From longstaf Mon Aug 26 10:18:37 1991
Return-Path: <longstaf>
Received: by (4.1/SMI-4.1) id AA03143; Mon, 26 Aug 91 10:17:13 PDT
Date: Mon, 26 Aug 91 10:17:13 PDT
From: longstaf (Tom Longstaff)
Message-Id: <9108261717.AA03143@>
To: external
Cc: cert@cert.sei.cmu.edu, first-reps@nist.gov, ciac
Subject: CIAC Bulletin B-37: Security Problem with UNIX Trusted System Files
Status: RO

       _____________________________________________________
                 The Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /      |     / \   /
                         \___ __|__  /___\  \___
       _____________________________________________________

                          Information Bulletin

    Security Problems with /etc/hosts.equiv, /etc/hosts.lpd, and .rhosts
                           files on UNIX Systems

August 26, 1991, 1000 PDT                                        Number B-37

Critical Facts about the Security Problem with UNIX Trusted System Files
-------------------------------------------------------------------------------
PROBLEM:   Some configurations of files providing trusted access to the host,
           including the /etc/hosts.equiv, /etc/hosts.lpd, and .rhosts files,
           may allow unauthorized access to the system.
PLATFORM:  Many UNIX-based operating systems and platforms, including System V
           and BSD based UNIX systems.
DAMAGE:    Potentially severe due to unauthorized access to the system.
SOLUTIONS: Assure that a character other than '-' is the first character of
           these files.
-------------------------------------------------------------------------------

CIAC has learned of a security problem with files supporting the trusted
access on many UNIX-based computers. If your system uses the /etc/hosts.equiv,
/etc/hosts.lpd, or .rhosts files (in each user's home directory) for trusted
access from other systems, your system may be vulnerable to unauthorized
access. This information has recently been posted to a large mailing list and
news group on the Internet, so it is important that you check your systems for
this vulnerability.
To assure that your system does not contain this vulnerability, check for a
'-' sign as the first character of any file providing trusted access to the
system. These trusted access files include /etc/hosts.equiv, /etc/hosts.lpd,
and each user's .rhosts file. Any files containing a '-' as the first
character should be rearranged (using a file editor such as 'vi') so that some
other entry (without a '-' as the first character) is listed as the first
entry of the file. If all entries in one of these files contain a '-' as the
first character, the file should be removed.

The use of these trusted access files allows access to the system without
authentication, and for security reasons, these trusted access files should be
removed if not absolutely required. In addition, as mentioned in CIAC Bulletin
A-1, the inclusion of a '+' sign alone on a line in any of these files will
allow trusted access from *any* system that may connect to the machine.

Also note that users may modify their local .rhosts file so as to re-introduce
this vulnerability at a later time. CIAC recommends that any system that
allows the use of individual .rhosts files inform users of these problems and
periodically check to assure that these vulnerabilities have not been
re-introduced in an individual's .rhosts file.

CIAC has prepared a shell script that may assist system managers in finding
files containing this vulnerability on SunOS and some BSD based platforms. For
details on obtaining this tool, please send electronic mail to CIAC.

For additional information or assistance, please contact CIAC:

    Tom Longstaff
    (415) 423-4416 or send e-mail to longstaf@llnl.gov

During working hours call CIAC at (415) 422-8193 or (FTS) 532-8193 or send
e-mail to ciac@llnl.gov.

The assistance of the Computer Emergency Response Team/Coordination Center
(CERT/CC) and Sun Microsystems in drafting this bulletin is gratefully
acknowledged.
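The following POSIX shell script is an added example of the periodic check the bulletin recommends; it is not CIAC's own tool (which the bulletin says is available on request). It reports the three conditions described above: a trusted-access file whose first character is '-', a file in which every entry begins with '-' (which should be removed rather than reordered), and a line consisting only of '+' (trusts every host, per CIAC Bulletin A-1). The list of home directories is taken from the local /etc/passwd, which is an assumption that does not cover accounts served only by NIS/YP.

```shell
#!/bin/sh
# Added example (not CIAC's script): audit trusted-access files for the
# conditions described in CIAC Bulletin B-37 (and the '+' entry from A-1).
# Exit status: 0 = nothing found, 1 = at least one finding was printed.

# check_trusted_file FILE
# Prints one line per finding for FILE; returns 1 if anything was found.
check_trusted_file() {
    f=$1
    found=0
    # A missing file grants no trusted access, so there is nothing to report.
    [ -f "$f" ] || return 0

    # Condition 1: the first character of the file is '-'.
    first=$(head -n 1 "$f" | cut -c1)
    if [ "$first" = "-" ]; then
        echo "$f: first character is '-' (reorder entries; see CIAC B-37)"
        found=1
    fi

    # Condition 2: every entry begins with '-', so no entry can be moved to
    # the front; the bulletin says to remove such a file.
    if [ -s "$f" ] && ! grep -q -v '^-' "$f"; then
        echo "$f: every entry begins with '-'; remove the file"
        found=1
    fi

    # Condition 3: a line that is exactly '+' (trailing whitespace allowed)
    # trusts any host that can connect (CIAC Bulletin A-1).
    if grep -n '^+[[:space:]]*$' "$f"; then
        echo "$f: lone '+' entry trusts every host"
        found=1
    fi

    return "$found"
}

# scan_trusted_files
# Checks the system-wide files and each user's .rhosts; returns 1 on findings.
scan_trusted_files() {
    status=0
    for f in /etc/hosts.equiv /etc/hosts.lpd; do
        check_trusted_file "$f" || status=1
    done
    # Assumption: home directories come from the local /etc/passwd only.
    while IFS=: read -r name pw uid gid gecos home shell; do
        if [ -n "$home" ] && [ -d "$home" ]; then
            check_trusted_file "$home/.rhosts" || status=1
        fi
    done < /etc/passwd
    return "$status"
}

# Usage: sh check_rhosts.sh --scan   (run as root so every .rhosts is readable)
if [ "${1:-}" = "--scan" ]; then
    scan_trusted_files
    exit $?
fi
```

Run it from cron so that a user who re-introduces a leading '-' or a lone '+' in a personal .rhosts file is noticed on the next pass; a non-zero exit status makes it easy to raise an alert from the scheduler.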
This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.