TUCoPS :: Unix :: Various Flavours :: ciacg030.txt

DEC OSF/1 Software Security Kits


             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                           DEC Software Security Kits

July 9, 1996 18:00 GMT                                             Number G-30
______________________________________________________________________________
PROBLEM:       DEC has recently released the software security kits that
               address recently reported potential security vulnerabilities.
PLATFORM:      DIGITAL UNIX (DEC OSF/1) V2.0, V3.0, V3.0b, V3.2, V3.2b, V3.2c,
               V3.2d1, V3.2d2, ULTRIX V4.3 - V4.5.
DAMAGE:        Several known vulnerabilities have been addressed, reference
               the DEC advisory below for the impact and damage assessment.
SOLUTION:      CIAC recommends that all users determine the applicability of
               this information and take the appropiate action recommended by
               DEC.
______________________________________________________________________________
VULNERABILITY  Knowledge of how to exploit these vulnerabilties are widely
ASSESSMENT:    known. DEC rates the severity level high.
______________________________________________________________________________

[ Start of DEC Bulletin ]
___________________________________________________________________________
#96.0383

SOURCE:                                                         27JUN1996
   Digital Equipment Corporation
   Software Security Response Team
   Copyright (c) Digital Equipment Corporation 1996. All rights reserved.

   Digital is broadly  distributing this  Security Advisory  in  order to
   bring to the  attention of  users of Digital's  products  the important
   security  information  contained in  this Advisory.  Digital recommends
   that all users determine the applicability of this information to their
   individual situations and take appropriate action.

   Digital does not warrant  that this information is necessarily accurate
   or complete for all user situations and, consequently, Digital will not
   be responsible for any damages resulting from user's use or disregard of
   the information provided in this Advisory.


SUMMARY DESCRIPTION:
         Digital has recently released the software security kits
         identified below that address recently reported, potential
         security vulnerabilities.

SEVERITY LEVEL: High

SUMMARY ECO KIT INFORMATION:
         The ECO Kits identified in this advisory will not be
         applicable to versions previous to those identified in the
         OP/SYS identified for each ECO.
*****
NOTE*  (1) These ECO's must be re-applied if an update or installation
*****      is performed thru V3.2d2 of Digital UNIX, and V4.5 of ULTRIX.
       (2) The solutions will be included in future releases of these
           Operating Systems.


 ____________________________________________________________________________
|TITLE(s):                                                                   |
|----------------------------------------------------------------------------|
| SSRT035901_OSF1020     |Digital UNIX (OSF/1) V2.0  (syslog & C2)           |
|------------------------|---------------------------------------------------|
| SSRT035901_OSF1030     |Digital UNIX (OSF/1) V3.0  (syslog & C2)           |
|------------------------|---------------------------------------------------|
| SSRT035901_OSF1030B    |Digital UNIX (OSF/1) V3.0b (syslog & C2)           |
|------------------------|---------------------------------------------------|
| SSRT035902_OSF1032     |Digital UNIX (OSF/1) V3.2  (syslog & C2)           |
|                        |   Replaces: SSRT035901_OSF1032                    |
|------------------------|---------------------------------------------------|
| SSRT035901_OSF1032B    |Digital UNIX (OSF/1) V3.2b (syslog & C2)           |
|------------------------|---------------------------------------------------|
| SSRT035901_OSF1032C    |Digital UNIX (OSF/1) V3.2c (syslog & C2)           |
|------------------------|---------------------------------------------------|
| SSRT035901_OSF1032D    |Digital UNIX (OSF/1) V3.2d (syslog & C2)           |
|------------------------|---------------------------------------------------|
| SSRT035902_ULT45       |Digital ULTRIX V4.3 thru 4.5 (syslog)              |
|                        |   Replaces: SSRT035901_ULT45                      |
|                        |   Cross Reference: SSRT035901_OSF1020,            |
|                        |        SSRT035901_OSF1030,  SSRT035901_OSF1030B,  |
|                        |        SSRT035902_OSF1032,  SSRT035901_OSF1032B,  |
|                        |        SSRT035901_OSF1032C, SSRT035901_OSF1032D,  |
|                        |        & [ CERT/CC Advisory CA-95:13 ]            |
|------------------------|---------------------------------------------------|
| SSRT037901_DUNIX1032D2 |Digital UNIX (OSF/1) V3.0 thru V3.2D2 (mountd)     |
|                        |   Cross Reference:   SSRT037901_ULT45             |
|------------------------|---------------------------------------------------|
| SSRT038301_DUNIX1032D2 |Digital UNIX (OSF/1) V3.0 thru V3.2D2 (rpc.statd)  |
|                        |    Cross Reference: [ CERT/CC Advisory CA-96:09 ] |
|------------------------|---------------------------------------------------|
| SSRT038301_ULT045      |Digital ULTRIX V4.3 thru V4.5 (rpc.statd)          |
|                        |    Cross Reference:| SSRT038301_DUNIX1032D2       |
|                        |    Cross Reference: [ CERT/CC Advisory CA-96:09 ] |
|------------------------|---------------------------------------------------|
|SSRT039601_DUNIX1032D2  |Digital UNIX (OSF/1) V3.0 thru V3.2D2 (pcnfsd)     |
|                        |     Cross Reference: [ CERT/CC Advisory CA-96:08 ]|
|                        |                                                   |
|                        |  *At the time of writing this document, patches   |
|                        |  (binary kits) for Digital's   UNIX operating     |
|                        |  system are in final testing and packaging.       |
|                        |  Digital will provide notice of availability for  |
|                        |  the kits through AES services (DIA, DSNlink      |
|                        |  FLASH) and also be available from your normal    |
|                        |  Digital Support channel.                         |
|                        |                                                   |
 ----------------------------------------------------------------------------


=====================================================================
ECO KIT NAME(S):   SSRT035901_OSF1020, SSRT035901_OSF1030,
                    SSRT035901_OSF1030B, SSRT035902_OSF1032,
                     SSRT035901_OSF1032B, SSRT035901_OSF1032C,
                      SSRT035901_OSF1032D
=====================================================================
Op/SYS:         DIGITAL UNIX (DEC OSF/1)
                Kit(s) Apply To: V2.0,V3.0, V3.0b, V3.2, V3.2b,
                                V3.2c, V3.2d1, V3.2d2

ECO Kits Superseded by These ECO Kits:  SSRT0359_OSF1032C
System Reboot Necessary:  Yes

---------------------------------------------------------------------
PROBLEM:
  1.    Digital has discovered a potential security vulnerability identified
        with disabled accounts (library routines) for Digital UNIX (OSF/1)
        when running C2 security (enhanced).
                Cross Reference:   none
  2.    A potential security vulnerability has been identified with syslog,
        under certain circumstances, may allow unauthorized file access
        from unauthorized systems users.
                Cross Reference:
                [ CERT/CC Advisory CA-95:13  - Syslog Vulnerability ]


=====================================================================
ECO KIT NAME:   SSRT035902_ULT45, (syslog)
=====================================================================
Op/SYS:         DIGITAL ULTRIX Operating System
                Kit Applies To: V4.3 (VAX & MIPS), V4.3a (MIPS),
                                V4.4 (VAX & MIPS), V4.5 (VAX & MIPS)

ECO Kits Superseded by This ECO Kit:  SSRT0359_ULT45
System Reboot Necessary:  Yes

---------------------------------------------------------------------
PROBLEM:
  A potential security vulnerability has been identified with syslog
  that may, under certain circumstances, allow unauthorized file access
  from unauthorized systems users.
                Cross Reference:
                [ CERT/CC Advisory CA-95:13  - Syslog Vulnerability ]


=====================================================================
ECO KIT NAME:   SSRT037901_DUNIX1032D2, (mountd)
=====================================================================
Op/SYS:         Digital UNIX (DEC OSF/1)
                Kit Applies To: V3.0, V3.0b, V3.2, V3.2b,
                                V3.2c, V3.2d1, V3.2d2
ECO Kits Superseded by This ECO Kit:  None
System Reboot Necessary:  Yes

---------------------------------------------------------------------
PROBLEM:
 Digital has recently discovered a potential security vulnerability
 identified with mountd. This potential vulnerability may, under
 certain circumstances, allow an NFS server to be spoofed.

                Cross Reference: None

=====================================================================
ECO KIT NAME:   SSRT038301_DUNIX1032D2, (rpc.statd)
=====================================================================
Op/SYS:         DIGITAL UNIX (DEC OSF/1) Operating System
                Kit Applies To: V3.0, V3.0b, V3.2, V3.2b,
                                V3.2c, V3.2d1, V3.2d2

ECO Kits Superseded by This ECO Kit:  None
System Reboot Necessary:  Yes

 ___________________________________________________
 ECO KIT NAME:   SSRT038301_ULT045       (rpc.statd)
 ___________________________________________________
        Op/SYS:         DIGITAL ULTRIX   Operating System
        Kit Applies To: V4.3, V4.3a, V4.4, V4.5 (VAX & MIPS)

ECO Kits Superseded by This ECO Kit:  None
System Reboot Necessary:  Yes

---------------------------------------------------------------------
PROBLEM:
  A potential security vulnerability has been identified with rpc.statd,
  that may, may under certain circumstances, allow unauthorized file
  access from unauthorized systems users.

                Cross Reference:

                [ CERT/CC Advisory CA-96:09 - Vulnerability in rpc.statd ]
                [ CIAC/CC Bulletin G-22: rpc.statd Vulnerability ]


=====================================================================
ECO AVAILABILITY:

         Software service contract or warranty customers may obtain
         the ECO  kits through normal Digital support channels, via
         AES (Advanced Electronic Service) or from the appropriate OS
         type and version directory listed by accessing:

          ftp://ftp.service.digital.com/public/{OS/{vn.n}
                                                |     |
                                                |     |--version
                                                |--osf or ultrix


         Please refer to the applicable Release Note information prior
         to upgrading your installation.

  Note:  Non-contract/non-warranty customers should contact
         local Digital support channels for information
         regarding these kits.


         As always, Digital urges you to periodically review your
         system management and security procedures. Digital will
         continue to review and enhance the security features of its
         products and work with customers to maintain and improve the
         security and integrity of their systems.

 6/96                                   - DIGITAL EQUIPMENT CORPORATION

[ End of DEC Bulletin ]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Digital Equipment Corporation 
(DEC) for the information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (128.115.19.53)
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called ListProcessor, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and
valid information for LastName FirstName and PhoneNumber when sending

E-mail to       ciac-listproc@llnl.gov:
        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN,
and information on how to change either of them, cancel your
subscription, or get help.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body
containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

G-20:  Vulnerability in NCSA and Apache httpd Servers
G-21:  Vulnerabilities in PCNFSD Program
G-22:  rpc.statd Vulnerability
G-23:  Solaris NIS+ Configuration Vulnerability
G-24:  FreeBSD Security Vulnerabilities
G-25:  SUN statd Program Vulnerability
G-26:  IRIX Desktop Permissions Panel Vulnerability
G-27:  SCO Kernel Security Vulnerability
G-28A: suidperl Vulnerability
G-29:  dip Program Vulnerability

RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)

Notes 07 - 3/29/95     A comprehensive review of SATAN

Notes 08 - 4/4/95      A Courtney update

Notes 09 - 4/24/95     More on the "Good Times" virus urban legend

Notes 10 - 6/16/95     PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
                       in S/Key, EBOLA Virus Hoax, and Caibua Virus

Notes 11 - 7/31/95     Virus Update, Hats Off to Administrators,
                       America On-Line Virus Scare, SPI 3.2.2 Released,
                       The Die_Hard Virus

Notes 12 - 9/12/95     Securely configuring Public Telnet Services, X
                       Windows, beta release of Merlin, Microsoft Word
                       Macro Viruses, Allegations of Inappropriate Data
                       Collection in Win95

Notes 96-01 - 3/18/96  Java and JavaScript Vulnerabilities, FIRST
                       Conference Announcement, Security and Web Search
                       Engines, Microsoft Word Macro Virus Update

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH