
SunOS Patch etc/utmp Vulnerability

             _____________________________________________________
                         The U.S. Department of Energy
                     Computer Incident Advisory Capability
                             ___  __ __    _     ___
                            /       |     / \   /
                            \___  __|__  /___\  \___
             _____________________________________________________

                               ADVISORY NOTICE

              Sun Announces Patches for /etc/utmp Vulnerability

March 21, 1994 1200 PST                                           Number E-13
______________________________________________________________________________
PROBLEM: Vulnerability in SunOS /etc/utmp.  
PLATFORM: SunOS 4.1.x systems (but not SunOS 4.1.3_U1 or Solaris 2.x).
DAMAGE: Manipulation of /etc/utmp can result in unauthorized root access.
SOLUTION: Retrieve and install applicable patches.
______________________________________________________________________________
______________________________________________________________________________
VULNERABILITY ASSESSMENT: CIAC considers this vulnerability serious and
advises all system administrators to install these security patches
immediately.  This vulnerability is being actively exploited on the Internet.
______________________________________________________________________________

                    Critical Information about Sun Patches

CIAC has received information from Sun Microsystems regarding the availability
of six patches which will fix the /etc/utmp vulnerability.  The following text
is from the Sun Microsystems Security Bulletin #00126:

      SunOS 4.1.x systems have been found to be vulnerable to an attack
      on the /etc/utmp file. The manipulation of this file, which on
      SunOS 4.1.x systems is world-writable, can result in unauthorized root
      access for the attacker. We are releasing today patches to several
      utilities which close that security hole, identified as bug 1140162.
  
      If the new patches are installed, no other changes--such as making
      the /etc/utmp file not world-writable--are necessary to close the
      security hole. We recommend that all of the patches be installed. 

      Solaris 2.x systems, including Solaris x86 systems, are not
      susceptible to this attack. SunOS 4.1.3_U1 (Solaris 1.1.1) systems
      are also not susceptible. The patches were integrated into
      that system before it was released.

The table below contains patch numbers and checksums for the six patches.

Program   Patch ID   BSD        SVR4       MD5 Digital Signature
                     Checksum   Checksum   
-------   ---------  ---------  ---------  -------------------------------- 
dump      100593-03  52095 242  41650 484  CDBA530226E8735FAE2BD9BCBFA47DD0 
in.comsat 100272-07  26553  39  64651  78  912FF4A0CC8D16A10EECBD7BE102D45C
in.talkd  101480-01  47917  44  32598  88  5C3DFD6F90F739100CFA4AA4C97F01DF
shutdown  101481-01  46562  80  56079 159  BFC257EC795D05646FFA733D1C03855B
syslogd   100909-02  61539 108  38239 216  B5F70772384A3E58678C9C1F52D81190
write     101482-01  61148  41  48636  81  F93276529AA9FC25B35679EBF00B2D6F

The filename for each patch consists of the Patch ID followed by ".tar.Z". For
example, the filename for the dump patch is 100593-03.tar.Z.  The checksums
shown in the table are from the BSD-based checksum program distributed with
the system software (on 4.1.x, /bin/sum; on Solaris 2.x, /usr/ucb/sum) and
from the SVR4 version checksum program distributed with Solaris 2.x
(/usr/bin/sum).  MD5 software can be retrieved via anonymous FTP from
irbis.llnl.gov in the file /pub/util/crypto/md5.tar (MD5 checksum:
B6B90CC7C56353FC643DF25B6F730D21).
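The paragraph above names three different integrity values for each patch, and the two "sum" programs it cites do not compute the same thing: the BSD-style sum (SunOS 4.1.x /bin/sum, Solaris /usr/ucb/sum) is a 16-bit rotate-and-add checksum with 1024-byte block counts, while the SVR4 sum (Solaris 2.x /usr/bin/sum) is a folded 32-bit byte sum with 512-byte block counts. Running the wrong one produces a value that will never match the table. The script below is an added example written for this page, not code from CIAC or Sun; it reimplements both checksum algorithms as defined for the classic BSD and System V sum commands (the same definitions GNU coreutils implements as `sum -r` and `sum -s`), parses the advisory's own table, and checks a downloaded `<Patch ID>.tar.Z` file against all three values. It assumes the 1994 SunOS binaries compute those classic values; the `demo` table row used in the test is constructed, not a real patch.

```python
import hashlib
import re

# The six patch rows exactly as printed in the advisory's table (program,
# patch ID, BSD checksum + 1K blocks, SVR4 checksum + 512-byte blocks, MD5).
ADVISORY_TABLE = """\
dump      100593-03  52095 242  41650 484  CDBA530226E8735FAE2BD9BCBFA47DD0
in.comsat 100272-07  26553  39  64651  78  912FF4A0CC8D16A10EECBD7BE102D45C
in.talkd  101480-01  47917  44  32598  88  5C3DFD6F90F739100CFA4AA4C97F01DF
shutdown  101481-01  46562  80  56079 159  BFC257EC795D05646FFA733D1C03855B
syslogd   100909-02  61539 108  38239 216  B5F70772384A3E58678C9C1F52D81190
write     101482-01  61148  41  48636  81  F93276529AA9FC25B35679EBF00B2D6F
"""

# program  patch-id  bsd-sum bsd-blocks  svr4-sum svr4-blocks  md5
ROW = re.compile(
    r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f]{32})\s*$"
)


def bsd_sum(data: bytes) -> tuple[int, int]:
    """BSD-style 'sum' (SunOS 4.1.x /bin/sum, Solaris /usr/ucb/sum).

    16-bit checksum: rotate right one bit, then add the next byte.
    Block count is in 1024-byte blocks, rounded up.
    """
    checksum = 0
    for byte in data:
        checksum = (checksum >> 1) + ((checksum & 1) << 15)
        checksum = (checksum + byte) & 0xFFFF
    return checksum, (len(data) + 1023) // 1024


def sysv_sum(data: bytes) -> tuple[int, int]:
    """SVR4-style 'sum' (Solaris 2.x /usr/bin/sum).

    32-bit byte sum folded twice into 16 bits (end-around carry).
    Block count is in 512-byte blocks, rounded up.
    """
    total = sum(data) & 0xFFFFFFFF
    folded = (total & 0xFFFF) + (total >> 16)
    checksum = (folded & 0xFFFF) + (folded >> 16)
    return checksum, (len(data) + 511) // 512


def parse_table(text: str) -> dict:
    """Turn advisory table rows into {patch_id: expected values}."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header / separator lines do not match the row shape
        prog, patch_id, bc, bb, sc, sb, md5 = m.groups()
        table[patch_id] = {
            "program": prog,
            "bsd": (int(bc), int(bb)),
            "sysv": (int(sc), int(sb)),
            "md5": md5.lower(),
        }
    return table


def verify_patch(patch_id: str, data: bytes, table: dict) -> list[str]:
    """Compare a patch archive's bytes against the advisory's three values.

    Returns a list of mismatch descriptions; an empty list means all three
    agree.  MD5 is the meaningful integrity check here; the two 'sum' values
    mainly catch a truncated or corrupted transfer.
    """
    expected = table[patch_id]
    problems = []
    got_bsd = bsd_sum(data)
    if got_bsd != expected["bsd"]:
        problems.append(f"BSD sum {got_bsd} != {expected['bsd']}")
    got_sysv = sysv_sum(data)
    if got_sysv != expected["sysv"]:
        problems.append(f"SVR4 sum {got_sysv} != {expected['sysv']}")
    got_md5 = hashlib.md5(data).hexdigest()
    if got_md5 != expected["md5"]:
        problems.append(f"MD5 {got_md5} != {expected['md5']}")
    return problems


def verify_file(path: str, table: dict) -> list[str]:
    """Verify a file named <Patch ID>.tar.Z as the advisory describes."""
    patch_id = path.rsplit("/", 1)[-1].removesuffix(".tar.Z")
    with open(path, "rb") as fh:
        return verify_patch(patch_id, fh.read(), table)


if __name__ == "__main__":
    import sys

    expected_values = parse_table(ADVISORY_TABLE)
    for path in sys.argv[1:]:
        problems = verify_file(path, expected_values)
        print(path, "OK" if not problems else "; ".join(problems))
```

Usage: `python3 verify_patch.py 100593-03.tar.Z 101482-01.tar.Z` prints one line per file. Any reported mismatch means the archive should not be installed, whichever FTP mirror it came from.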

Individuals with Sun support contracts may obtain these patches from their
local Sun Answer Center or from SunSolve Online.  Security patches are also
available without a support contract via anonymous FTP from ftp.uu.net (IP
address 192.48.96.9) in the directory /systems/sun/sun-dist.
______________________________________________________________________________

CIAC would like to thank Mark Graff of Sun Microsystems for the information
contained in this advisory.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:
    Voice:   510-422-8193
    FAX:     510-423-8002
    STU-III: 510-423-2604
    E-mail:  ciac@llnl.gov

Previous CIAC Bulletins and other information are available via anonymous FTP
from irbis.llnl.gov (IP address 128.115.19.60).
______________________________________________________________________________

CIAC has two self-subscribing mailing lists for its two types of electronic
publications: 1. Advisories (highest priority, time critical information) or
Bulletins (important computer security information) and 2. Notes (computer
security articles of general interest).  Our mailing lists are managed by a
public domain software package called ListProcessor, which ignores E-mail
header subject lines.  To subscribe (add yourself) to one of our mailing lists,
send E-mail to: ciac-listproc@llnl.gov with the following request as the E-mail
message body, substituting CIAC-BULLETIN or CIAC-NOTES for (service) and valid
information for the other items in parentheses:

        subscribe  (service)  (Full_Name)  (Phone_number)

You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or get
help.  Currently, to subscribe to both you must send two separate requests.  To
subscribe an address which is a distribution list, first subscribe the person
responsible for your distribution list.  You will receive an acknowledgment,
containing address and initial PIN.  Change the address to be the distribution
list address by sending a second E-mail request.  As the body of this message,
send the following request, substituting valid information for items in
parentheses:

        set  (service)  address  (PIN)  (distribution_list_address)
______________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins.  If you are not part of these communities, please
contact your agency's response team to report incidents.  Your agency's team
will coordinate with CIAC.  The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization.  A list of FIRST member organizations and
their constituencies can be obtained by sending email to docserver@first.org
with an empty subject line and a message body containing the line: send
first-contacts.

This document was prepared as an account of work sponsored by an agency of the
United States Government.  Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights.  Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring by
the United States Government or the University of California.  The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government nor the University of California, and shall not
be used for advertising or product endorsement purposes.
______________________________________________________________________________
