===========================================================================
AA-2000.03                     AUSCERT Advisory

                 Compaq Tru64 UNIX kdebugd Vulnerability
                            21 September 2000

Last Revised: --

---------------------------------------------------------------------------

AusCERT has received information that a vulnerability exists in the
Tru64 UNIX V4.0D/F/G & V5.* program /usr/sbin/kdebugd.

This vulnerability may allow remote users to obtain access to the system
and modify or delete files.

AusCERT recommends that sites take the steps outlined in section 3 as soon
as possible.

This advisory will be updated as more information becomes available.

---------------------------------------------------------------------------

1.  Description

    kdebugd is part of the Kernel Debugging tools optional subset that
    may be installed on a Tru64 UNIX system. It provides remote kernel
    debugging capability. An unauthorized user may obtain access to the
    system and modify or delete files if the kdebug daemon is enabled.

    Sites can determine if this program is installed by checking for the
    following line in /etc/inetd.conf:

        kdebug stream tcp nowait root /usr/sbin/kdebugd kdebugd

    Currently there are no vendor patches available that address this
    vulnerability. AusCERT recommends that official vendor patches be
    installed when they are made available.

    A permanent fix is being developed (QAR # 82228) and will be in a
    patch kit for Tru64 UNIX V5.1 (Compaq expects it to be in the Initial
    V5.1 Patch Kit). Compaq has indicated that the patch will be back
    ported to earlier supported versions of Tru64 UNIX, if possible.
    Until a fix is available you can use the recommended workaround given
    in Section 3.1.

2.  Impact

    Remote users may be able to create or modify arbitrary files on the
    system. This can be leveraged to gain privileged access.

3.  Workarounds/Solution

    AusCERT recommends that sites prevent the exploitation of the
    vulnerability in kdebugd by immediately applying the workaround given
    in Section 3.1.

3.1 Until a patch becomes available for this vulnerability, Compaq
    recommends the following workaround to disable kdebugd:

    In the /etc/inetd.conf file, comment out the line:

        kdebug stream tcp nowait root /usr/sbin/kdebugd kdebugd

    The inetd process must then be restarted. Find the process ID for
    inetd and send a HUP signal to the daemon:

        $ kill -HUP <inetd PID>

    Now kdebugd will no longer start when requested.

    Compaq has informed AusCERT that they are aware of this problem and a
    resolution is in progress. AusCERT recommends that official vendor
    patches be installed when they are made available.

4.0 Vendor Information

    If you have any questions or need further information, please contact
    Compaq Computer Corporation directly.

4.1 Compaq have released an advisory to their clients regarding this
    vulnerability which will be publicly available at the following URL
    within the next 24 hours:

        http://ftp.support.compaq.com/patches/.new/security.html

---------------------------------------------------------------------------
AusCERT would like to acknowledge the assistance of the Compaq Software
Security Response Team and Mark Dowd of IT Audit & Consulting in producing
this Advisory.
---------------------------------------------------------------------------

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The
appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures. AusCERT takes no responsibility for the consequences of
applying the contents of this document.
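
The Section 3.1 workaround as a repeatable check, added here as an example and not part of the AusCERT or Compaq text. The function names, the .pre-kdebug backup suffix and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): audit an inetd.conf-style file for
# an active kdebug entry and comment it out. Function names, the backup
# suffix and the sample file are assumptions made for this illustration.

# Print active (uncommented) kdebug entries; return 0 if any exist.
kdebug_active() {
    awk '$1 == "kdebug" { print; found = 1 } END { exit !found }' "$1"
}

# Comment out active kdebug entries, keeping a backup of the original.
# Commented entries and other services are left untouched; rerunning is safe.
kdebug_disable() {
    conf=$1
    kdebug_active "$conf" >/dev/null || return 0    # nothing to disable
    cp -p "$conf" "$conf.pre-kdebug" || return 1
    # Write back into the existing file so its owner and mode are preserved.
    awk '$1 == "kdebug" { print "#" $0; next } { print }' \
        "$conf.pre-kdebug" > "$conf"
}

# Constructed sample input, not a real system file.
make_sample_conf() {
    cat > "$1" <<'EOF'
# Internet server configuration database (constructed sample)
ftp     stream  tcp  nowait  root  /usr/sbin/ftpd     ftpd
kdebug  stream  tcp  nowait  root  /usr/sbin/kdebugd  kdebugd
#kdebug stream  tcp  nowait  root  /usr/sbin/kdebugd  kdebugd
EOF
}

# Demonstration on a scratch copy. On a real host, point the functions at
# /etc/inetd.conf and then send inetd a HUP as the advisory describes.
demo=${TMPDIR:-/tmp}/inetd.conf.demo.$$
make_sample_conf "$demo"
kdebug_active "$demo" >/dev/null && echo "kdebug enabled: disabling"
kdebug_disable "$demo"
kdebug_active "$demo" >/dev/null || echo "no active kdebug entry remains"
rm -f "$demo" "$demo.pre-kdebug"
```

Matching on the first field rather than on a substring means an entry that is already commented out is not reported as active, and another service that merely mentions kdebugd in its arguments is not disabled.
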

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AusCERT
Advisories, and other computer security information.

AusCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).
                On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~