Vulnerability: SecurID

Affected: Systems using SecurID

Description:
Drew Dean found the following. He had a SecurID card for his Princeton Computer Science department account. The setup is that an old Sun, running SunOS 4.1.4, runs the SecurID software; you telnet to it, authenticate, and then rlogin to where you want to go. While this setup isn't perfect, the router hooking these machines to the outside world is set up to prevent spoofing, and the local network is deemed to be under reasonable control.

A while back, when he logged in and tried to rlogin to the workstation on his (former) desk, it said, "Not on system console." Funny, it only says that if you attempt to rlogin as root. Oops: a # prompt, and /usr/bin/id reported UID 0.

Further investigation yielded that their entries in /etc/passwd were of the form +<username>::::::, i.e., to get their information from NIS. However, due to a pending network reconfiguration, the machine was temporarily not using NIS, and no ypbind was running. It appears that the SecurID software didn't check the return value of the lookup and used a default value of 0. (The SecurID software keeps a separate database for its authentication information.) This raises interesting questions about a denial of service attack escalating to a root compromise (for local users; you need a SecurID card to log in with).

Solution: Security Dynamics has been notified.
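The failure mode above (a directory lookup that fails because NIS is down, a return value nobody checks, and a UID variable that was initialised to 0 and stays there) is easy to reproduce in miniature. The C below is an added example written for this page; it is not code from the advisory or from Security Dynamics' SecurID software. It assumes the lookup was a getpwnam(3)-style call and stands in for it with a constructed one-entry table and an nis_available flag that models whether ypbind is running. The unchecked variant shows how "lookup failed" becomes "root"; the checked variant fails closed and returns a sentinel the caller must test before any setuid().

```c
/* Added example, not the advisory's or vendor's code. Models the SunOS/NIS
 * failure described above: a failed user lookup is never checked and a
 * uid initialised to 0 is used as the authenticated identity.          */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* (uid_t)-1 is the conventional "no such uid" value (chown(2) uses it
 * for "leave unchanged"); it can never collide with a real account.    */
#define UID_LOOKUP_FAILED ((uid_t)-1)

/* Constructed stand-in for the NIS passwd map: one ordinary user. */
static struct passwd demo_entry = {
    .pw_name = "ddean",   /* hypothetical account name */
    .pw_uid  = 1042,
    .pw_gid  = 100,
};

/* Stand-in for getpwnam(3) behind a "+user::::::" entry: with no ypbind
 * running (nis_available == 0) every lookup fails, exactly as on the
 * machine in the report. */
static struct passwd *lookup_user(const char *name, int nis_available)
{
    if (!nis_available)
        return NULL;
    if (strcmp(name, demo_entry.pw_name) == 0)
        return &demo_entry;
    return NULL;
}

/* Vulnerable pattern: uid starts at 0, the NULL result is silently
 * tolerated, and the caller ends up switching to uid 0 (root).         */
uid_t resolve_uid_unchecked(const char *name, int nis_available)
{
    uid_t uid = 0;
    struct passwd *pw = lookup_user(name, nis_available);
    if (pw != NULL)
        uid = pw->pw_uid;
    return uid;               /* lookup failure == root, the bug */
}

/* Hardened pattern: a failed lookup is an error, not a default. The
 * caller must compare against UID_LOOKUP_FAILED and refuse the login;
 * there is no code path that yields uid 0 without a real root entry.   */
uid_t resolve_uid_checked(const char *name, int nis_available)
{
    struct passwd *pw = lookup_user(name, nis_available);
    if (pw == NULL) {
        fprintf(stderr, "user lookup for '%s' failed (NIS down?); "
                        "refusing login\n", name);
        return UID_LOOKUP_FAILED;
    }
    return pw->pw_uid;
}

int main(void)
{
    /* NIS up: both variants agree. */
    printf("NIS up,   unchecked: uid %u\n",
           (unsigned)resolve_uid_unchecked("ddean", 1));
    printf("NIS up,   checked:   uid %u\n",
           (unsigned)resolve_uid_checked("ddean", 1));
    /* NIS down: the unchecked variant hands out root. */
    printf("NIS down, unchecked: uid %u\n",
           (unsigned)resolve_uid_unchecked("ddean", 0));
    uid_t u = resolve_uid_checked("ddean", 0);
    if (u == UID_LOOKUP_FAILED)
        printf("NIS down, checked:   login refused\n");
    return 0;
}
```

The detection angle for an operator is the same as the fix: any login path that resolves an identity from a network directory should log and reject a NULL/ENOENT result, and a sudden run of such rejections is the signal that the directory (here ypbind) is down rather than that users are mistyping names.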