__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
DEC Software Security Kits
July 9, 1996 18:00 GMT Number G-30
______________________________________________________________________________
PROBLEM: DEC has recently released the software security kits that
address recently reported potential security vulnerabilities.
PLATFORM: DIGITAL UNIX (DEC OSF/1) V2.0, V3.0, V3.0b, V3.2, V3.2b, V3.2c,
V3.2d1, V3.2d2, ULTRIX V4.3 - V4.5.
DAMAGE: Several known vulnerabilities have been addressed, reference
the DEC advisory below for the impact and damage assessment.
SOLUTION: CIAC recommends that all users determine the applicability of
this information and take the appropiate action recommended by
DEC.
______________________________________________________________________________
VULNERABILITY Knowledge of how to exploit these vulnerabilties are widely
ASSESSMENT: known. DEC rates the severity level high.
______________________________________________________________________________
[ Start of DEC Bulletin ]
___________________________________________________________________________
#96.0383
SOURCE: 27JUN1996
Digital Equipment Corporation
Software Security Response Team
Copyright (c) Digital Equipment Corporation 1996. All rights reserved.
Digital is broadly distributing this Security Advisory in order to
bring to the attention of users of Digital's products the important
security information contained in this Advisory. Digital recommends
that all users determine the applicability of this information to their
individual situations and take appropriate action.
Digital does not warrant that this information is necessarily accurate
or complete for all user situations and, consequently, Digital will not
be responsible for any damages resulting from user's use or disregard of
the information provided in this Advisory.
SUMMARY DESCRIPTION:
Digital has recently released the software security kits
identified below that address recently reported, potential
security vulnerabilities.
SEVERITY LEVEL: High
SUMMARY ECO KIT INFORMATION:
The ECO Kits identified in this advisory will not be
applicable to versions previous to those identified in the
OP/SYS identified for each ECO.
*****
NOTE* (1) These ECO's must be re-applied if an update or installation
***** is performed thru V3.2d2 of Digital UNIX, and V4.5 of ULTRIX.
(2) The solutions will be included in future releases of these
Operating Systems.
____________________________________________________________________________
|TITLE(s): |
|----------------------------------------------------------------------------|
| SSRT035901_OSF1020 |Digital UNIX (OSF/1) V2.0 (syslog & C2) |
|------------------------|---------------------------------------------------|
| SSRT035901_OSF1030 |Digital UNIX (OSF/1) V3.0 (syslog & C2) |
|------------------------|---------------------------------------------------|
| SSRT035901_OSF1030B |Digital UNIX (OSF/1) V3.0b (syslog & C2) |
|------------------------|---------------------------------------------------|
| SSRT035902_OSF1032 |Digital UNIX (OSF/1) V3.2 (syslog & C2) |
| | Replaces: SSRT035901_OSF1032 |
|------------------------|---------------------------------------------------|
| SSRT035901_OSF1032B |Digital UNIX (OSF/1) V3.2b (syslog & C2) |
|------------------------|---------------------------------------------------|
| SSRT035901_OSF1032C |Digital UNIX (OSF/1) V3.2c (syslog & C2) |
|------------------------|---------------------------------------------------|
| SSRT035901_OSF1032D |Digital UNIX (OSF/1) V3.2d (syslog & C2) |
|------------------------|---------------------------------------------------|
| SSRT035902_ULT45 |Digital ULTRIX V4.3 thru 4.5 (syslog) |
| | Replaces: SSRT035901_ULT45 |
| | Cross Reference: SSRT035901_OSF1020, |
| | SSRT035901_OSF1030, SSRT035901_OSF1030B, |
| | SSRT035902_OSF1032, SSRT035901_OSF1032B, |
| | SSRT035901_OSF1032C, SSRT035901_OSF1032D, |
| | & [ CERT/CC Advisory CA-95:13 ] |
|------------------------|---------------------------------------------------|
| SSRT037901_DUNIX1032D2 |Digital UNIX (OSF/1) V3.0 thru V3.2D2 (mountd) |
| | Cross Reference: SSRT037901_ULT45 |
|------------------------|---------------------------------------------------|
| SSRT038301_DUNIX1032D2 |Digital UNIX (OSF/1) V3.0 thru V3.2D2 (rpc.statd) |
| | Cross Reference: [ CERT/CC Advisory CA-96:09 ] |
|------------------------|---------------------------------------------------|
| SSRT038301_ULT045 |Digital ULTRIX V4.3 thru V4.5 (rpc.statd) |
| | Cross Reference:| SSRT038301_DUNIX1032D2 |
| | Cross Reference: [ CERT/CC Advisory CA-96:09 ] |
|------------------------|---------------------------------------------------|
|SSRT039601_DUNIX1032D2 |Digital UNIX (OSF/1) V3.0 thru V3.2D2 (pcnfsd) |
| | Cross Reference: [ CERT/CC Advisory CA-96:08 ]|
| | |
| | *At the time of writing this document, patches |
| | (binary kits) for Digital's UNIX operating |
| | system are in final testing and packaging. |
| | Digital will provide notice of availability for |
| | the kits through AES services (DIA, DSNlink |
| | FLASH) and also be available from your normal |
| | Digital Support channel. |
| | |
----------------------------------------------------------------------------
=====================================================================
ECO KIT NAME(S): SSRT035901_OSF1020, SSRT035901_OSF1030,
SSRT035901_OSF1030B, SSRT035902_OSF1032,
SSRT035901_OSF1032B, SSRT035901_OSF1032C,
SSRT035901_OSF1032D
=====================================================================
Op/SYS: DIGITAL UNIX (DEC OSF/1)
Kit(s) Apply To: V2.0,V3.0, V3.0b, V3.2, V3.2b,
V3.2c, V3.2d1, V3.2d2
ECO Kits Superseded by These ECO Kits: SSRT0359_OSF1032C
System Reboot Necessary: Yes
---------------------------------------------------------------------
PROBLEM:
1. Digital has discovered a potential security vulnerability identified
with disabled accounts (library routines) for Digital UNIX (OSF/1)
when running C2 security (enhanced).
Cross Reference: none
2. A potential security vulnerability has been identified with syslog,
under certain circumstances, may allow unauthorized file access
from unauthorized systems users.
Cross Reference:
[ CERT/CC Advisory CA-95:13 - Syslog Vulnerability ]
=====================================================================
ECO KIT NAME: SSRT035902_ULT45, (syslog)
=====================================================================
Op/SYS: DIGITAL ULTRIX Operating System
Kit Applies To: V4.3 (VAX & MIPS), V4.3a (MIPS),
V4.4 (VAX & MIPS), V4.5 (VAX & MIPS)
ECO Kits Superseded by This ECO Kit: SSRT0359_ULT45
System Reboot Necessary: Yes
---------------------------------------------------------------------
PROBLEM:
A potential security vulnerability has been identified with syslog
that may, under certain circumstances, allow unauthorized file access
from unauthorized systems users.
Cross Reference:
[ CERT/CC Advisory CA-95:13 - Syslog Vulnerability ]
=====================================================================
ECO KIT NAME: SSRT037901_DUNIX1032D2, (mountd)
=====================================================================
Op/SYS: Digital UNIX (DEC OSF/1)
Kit Applies To: V3.0, V3.0b, V3.2, V3.2b,
V3.2c, V3.2d1, V3.2d2
ECO Kits Superseded by This ECO Kit: None
System Reboot Necessary: Yes
---------------------------------------------------------------------
PROBLEM:
Digital has recently discovered a potential security vulnerability
identified with mountd. This potential vulnerability may, under
certain circumstances, allow an NFS server to be spoofed.
Cross Reference: None
=====================================================================
ECO KIT NAME: SSRT038301_DUNIX1032D2, (rpc.statd)
=====================================================================
Op/SYS: DIGITAL UNIX (DEC OSF/1) Operating System
Kit Applies To: V3.0, V3.0b, V3.2, V3.2b,
V3.2c, V3.2d1, V3.2d2
ECO Kits Superseded by This ECO Kit: None
System Reboot Necessary: Yes
___________________________________________________
ECO KIT NAME: SSRT038301_ULT045 (rpc.statd)
___________________________________________________
Op/SYS: DIGITAL ULTRIX Operating System
Kit Applies To: V4.3, V4.3a, V4.4, V4.5 (VAX & MIPS)
ECO Kits Superseded by This ECO Kit: None
System Reboot Necessary: Yes
---------------------------------------------------------------------
PROBLEM:
A potential security vulnerability has been identified with rpc.statd,
that may, may under certain circumstances, allow unauthorized file
access from unauthorized systems users.
Cross Reference:
[ CERT/CC Advisory CA-96:09 - Vulnerability in rpc.statd ]
[ CIAC/CC Bulletin G-22: rpc.statd Vulnerability ]
=====================================================================
ECO AVAILABILITY:
Software service contract or warranty customers may obtain
the ECO kits through normal Digital support channels, via
AES (Advanced Electronic Service) or from the appropriate OS
type and version directory listed by accessing:
ftp://ftp.service.digital.com/public/{OS/{vn.n}
| |
| |--version
|--osf or ultrix
Please refer to the applicable Release Note information prior
to upgrading your installation.
Note: Non-contract/non-warranty customers should contact
local Digital support channels for information
regarding these kits.
As always, Digital urges you to periodically review your
system management and security procedures. Digital will
continue to review and enhance the security features of its
products and work with customers to maintain and improve the
security and integrity of their systems.
6/96 - DIGITAL EQUIPMENT CORPORATION
[ End of DEC Bulletin ]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Digital Equipment Corporation
(DEC) for the information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 510-422-8193
FAX: +1 510-423-8002
STU-III: +1 510-423-2604
E-mail: ciac@llnl.gov
For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://ciac.llnl.gov/
Anonymous FTP: ciac.llnl.gov (128.115.19.53)
Modem access: +1 (510) 423-4753 (28.8K baud)
+1 (510) 423-3331 (28.8K baud)
CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
(SPI) software updates, new features, distribution and
availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the
use of SPI products.
Our mailing lists are managed by a public domain software package
called ListProcessor, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and
valid information for LastName FirstName and PhoneNumber when sending
E-mail to ciac-listproc@llnl.gov:
subscribe list-name LastName, FirstName PhoneNumber
e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36
You will receive an acknowledgment containing address, initial PIN,
and information on how to change either of them, cancel your
subscription, or get help.
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body
containing the line: send first-contacts.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
G-20: Vulnerability in NCSA and Apache httpd Servers
G-21: Vulnerabilities in PCNFSD Program
G-22: rpc.statd Vulnerability
G-23: Solaris NIS+ Configuration Vulnerability
G-24: FreeBSD Security Vulnerabilities
G-25: SUN statd Program Vulnerability
G-26: IRIX Desktop Permissions Panel Vulnerability
G-27: SCO Kernel Security Vulnerability
G-28A: suidperl Vulnerability
G-29: dip Program Vulnerability
RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)
Notes 07 - 3/29/95 A comprehensive review of SATAN
Notes 08 - 4/4/95 A Courtney update
Notes 09 - 4/24/95 More on the "Good Times" virus urban legend
Notes 10 - 6/16/95 PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
in S/Key, EBOLA Virus Hoax, and Caibua Virus
Notes 11 - 7/31/95 Virus Update, Hats Off to Administrators,
America On-Line Virus Scare, SPI 3.2.2 Released,
The Die_Hard Virus
Notes 12 - 9/12/95 Securely configuring Public Telnet Services, X
Windows, beta release of Merlin, Microsoft Word
Macro Viruses, Allegations of Inappropriate Data
Collection in Win95
Notes 96-01 - 3/18/96 Java and JavaScript Vulnerabilities, FIRST
Conference Announcement, Security and Web Search
Engines, Microsoft Word Macro Virus Update
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH
