TUCoPS :: Unix :: General :: ciack001.txt

Four CDe Vulnerabilities

            _________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

             Four Vulnerabilities in the Common Desktop Environment
                       Updates to CERT Advisory CA-99-11

October 7, 1999 20:00 GMT                                         Number K-001
Updated December 29,1999
______________________________________________________________________________
PROBLEM:       Multiple vulnerabilities exist in some distributions of the 
               Common Desktop Environment (CDE). 
PLATFORM:      Any system running the Common Desktop Environment (CDE). 
DAMAGE:        Each vulnerability may allow arbitrary code on a vulnerable  
               system to be run as root by a local user.  The ToolTalk 
               ttsession vulnerability may also allow arbitrary code to be run   
               as root by a remote user.
SOLUTION:      Apply available vendor patches. 
______________________________________________________________________________
VULNERABILITY  Risk is high. These vulnerabilities have been published on the 
ASSESSMENT:    internet.  Each vulnerability, independent of the others, can
               lead to a total system compromise. 
______________________________________________________________________________

Appended on December 29, 1999 with additional patch updates from Sun
Microsystems. 

[Start CERT Advisory]

CERT Advisory CA-99-11 Four Vulnerabilities in the Common Desktop Environment

   Original release date: September 13, 1999
   Last revised: October 04, 1999 Updated vendor information for Sun
     Microsystems, Inc.
   Source: CERT/CC

   A complete revision history is at the end of this file.
   
Systems Affected

   *  Systems running the Common Desktop Environment (CDE)

I. Description
   Multiple vulnerabilities have been identified in some distributions of the
   Common Desktop Environment (CDE). These vulnerabilities are different from
   those discussed in CA-98.02. We recommend that you install appropriate 
   vendor patches as soon as possible (see Section III below). Until you can 
   do so, we encourage you to disable or uninstall vulnerable copies of the 
   CDE package. Note that disabling these programs will severely affect the 
   utility of the CDE environment. 

   At this time, the CERT/CC has not received any reports of these 
   vulnerabilities being exploited by intruders. 
Vulnerability #1: ToolTalk ttsession uses weak RPC authentication mechanism 
   The ToolTalk messaging server ttsession allows independent applications to 
   communicate without having direct knowledge of each other. Applications can  
   communicate through an associated ttsession which delivers messages via RPC 
   calls between interested agents. 

   On many systems, ttsession uses AUTH_UNIX authentication (a client-based 
   security option) by default. When messages are received, ttsession uses 
   certain environment variables supplied by the client to determine how the 
   message is handled. Because of this, the ttsession process can be 
   manipulated to execute unauthorized arbitrary programs with the privileges 
   of the running ttsession. 
Vulnerability #2: CDE dtspcd relies on file-system based authentication
   The network daemon dtspcd (a CDE desktop subprocess control program) 
   accepts CDE requests from clients to execute commands and launch   
   applications remotely. 

   When a client makes a request, the dtspcd daemon asks the client to create 
   a file that has a predictable name so that the daemon can authenticate the 
   request. If a local user can manipulate the files used for authentication, 
   then that user can craft arbitrary commands that may run as root. 
Vulnerability #3: CDE dtaction buffer overflow
   The dtaction utility allows applications or shell scripts that otherwise 
   are not connected into the CDE development environment, to request that CDE 
   actions be performed. 

   A buffer overflow can occur in some implementations of dtaction when a    
   username argument greater than 1024 bytes is used. 
Vulnerability #4: CDE ToolTalk shared library buffer overflow in TT_SESSION
   There is a vulnerability in some implementations of the ToolTalk shared 
   library which allows the TT_SESSION environment variable buffer to 
   overflow. A setuid root program using a vulnerable ToolTalk library, such  
   as dtsession, can be exploited to run arbitrary code as root. 

II. Impact
Vulnerability #1: ToolTalk ttsession uses weak RPC authentication mechanism
   A local or remote user may be able to use this vulnerability to run 
   commands on a vulnerable system with the same privileges of the attacked 
   ttsession. For this attack to work, a ttsession must be actively running on 
   the system attacked. The ttsession daemon is started whenever a user logs 
   in using the CDE desktop, or upon interaction with CDE at some future 
   point. 
Vulnerability #2: CDE dtspcd relies on file-system based authentication
   A vulnerable dtspcd may allow a local user to run arbitrary commands as  
   root. 
Vulnerability #3: CDE dtaction buffer overflow
   A local user may be able to exploit this vulnerability to execute arbitrary 
   code with root privileges. 
Vulnerability #4: CDE ToolTalk shared library buffer overflow in TT_SESSION
   A local user may be able to exploit this vulnerability to execute arbitrary 
   code with root privileges. 

III. Solution
Install appropriate patches from your vendor 

We recommend installing vendor patches as soon as possible and disabling the 
vulnerable programs until you can do so (or uninstalling the entire CDE 
package if not needed). Note that disabling these programs will severely 
affect the utility of the CDE environment. 
Appendix A contains information provided by vendors for this advisory. We will 
update the appendix as we receive more information. If you do not see your 
vendor's name, the CERT/CC did not hear from that vendor. Please contact your 
vendor directly. 

Appendix A. Vendor Information
Compaq Computer Corporation
Problem #1 
CDE ToolTalk session daemon & ToolTalk shared library overflow 
This potential security problem has been resolved and a patch for this 
problem has been made available for Tru64 UNIX V4.0D, V4.0E, V4.0F and 
V5.0. 
This patch can be installed on: 
 V4.0D-F, all patch kits
 V5.0, all patch kits
*This solution will be included in a future distributed release of Compaq's 
Tru64/ DIGITAL UNIX. 
This patch may be obtained from the World Wide Web at the following FTP 
address: 
http://www.service.digital.com/patches 
The patch file name is SSRT0617_ttsession.tar.Z 
Problem #2 
Compaq's Tru64/DIGITAL UNIX is not vulnerable. 
Problem #3 
CDE dtaction buffer overflow 
This potential security problem has been resolved and a patch for this 
problem has been made available for Tru64 UNIX V4.0D, V4.0E and V4.0F. 
This patch can be installed on: 
V4.0D Patch kit BL11 or BL12
V4.0E Patch kit BL1 or BL12
V4.0F Patch kit BL1
*This solution will be included in a future distributed release of Compaq's 
Tru64/ DIGITAL UNIX. 
This patch may be obtained from the World Wide Web at the following FTP 
address: 
http://www.service.digital.com/patches 
The patch file name is SSRT0615U_dtaction.tar.Z 
Problem #4 
CDE ToolTalk shared library overflow 
See solution fix described in Problem #1. 
Data General
DG/UX is not subject to any of these vulnerabilities. 
Fujitsu
Fujitsu's UXP/V operating system is not vulnerable to any of these 
vulnerabilities. 
Hewlett-Packard Company
HP-9000 Series 700/800 HP-UX releases 10.X and 11.0 systems with CDE 
patches previously recommended in HP Security Bulletins are not vulnerable 
to vulnerabilities #2, #3, and #4. 
All HP-UX 10.X and 11.0 systems running CDE are vulnerable to vulnerability 
#1. 

[Start Hewlett-Packard Company Update]

HP Support Information Digests

==============================================================================
o  HP Electronic Support Center World Wide Web Service
   ---------------------------------------------------

   If you subscribed through the HP Electronic Support Center and would
   like to be REMOVED from this mailing list, access the
   HP Electronic Support Center on the World Wide Web at:

     http://us-support.external.hp.com

   Login using your HP Electronic Support Center User ID and Password.
   Then select Support Information Digests.  You may then unsubscribe from the
   appropriate digest.
==============================================================================

Digest Name:  Daily Security Bulletins Digest
    Created:  Mon Sep 20  3:00:03 PDT 1999

Table of Contents:

Document ID      Title
---------------  -----------
HPSBUX9909-103   Security Vulnerability in CDE ttsession (Rev.01)

The documents are listed below.
------------------------------------------------------------------------------

Document ID:  HPSBUX9909-103
Date Loaded:  19990919
      Title:  Security Vulnerability in CDE ttsession (Rev.01)

-------------------------------------------------------------------------
**REVISED 01** HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00103, 14 Sep. 99
Last Revised: 20 Sep. 99
-------------------------------------------------------------------------

The information in the following Security Bulletin should be acted upon
as soon as possible.  Hewlett-Packard Company will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.

-------------------------------------------------------------------------
PROBLEM:  ttsession uses weak RPC authentication mechanism

PLATFORM: HP-9000 Series 700/800 HP-UX releases 10.X & 11.00 running CDE.

DAMAGE:   Allows remote and local users to execute programs with the
          privileges of the running ttsession.

SOLUTION: **REVISED 01**
          Install the applicable patch.

AVAILABILITY: The patches for 10.2X and 11.00 are available now.
          NOTE: This bulletin will be revised when other patches
                are available.
CHANGE SUMMARY: This revision affects only HP-UX release 10.24.
-------------------------------------------------------------------------
I.
   A. Background
      This problem has been reported in CERT Advisory CA-99-11.

      The advisory reports four vulnerabilities:

        #1: ToolTalk ttsession uses weak RPC authentication mechanism
        #2: CDE dtspcd relies on file-system based authentication
        #3: CDE dtaction buffer overflow
        #4: CDE ToolTalk shared library buffer overflow in TT_SESSION

      With the patches recommended in previous security bulletins
      HP-UX releases 10.X and 11.00 are not vulnerable to #2, #3, nor #4.

      To avoid vulnerability #1 install the applicable patch below.

   B. Fixing the problem - Install the applicable patch:
              HP-UX release 10.10      In progress;
              HP-UX release 10.20      PHSS_19747;
------->>>>   HP-UX release 10.24      PHSS_19819;
              HP-UX release 11.00      PHSS_19748.

      Note:  HP-UX release 10.30 was a development release prior to
             the availability of HP-UX release 11.00.  HP-UX release
             10.30 will not be patched.

   C. To subscribe to automatically receive future NEW HP Security
      Bulletins from the HP Electronic Support Center via electronic
      mail, do the following:

      Use your browser to get to the HP Electronic Support Center page
      at:

        http://us-support.external.hp.com
               (for US, Canada, Asia-Pacific, & Latin-America)
        http://europe-support.external.hp.com     (for Europe)

      Login with your user ID and password (or register for one).
      Remember to save the User ID assigned to you, and your password.
      Once you are in the Main Menu:
      To -subscribe- to future HP Security Bulletins,
        click on "Support Information Digests".
      To -review- bulletins already released from the main Menu,
        click on the "Search Technical Knowledge Database."

      Near the bottom of the next page, click on "Browse the HP
      Security Bulletin Archive".
      Once in the archive there is another link to our current Security
      Patch Matrix.  Updated daily, this matrix categorizes security
      patches by platform/OS release, and by bulletin topic.

      The security patch matrix is also available via anonymous ftp:

      us-ffs.external.hp.com
      ~ftp/export/patches/hp-ux_patch_matrix

   D. To report new security vulnerabilities, send email to

       security-alert@hp.com

      Please encrypt any exploit information using the security-alert
      PGP key, available from your local key server, or by sending a
      message with a -subject- (not body) of 'get key' (no quotes) to
      security-alert@hp.com.

     Permission is granted for copying and circulating this Bulletin to
     Hewlett-Packard (HP) customers (or the Internet community) for the
     purpose of alerting them to problems, if and only if, the Bulletin
     is not edited or changed in any way, is attributed to HP, and
     provided such reproduction and/or distribution is performed for
     non-commercial purposes.

     Any other use of this information is prohibited. HP is not liable
     for any misuse of this information by any third party.
________________________________________________________________________

-----End of Document ID:  HPSBUX9909-103--------------------------------------

[End Hewlett-Packard Company Update]

 IBM Corporation
All releases of AIX version 4 are vulnerable to vulnerabilities #1, #3, and 
#4. AIX is not vulnerable to #2. The following APARs will be available 
soon: 
      AIX 4.1.x:  IY03125  IY03847
      AIX 4.2.x:  IY03105  IY03848
      AIX 4.3.x:  IY02944  IY03849
Customers that do not require the CDE desktop functionality can disable CDE 
by restricting access to the CDE daemons and removing the dt entry from 
/etc/inittab. Run the following commands as root to disable CDE: 
      # /usr/dt/bin/dtconfig -d
      # chsubserver -d -v dtspc
      # chsubserver -d -v ttdbserver
      # chsubserver -d -v cmsd
      # chown root.system /usr/dt/bin/*
      # chmod 0 /usr/dt/bin/*
For customers that require the CDE desktop functionality, a temporary fix 
is available via anonymous ftp from: 
ftp://aix.software.ibm.com/aix/efixes/security/cdecert.tar.Z 
   Filename        sum             md5
   =================================================================
   dtaction_4.1    32885    18     82af470bbbd334b240e874ff6745d8ca
   dtaction_4.2    52162    18     b10f21abf55afc461882183fbd30e602
   dtaction_4.3    56550    19     6bde84b975db2506ab0cbf9906c275ed
   libtt.a_4.1     29234  2132     f5d5a59956deb8b1e8b3a14e94507152
   libtt.a_4.2     21934  2132     73f32a73873caff06057db17552b8560
   libtt.a_4.3     12154  2118     b0d14b9fe4a483333d64d7fd695f084d
   ttauth          56348    31     495828ea74ec4c8f012efc2a9e6fa731
   ttsession_4.1   19528   337     bfac4a06b90cbccc0cd494a44bd0ebc9
   ttsession_4.2   46431   338     05949a483c4e390403055ff6961b0816
   ttsession_4.3   54031   339     e1338b3167c7edf899a33520a3adb060
NOTE - This temporary fix has not been fully regression tested. Use the 
following steps (as root) to install the temporary fix. 
   1. Uncompress and extract the fix.

      # uncompress < cdecert.tar.Z | tar xf -
      # cd cdecert

   2. Replace the vulnerable executables with the temporary fix for
      your version of AIX.

      # (cd /usr/dt/lib && mv libtt.a libtt.a.before_security_fix)
      # (cd /usr/dt/bin && mv ttsession ttsession.before_security_fix)
      # (cd /usr/dt/bin && mv dtaction dtaction.before_security_fix)
      # chown root.system /usr/dt/lib/libtt.a.before_security_fix
      # chown root.system /usr/dt/bin/ttsession.before_security_fix
      # chown root.system /usr/dt/bin/dtaction.before_security_fix
      # chmod 0 /usr/dt/lib/libtt.a.before_security_fix
      # chmod 0 /usr/dt/bin/ttsession.before_security_fix
      # chmod 0 /usr/dt/bin/dtaction.before_security_fix
      # cp ./libtt.a_ /usr/dt/lib/libtt.a
      # cp ./ttsession_ /usr/dt/bin/ttsession
      # cp ./dtaction_ /usr/dt/bin/dtaction
      # cp ./ttauth /usr/dt/bin/ttauth
      # chmod 555 /usr/dt/lib/libtt.a
      # chmod 555 /usr/dt/bin/ttsession
      # chmod 555 /usr/dt/bin/dtaction
      # chmod 555 /usr/dt/bin/ttauth
IBM AIX APARs may be ordered using Electronic Fix Distribution (via the 
FixDist program), or from the IBM Support Center. For more information on 
FixDist, and to obtain fixes via the Internet, please reference 
http://techsupport.services.ibm.com/support/rs6000.support/downloads 
or send electronic mail to "aixserv@austin.ibm.com" with the word "FixDist" 
in the "Subject:" line. To facilitate ease of ordering all security related 
APARs for each AIX release, security fixes are periodically bundled into a 
cumulative APAR. For more information on these cumulative APARs including 
last update and list of individual fixes, send electronic mail to 
"aixserv@austin.ibm.com" with the word "subscribe Security_APARs" in the 
"Subject:" line. 
Santa Cruz Operation, Inc.
SCO is investigating these vulnerabilities on SCO UnixWare 7. Other SCO 
products (OpenServer 5.0.x, UnixWare 2.1.x, Open Server / Open Desktop 3.0 
and CMW+) are not vulnerable as CDE is not a component of these releases. 
SCO will make patches and status information available at 
http://www.sco.com/security. 
Silicon Graphics, Inc.
SGI acknowledges the CDE vulnerabilities reported and is currently 
investigating. No further information is available at this time. As further 
information becomes available, additional advisories will be issued via the 
normal SGI security information distribution methods including the wiretap 
mailing list. 
Until SGI has more definitive information to provide, customers are 
encouraged to assume all security vulnerabilities as exploitable and take 
appropriate steps according to local site security policies and 
requirements. 
The SGI Security Headquarters Web page is accessible at the URL 
http://www.sgi.com/Support/security/security.html 
Sun Microsystems, Inc.
Vulnerability #1: 
Systems running Solaris 7, 2.6, and systems running Solaris 2.5.1, 2.5, and 
2.4 installed with CDE are vulnerable if the UNIX authentication mechanism 
(default) is used. Sun recommends that sites using CDE use DES as the 
authentication mechanism. To set the authentication mechanism to DES, use 
the ttsession command with the '-a' option and specify 'des' as the 
argument (see ttsession(1) for more information). The use of DES 
authentication also requires that the system uses Secure NFS, NIS+, or 
keylogin. For more information about Secure NFS, NIS+, or keylogin, please 
see the System Administration Guide, Volume II. Information is also 
available at: 
http://docs.sun.com:80/ab2/coll.47.8/SYSADV2/@Ab2PageView/34908?DwebQuery=s
ecure+rpc 
Sun is producing patches for this vulnerability that will not require the 
use of the DES authentication mechanism. 
Vulnerability #2: 
The following patches are available: 
    CDE version		SunOS version			Patch ID	
    ___________		_____________			_________

    1.3			5.7				108221-01 
    1.3_x86			5.7_x86				108222-01 
    1.2			5.6				108199-01 
    1.2_x86			5.6_x86				108200-01
    1.0.2			5.5.1, 5.5, 5.4			108205-01 
    1.0.2_x86		5.5.1_x86, 5.5_x86, 5.4_x86	108206-01  
    1.0.1			5.5, 5.4			108252-01 
    1.0.1_x86		5.5_x86, 5.4_x86		108253-01 

Vulnerability #3: 
The following patches are available: 
    CDE version		SunOS version			Patch ID	
    ___________		_____________			_________
    
    1.3			5.7				108219-01 
    1.3_x86			5.7_x86				108220-01  
    1.2			5.6				108201-01 
    1.2_x86			5.6_x86				108202-01

Patches for CDE versions 1.0.2 and 1.0.1 are in progress. 
Vulnerability #4: 
The following patches are available: 
SunOS version	Patch ID
_____________	_________

5.7			107893-02
5.7_x86		107894-02

Patches for other supported versions are in progress.
_____________________________________________________________________________

The CERT Coordination Center would like to thank Job de Haas for reporting
these vulnerabilities and working with the vendors to effect fixes.  We would
also like to thank Solutions Atlantic for their efforts in coordinating 
vendor solutions.
______________________________________________________________________________

This document is available from: http://www.cert.org/advisories/CA-99-11-
CDE.html 
_____________________________________________________________________________

CERT/CC Contact Information
   Email: cert@cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
   CERTŪ Coordination Center
   Software Engineering Institute
   Carnegie Mellon University
   Pittsburgh PA 15213-3890
   U.S.A.

CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday 
through Friday; they are on call for emergencies during other hours, on U.S. 
holidays, and on weekends. 
Using encryption
We strongly urge you to encrypt sensitive information sent by email. Our 
public PGP key is available from 
http://www.cert.org/CERT_PGP.key 
If you prefer to use DES, please call the CERT hotline for more information. 
Getting security information
CERT publications and other security information are available from our web 
site 
http://www.cert.org/ 
To be added to our mailing list for advisories and bulletins, send email to 
cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the 
subject of your message. 
Copyright 1999 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be found in 
http://www.cert.org/legal_stuff.html 
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and 
Trademark Office. 
_____________________________________________________________________________

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software 
Engineering Institute is furnished on an "as is" basis. Carnegie Mellon 
University makes no warranties of any kind, either expressed or implied as to 
any matter including, but not limited to, warranty of fitness for a particular 
purpose or merchantability, exclusivity or results obtained from use of the 
material. Carnegie Mellon University does not make any warranty of any kind 
with respect to freedom from patent, trademark, or copyright infringement. 
_____________________________________________________________________________

2Revision History 
Oct 04, 1999:  Updated vendor information for Sun Microsystems, Inc.
Oct 01, 1999:  Added vendor information for Data General
Sep 13, 1999:  Initial release
         
[End CERT Advisory]

<B>[  Start Sun Microsystems Advisory  ]</B>
________________________________________________________________________________
                   Sun Microsystems, Inc. Security Bulletin
                
Bulletin Number:        #00192
Date:                   December 29, 1999
Cross-Ref:              CERT CA-99-11
Title:                  CDE and OpenWindows
________________________________________________________________________________


The information contained in this Security Bulletin is provided "AS IS." 
Sun makes no warranties of any kind whatsoever with respect to the information 
contained in this Security Bulletin. ALL EXPRESS OR IMPLIED CONDITIONS, 
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY WARRANTY OF NON-INFRINGEMENT OR 
IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE 
HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.


IN NO EVENT WILL SUN MICROSYSTEMS, INC. BE LIABLE FOR ANY LOST REVENUE, 
PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL 
OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY THEORY OF LIABILITY 
ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN 
THIS SECURITY BULLETIN, EVEN IF SUN MICROSYSTEMS, INC. HAS BEEN ADVISED OF 
THE POSSIBILITY OF SUCH DAMAGES.


If any of the above provisions are held to be in violation of applicable law, 
void, or unenforceable in any jurisdiction, then such provisions are waived 
to the extent necessary for this disclaimer to be otherwise enforceable in 
such jurisdiction.
________________________________________________________________________________


1.  Bulletin Topics


    Sun announces the release of patches for Solaris(tm) 7, 2.6, 2.5.1, 2.5,
    2.4, 2.3 (SunOS(tm) 5.7, 5.6, 5.5.1, 5.5, 5.4, 5.3), and SunOS 4.1.4,
    and 4.1.3_U1 which relate to various vulnerabilities in CDE and 
    OpenWindows.
        
    Sun recommends that you install the patches listed in section 4 
    immediately on systems running SunOS 5.7, 5.6, 5.5.1, 5.5, 5.4, 5.3,
    4.1.4, and 4.1.3_U1.
     
2.  Who is Affected
        
    Vulnerable:     SunOS 5.7, 5.7_x86, 5.6, 5.6_x86, 5.5.1, 5.5, 5.4, 5.3,
                          4.1.4, and 4.1.3_U1.
                 
    Not vulnerable: All other supported versions of SunOS.
    
3.  Understanding the Vulnerabilities
    
    The following vulnerabilities have been identified.


3.1 ToolTalk ttsession default authentication mechanism insecure


    The ToolTalk messaging utility, ttsession, allows independent 
    applications to communicate without having direct knowledge of 
    each other. The ttsession daemon is started automatically by 
    any program that needs to send or receive a ToolTalk message. It uses 
    AUTH_UNIX authentication by default. A local or remote attacker may 
    manipulate certain environment variables (which are used by ttsession 
    to determine how client messages are handled) to execute arbitrary 
    commands with the privileges of the running ttsession.
    
3.2 CDE dtspcd relies on file-system based authentication


    The CDE desktop subprocess control program (dtspcd) is a network
    daemon that accepts requests from clients to execute commands and
    launch applications remotely. By manipulating predictable files used 
    for authentication, a local attacker may exploit this vulnerability 
    to execute arbitrary commands and gain root access.


3.3 CDE dtaction buffer overflow 


    The dtaction utility allows applications or shell scripts, which are
    otherwise not connected into the CDE user environment, to request 
    CDE actions be performed. A buffer overflow vulnerability has been 
    discovered which may be exploited by a local attacker to execute 
    arbitrary instructions and gain root access.


3.4 CDE ToolTalk shared library buffer overflow in TT_SESSION


    A buffer overflow vulnerability has been discovered in the ToolTalk
    shared library which may be exploited by a local attacker to execute 
    arbitrary instructions and gain root access.


4.  List of Patches


    Patches for vulnerability described in section 3.1


      SunOS version     Patch ID        
      _____________     _________
    
      5.7               107893-04
      5.7_x86           107894-04               
      5.6               105802-11       
      5.6_x86           105803-13
      5.5.1             104489-10
      5.5.1_x86         105496-08
      5.5               104428-08
      5.5_x86           105495-06
      5.4               102734-05
                        108636-01 (see Note 1)
      5.4_x86           108641-01
                        108637-01 (see Note 1)
      5.3               Patch will be available in 2 weeks
      4.1.4, 4.1.3_U1   Patch will be available in 2 weeks
                        
      Note 1: Install patch if CDE 1.0.2 or 1.0.1 is installed.


    Patches for vulnerability described in section 3.2
        
      CDE version       SunOS version                   Patch ID        
      ___________       _____________                   _________


      1.3               5.7                             108221-01 
      1.3_x86           5.7_x86                         108222-01 
      1.2               5.6                             108199-01 
      1.2_x86           5.6_x86                         108200-01 
      1.0.2             5.5.1, 5.5, 5.4                 108205-01 
      1.0.2_x86         5.5.1_x86, 5.5_x86, 5.4_x86     108206-01  
      1.0.1             5.5, 5.4                        108252-01 
      1.0.1_x86         5.5_x86, 5.4_x86                108253-01 


    Patches for vulnerability described in section 3.3
    
      CDE version       SunOS version                   Patch ID        
      ___________       _____________                   _________
    
      1.3               5.7                             108219-01 
      1.3_x86           5.7_x86                         108220-01  
      1.2               5.6                             108201-01 
      1.2_x86           5.6_x86                         108202-01
      1.0.2             5.5.1, 5.5, 5.4                 108289-02
      1.0.2_x86         5.5.1_x86, 5.5_x86, 5.4_x86     108290-03 
      1.0.1             5.5, 5.4                        108254-01 
      1.0.1_x86         5.5_x86, 5.4_x86                108255-01 
       
    Patches for vulnerability described in section 3.4
    
      SunOS version     Patch ID        
      _____________     _________
    
      5.7               107893-04 
      5.7_x86           107894-04 
      5.6               105802-11       
      5.6_x86           105803-13 
      5.5.1             104489-10
      5.5.1_x86         105496-08
      5.5               104428-08
      5.5_x86           105495-06
      5.4               102734-05
                        108636-01 (see Note 2)
      5.4_x86           108641-01
                        108637-01 (see Note 2)
      5.3               101495-04
      4.1.4, 4.1.3_U1   100626-10


      Note 2: Install patch if CDE 1.0.2 or 1.0.1 is installed.


_______________________________________________________________________________
APPENDICES


A.  Patches listed in this bulletin are available to all Sun customers at:
    
    http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pub-patches


B.  Checksums for the patches listed in this bulletin are available at:


    ftp://sunsolve.sun.com/pub/patches/CHECKSUMS


C.  Sun security bulletins are available at:


    http://sunsolve.sun.com/pub-cgi/secBulletin.pl
        
D.  Sun Security Coordination Team's PGP key is available at:


    http://sunsolve.sun.com/pgpkey.txt
                                    
E.  To report or inquire about a security problem with Sun software, contact 
    one or more of the following:
  
        - Your local Sun Solution Center
        - Your representative computer security response team, such as CERT 
        - Sun Security Coordination Team. Send email to:
         
                security-alert@sun.com


F.  To receive information or subscribe to our CWS (Customer Warning System) 
    mailing list, send email to:
    
                security-alert@sun.com
   
    with a subject line (not body) containing one of the following commands:


        Command         Information Returned/Action Taken
        _______         _________________________________


        help            An explanation of how to get information
        
        key             Sun Security Coordination Team's PGP key
        
        list            A list of current security topics


        query [topic]   The email is treated as an inquiry and is forwarded to 
                        the Security Coordination Team


        report [topic]  The email is treated as a security report and is
                        forwarded to the Security Coordination Team. Please 
                        encrypt sensitive mail using Sun Security Coordination
                        Team's PGP key


        send topic      A short status summary or bulletin. For example, to 
                        retrieve a Security Bulletin #00138, supply the 
                        following in the subject line (not body):
                        
                                send #138


        subscribe       Sender is added to our mailing list.  To subscribe, 
                        supply the following in the subject line (not body):


                                subscribe cws your-email-address
                        
                        Note that your-email-address should be substituted
                        by your email address.
                        
        unsubscribe     Sender is removed from the CWS mailing list.
________________________________________________________________________________


Copyright 1999 Sun Microsystems, Inc. All rights reserved. Sun, 
Sun Microsystems, Solaris and SunOS are trademarks or registered trademarks 
of Sun Microsystems, Inc. in the United States and other countries. This 
Security Bulletin may be reproduced and distributed, provided that this 
Security Bulletin is not modified in any way and is attributed to 
Sun Microsystems, Inc. and provided that such reproduction and distribution 
is performed for non-commercial purposes.

[  End Sun Microsystems Advisory  ]

______________________________________________________________________________

CIAC wishes to acknowledge the contributions of the CERT Coordination Center,  
Hewlett-Packard Company, and Sun Microsystems for the information contained in 
this bulletin.
______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (198.128.39.53)
   Modem access:        +1 (925) 423-4753 (28.8K baud)
                        +1 (925) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, ciac-notes, spi-announce OR spi-notes for list-name:

E-mail to       ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
        subscribe list-name 
  e.g., subscribe ciac-notes 

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email.  This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

J-063: Domain Name System (DNS) Denial of Service (DoS) Attacks
J-064: ActiveX Controls, Scriptlet.typlib & Eyedog, Vulnerabilities
J-065: Wu-ftpd Vulnerability
J-066: FreeBSD File Flags and Main-In-The-Middle Attack
J-067: Profiling Across FreeBSD Exec Calls
J-068: FreeBSD Vulnerabilities in wu-ftpd and proftpd
J-069: SunOS LC MESSAGES Environment Variable Vulnerability
J-070: Microsoft Windows 95 and 98 Telnet Client Vulnerability
J-071: Buffer Overflow Vulnerability in amd
J-072: IBM AIX Buffer Overflow Vulnerability

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH