_____________________________________________________

             The Computer Incident Advisory Capability

                      ___  __ __    _     ___
                     /       |     / \   /
                     \___  __|__  /___\  \___

_____________________________________________________

                       Information Bulletin

                    June 25, 1991, 1500 PST                Number B-31

              CRAY UNICOS 6.0 and 6.1 accton vulnerability
_________________________________________________________________________

PROBLEM:   A flaw in accton allows unauthorized users limited root
           privileges.
PLATFORM:  6.0 and later versions of CRAY UNICOS.
DAMAGE:    Unauthorized read access to files, including sensitive and
           system files; any user can turn system accounting on or off.
SOLUTIONS: Obtain and apply the appropriate Cray mod as specified below.
_________________________________________________________________________

                   Critical Facts About accton Problem

CIAC has learned of a bug in 6.0 and later versions of the CRAY UNICOS
operating system (CRAY SPR 45291) which allows an unauthorized user to
obtain read access to sensitive and system files. The bug also allows a
normal user to turn system accounting on or off.

Cray Research has developed architecture-specific patches for this
vulnerability in the accton(1) command. The mod numbers and the
architectures to which they apply are listed below; the mods can be
obtained by contacting your local technical support representative from
Cray Research.

       Architecture                                   mod
       ------------                                   ---
       X/Y 6.0                                        60c1act20477b
       C2  6.0                                        60c2act20477c
       X/Y 6.E/6.1 (any Y-MP/2E site would be         6Ec1act20477b
                   running this level of UNICOS)
       C2  6.1 mod (this is not yet a released        6Ec2act20477c
                   level of UNICOS but it is
                   running at field test sites)

For additional information or assistance, please contact CIAC:

       Kenneth L. Pon
       (415) 422-1783 or (FTS) 532-1783
       pon@cheetah.llnl.gov

Call CIAC at (415) 422-8193 or (FTS) 532-8193 or send e-mail to
ciac@llnl.gov. Send FAX messages to: (415) 423-0913 or (FTS) 543-0913.

James Ellis, Bryan Koch, and Elaine Stuber provided some of the
information used in this bulletin.
This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.