            _____________________________________________________
                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
            _____________________________________________________

                            INFORMATION BULLETIN

        Novell UnixWare sadc, urestore, and suid_exec Vulnerabilities

December 14, 1994 0800 PST                                        Number F-06
_____________________________________________________________________________

PROBLEM:       Security vulnerabilities exist in Novell UnixWare.
PLATFORMS:     Novell UnixWare 1.1 on Intel-based platforms.
DAMAGE:        Local users may gain privileged access to the system.
SOLUTION:      Install fixes as described below.
_____________________________________________________________________________

VULNERABILITY  These vulnerabilities have been announced and openly
ASSESSMENT:    discussed in an Internet forum.  CIAC urges sites to install
               these fixes as soon as possible.
_____________________________________________________________________________

      Critical Information about the Novell UnixWare Vulnerabilities

CIAC has received information from Novell regarding vulnerabilities in
UnixWare 1.1 system software.  These vulnerabilities will allow local users
to gain privileged access to the system.  The Novell advisory announcing
these vulnerabilities and available fixes is reprinted in its entirety below.
Please refer any questions to CIAC.
_____________________________________________________________________________
[Begin Novell Advisory]

Recently, there were three security advisories posted on the
"net" associated with several versions of the Unix Operating System.
These advisories are related to the following:

	/usr/lib/sa/sadc	The command is sgid-on-exec to "sys"

	/usr/sbin/urestore	The command is suid-on-exec to "root"

	suid_exec feature	This pertains to "ksh".

One of the operating system versions affected was the UnixWare 1.1
product distributed by Novell, Inc.  Listed below are the results of
the investigation that took place concerning the affected binaries:

	With respect to the "sadc" problem, the "sadc" binary in the
	UnixWare 1.1 product has been modified such that it no longer
	poses a security threat.
	
	This modification is provided as PTF683 and is available from
	Novell Technical Support at (800) 486-4835.
	
	With respect to the "urestore" problem, this requires an attribute
	modification to remove the suid-on-exec bit.  The functionality of
	"urestore" should remain unchanged.  This modification is also
	included in PTF683.
	
	The last advisory, suid_exec for ksh, does not apply to the version
	of "ksh" supplied with the UnixWare 1.1 product.
	
	This advisory relates to a feature in "ksh" that allows for the
	execution of suid-on-exec shell scripts.  Since the UnixWare 1.1
	product provides this capability in the exec(2) system call in
	the kernel, the UnixWare 1.1 product does not need to set that
	DEFINE value when compiling "ksh" to achieve this capability and
	hasn't since SVR4.0.

Novell, Inc. has sent source fixes to all SVR4.0, SVR4.2, and SVR4.2MP
OEM customers for both the "sadc" and "urestore" advisories.  These vendors
should be making them available to licensees of their SVR4.X-based operating
systems.  If you are using any of the versions mentioned above, you should
contact the appropriate vendor to obtain their official update.

[End Novell Advisory]
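The urestore fix described in the Novell advisory above is purely an attribute
change: the set-user-ID bit is cleared and the program itself is untouched.  The
shell below is an added example, not part of the CIAC bulletin or the Novell
advisory, showing the check and the remediation a site would run: enumerate
every set-user-ID or set-group-ID file under a root, test a single path with
test(1)'s -u and -g, and strip the bits with chmod(1).  It assumes POSIX sh,
find(1) and chmod(1); because the real UnixWare binaries are not present here,
it builds a constructed fixture in a temporary directory that mirrors the
advisory's two paths (/usr/lib/sa/sadc as set-group-ID, /usr/sbin/urestore as
set-user-ID) plus one control file without either bit.

```shell
#!/bin/sh
# Added example, not code from the CIAC or Novell advisory.
# Audit a tree for set-user-ID / set-group-ID files and strip the bit from
# urestore, the "attribute modification" PTF683 applies.  The fixture below is
# constructed; the paths mirror the advisory but the files are stub scripts.

# list_setid ROOT: print every regular file under ROOT with mode 04000 or 02000
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# is_setid FILE: succeed if FILE carries either bit (test -u / test -g are POSIX)
is_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# strip_setid FILE: clear both bits; the program's own code is unchanged
strip_setid() {
    chmod u-s,g-s "$1"
}

# make_fixture: build a throwaway tree and print its root.
# Note: chmod silently drops the set-group-ID bit if the caller is not a
# member of the file's group, so the fixture relies on the default group of
# files created by this user (assumption: no set-group-ID parent directory).
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/lib/sa" "$d/usr/sbin" "$d/usr/bin"
    printf '#!/bin/sh\necho sadc\n'     > "$d/usr/lib/sa/sadc"
    printf '#!/bin/sh\necho urestore\n' > "$d/usr/sbin/urestore"
    printf '#!/bin/sh\necho ls\n'       > "$d/usr/bin/ls"
    chmod 2755 "$d/usr/lib/sa/sadc"      # set-group-ID, like sgid "sys"
    chmod 4755 "$d/usr/sbin/urestore"    # set-user-ID, like suid "root"
    chmod 0755 "$d/usr/bin/ls"           # control: no set-id bit
    echo "$d"
}

# audit_and_fix ROOT: show the set-id inventory before and after removing the
# bit from urestore; the last line printed is the number of set-id files left.
audit_and_fix() {
    root=$1
    echo "set-id files before fix:"
    list_setid "$root"
    strip_setid "$root/usr/sbin/urestore"
    echo "set-id files after fix:"
    list_setid "$root"
    list_setid "$root" | wc -l | tr -d ' '
}

# Stand-alone run: build the fixture, audit it, clean up.
if [ "${0##*/}" != "sh" ] && [ -z "$SETID_AUDIT_NO_MAIN" ]; then
    fixture=$(make_fixture)
    audit_and_fix "$fixture"
    rm -rf "$fixture"
fi
```

On a real system the audit would be `list_setid /` run as root and compared
against the vendor's expected inventory; anything unexpected is investigated
before being stripped, since removing a set-id bit changes who can run the
program for its intended purpose (after the fix, urestore only restores files
the invoking user could already access).  The sadc case is not solved this way:
the advisory says Novell replaced the binary in PTF683, so the sgid bit there
is expected to remain.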
_____________________________________________________________________________

If you require additional assistance or wish to report a vulnerability,
contact CIAC at:
    Voice:   510-422-8193
    FAX:     510-423-8002
    STU-III: 510-423-2604
    E-mail:  ciac@llnl.gov

Previous CIAC notices, anti-virus software, and other information are
available on the Internet via anonymous FTP from ciac.llnl.gov (IP address
128.115.19.53).

CIAC has several self-subscribing mailing lists for electronic publications:
1.  CIAC-BULLETIN for Advisories, highest priority - time critical
    information, and Bulletins, important computer security information;
2.  CIAC-NOTES for Notes, a collection of computer security articles;
3.  SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
    software updates, new features, distribution and availability;
4.  SPI-NOTES, for discussion of problems and solutions regarding the use of
    SPI products.

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send requests of the following form:

subscribe list-name LastName, FirstName PhoneNumber

as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES,
SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for
"LastName" "FirstName" and "PhoneNumber."  Send to: ciac-listproc@llnl.gov
not to: ciac@llnl.gov

e.g.,
subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36
subscribe ciac-bulletin O'Hara, Scarlett 404-555-1212 x36

You will receive an acknowledgment containing address and initial PIN, and
information on how to change either of them, cancel your subscription, or get
help.
_____________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations
and their constituencies can be obtained by sending E-mail to
first-request@first.org with an empty subject line and a message body
containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.
