
Digital Unix Dop Deltatime

             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

               DIGITAL Security Vulnerabilities (DoP, delta-time)

March 11, 1997 19:00 GMT                                           Number H-40
______________________________________________________________________________
PROBLEM:       Two vulnerabilities have been identified by DIGITAL: 1) 
               Division of Privilege (DoP), 2) delta-time limit. 
PLATFORM:      1) DIGITAL UNIX v4.0, v4.0A and v4.0B. 2) DIGITAL OpenVMS 
               system. 
DAMAGE:        1) this vulnerability may allow local users to gain root 
               privileges. 2) may cause a serious error on or around 
               19-MAY-1997. 
SOLUTION:      Install the proper patches and/or use the workarounds provided 
               below. 
______________________________________________________________________________
VULNERABILITY  Exploit details involving these vulnerabilities have been made 
ASSESSMENT:    publicly available. 
______________________________________________________________________________

[ Start DIGITAL Advisories ]


1.  Division of Privilege (DoP) 
______________________________________________________________________________

PRODUCT:  DIGITAL UNIX[TM] V4.0, V4.0A, V4.0B           MARCH 6, 1997

  TITLE:  Division of Privilege (DoP) - Potential Security Vulnerability
  SOURCE: Digital Equipment Corporation
          Software Security Response Team/Colorado Springs USA

  "Digital is broadly distributing this Security Advisory in order to
  bring to the attention of users of Digital's products the important
  security information contained in this Advisory.  Digital recommends
  that all users determine the applicability of this information to
  their individual situations and take appropriate action.

  Digital does not warrant that this information is necessarily
  accurate or complete for all user situations and, consequently,
  Digital will not be responsible for any damages resulting from
  user's use or disregard of the information provided in this
  Advisory."

----------------------------------------------------------------------
IMPACT:

  Digital has discovered a potential vulnerability with the
  Division of Privilege (DoP), "/usr/sbin/dop" for DIGITAL UNIX
  V4.0, V4.0A and V4.0B, where under certain circumstances,
  an unauthorized user may gain unauthorized privileges.  Digital
  strongly recommends that the workaround be implemented
  immediately for any version affected, and that the
  appropriate patch kit be installed as soon as it becomes
  available.
 

----------------------------------------------------------------------
RESOLUTION:

  This potential security issue has been resolved and an
  official fix for this problem will be made available
  beginning the 13th of March 1997. As the patches become
  available per affected version, Digital will provide them
  through:
  
  o the World Wide Web at the following FTP address:

    ftp://ftp.service.digital.com/public/
        the sub directory Digital_UNIX, key identifier SSRT0435U


  Note: [1] The patch kits mentioned above will be replaced in
        the near future through normal patch release
        procedures.

        [2] The appropriate patch kit must be reinstalled
        following any upgrade beginning with V4.0
        up to and including V4.0B.
        

----------------------------------------------------------------------
TEMPORARY WORKAROUND:

  Prior to receiving the official patch for this fix, a
  temporary workaround for this problem is to clear the
  setuid bit from the /usr/sbin/dop command as follows:

                # chmod 0 /usr/sbin/dop

  This temporary workaround will resolve the security issue,
  but will also defeat DoP's purpose.  See "ADDITIONAL
  COMMENTS" below for the purpose of DoP, the effect of
  using this temporary workaround, and what to do as a
  solution while using this temporary workaround.

----------------------------------------------------------------------
ADDITIONAL COMMENTS:

  The DoP command is used to provide non-root users with the
  ability to enter the root password to access the graphical
  system management applications via the CDE application
  manager or the Host Manager.  When a non-root user
  attempts to execute a system management application
  through one of these applications, the user will be
  prompted with a password dialog.  If the user enters the
  correct root password, they will gain root privilege while
  running the given application.

  If the setuid bit is cleared from /usr/sbin/dop, then
  users will not be able to access the system management
  applications from either the CDE application manager or
  the Host Manager.

  The following are workarounds to allow users to run the
  graphical system management applications with DoP
  disabled:

  [1] Log into a CDE session as root and access the system
  management applications.

  [2] If logged in as a normal user, become root in your
  preferred X-based terminal emulator (xterm, dxterm, dtterm,
  etc.) and run the graphical system management application
  via the command line.

  If you need further information, please contact your
  normal DIGITAL support channel.

  DIGITAL appreciates your cooperation and patience. We
  regret any inconvenience applying this information may cause.

  __________________________________________________________________
  Copyright (c) Digital Equipment Corporation, 1995 All
  Rights Reserved.
  Unpublished Rights Reserved Under The Copyright Laws Of
  The United States.
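
A check that the temporary workaround above took effect, as an added example that is not part of the DIGITAL advisory. Note that `chmod 0` removes every permission bit, not only setuid; the state names and function names here are this example's own.

```sh
#!/bin/sh
# Added example (not DIGITAL's code): classify the mode of the dop binary.
# State names below are this example's own labels.

# Print one of: absent | setuid | disabled | no-setuid
dop_state() {
    f=${1:-/usr/sbin/dop}            # path taken from the advisory
    if [ ! -e "$f" ]; then
        echo "absent"
        return 0
    fi
    # The first 10 characters of `ls -ld` are the type and permission string;
    # an owner-execute position of s or S means the setuid bit is set.
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        ???[sS]*)   echo "setuid" ;;     # workaround not applied
        ?---------) echo "disabled" ;;   # result of `chmod 0`
        *)          echo "no-setuid" ;;  # setuid cleared, other bits kept
    esac
}

# Exit status 0 when dop cannot run with its owner's privileges.
dop_mitigated() {
    case "$(dop_state "$1")" in
        setuid) return 1 ;;
        *)      return 0 ;;
    esac
}

# Report for the default path when run as a script.
echo "/usr/sbin/dop: $(dop_state)"
```

Re-run the check after any upgrade or patch-kit installation, since the advisory notes that the patch kit must be reinstalled following an upgrade.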

______________________________________________________________________________

2. delta-time limit
______________________________________________________________________________
DIGITAL EQUIPMENT CORPORATION

             "Digital is broadly distributing this Security Advisory
             in order to bring to the attention of users of Digital's
             products the important security information contained in
             this Advisory.  Digital recommends that all users
             determine the applicability of this information to their
             individual situations and take appropriate action.

             Digital does not warrant that this information is
             necessarily accurate or complete for all user situations
             and, consequently, Digital will not be responsible for
             any damages resulting from user's use or disregard of the
             information provided in this Advisory."

  DIGITAL EQUIPMENT CORPORATION

  OpenVMS[TM] Delta-Time Limit Notification Cover Letter

  AV-R4Y1A-TE

  February 1997

  Dear OpenVMS Customer,

  The OpenVMS operating system has a documented delta-time
  limit that may cause a serious error in some applications
  and OpenVMS components beginning on or around 19-MAY-1997.
  DIGITAL has provided ECOs (Engineering Change Orders) that
  remove the delta-time limit.

  Applications and OpenVMS components most likely to
  experience errors are those that pass delta-time arguments
  with values exceeding 9999 days on system-supplied date
  routines. The most likely date that these errors will
  occur is 19-MAY-1997:00:00, which is 10,000 days after the
  common UNIX time origin of 1-JAN-1970.

  DIGITAL strongly recommends that all customers running the
  affected versions of OpenVMS install the appropriate ECO,
  as follows:

    For OpenVMS Alpha Version 6.1 through Version 7.0:  ALPLIBR05_070
    For OpenVMS VAX Version 5.5 through Version 7.0:    VAXLIBR05_070

  Systems running OpenVMS Alpha Version 7.1 and OpenVMS VAX
  Version 7.1 are not affected and do not need to install
  the ECO.

  The following OpenVMS components and software products are
  known to be affected by the delta-time limit. The ECOs
  correct the problems observed in these products.

  ________________________________________________________________
  Product                                OpenVMS Version
  ________________________________________________________________

  OpenVMS SECURITY Server                OpenVMS Alpha V7.0 only

  DECwindows Motif for OpenVMS           OpenVMS Alpha V7.0 only

  Distributed Computing Environment      OpenVMS Alpha V6.2 only
  (DCE) for OpenVMS

  OpenVMS DECthreads                     OpenVMS Alpha and OpenVMS
                                         VAX V5.5 through V7.0

  (OSU) DECthreads HTTP Server           OpenVMS Alpha and OpenVMS
  (freeware provided with the OpenVMS    VAX V5.5 through V7.0
  Internet Product Suite)
  ________________________________________________________________

  Other software products running on OpenVMS might also
  experience errors stemming from this delta-time limit.
  Contact the appropriate software vendor for more
  information.

  Impact on Application Developers

  Application developers and their customers must install
  the appropriate ECO.

  If an application developer uses OpenVMS shareable images,
  there is no required code change and relinking is not
  necessary; installing the ECO on the customer system
  corrects the problem.

  If an application developer does not use OpenVMS shareable
  images (that is, links using STARLET) and the application
  is subject to the 10,000 day restriction, no code change
  is required. However, the developer must relink the
  application after installing the ECO and might need to
  redistribute the software. The application developer's
  customers must also install the ECO on their systems.

  If your application calls the following OpenVMS RTL
  Library (LIB$) routines, you may encounter errors due to
  the 10,000 day delta-time limit.

    LIB$CVT_TO_INTERNAL_TIME         LIB$SUB_TIMES
    LIB$CVT_FROM_INTERNAL_TIME       LIB$MULT_DELTA_TIME
    LIB$CVTF_TO_INTERNAL_TIME        LIB$MULTF_DELTA_TIME
    LIB$CVTF_FROM_INTERNAL_TIME      LIB$CONVERT_DATE_STRING
    LIB$CVT_VECTIM                   LIB$ADD_TIMES

  Applications that are written in DEC C and contain
  portable code that calls only ANSI time functions are not
  impacted.

  Distribution Channels

  DIGITAL is distributing the ECOs only through the
  following channels. Customers should obtain the ECOs from:

    o  DIGITAL Electronic Service Delivery Tools (such as DSNlink,
       Web Information and Support Service (WIS), and DIGITAL Dial-
       In Access (DIA))

    o  the World Wide Web at:

    http://www.service.digital.com/html/patch_main.html

    o  the following FTP address:

    ftp://ftp.service.digital.com/public/vms/

  If you need further information, please contact your
  normal DIGITAL support channel.

  DIGITAL appreciates your cooperation and patience. We
  regret any inconvenience applying this update may cause.

  (c)Digital Equipment Corporation. 1997. All rights reserved.
  ___________________
  [TM] The following are trademarks of Digital Equipment Corporation:
       OpenVMS, VAX, VMS, and the DIGITAL logo.



[ End DIGITAL Advisories ]
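
The date arithmetic behind the delta-time notice, as an added example that is not part of the DIGITAL letter: it confirms that 19-MAY-1997 is 10,000 days after 1-JAN-1970 and, going beyond the letter's single case, computes the first over-limit date for any other time origin an application might use. Function names are this example's own, and dates are passed as unpadded integers.

```sh
#!/bin/sh
# Added example (not DIGITAL's code): day arithmetic for the delta-time limit.
DELTA_LIMIT_DAYS=9999    # the bulletin: deltas exceeding 9999 days are at risk

# Days from 1-JAN-1970 to Y M D (Gregorian calendar, unpadded integers).
days_from_civil() {
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi      # count years from March
    era=$((y / 400)); yoe=$((y - era * 400))
    mp=$(( m > 2 ? m - 3 : m + 9 ))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# Inverse: day count since 1-JAN-1970 back to YYYY-MM-DD.
civil_from_days() {
    z=$(( $1 + 719468 ))
    era=$((z / 146097)); doe=$((z - era * 146097))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 ))
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    m=$(( mp < 10 ? mp + 3 : mp - 9 ))
    y=$(( yoe + era * 400 + (m <= 2 ? 1 : 0) ))
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# Whole days between two dates: Y1 M1 D1 Y2 M2 D2.
delta_days() {
    a=$(days_from_civil "$1" "$2" "$3")
    b=$(days_from_civil "$4" "$5" "$6")
    echo $(( b - a ))
}

# "over-limit" when the delta exceeds 9999 days, otherwise "ok".
check_delta() {
    [ "$(delta_days "$@")" -gt "$DELTA_LIMIT_DAYS" ] && echo "over-limit" || echo "ok"
}

# First date on which "days since origin" no longer fits the limit.
first_over_limit_date() {
    o=$(days_from_civil "$1" "$2" "$3")
    civil_from_days $(( o + DELTA_LIMIT_DAYS + 1 ))
}

first_over_limit_date 1970 1 1    # UNIX time origin named in the letter
```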
______________________________________________________________________________

CIAC wishes to acknowledge the contributions of DIGITAL Equipment Corporation 
for the information contained in this bulletin.
______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers: the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074, is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (128.115.19.53)
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called ListProcessor, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and
valid information for LastName FirstName and PhoneNumber when sending
E-mail to ciac-listproc@llnl.gov:

        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN,
and information on how to change either of them, cancel your
subscription, or get help.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

H-30: Solaris ffbconfig Buffer Overrun Vulnerability
H-31: HP-UX ppl executable Vulnerability
H-32: HP-UX ppl Core Dump Vulnerability
H-33: HP-UX ftpd/kftpd Vulnerability
H-34: Vulnerability in innd
H-35: HP-UX vgdisplay command Vulnerability
H-36: Solaris 2.x CDE sdtcm_convert Vulnerability
H-37: Solaris 2.x passwd buffer Overrun Vulnerability
H-38a: Internet Explorer 3.x Vulnerabilities 
H-39: SGI IRIX fsdump Vulnerability

