,120LT,215,130LT,210II
sum : 1426 20
md5 : 1BE96184A9C6645899DD6CFFC1C5E00D
Patch : NECe90281.220.pkg.Z
Target Hardware: 220,260,230
sum : 4671 20
md5 : CA002CF9C4B86880D044F320B80D9800
Patch : NECe90281.330.pkg.Z
Target Hardware: 330,110LT,310,320,360
140LT,150LT,360AD,360A,OM
310LC,320EX,320SX,330EX,330AD
360EX,360ADII
sum : 49879 20
md5 : 2045FF5FC608600DBE87D8C2AF08F7AA
Patch : NECe90281.350.pkg.Z
Target Hardware: 350,350F,380
sum : 53666 20
md5 : D0722E3257CEADFA8E3B60D68EAA9C8C
Patch ID: NECe90282
Patch : NECe90282.110N.pkg.Z
Target Hardware: 110N
sum : 49054 20
md5 : A244594291D8A8E398105EF1786B5A2A
Patch ID: NECma0378
Patch : NECma0378.330.pkg.Z
Target Hardware: 330,110LT,310,320,360
140LT,150LT,360AD,360A,OM
310LC,320EX,320SX,330EX,330AD
360EX,360ADII,320VX,360SX
sum : 62412 25
md5 : 0ABDB0D337474622A178B5A90010DF1F
Patch : NECma0378.360MP.pkg.Z
Target Hardware: 360MP
sum : 23244 25
md5 : 682AA6A8BC97E91DBC14253F8E9C6FFC
Patch ID: NECea0168
Patch : NECea0168.110N.pkg.Z
Target Hardware: 110N,310EC
sum : 13328 21
md5 : 21D6648E69158622AECAD8A1F1538511
Patch ID: NECmb0668
Patch : NECmb0668.110N.pkg.Z
Target Hardware: 110N,310EC,310LX,310ECII,110NII
sum : 61039 24
md5 : 066DBA2EBAAB87B10D3C55C4161232F1
Patch : NECmb0668.210.pkg.Z
Target Hardware: 210,120LT,215,130LT,210II
sum : 43893 24
md5 : D6A0A08C2008F11BF1D11D670910893F
Patch : NECmb0668.220.pkg.Z
Target Hardware: 220,260,230
sum : 47818 24
md5 : A93FA1EE90055120892BF96FED4071C9
Patch : NECmb0668.330.pkg.Z
Target Hardware: 330,110LT,310,320,360
140LT,150LT,360AD,360A,OM
310LC,320EX,320SX,330EX,330AD
360EX,360ADII,320VX,360SX
sum : 63097 24
md5 : FBEEC273976D44E8593791CBC3006E94
Patch : NECmb0668.350.pkg.Z
Target Hardware: 350,350F,380
sum : 46118 24
md5 : 14AFB2F7CBE0FECE66C43E15D53A6959
Patch : NECmb0668.360MP.pkg.Z
Target Hardware: 360MP
sum : 34423 24
md5 : 04FFC169C0056C2E0E991C5593EC13EB
Patch : NECmb0668.FM.pkg.Z
Target Hardware: 760,660R
sum : 34722 24
md5 : 0E875E8E6677223C19EF92FFD8AAA17B
Patch : NECmb0668.ML.pkg.Z
Target Hardware: 610
sum : 31695 24
md5 : 43F48AE10F46DD5675F54C4171979B93
Patch : NECmb0668.RH.pkg.Z
Target Hardware: 660,680,690,670,675
675AD
sum : 42993 24
md5 : 84FCEF5034A0E5A430367A6F4F813839
Patch : NECmb0668.RH0.pkg.Z
Target Hardware: 640,650
sum : 26945 24
md5 : 5CC49D44154183D39DD18C51BA6D8BD9
Patch : NECmb0668.RL.pkg.Z
Target Hardware: 605,615,615AD,615A
sum : 2916 24
md5 : 0C88DA08FF160A1B132538E8A46E9E4B
Patch : NECmb0668.RM.pkg.Z
Target Hardware: 625,635,635AD
sum : 63205 24
md5 : 47D10396FC39C0FB7FE617D0B180DF08
Patch : NECmb0668.TH2.pkg.Z
Target Hardware: 310PX,320PX,330PX
sum : 56681 24
md5 : 12BC633B68667D8EC08E56B95CD1EC5B
Patch : NECmb0668.UD2.pkg.Z
Target Hardware: 360PX,360PXII
sum : 26095 24
md5 : 53251D6148665B16ADF3DF224485BA96
Patch ID: NECmc0054
Patch : NECmc0054.110N.pkg.Z
Target Hardware: 110N,310EC,310LX,310ECII,110NII
sum : 38080 23
md5 : B27726AA05A082079E951F00222D6E7D
Patch : NECmc0054.210.pkg.Z
Target Hardware: 210,120LT,215,130LT,210II
sum : 39082 23
md5 : 590586BE5E847BD34780D2A68A908495
Patch : NECmc0054.220.pkg.Z
Target Hardware: 220,260,230
sum : 37616 23
md5 : CA9AD4DB7476E6753C7E06F5835AC61B
Patch : NECmc0054.330.pkg.Z
Target Hardware: 330,110LT,310,320,360
140LT,150LT,360AD,360A,OM
310LC,320EX,320SX,330EX,330AD
360EX,360ADII,320VX,360SX
sum : 42500 23
md5 : 31F228CA399A16DCEC4C7641D63D2E54
Patch : NECmc0054.350.pkg.Z
Target Hardware: 350,350F,380
sum : 47172 23
md5 : 711FBF6BD131FFA6FB1AC2E82BDB863D
Patch : NECmc0054.360MP.pkg.Z
Target Hardware: 360MP
sum : 32933 23
md5 : 20C52796D74B8FE1CD7FEC7CEA116708
Patch : NECmc0054.EH3.pkg.Z
Target Hardware: 410,420
sum : 33478 23
md5 : 5DE177B5E0BA6517192A6CB6DB53E4E8
Patch : NECmc0054.EL.pkg.Z
Target Hardware: 710
sum : 2088 23
md5 : 35908F4C918DA2D164D8C9B27A71061A
Patch : NECmc0054.FL.pkg.Z
Target Hardware: 740
sum : 31787 23
md5 : A4DD978D309F37DA72151247770ECC0D
Patch : NECmc0054.FM.pkg.Z
Target Hardware: 760,660R,760R
sum : 31135 23
md5 : F5FC7DBA2CFAD595FE72B520268BA02B
Patch : NECmc0054.ML.pkg.Z
Target Hardware: 610
sum : 18801 23
md5 : AD5954BF0E57B1593B12BAEB5A0C7151
Patch : NECmc0054.RH.pkg.Z
Target Hardware: 660,680,690,670,675
675AD,770
sum : 18516 23
md5 : A84E91CE094441E55BC967F0A33129E5
Patch : NECmc0054.RH0.pkg.Z
Target Hardware: 640,650
sum : 27899 23
md5 : 5B47CABA685D0C428869CC300BB1E8DE
Patch : NECmc0054.RL.pkg.Z
Target Hardware: 605,615,615AD,615A
sum : 48090 23
md5 : 5AD2B54F85BF83EE934D10BA8ABA3637
Patch : NECmc0054.RM.pkg.Z
Target Hardware: 625,635,635AD
sum : 49278 23
md5 : 3EEEAB2D6B42B8EF58291F07F7986E0E
Patch : NECmc0054.TH2.pkg.Z
Target Hardware: 310PX,320PX,330PX
sum : 36503 23
md5 : 7F937DFCAC8A09E39CDFA3DB757C7529
Patch : NECmc0054.UD2.pkg.Z
Target Hardware: 360PX,360PXII
sum : 34087 23
md5 : 7BD3E3E1C0C44AC0FF96071F0D7E3B04
Patch : NECmc0054.UD3.pkg.Z
Target Hardware: 460
sum : 21713 23
md5 : 02850DACF247867594A999A9CF32E5C3
Patch ID: NECu50078
Patch : NECu50078.RH.pkg.Z
Target Hardware: 660,680
sum : 24590 23
md5 : A0CB7CE51889544BA00BA8600CA64068
Patch ID: NECu60217
Patch : NECu60217.RH.pkg.Z
Target Hardware: 660,680,690
sum : 12320 23
md5 : B2853692FDB387C7A132BF5AE5047B33
Patch : NECu60217.RH0.pkg.Z
Target Hardware: 640,650
sum : 18714 23
md5 : EB2AD3AD7F0AC59E0750491D19446115
Patch : NECu60217.RL.pkg.Z
Target Hardware: 605,615,615AD,615A
sum : 40312 24
md5 : 3EFBE0C6873017ABFA7D2632BB7F686D
Patch : NECu60217.RM.pkg.Z
Target Hardware: 625,635,635AD
sum : 21912 24
md5 : 6B5B2936D081D849DEBC649595F917DD
Patch ID: NECu70541
Patch : NECu70541.ML.pkg.Z
Target Hardware: 610
sum : 43559 25
md5 : E009D5CC456DDB3E5347038A584C724C
Patch : NECu70541.RH.pkg.Z
Target Hardware: 660,680,690
sum : 47473 25
md5 : 26A98C96AF71341961CC57CC5E55EB27
Patch : NECu70541.RH0.pkg.Z
Target Hardware: 640,650
sum : 36458 25
md5 : EAD7B3F4A48E97E4BCBAE83B298EE265
Patch : NECu70541.RL.pkg.Z
Target Hardware: 605,615,615AD,615A
sum : 56520 25
md5 : 593BD721536ABC1BC0694D757DD4387B
Patch : NECu70541.RM.pkg.Z
Target Hardware: 625,635,635AD
sum : 5840 25
md5 : 5D9AA821BE9D01AF39512E448E3F520E
============================================================================
[ End NEC Corporation Advisory ]
______________________________________________________________________________
CIAC wishes to acknowledge the contributions of NEC Corporation for the
information contained in this bulletin.
______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 510-422-8193
FAX: +1 510-423-8002
STU-III: +1 510-423-2604
E-mail: ciac@llnl.gov
For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://ciac.llnl.gov/
Anonymous FTP: ciac.llnl.gov (198.128.39.53)
Modem access: +1 (510) 423-4753 (28.8K baud)
+1 (510) 423-3331 (28.8K baud)
CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
(SPI) software updates, new features, distribution and
availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the
use of SPI products.
Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, ciac-notes, spi-announce OR spi-notes for list-name:
E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
subscribe list-name
e.g., subscribe ciac-notes
You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email. This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.
If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
H-104: HP-UX libXt Vulnerability
H-105: HP-UX vuefile, vuepad, dtfile, & dtpad Vulnerabilities
H-106: SGI IRIX LOCKOUT & login/scheme Vulnerabilities
H-107: UNIX Buffer Overflow in rdist Vulnerability
H-108: SunOS, Solaris libX11 Buffer Overflow Vulnerability
H-109: Solaris DCE and AFS Integrated login Vulnerability
H-110: Samba Servers Vulnerability
I-001: HP-UX Denial of Service via telnet Vulnerability
I-002: Cisco CHAP Authentication Vulnerability
I-003: HP-UX mediainit(1) Vulnerability
-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition
iQCVAwUBNEUC97nzJzdsy3QZAQFLSwP+MGifaeGhaY4+l4yxlv7zWuZIjESp9UnW
SN1XTTzDTdpjFxJfmqMXJdHRcUElDDAeosPjsuCLLftQUzN4AFf9/UMa4oR5f1hu
T8MQvHqv5XFAuLlzeRfAx6eB2ZBclpeRI8mCFjh3ec8CycplLih4AYIP3/etVQKw
HK2LJyJUy8o=
=lJo/
-----END PGP SIGNATURE-----
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
