_____________________________________________________
                          The U.S. Department of Energy
                       Computer Incident Advisory Capability
                              ___  __ __    _     ___
                             /       |     /_\   /   
                             \___  __|__  /   \  \___
               _____________________________________________________

			     Information Bulletin

		Vulnerability in HP-UX systems with HP Vue 3.0

May 18, 1994 1615 PDT                                              Number E-23b
______________________________________________________________________________

PROBLEM:      A Vulnerability exists in HP-UX systems with HP Vue 3.0.
PLATFORM:     HP 9000 series 300/400/700/800 at HP-UX revision 9.x, with HP 
	      Vue 3.0.
DAMAGE:       Local users can raise their privileges to superuser (root) level. 
SOLUTION:     Apply appropriate patch for your system.
______________________________________________________________________________ 

VULNERABILITY CIAC recommends that all systems which have HP Vue 3.0 on their
ASSESSMENT:   systems, whether in use or not, should install this patch.  
______________________________________________________________________________ 

   Critical Information about vulnerability in HP-UX systems with HP Vue 3.0

CIAC has received information regarding a vulnerability in HP9000 computers at
revision 9.x which contain HP Vue 3.0.  This vulnerability can allow a local
user to obtain root access.

CIAC recommends that if you have Vue 3.0 on your system you apply the following
patch appropriate to your system.  For an HP 9000 series 300/400 computer,
apply patch PHSS_4055; for an HP 9000 series 700/800 computer, apply patch
PHSS_4066.

Patches can be obtained in one of three methods:

1. Obtain the patch via E-mail from the HP SupportLine Mail Service. Send the
words, without quotes, "send PHSS_4055" (or "send PHSS_4066") in the TEXT
PORTION of a message addressed to support@support.mayfield.hp.com (no subject
line is required).  The patch will be E-mailed back to you.

2. Download the patch from support.mayfield.hp.com.  To do this, follow the
instructions in the document located on irbis.llnl.gov:
~/pub/ciac/ciacdoc/e-fy94/HPACCESS.TXT-how-to-download-HP-patches.

3. Contact your local HP Response Center. They will provide you with the patch.

The complete instructions for applying the patch are in the file
PHSS_40xx.text, supplied with the patch release.  Checksums for the patch are
included with the release.  After installing the patch, examine /tmp/update.log
for any relevant WARNING's or ERROR's.  To accomplish this, from the shell
prompt type "tail -60 /tmp/update.log | more" and page through the screens via
the space bar, looking for WARNING or ERROR messages.

ATTENTION: This bulletin contains updated information received from
Hewlett-Packard after the electronic version was distributed.  Patch PHSS_4066
supersedes PHSS_4038, and directions to download the patch have been included.
______________________________________________________________________________ 

CIAC would like to thank the CERT-NL for first alerting us to the existance of
this vulnerability and for technical information about this vulnerability, and
John Morris of Hewlett-Packard for patch information and availability.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:
    Voice:   510-422-8193
    FAX:     510-423-8002
    STU-III: 510-423-2604
    E-mail:  ciac@llnl.gov

CIAC has several self-subscribing mailing lists for electronic publications:

1.  CIAC-BULLETIN for Advisories, highest priority - time critical information
    and Bulletins, important computer security information; 
2.  CIAC-NOTES for Notes, a collection of computer security articles; 
3.  SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
    software updates, new features, distribution and availability; 
4.  SPI-NOTES, an unmoderated forum for discussion of problems and solutions
    regarding the use of SPI products.  

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines.  To subscribe (add
yourself) to one of our mailing lists, send the following request as the
E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or
SPI-NOTES for "list-name" and valid information for "LastName" "FirstName" and
"PhoneNumber" when sending

E-mail to ciac-listproc@llnl.gov:
           subscribe  list-name  LastName, FirstName  PhoneNumber
     e.g.: subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or get
help.  
______________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins.  If you are not part of these communities, please
contact your agency's response team to report incidents.  Your agency's team
will coordinate with CIAC.  The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization.  A list of FIRST member organizations
and their constituencies can be obtained by sending E-mail to
first-request@first.org with an empty subject line and a message body
containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of the
United States Government.  Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights.  Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring by
the United States Government or the University of California.  The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government nor the University of California, and shall not
be used for advertising or product endorsement purposes.