TUCoPS :: Unix :: Various Flavours :: ciacb039.txt

Cray Unicos Vulnerability

From pon Thu Aug 29 15:28:28 1991
Return-Path: <pon>
Received: by  (4.1/SMI-4.1)
	id AA11876; Thu, 29 Aug 91 15:28:28 PDT
From: pon (Ken Pon)
Message-Id: <9108292228.AA11876@>
Subject: New B-39
To: gschultz (Gene Schultz)
Date: Thu, 29 Aug 91 15:28:27 PDT
X-Mailer: ELM [version 2.3 PL0]
Status: RO


                              ROUGH DRAFT
      VENDOR RESTRICTED--FOR DEPARTMENT OF ENERGY CRAY SITES ONLY
                           DO NOT DISTRIBUTE
        _____________________________________________________
               The Computer Incident Advisory Capability
                         ___  __ __    _     ___
                        /       |     / \   /
                        \___  __|__  /___\  \___
        _____________________________________________________
                         Information Bulletin

                 Latest Security Mods for CRAY UNICOS

August 29, 1215 PST                                          Number B-39

__________________________________________________________________________
PROBLEM:  UNICOS security holes in cleantmp, cron, mail, nfs/automount,
  and MLS rexec/remsh/rshd
PLATFORM: Many versions of the Cray UNICOS operating system (as described
  below for each SPR) 
DAMAGE:   The UNICOS bugs allow unauthorized system privileges to
  non-privileged users
SOLUTIONS:  Install UNICOS mods that apply to your version of UNICOS
__________________________________________________________________________
            Critical Information About UNICOS Security Holes

CIAC has been working with Cray Research Incorporated on the resolution
of several critical security holes in the Cray UNICOS operating system.
These UNICOS bugs may allow unauthorized system privileges to normal 
users.  More explicit information on these problems can be found
in Cray Field Alerts #122 ADDENDUM, #123 ADDENDUM, and #126, or by 
contacting CIAC or Cray Research International Software Technical Support
directly.

The mods listed below are Cray binary files available to correct each
problem described.  A valid user on crayamid.cray.com can use the
FTP "put" command to transfer mods to another system.  Note that
crayamid.cray.com does not support the FTP "get" command.  Alternatively,
contact your Cray support representative to facilitate access to the 
appropriate mods.

Mods are available on crayamid.cray.com in the specified file and 
directory.  Each UNICOS mod has a unique identification and may be 
specific to a particular version of the UNICOS operating system.
Unless otherwise stated, the mod will apply to the entire family of
Cray hardware, including Cray-1, X-MP, Y-MP, and Cray-2.

1.	Cray SPR 45292 - CLEANTMP allows any user to remove any file
	Reference Cray Field Alert #123 - ADDENDUM

	UNICOS version		Cray Mod #	crayamid Directory
	    5.1			d20705cmda	/u/mods/unicos.common/5.1/cmd
	    6.0			60cmd21458a	/u/mods/unicos.common/6.0/cmd
	    6.1			6Ecmd21458a	/u/mods/unicos.common/6.1/cmd

2.	Cray SPR 45753 - CRON allows any user to read protected files
	Reference Cray Field Alert #123 - ADDENDUM

	UNICOS version		Cray Mod #	crayamid Directory
	    5.1		    	51cmd22270c,	/u/mods/unicos.common/5.1/cmd
				51cmd22562d
	    6.0			60cmd22671c	/u/mods/unicos.common/6.0/cmd
	    6.1			6Ecmd22671a	/u/mods/unicos.common/6.1/cmd

3.	Cray SPR 45743 - /BIN/MAIL allows users to read protected files
	Reference Cray Field Alert #123 - ADDENDUM

	UNICOS version		Cray Mod #	crayamid Directory
	    5.1			51cmd22391b	/u/mods/unicos.common/5.1/cmd
	    6.0			60cmd22391a	/u/mods/unicos.common/6.0/cmd
	    6.1			6Ecmd22391a	/u/mods/unicos.common/6.1/cmd

4.	Cray SPR 45455 - PORTMAP allows forwarding of mount requests
	Reference Cray Field Alert #122, #122 - ADDENDUM

Cray Field Alert #122 discusses how one can obtain a file handle and
access files from an unauthorized machine using NFS.  The following mods
closed this vulnerability by modifying portmap to disable the forwarding 
of mount requests on a server:

	UNICOS version		Cray Mod #	crayamid Directory
	    5.1			d20688rpca	/u/mods/nfs/5.1
	    6.0			60RPC22343A	/u/mods/rpc/6.0
	    6.1			6ERPC22329A	/u/mods/rpc/6.1

However, the above mods may affect RPC applications that depend on portmap
to forward their RPC requests to mountd.  One of these applications is the
automount command, which will not work if the mod from Field Alert #122 is
installed.  The appropriate mods to allow automount to work for Cray NFS
clients is given below.  For non-Cray systems, contact your vendor
specific technical support representative to obtain a version of the 
automounter that does not make its requests via portmap.  (Note that the 
SunOS 4.1 version of automount already contains this fix.)  Refer to Cray 
Field Alert #122 - Addendum for more information.
  
	UNICOS version		Cray Mod #	crayamid Directory
	    5.1			NONE, automounter not supported in release 5.1
	    6.0			60nfs23984a	/u/mods/nfs/6.0
	    6.1			6Enfs23984a	/u/mods/nfs/6.E

5.	Cray SPR 45405 - RSHD under UNICOS MLS grants unauthorized MLS 
              privileges
        Cray SPR 46445 - REMSH/REXEC allows users to obtain permits, levels,
              and compartments not in the UDB
	Reference Cray Field Alert #126

	UNICOS version		Cray Mod #	crayamid Directory
	    5.1			e20716tcpa,	/u/mods/tcp_ip
                                e20717cmda
	    6.0			60tcp21801a	/u/mods/tcp_ip
	    6.1			6Etcp21801a	/u/mods/tcp_ip

CIAC recommends that you upgrade your version of UNICOS to the most recent 
available, since many improvements to the security of your system have been 
integrated into the most recent base operating system.  In addition, you
should install all mods (listed above) appropriate to your UNICOS system.

For additional information or assistance, please contact CIAC:   
 
        Kenneth L. Pon
        (415) 422-1783 until Sept. 1; afterwards call (510) 422-1783 
        or (FTS) 532-1783
        send e-mail to pon@cheetah.llnl.gov
 
        Call CIAC at (415) 422-8193 until Sept. 1; afterwards call 
        (510) 422-8193 
        or (FTS) 532-8193
        send e-mail to ciac@.llnl.gov.
 
        Send FAX messages to:  (415) 423-0913 or (FTS) 543-0913.
 
James Ellis, Karis Forster, and Cray Research provided some of the 
information used in this bulletin.  This document was prepared as an 
account of work sponsored by an agency of the United States Government. 
Neither the United States Government nor the University of California 
nor any of their employees, makes any warranty, express or implied, or 
assumes any legal liability or responsibility for the accuracy, completeness,
or usefulness of any information, apparatus, product, or process disclosed,
or represents that its use would not infringe privately owned rights. 
Reference herein to any specific commercial products, process, or service 
by trade name, trademark, manufacturer, or otherwise, does not necessarily 
constitute or imply its endorsement, recommendation or favoring by the 
United States Government or the University of California. The views and 
opinions of authors expressed herein do not necessarily state or reflect 
those of the United States Government or the University of California, and 
shall not be used for advertising or product endorsement purposes.



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH