CIAC documents FY 1994 Series E

intro.txt     ciac-introduction-to
cdb.txt       CIAC-Virus-Database-11-93
ciacreq.txt   ciac-doe requirements
HPACCESS.TXT  how-to-download-HP-patches
xtermpat.txt  xterm-patch-status
e-01.txt      ciac-sun-sendmail-tar-audio-vulnerabilities
e-03.txt      ciac-unix-sendmail-vulnerabilities
e-04.txt      ciac-xterm-logfile-vulnerability
e-05.txt      ciac-sunos-solbourne-loadmodule-modload-vulnerability
e-06.txt      ciac-solaris-system-startup-vulnerability
e-07.txt      ciac-unix-sendmail-update
e-08.txt      ciac-restricted-distribution
e-09.txt      ciac-network-monitoring-attacks
e-11.txt      ciac-lotus-ccmail-security-upgrade
e-12.txt      ciac-network-monitoring-attacks-update
e-13.txt      ciac-patches-for-etc-utmp-vulnerability
e-14.txt      ciac-wuarchive-ftpd-trojan-horse
e-15.txt      ciac-restricted-distribution
e-16.txt      ciac-restricted-distribution
e-17.txt      ciac-ftp-daemon-vulnerabilities
e-18.txt      ciac-sun-automountd-patch
e-19.txt      ciac-nvir-a-virus-on-CD-ROM
e-20.txt      ciac-chinon-cd-it.zip-trojan
e-21.txt      ciac-restricted-distribution
e-22.txt      ciac-restricted-distribution
e-23.txt      ciac-HP-Vue-3.0
e-24.txt      ciac-patches-for-ULTRIX-DECnet_ULTRIX-OSF_1
e-25.txt      ciac-BSD-lpr-vulnerability-in-SGI-IRIX
e-26.txt      ciac-UNIX-bin-login-vulnerability
e-27.txt      ciac-restricted-distribution
e-28.txt      ciac-restricted-distribution
e-29.txt      ciac-IBM-AIX-bsh-queue-vulnerability
e-30.txt      ciac-Majordomo-vulnerabilities
e-31.txt      ciac-sendmail-d-oE-vulnerabilities
e-32.txt      ciac-KAOS4-virus
e-33.txt
e-34.txt      ciac One_half virus (MS-DOS)

_____________________________________________________
       The Computer Incident Advisory Capability
_____________________________________________________

                       ADVISORY NOTICE

   (1) Security vulnerability in sendmail under SunOS 4.1.x and 5.x
   (2) Security vulnerability in tar under SunOS 5.x
   (3) Potential misuse of Sun microphones

October 21, 1993 1130 PDT                                       Number E-01
__________________________________________________________________________

(1) Security vulnerability in sendmail under SunOS 4.1.x and 5.x

PROBLEM:  Remote users may access system files using sendmail.
PLATFORM: SunOS 4.1.x and SunOS 5.x (Solaris 2.x).
DAMAGE:   Unauthorized access to system files.
SOLUTION: Apply appropriate patch from Sun.
__________________________________________________________________________

Critical Information about Security Vulnerability in sendmail

The /usr/lib/sendmail utility under SunOS 4.1.x and SunOS 5.x permits
unauthorized access to some system files by remote users. This access may
allow compromise of the system. Note that this vulnerability is being
actively exploited. CIAC strongly recommends that sites take immediate
corrective action.

Sun Microsystems has released patched versions of the sendmail program for
all affected versions of SunOS:

                                                  BSD         SVR4
  System       Patch ID   Filename         Checksum    Checksum
  -----------  ---------  ---------------  ----------  ----------
  SunOS 4.1.x  100377-07  100377-07.tar.Z  36122  586  11735 1171
  SunOS 5.1    100840-03  100840-03.tar.Z  01153  194  39753  388
  SunOS 5.2    101077-03  101077-03.tar.Z  49343  177  63311  353

The checksums shown above are from the BSD-based checksum (on SunOS 4.1.x,
/bin/sum; on SunOS 5.x, /usr/ucb/sum) and from the SVR4 version that Sun
has released on SunOS 5.x (/usr/bin/sum).

Individuals with support contracts may obtain these patches from their
local Sun Answer Center or from SunSolve Online. Security patches are also
available without a support contract via anonymous FTP from ftp.uu.net
(IP 192.48.96.9) in the directory /systems/sun/sun-dist.
__________________________________________________________________________

(2) Security vulnerability in tar under SunOS 5.x

PROBLEM:  Archives created with the tar utility contain extraneous user
          information.
PLATFORM: SunOS 5.x (Solaris 2.x).
DAMAGE:   User and system information may be unintentionally disclosed.
SOLUTION: Apply appropriate patch from Sun.
__________________________________________________________________________

Critical Information about Security Vulnerability in tar

Archive files created with the /bin/tar utility under SunOS 5.x contain
extraneous user information from the /etc/passwd and /etc/group files.
Note that the extraneous data does not include user passwords; however,
system configuration and user information may be unintentionally disclosed
should the archive files be distributed.

Sun Microsystems has released patched versions of the tar utility for all
affected versions of SunOS. The patched tar utility produces archive files
in the same format as all other versions, but any extraneous data is set to
zero. Restoring an existing archive file to disk, and then creating a new
file with the patched tar, will result in a clean archive file with no
extraneous data.

                                                BSD         SVR4
  System     Patch ID   Filename         Checksum    Checksum
  ---------  ---------  ---------------  ----------  ----------
  SunOS 5.1  100975-02  100975-02.tar.Z  37034  374  13460  747
  SunOS 5.2  101301-01  101301-01.tar.Z  22089  390   4703  779

The checksums shown above are from the BSD-based checksum (on SunOS 4.1.x,
/bin/sum; on SunOS 5.x, /usr/ucb/sum) and from the SVR4 version that Sun
has released on SunOS 5.x (/usr/bin/sum).

Individuals with support contracts may obtain these patches from their
local Sun Answer Center or from SunSolve Online. Security patches are also
available without a support contract via anonymous FTP from ftp.uu.net
(IP 192.48.96.9) in the directory /systems/sun/sun-dist.
__________________________________________________________________________

(3) Potential misuse of Sun microphones

PROBLEM:  Microphones on Sun workstations may be used for eavesdropping.
PLATFORM: SunOS 4.1.x and SunOS 5.x (Solaris 2.x).
DAMAGE:   Access to conversations held near the computer.
SOLUTION: Disconnect microphone or apply software solution described below.
__________________________________________________________________________

Critical Information about Misuse of Sun Microphones

Sun Microsystems has released information regarding the potential for
microphones attached to Sun workstations to be used to eavesdrop on
conversations near the computer. Software solutions to reduce the risk are
described below. Note, however, that CIAC strongly recommends that
microphones on systems in sensitive areas be either physically switched off
or disconnected from the system.

The initial permissions for the audio data device, /dev/audio, allow any
user with an account on the system to listen with the microphone when it is
turned on. Also, the permissions for the audio control device,
/dev/audioctl, allow anyone to vary playback and record settings such as
volume. Unauthorized use of the system's audio devices may be prevented by
changing the permissions and ownership of /dev/audio and /dev/audioctl.

On SunOS 4.x systems, the /etc/fbtab file may be used to automatically
control access to the audio devices. As root, add the following lines to
the end of the fbtab file:

    /dev/console    0600    /dev/audio
    /dev/console    0600    /dev/audioctl

On SunOS 5.x (Solaris 2.x) systems, the file permissions must be manually
changed. As root, execute the following commands, specifying the username
of the individual that should have access to the microphone:

    # chmod 600 /dev/audio*
    # chown <username> /dev/audio*
______________________________________________________________________

CIAC would like to thank Mark Graff and Sun Microsystems, Inc. for the
information used in this bulletin.
______________________________________________________________________

For additional information or assistance, please contact CIAC at
(510) 422-8193 or send E-mail to ciac@llnl.gov. FAX messages to
(510) 423-8002.

Previous CIAC Bulletins and other information are available via anonymous
FTP from irbis.llnl.gov (IP address 128.115.19.60).
PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body
containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or otherwise,
does not necessarily constitute or imply its endorsement, recommendation,
or favoring by the United States Government or the University of
California. The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government nor the
University of California, and shall not be used for advertising or product
endorsement purposes.

_____________________________________________________
              US Department of Energy
       Computer Incident Advisory Capability
_____________________________________________________

                     INFORMATION BULLETIN

          Vulnerabilities in SGI IRIX Default Configuration

October 25, 1993 1330 PDT                                       Number E-02
__________________________________________________________________________

PROBLEM:  The default configuration of SGI IRIX software introduces
          vulnerabilities.
PLATFORM: SGI IRIX, all versions including 4.x and 5.x.
DAMAGE:   Accounts without passwords and default xhost configuration can
          lead to system compromise.
SOLUTION: Add passwords, lock accounts, change xhost configuration per this
          bulletin.
__________________________________________________________________________

Critical Information about SGI IRIX Default Configuration

CIAC has learned that SGI IRIX systems configured with operating system
defaults are vulnerable to attack. The auto-installation procedure leaves
some default accounts vulnerable to compromise, some files are left world
readable, and the default configuration for xhost is vulnerable. CIAC
recommends that IRIX system administrators check the configuration of
their systems as outlined below.

OPEN ACCOUNTS

Eight accounts are left open, without a password, at the end of the
installation procedure. Three of these accounts (root, lp, and nuucp) are
administrative accounts with system privileges. The other five accounts are
demos, tutor, guest, 4Dgifts, and tour. CIAC recommends that these accounts
be assigned valid passwords, deleted, or disabled to ensure account
security.

Give an account a password by executing the following command as root:

    # passwd account_name

To disable ("lock") an account, use the passwd command with the -l option,
as below:

    # passwd -l account_name

To delete an account, edit the /etc/passwd file directly, as SGI's utility
"sysadm" will not edit these specific accounts. SGI recommends that account
deletion be done with care, since the execution of some system functions
requires an account to be present.

LOGIN.OPTIONS VULNERABILITY

The file /etc/config/login.options (renamed /etc/default/login on 5.x)
contains some parameters for the system's login process. By default, this
file is world readable. CIAC recommends that if a system is logging rsh and
ftp activity, these permissions be removed by executing the following
command as root:

    # chmod 640 /etc/config/login.options

Note: the options "SYSLOG=ALL" or "SYSLOG=FAIL", set within login.options,
will not log any login attempts made through the SGI-supplied graphical
login process Pandora. In addition, the file where login attempts are kept,
/usr/adm/SYSLOG, should also not be world readable.

NIS ALTERNATE PASSWORD FILE

If using NIS, an alternate password file can be created with any name and
placed anywhere. This password file should be set up to contain only
accounts of users that log in remotely. No administrative accounts should
be contained in this alternative password file, since all NIS users can
easily see this file. Use of this file will make the information in
/etc/passwd useless to anyone who might break into the system and try to
crack passwords.

To define the password file, open or create the file
/etc/config/ypmaster.options, and create a line with the text:

    PWFILE=/path/newpasswdfile.name

NOTE: this feature is available because shadow password files are
incompatible with NIS.

XHOST DEFAULTS

The system default configuration for xhost is "xhost +", which allows any
host on the same network to use X protocols to access the machine. X has
well known vulnerabilities and there are automated programs that can
remotely gain unauthorized access using X. CIAC recommends that you either
deny all access to all hosts through X or authorize only specific known,
trustworthy machines.

To deny or restrict X access to selected hosts, follow these three steps:

a. Create or edit the file "/etc/Xn.hosts", where 'n' is the display number
   of the server on the local host, normally 0, as in "/etc/X0.hosts". To
   deny all X access to your system, the file /etc/X0.hosts will contain a
   single character, "-". To grant access to hosts "newhost.gov" and
   "secondhost.gov" and no other hosts, the file /etc/X0.hosts will consist
   of:

       -
       +newhost.gov
       +secondhost.gov

b. Search through all files in the directory /usr/lib/X11/xdm for
   occurrences of the command "xhost +" or "/usr/bin/X11/xhost +". Remove
   or comment out all such lines. For SGI IRIS these files are by default:

       /usr/lib/X11/xdm/xsession
       /usr/lib/X11/xdm/xsession-remote
       /usr/lib/X11/xdm/xsession.0

c. Inform users that any xhost commands should be removed or commented out
   of user startup scripts, such as .cshrc, .login, .profile, etc.

To add an additional level of security to the X environment, CIAC
recommends the use of xauthority for host access control. To set up
xauthority, edit the file /usr/lib/X11/xdm/xdm-config and replace the "off"
with "on" in the following line:

    DisplayManager*authorize:off

After all changes are made, SGI recommends that the system be rebooted to
ensure that all changes take effect, and that passwords be changed for all
users' accounts that may have been compromised.

To ensure that X has been turned off for non-registered hosts, perform the
following test commands from an invalid machine:

    setenv DISPLAY yourhostname:0
    /usr/bin/X11/xterm

If a message appears which refuses the connection, then the system has
been configured correctly.

Much of the information in this bulletin has been extracted from the
chapter on system security in the SGI IRIX administrator's guide, Chapter 8
for version 4.x and Chapter 9 for version 5.x.

CIAC would like to thank Donna Yobs of SGI and Fred W. Allen of LLNL for
their technical contributions to this bulletin, and the ASSIST team for
alerting us to this vulnerability.
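The checks under OPEN ACCOUNTS and XHOST DEFAULTS above can be scripted. The
shell script below is an added example for this page, not part of the CIAC
bulletin and not an SGI tool: it lists accounts with an empty password field
in a passwd-format file, flags the administrative ones among them, searches
a directory of xdm session scripts for uncommented "xhost +" lines, and
emits an /etc/X0.hosts body in the deny-then-allow form shown above. It
runs against constructed sample files in temporary locations rather than
the live /etc/passwd and /usr/lib/X11/xdm; the sample account list mirrors
the eight open accounts named in the bulletin, and the hostnames are the
bulletin's own examples.

```shell
#!/bin/sh
# Added example: audit for open accounts and active "xhost +" lines.
# Not part of the CIAC bulletin; all sample inputs below are constructed.

# --- Constructed sample /etc/passwd (mirrors the eight open IRIX accounts) ---
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root::0:0:Super-User:/:/bin/csh
lp::9:9:Print Spooler:/usr/spool/lp:/bin/sh
nuucp::10:10:Remote UUCP User:/usr/spool/uucppublic:/usr/lib/uucp/uucico
demos::993:997:Demonstration User:/usr/demos:/bin/csh
tutor::994:997:Tutorial User:/usr/tutor:/bin/csh
guest::998:998:Guest Account:/usr/people/guest:/bin/csh
4Dgifts::999:998:4Dgifts Account:/usr/people/4Dgifts:/bin/csh
tour::995:997:IRIS Space Tour:/usr/people/tour:/bin/csh
alice:Xy7qkL9mP2wzA:1001:20:Alice (constructed hash):/usr/people/alice:/bin/csh
bob:*LK*:1002:20:Bob (locked):/usr/people/bob:/bin/csh
EOF

# --- Constructed sample xdm directory with the three IRIX session scripts ---
SAMPLE_XDM=$(mktemp -d)
cat > "$SAMPLE_XDM/xsession" <<'EOF'
#!/bin/sh
/usr/bin/X11/xhost +
exec /usr/bin/X11/4Dwm
EOF
cat > "$SAMPLE_XDM/xsession-remote" <<'EOF'
#!/bin/sh
# xhost +      <- already commented out, so it is not reported
exec /usr/bin/X11/4Dwm
EOF
cat > "$SAMPLE_XDM/xsession.0" <<'EOF'
#!/bin/sh
exec /usr/bin/X11/4Dwm
EOF

# Login names whose password field (field 2) is empty, one per line.
open_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# The subset of open accounts that are uid 0 or a system account (uid < 100),
# i.e. the administrative accounts the bulletin says to deal with first.
open_admin_accounts() {
    awk -F: '$2 == "" && $3 < 100 { print $1 }' "$1"
}

# file:line:text for every uncommented "xhost +" under the given directory.
# Any "#" earlier on the line means the command is commented out.
find_xhost_plus() {
    grep -n '^[^#]*xhost[[:space:]]*+' "$1"/* || true
}

# Emit an /etc/X0.hosts body that denies everyone except the hosts given:
# "-" first, then "+host" per argument (no arguments means deny all).
x0_hosts_body() {
    echo '-'
    for h in "$@"; do echo "+$h"; done
}

# Demo run
echo "Open accounts:";          open_accounts "$SAMPLE_PASSWD"
echo "Open admin accounts:";    open_admin_accounts "$SAMPLE_PASSWD"
echo "Active xhost + lines:";   find_xhost_plus "$SAMPLE_XDM"
echo "Proposed /etc/X0.hosts:"; x0_hosts_body newhost.gov secondhost.gov
```

Pointing open_accounts at a real /etc/passwd is the quickest way to confirm
that the post-install accounts have been given passwords or locked; a locked
account shows a non-empty field such as *LK* and is not reported.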
_____________________________________________________
          The U.S. Department of Energy
       Computer Incident Advisory Capability
_____________________________________________________

                       ADVISORY NOTICE

                 UNIX sendmail Vulnerabilities

November 4, 1993 2300 PST                                       Number E-03
__________________________________________________________________________

PROBLEM:  Vulnerabilities have been discovered in the UNIX sendmail
          utility.
PLATFORM: All implementations of UNIX sendmail.
DAMAGE:   Local and remote users may execute commands and/or gain access
          to system files.
SOLUTION: Apply workarounds or install new version of sendmail on ALL
          systems running sendmail.
__________________________________________________________________________

Critical Information about UNIX sendmail Vulnerabilities

This advisory supersedes the sendmail information contained in CIAC
Advisory E-01.

CIAC has learned of a set of serious vulnerabilities affecting the UNIX
utility sendmail. These vulnerabilities affect a significant number of
sendmail implementations, permitting unauthorized access to system commands
and files by both local and remote users. In the absence of specific vendor
information, CIAC recommends that all implementations of sendmail be
considered vulnerable to attack.

CIAC is working with the CERT Coordination Center and the vendor community
to address this issue. At this time, there are no known patches available
for any vendor implementation that fully address all known sendmail
vulnerabilities. CIAC will publish information regarding vendor patches as
they become available.

Details of these vulnerabilities have been openly discussed in several
electronic forums, including the Firewalls mailing list and the USENET
newsgroup comp.security.unix. In addition, at least one automated tool
designed to exploit these vulnerabilities has been widely distributed.

Until vendor patches become available, CIAC strongly recommends that sites
apply one of the three possible solutions described below to all systems
running sendmail, including those systems behind firewalls and mail hubs.

Restrict shell commands

This workaround involves modifying the sendmail configuration file to
restrict the sendmail program mailer facility using the sendmail restricted
shell, smrsh, by Eric Allman (the original author of sendmail).

The sendmail restricted shell screens all attempts to execute programs from
sendmail, allowing only those specifically authorized by the system
administrator. Attempts to invoke programs not in the allowed set will fail
and log the attempt. Programs in the allowed set should be selected
carefully. Mail utilities found in /etc/aliases and ~/.forward files should
be considered for inclusion to prevent mail delivery failures (e.g.
vacation, procmail, and slocal). Note that it is important that sites not
include interpreters (e.g. /bin/sh, /bin/csh, /bin/perl, /bin/uudecode, and
/bin/sed) in the set of allowed programs, as they may allow system
compromise.

The sendmail restricted shell may be obtained via anonymous FTP from
ftp.uu.net in the directory /pub/security/smrsh. Consult the program
documentation for installation instructions.

    Checksum Information

    Filename    BSD sum    System V sum
    --------    -------    ------------
    README      30114 5    56478 10
    smrsh.8     25757 2    42281  4
    smrsh.c     46786 5    65517  9

Disable shell commands

This approach also involves modifying the sendmail configuration. However,
this approach completely disables the sendmail program mailer facility.
Attempts to invoke programs through sendmail will fail. While this is a
drastic solution, it may be quickly implemented to protect a site while a
more long term approach is installed.

To implement this approach, edit the sendmail.cf file, replacing the
program mailer specification:

    Mprog, P=/bin/sh, F=slFDM, S=10, R=20, A=sh -c $u

with:

    Mprog, P=/bin/false, F=, S=10, R=20, A=

The configuration file should then be frozen, if necessary, and the
sendmail process restarted. See the end of this advisory for more details.

Install sendmail 8.6.4

The most recent version of Eric Allman's public domain sendmail has been
updated to eliminate all known vulnerabilities. Sites may choose to replace
their current implementation of sendmail with version 8.6.4 or later to
secure their systems.

Note that depending on the currently installed sendmail software, switching
to sendmail 8.6.4 may potentially require significant effort for the system
administrator to become familiar with the new program. Considerable
modification of the sendmail configuration may also be required.

The latest version of sendmail may be obtained via anonymous FTP from
ftp.cs.berkeley.edu in the directory /ucb/sendmail.

    Checksum Information

    Filename                   BSD sum      System V sum
    -------------------------  ---------    ------------
    sendmail.8.6.4.base.tar.Z  07718 428    64609 856
    sendmail.8.6.4.cf.tar.Z    28004 179    42112 357
    sendmail.8.6.4.misc.tar.Z  57299 102     8101 203
    sendmail.8.6.4.xdoc.tar.Z  33954 251    50037 502

CIAC strongly recommends that sites monitor their systems for signs of
sendmail attacks. System administrators should regularly examine the
following:

  - All bounced mail, looking for unusual messages.
  - Mail log files (e.g. /var/log/syslog), looking for unusual occurrences
    of "|" characters.

To provide this information, sendmail must be configured to bounce mail to
the local postmaster and generate adequate logs. Receipt of bounced mail is
enabled by placing the following line in sendmail.cf:

    OPpostmaster

A logging level of 9 or higher should also be specified in the
configuration file with a line similar to the following:

    OL9

Whenever any changes are made to the sendmail configuration file, it is
necessary to kill all existing sendmail processes, refreeze the
configuration file (on some systems), and restart the sendmail daemon. For
example, under SunOS 4.1.2:

    # /usr/bin/ps -aux | /usr/bin/grep sendmail
    root  130  0.0  0.0  168  0 ?  IW  Oct 2  0:10 /usr/lib/sendmail -bd -q
    # /bin/kill -9 130                (Kill the current sendmail process)
    # /usr/lib/sendmail -bz           (Refreeze the sendmail configuration file)
    # /usr/lib/sendmail -bd -q30m     (Restart the sendmail daemon)

Note that some sites do not use frozen configuration files. If the file
sendmail.fc does not exist in the same directory as sendmail.cf, frozen
configurations are not being used.
__________________________________________________________________________

CIAC wishes to thank the CERT Coordination Center and members of the FIRST
community for their contributions to this advisory. In addition, CIAC would
like to acknowledge the technical contributions of Eric Allman, Matt Blaze,
Andy Sherman, Gene Spafford, and Tim Seaver.
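The "Disable shell commands" edit and the two monitoring settings
(OPpostmaster and a logging level of at least 9) are mechanical enough to
apply and verify with sed and grep. The script below is an added example
for this page, not from the CIAC advisory and not part of the sendmail
distribution: it checks a sendmail.cf against those three recommendations,
writes a hardened copy, re-checks it, and then scans mail log lines for
recipients containing "|", the pattern the advisory says to watch for. The
sendmail.cf fragment and the log lines are constructed for the example; the
directive syntax is the advisory's.

```shell
#!/bin/sh
# Added example: apply and verify the E-03 sendmail.cf workaround and
# logging settings, then scan a mail log for "|" recipients.
# Not from the CIAC advisory; the .cf fragment and log lines are constructed.

# --- Constructed sendmail.cf fragment: program mailer enabled, log level 5 ---
SAMPLE_CF=$(mktemp)
cat > "$SAMPLE_CF" <<'EOF'
# constructed fragment, not a complete configuration
OL5
Mlocal, P=/bin/mail, F=lsDFMn, S=10, R=20, A=mail -d $u
Mprog,  P=/bin/sh,   F=slFDM,  S=10, R=20, A=sh -c $u
EOF

# --- Constructed syslog-style mail log; the last line is the suspicious one ---
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Nov  4 22:10:01 mailhub sendmail[1201]: WAA01201: from=<user@example.org>, size=512, class=0
Nov  4 22:10:02 mailhub sendmail[1202]: WAA01201: to=<staff@example.org>, delay=00:00:01, stat=Sent
Nov  4 22:11:40 mailhub sendmail[1210]: WAA01210: to="|some_program", delay=00:00:00, stat=Deferred
EOF

# Report what a sendmail.cf is missing relative to the advisory's
# recommendations; prints nothing when all three are in place.
check_cf() {
    grep -q '^Mprog,[[:space:]]*P=/bin/false' "$1" || \
        echo "program mailer still enabled (Mprog does not point at /bin/false)"
    grep -q '^OPpostmaster' "$1" || echo "missing: OPpostmaster"
    level=$(sed -n 's/^OL\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    if [ -z "$level" ]; then
        echo "missing: OL (logging level) line"
    elif [ "$level" -lt 9 ]; then
        echo "logging level $level is below the recommended 9"
    fi
}

# Write a hardened copy of $1 to $2: replace the Mprog line with the
# advisory's /bin/false mailer, raise a single-digit OL below 9 to OL9,
# and append OPpostmaster if absent. The original file is left untouched.
harden_cf() {
    sed -e 's|^Mprog,.*$|Mprog, P=/bin/false, F=, S=10, R=20, A=|' \
        -e 's/^OL[0-8]$/OL9/' "$1" > "$2"
    grep -q '^OPpostmaster' "$2" || echo 'OPpostmaster' >> "$2"
}

# Mail log lines whose recipient field contains a "|" (delivery to a program).
pipe_recipients() {
    grep 'to=[^,]*|' "$1" || true
}

# Demo run
HARDENED_CF=$(mktemp)
echo "Before:"; check_cf "$SAMPLE_CF"
harden_cf "$SAMPLE_CF" "$HARDENED_CF"
echo "After:";  check_cf "$HARDENED_CF"
echo "Log lines with a | recipient:"; pipe_recipients "$SAMPLE_LOG"
```

After harden_cf the daemon still has to be restarted (and the configuration
refrozen where sendmail.fc is in use), exactly as the advisory describes;
the script only edits the file. Running pipe_recipients over the real
/var/log/syslog on a schedule gives the routine check the advisory asks for.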
Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes. _____________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | / \ / \___ __|__ /___\ \___ _____________________________________________________ INFORMATION BULLETIN xterm Logfile Vulnerability November 11, 1993 2130 PST Number E-04 ______________________________________________________________________________ PROBLEM: The logfile facility of the xterm program contains a security vulnerability. PLATFORM: UNIX systems with X11 software and xterm installed with setuid or setgid privileges. DAMAGE: Local users may gain root access to the system. SOLUTION: Install a patched version of xterm. ______________________________________________________________________________ Critical Information about the xterm Logfile Vulnerability CIAC has learned of a vulnerability in many versions of the X11 program xterm. Local users may use the xterm logfile facility to create or modify files on the system, enabling unauthorized access including root access. This vulnerability has been shown to exist in X11 (Version 5 and earlier) in both vendor supplied binaries and those compiled from the public X11 sources. The vulnerability exists only on systems with xterm installed with setuid or setgid privileges. 
For example, the "s" permission bit in the following directory listing indicates the xterm binary is installed with the setuid bit set: % ls -l /opt/X11R5/bin/xterm -rwsr-xr-x 1 root staff 183152 Nov 10 13:10 /opt/X11R5/bin/xterm* Additionally, the vulnerability only exists in xterm binaries that permit logging. To determine if this feature is enabled, execute the following command: % xterm -l If a file of the form "XtermLog.axxxx" is created, logging is enabled. CIAC recommends that affected sites implement one of the solutions described below. All solutions require that a new version of xterm be installed. It is important that old versions either be removed from the system or have the setuid and setgid bits cleared. Vendor Patch Vendor patches, if available, should be installed. The CERT Coordination Center is coordinating the vendor response to this issue and will maintain a list of currently available vendor patches for xterm. The information will be available via anonymous FTP from info.cert.org (IP 192.88.209.5) in the file /pub/cert_advisories/xterm-patch-status. A current version of this file is appended at the end of this bulletin. For up-to-date patch information, please contact your vendor or CIAC. X11R5 Public Systems using the public X11 distribution and systems lacking Patch #26 vendor patches may upgrade to the X Consortium's X11R5 Patch Level 26. The X11 sources and patches are available via anonymous FTP from ftp.x.org (IP 198.112.44.100). All patches, up to and including fix-26, should be installed. By default, fix-26 disables the logfile facility in xterm. Similar functionality may be obtained through the use of utilities such as the UNIX script(1) command. ______________________________________________________________________________ CIAC wishes to thank the CERT Coordination Center and Stephen Gildea of the X Consortium for their contributions to this bulletin. 
______________________________________________________________________________ For additional information or assistance, please contact CIAC at (510) 422-8193 or send E-mail to ciac@llnl.gov. FAX messages to (510) 423-8002. Previous CIAC Bulletins and other information are available via anonymous FTP from irbis.llnl.gov (IP address 128.115.19.60). ______________________________________________________________________________ CERT Coordination Center xterm Vendor Status November 11, 1993 This file is a supplement to the CERT Advisory CA-93:17 of November 11, 1993, and will be updated as additional information becomes available. The following is vendor-supplied information. The CERT Coordination Center will not formally review, evaluate, or endorse this information. For more up-to-date information, contact your vendor. It is important to note that the vendor of your xterm may not be the same as the vendor of your platform. You should take care to correctly identify the vendor whose xterm you are using, so you can take the appropriate action. Convex Fixed in CXwindows V3.1. Fixed in CXwindows V3.0 with TAC patch V3.0.131 applied. The Convex Technical Assistance Center is available for additional information at 800-952-0379. Cray Fixed. Contact Cray for version/patch numbers. DEC/OSF Attached is the information on the remedial images to address the xterm issue for ULTRIX V4.3 (VAX & RISC) and OSF/1 V1.2. The solutions have been included in ULTRIX V4.4 (VAX & RISC) and OSF/1 V1.3. Customers may call their normal Digital Multivendor Customer Services Support Channel to obtain this kit. ---------------------------------------------------------- *ULTRIX,OSF/1] CSCPAT_4034 xterm Security Fix ECO Summary COPYRIGHT (c) 1988, 1993 by Digital Equipment Corporation. ALL RIGHTS RESERVED. 
COMPONENT: xterm OP/SYS: ULTRIX VAX and RISC, OSF/1 SOURCE: Digital Customer Support Center ECO INFORMATION: CSCPAT Kit: CSCPAT_4034 V1.1 CSCPAT Kit Size: 2152 blocks Engineering Cross Reference: SSRT93-E-0230, SSRT93-E-0231, SSRT93-E-232 Kit Applies To: ULTRIX V4.3, OSF/1 V1.2 System Reboot Required: NO ---------------------------------------------------------- SCO The current releases listed below are not vulnerable to this problem. No xterm logging or scoterm logging is provided: SCO Open Desktop Lite, Release 3.0 SCO Open Desktop, Release 3.0 SCO Open Server Network System, Release 3.0 SCO Open Server Enterprise System, Release 3.0 Contact SCO for any further information. Sequent Fixed. Contact Sequent for version/patch numbers. Sun Sun's version of xterm has not been setuid root since at least as far back as SunOS 4.1.1, and probably further. An xterm that does not run setuid or setgid is not vulnerable to the xterm logging problem. CAUTION: A Sun patch was issued on December 6, 1992 to give system administrators the option of running xterm setuid root. Installing this patch will introduce the xterm logging vulnerability. So check your xterm. If either the setuid or setgid privilege bit is set on the xterm program, the vulnerability can be exploited. Contact Sun for further information. X.org (Publicly distributed version of X.) You can patch X11R5 by applying all patches up to and including fix-26. See the associated CERT Advisory (CA-93:17) for further information. ______________________________________________________________________________ PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. 
A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.

_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
_____________________________________________________

INFORMATION BULLETIN

SunOS/Solbourne loadmodule and modload Vulnerability

December 15, 1993 1200 PST                                        Number E-05
______________________________________________________________________________

PROBLEM:  Security vulnerability in loadmodule and modload.
PLATFORM: OpenWindows 3.0 under SunOS 4.1.x on sun4 and Solbourne systems.
DAMAGE:   Local users may gain root level access to the system.
SOLUTION: Apply patches to SunOS systems or implement workaround on Solbourne machines.
______________________________________________________________________________

Critical Information about the loadmodule and modload Vulnerability

CIAC has received information from Sun Microsystems and Solbourne regarding a security vulnerability in the /usr/etc/modload and $OPENWINHOME/bin/loadmodule utilities that allows local users to execute commands as root. This vulnerability affects systems with OpenWindows 3.0 installed under SunOS 4.1.x on sun4 and Solbourne architectures. It does not affect Solaris 2.x systems, sun3 architectures, or other versions of OpenWindows.

Sun Microsystems has released patched versions of the loadmodule and modload utilities:

                                                   /bin/sum
  Utility     Patch ID   Filename          Checksum
  ----------  ---------  ---------------   --------
  loadmodule  100448-02  100448-02.tar.Z   19410 5
  modload     101200-02  101200-02.tar.Z   41677 28

Individuals with Sun support contracts may obtain these patches from their local Sun Answer Center or from SunSolve Online. Security patches are also available without a support contract via anonymous FTP from ftp.uu.net (IP 192.48.96.9) in the directory /systems/sun/sun-dist.

Solbourne systems do not make use of the loadmodule utility. On these systems, the vulnerability may be removed by turning off the file's setuid bit by executing the following command as root:

  chmod 0755 /usr/openwin/bin/loadmodule

______________________________________________________________________________

CIAC wishes to thank Sun Microsystems and Solbourne for their response to this problem.

______________________________________________________________________________

For additional information or assistance, please contact CIAC:
  Voice:    (510) 422-8193
  FAX:      (510) 423-8002
  STU-III:  (510) 423-2604
  E-mail:   ciac@llnl.gov

Previous CIAC Bulletins and other information are available via anonymous FTP from irbis.llnl.gov (IP address 128.115.19.60).
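The Sun entry in the xterm vendor status (check whether the setuid or setgid bit is set on xterm) and the Solbourne loadmodule workaround above (chmod 0755) come down to the same audit of privilege bits. The following is an added example, not CIAC's, Sun's or Solbourne's code: a small Python auditor that reports the setuid/setgid state of a list of programs and applies the chmod 0755 workaround. The CANDIDATES paths are assumed typical install locations, not values from the bulletins; demo_on_temp_file() exercises the logic on a constructed temporary file so it runs on any system.

```python
"""Audit the setuid/setgid bits on X programs and apply the chmod 0755 workaround.

Added example, not CIAC's, Sun's or Solbourne's code.  CANDIDATES lists
assumed typical install locations, not values taken from the bulletins.
"""
import os
import stat
import tempfile

# Assumed locations of the programs the bulletins discuss; adjust per system.
CANDIDATES = [
    "/usr/bin/X11/xterm",
    "/usr/openwin/bin/xterm",
    "/usr/openwin/bin/loadmodule",
]


def privilege_bits(mode):
    """Return (setuid, setgid) for an st_mode or permission value."""
    return bool(mode & stat.S_ISUID), bool(mode & stat.S_ISGID)


def audit_program(path):
    """Describe one program's privilege bits, or None if it is not installed.

    'exposed' is True when either bit is set: the condition under which the
    Sun xterm entry says the logging bug can be exploited, and the bit the
    Solbourne loadmodule workaround removes.
    """
    try:
        st = os.stat(path)          # follows symlinks to the real binary
    except FileNotFoundError:
        return None
    setuid, setgid = privilege_bits(st.st_mode)
    return {
        "path": path,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "setuid": setuid,
        "setgid": setgid,
        "exposed": setuid or setgid,
    }


def audit_all(paths=CANDIDATES):
    """Audit every installed path in `paths`, skipping those not present."""
    return [r for r in map(audit_program, paths) if r is not None]


def drop_privilege_bits(path):
    """Apply the bulletin's workaround (chmod 0755) and return the new audit."""
    os.chmod(path, 0o755)
    return audit_program(path)


def demo_on_temp_file():
    """Exercise the audit on a constructed temporary file.

    Returns (exposed_before, exposed_after): True once the file is made
    setuid, False after the workaround is applied.
    """
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o4755)                 # simulate a setuid xterm
        before = audit_program(path)["exposed"]
        after = drop_privilege_bits(path)["exposed"]
    finally:
        os.remove(path)
    return before, after


if __name__ == "__main__":
    for r in audit_all():
        print(f"{r['path']}: mode {r['mode']} owner {r['uid']}:{r['gid']} "
              f"{'EXPOSED' if r['exposed'] else 'ok'}")
    print("temp-file demo:", demo_on_temp_file())
```

Run it as root on the system being checked; a program that is reported as exposed but is not meant to be privileged gets the same treatment the Solbourne workaround prescribes.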
_____________________________________________________
The U.S.
Department of Energy Computer Incident Advisory Capability
_____________________________________________________

INFORMATION BULLETIN

Solaris System Startup Vulnerability

December 17, 1993 1500 PST                                        Number E-06
______________________________________________________________________________

PROBLEM:  Solaris system startup vulnerability.
PLATFORM: Solaris 2.x and Solaris x86 systems.
DAMAGE:   Anyone with physical access to a workstation with eeprom(1m) security enabled may gain root level privilege without supplying the eeprom or root password.
SOLUTION: Change system scripts as described or restrict physical access.
______________________________________________________________________________

Critical Information about the Solaris System Startup Vulnerability

CIAC has received information from Sun Microsystems regarding a security vulnerability in the Solaris 2.x and Solaris x86 system startup. This vulnerability allows a person with physical access to a workstation with eeprom(1m) security enabled to force a startup failure and subsequently gain root privilege without supplying the eeprom or root password. Changing the system scripts as described below or restricting physical access to the workstations will eliminate this vulnerability. Note that without eeprom security enabled, a workstation is vulnerable to any unauthorized individual who has physical access.

Without the script changes, if fsck(8) fails during boot, the system will run a privileged shell on the workstation. Since an attacker can force the failure, CIAC recommends application of the changes described below. If this is not possible, then restrict physical workstation access to only those users allowed root privilege. The changes will require the user to enter the root password before the system runs the privileged shell.

To make the changes, edit both /sbin/rcS and /sbin/mountall.
Change every occurrence of

  /sbin/sh < /dev/console

to

  /sbin/sulogin < /dev/console

The Sun distribution of /sbin/rcS contains an occurrence of the target string at line 152; the distribution of /sbin/mountall contains one at line 66 and one at line 250.

An attacker with physical access to a workstation without eeprom security enabled can easily compromise the system by booting it in single user mode. CIAC thus recommends enabling eeprom security for all workstations without strict physical access controls.

______________________________________________________________________________

CIAC wishes to thank Sun Microsystems for first bringing the vulnerability to our attention, and both Sun Microsystems and the CERT Coordination Center for portions of the information in this bulletin.
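The edit described above for /sbin/rcS and /sbin/mountall, as an added example rather than Sun's or CIAC's own procedure: a Python function that replaces every occurrence of the target string with the sulogin form, keeps a backup and the script's file mode, and reports which lines still invoke an unauthenticated shell so the result can be verified. SAMPLE_SCRIPT in demo() is a constructed fragment that resembles the fsck failure path; it is not a copy of the Sun distribution, and the line numbers it yields are those of the sample, not the 152/66/250 cited above.

```python
"""Replace the unauthenticated console shell in Solaris startup scripts with sulogin.

Added example, not Sun's or CIAC's code.  SAMPLE_SCRIPT is a constructed
fragment resembling the fsck failure path, not a copy of /sbin/rcS.
"""
import os
import shutil
import tempfile

UNSAFE = "/sbin/sh < /dev/console"        # runs a root shell with no password
SAFE = "/sbin/sulogin < /dev/console"     # asks for the root password first


def harden_text(text):
    """Return (new_text, replacements) for one script's contents."""
    count = text.count(UNSAFE)
    return text.replace(UNSAFE, SAFE), count


def unprotected_lines(text):
    """1-based line numbers that still invoke the unauthenticated shell."""
    return [n for n, line in enumerate(text.splitlines(), 1) if UNSAFE in line]


def harden_script(path, backup_suffix=".orig"):
    """Edit `path` in place; keep a backup and the file mode; return the count.

    A script with nothing to change is left untouched, so the function is
    safe to run again after the change has been made.
    """
    with open(path) as f:
        original = f.read()
    new_text, count = harden_text(original)
    if count == 0:
        return 0
    shutil.copy2(path, path + backup_suffix)   # recovery copy with its metadata
    mode = os.stat(path).st_mode
    tmp = path + ".new"
    with open(tmp, "w") as f:
        f.write(new_text)
    os.chmod(tmp, mode)                          # startup scripts must stay executable
    os.replace(tmp, path)                        # atomic swap: never a half-written rcS
    return count


SAMPLE_SCRIPT = """#!/sbin/sh
# constructed fragment in the style of the fsck failure path of /sbin/rcS
/sbin/fsck -p /dev/rdsk/c0t3d0s0 || {
    echo "fsck failed; entering maintenance shell"
    /sbin/sh < /dev/console
}
/sbin/sh < /dev/console
"""


def demo():
    """Harden a constructed copy of the sample script in a temporary directory.

    Returns a dict describing what happened, for inspection or assertion.
    """
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "rcS")
    try:
        with open(path, "w") as f:
            f.write(SAMPLE_SCRIPT)
        os.chmod(path, 0o744)
        before = unprotected_lines(SAMPLE_SCRIPT)
        replaced = harden_script(path)
        with open(path) as f:
            after_text = f.read()
        result = {
            "before": before,                       # lines still running /sbin/sh
            "replaced": replaced,
            "after": unprotected_lines(after_text),
            "sulogin_lines": after_text.count(SAFE),
            "second_run": harden_script(path),      # idempotent: nothing left to do
            "backup_kept": os.path.exists(path + ".orig"),
            "mode_kept": oct(os.stat(path).st_mode & 0o777),
        }
    finally:
        shutil.rmtree(workdir)
    return result


if __name__ == "__main__":
    print(demo())
```

On a real system, call harden_script() on /sbin/rcS and /sbin/mountall as root and then confirm that unprotected_lines() returns an empty list for each file's contents; the .orig backups are what you restore from if the boot sequence misbehaves.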
_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
_____________________________________________________

INFORMATION BULLETIN

UNIX sendmail Vulnerabilities Update

January 7, 1994 0900 PST                                          Number E-07
______________________________________________________________________________

PROBLEM:  Vulnerabilities in the UNIX sendmail utility.
PLATFORM: All implementations of UNIX sendmail.
DAMAGE:   Local and remote users may execute commands and/or gain access to system files.
SOLUTION: Apply workarounds or install patched version of sendmail on ALL systems running sendmail.
______________________________________________________________________________

Critical Information about UNIX sendmail Vulnerabilities

This advisory updates the sendmail information contained in CIAC Advisory E-03. CIAC has learned of several vendor security patches addressing the vulnerabilities in the UNIX utility sendmail described in CIAC Advisory E-03.
These vulnerabilities include the ability of local and remote users to execute commands and write to system files on systems running sendmail, including those systems behind firewalls. CIAC Advisory E-03 described a set of workarounds to be used in the absence of vendor patches. These may still be safely used even after vendor patches have been installed.

The CERT Coordination Center is maintaining a list of vendor information on available security patches for sendmail. It is available via anonymous FTP from info.cert.org (IP 192.88.209.5) in /pub/cert_advisories/CA-93:16a.README. A brief summary is provided below, and the current version of this file is appended at the end of this bulletin.

  Vendor                         Patch Status
  -----------------------------  --------------
  sendmail 8.6.4                 Available
  IDA sendmail                   Available
  BSDI                           Available
  Data General Corporation       Available
  Digital Equipment Corporation  Available
  Hewlett-Packard Company        Available
  IBM                            Available
  NeXT, Inc.                     Available soon
  The Santa Cruz Operation       Available soon
  Sequent Computer Systems       Available
  Solbourne                      Available
  Sony Corporation               Available
  Sun Microsystems, Inc.         Available

______________________________________________________________________________

CIAC wishes to thank the CERT Coordination Center and the vendor community for their response to this problem.
______________________________________________________________________________

CA-93:16a.README                                          Rev. January 7, 1994

This file is a supplement to the CERT Advisory CA-93:16a of January 7, 1994, and will be updated as additional information becomes available.

The following is vendor-supplied information. Please notice that some entries provide pointers to vendor advisories. For more up-to-date information, contact your vendor.

-------------

Eric Allman, 8.6.4

Version 8.6.4 is available for anonymous FTP from ftp.cs.berkeley.edu in the "ucb/sendmail" directory.
  Standard Unix Sum   sendmail.8.6.4.base.tar.Z: 07718   428
  System V Sum        64609   856 sendmail.8.6.4.base.tar.Z
  MD5 Checksum        MD5 (sendmail.8.6.4.base.tar.Z) = 59727f2f99b0e47a74d804f7ff654621

-------------

Paul Pomes, IDA:

A new release is available for anonymous FTP from vixen.cso.uiuc.edu as "pub/sendmail-5.67b+IDA-1.5.tar.gz".

  Standard Unix Sum   sendmail-5.67b+IDA-1.5.tar.gz: 17272  1341
  System V Sum        30425  2682 sendmail-5.67b+IDA-1.5.tar.gz
  MD5 Checksum        MD5 (sendmail-5.67b+IDA-1.5.tar.gz) = a9b8e17fd6d3e52739d2195cead94300

-------------

BSDI

BSDI can supply either an easy-to-install port of the smrsh patch from CERT or a port of sendmail-8.6.4 (contact BSDI Customer Support for information on obtaining either of these solutions). In future releases, BSDI will ship the newer sendmail that is not affected by these problems.

Releases affected by this advisory: BSD/386 V1.0.

BSDI Contact Information:
  BSDI Customer Support
  Berkeley Software Design, Inc.
  7759 Delmonico Drive
  Colorado Springs, CO 80919
  Toll Free: +1 800 ITS BSD8 (+1 800 486 2738)
  Phone:     +1 719 260 8114
  Fax:       +1 719 598 4238
  Email:     support@bsdi.com

-------------

Data General Corporation

Patches are available from dg-rtp.rtp.dg.com (128.222.1.2) in the directory "deliver/sendmail":

  Rev        Patch Number        Sys V Checksum
  ---------  ------------------  --------------
  5.4.2      tcpip_5.4.2.p14     39298 512
             MD5 (tcpip_5.4.2.p14) = c80428e3b791d4e40ebe703ba5bd249c
  5.4R2.01   tcpip_5.4R2.01.p12  65430 512
             MD5 (tcpip_5.4R2.01.p12) = 9c84cfdb4d79ee22224eeb713a414996
  5.4R2.10   tcpip_5.4R2.10.p05  42625 512
             MD5 (tcpip_5.4R2.10.p05) = 2d74586ff22e649354cc6a02f390a4be

These patches are loadable via the "syadm" utility and installation instructions are included in the patch notes. Trusted versions of DG/UX will use the same patches as their base version of DG/UX. Customers with any questions about these patches should contact their local SEs or Sales Representatives.
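The vendor entries in this file list a "Standard Unix Sum", a "System V Sum" and an MD5 for each archive, and the Sun, Solbourne and cpm entries later in this bulletin use the same three figures. As an added example (not CERT's or any vendor's code), the Python below reproduces the three computations so a downloaded archive can be checked against the listed values offline: bsd_sum() follows the BSD sum algorithm (16-bit rotate-and-add, 1K-byte block count, printed zero-padded to five digits as in the "07718   428" entry above), sysv_sum() the System V algorithm (32-bit byte total folded to 16 bits, 512-byte block count), and MD5 comes from Python's hashlib. SAMPLE and EXPECTED are a constructed three-byte input and its hand-checked values, not any archive listed here.

```python
"""Compute the Standard Unix (BSD) sum, System V sum and MD5 of an archive.

Added example, not CERT's or any vendor's code.  bsd_sum() and sysv_sum()
implement the two classic sum(1) algorithms; EXPECTED holds values
constructed for SAMPLE, not figures from the vendor status file.
"""
import hashlib


def bsd_sum(data):
    """BSD / 'Standard Unix' sum: 16-bit rotating checksum, 1K-byte blocks."""
    checksum = 0
    for byte in data:
        checksum = (checksum >> 1) + ((checksum & 1) << 15)   # rotate right by one
        checksum = (checksum + byte) & 0xFFFF
    return checksum, (len(data) + 1023) // 1024


def sysv_sum(data):
    """System V sum: 32-bit byte total folded to 16 bits, 512-byte blocks."""
    total = sum(data)
    folded = (total & 0xFFFF) + ((total & 0xFFFFFFFF) >> 16)
    checksum = (folded & 0xFFFF) + (folded >> 16)
    return checksum, (len(data) + 511) // 512


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def status_lines(name, data):
    """Render the three lines in the layout the status file uses."""
    bsd_ck, bsd_blocks = bsd_sum(data)
    sysv_ck, sysv_blocks = sysv_sum(data)
    return (f"Standard Unix Sum   {name}: {bsd_ck:05d} {bsd_blocks:5d}\n"
            f"System V Sum        {sysv_ck:5d} {sysv_blocks:5d} {name}\n"
            f"MD5 Checksum        MD5 ({name}) = {md5_hex(data)}")


def verify(data, expected):
    """Check `data` against listed values; returns {name: matched}.

    `expected` may carry 'bsd' and 'sysv' as (checksum, blocks) pairs and
    'md5' as a hex string.  Treat the MD5 as the decisive check: the two
    sums are 16-bit values and a modified file can easily keep them.
    """
    results = {}
    if "bsd" in expected:
        results["bsd"] = bsd_sum(data) == tuple(expected["bsd"])
    if "sysv" in expected:
        results["sysv"] = sysv_sum(data) == tuple(expected["sysv"])
    if "md5" in expected:
        results["md5"] = md5_hex(data) == expected["md5"].lower()
    return results


def verify_file(path, expected):
    """Same check for an archive on disk, e.g. a patch tarball just fetched."""
    with open(path, "rb") as f:
        return verify(f.read(), expected)


# Constructed sample: a three-byte "archive" whose sums are easy to check by hand.
SAMPLE = b"abc"
EXPECTED = {
    "bsd": (16556, 1),
    "sysv": (294, 1),
    "md5": "900150983cd24fb0d6963f7d28e17f72",
}


def demo():
    """Verify the constructed sample and a tampered copy of it."""
    return {
        "intact": verify(SAMPLE, EXPECTED),
        "tampered": verify(b"abd", EXPECTED),
    }


if __name__ == "__main__":
    print(status_lines("sample.tar.Z", SAMPLE))
    print(demo())
```

For a real download, pass the listed figures to verify_file(); a mismatch in any of the three means the file is not the one the vendor published, whatever the cause.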
-------------

Digital Equipment Corporation

Systems affected: ULTRIX Versions 4.3 (VAX), ULTRIX V4.3 & V4.3A (RISC), DEC OSF/1 V1.2 & V1.3, using sendmail.

The following patches are available from your normal Digital support channel:

  ULTRIX V4.3 (VAX), V4.3 (RISC) or V4.3a (RISC):  CSCPAT #: CSCPAT_4044
  OSF/1 V1.2 and V1.3:                             CSCPAT #: CSCPAT_4045

*These fixes will be included in future releases of ULTRIX and DEC OSF/1.

Digital Equipment Corporation strongly urges Customers to upgrade to a minimum of ULTRIX V4.3 or DEC OSF/1 V1.2, then apply the Security kit to prevent this potential vulnerability.

The full text of Digital's advisory can be found in /pub/vendors/dec/advisories/sendmail on info.cert.org.

-------------

Hewlett-Packard Company

For HP/UX, the following patches are available:

  PHNE_3369 (series 300/400, HP-UX 8.x), or
  PHNE_3370 (series 300/400, HP-UX 9.x), or
  PHNE_3371 (series 700/800, HP-UX 8.x), or
  PHNE_3372 (series 700/800, HP-UX 9.x), or
  modify the sendmail configuration file (releases of HP-UX prior to 8.0)

These patches may be obtained from HP via FTP (this is NOT anonymous FTP) or the HP SupportLine. To obtain HP security patches, you must first register with the HP SupportLine. The registration instructions are available via anonymous FTP at info.cert.org in the file "pub/vendors/hp/supportline_and_patch_retrieval".

The full text of Hewlett-Packard's advisory can be found in /pub/vendors/hp/advisories/sendmail on info.cert.org.

-------------

IBM

Patches for these problems can be ordered as APAR# ix40304 and APAR# ix41354. Ix40304 is available now and ix41354 will be sent as soon as it is available.

-------------

NeXT, Inc.

NeXT expects to have patches available soon.
-------------

The Santa Cruz Operation

Support Level Supplement (SLS) net379A will soon be available for the following platforms:

  SCO TCP/IP Release 1.2.0 for SCO UNIX or SCO XENIX
  SCO TCP/IP Release 1.2.1 for SCO UNIX
  SCO Open Desktop Release 2.0, 3.0
  SCO Open Desktop Lite Release 3.0
  SCO Open Server Network System, Release 3.0
  SCO Open Server Enterprise System, Release 3.0

This SLS is currently orderable from SCO Support for all customers who have one of the above products registered. It will be available in the near future. Systems using MMDF as their mail system do not need this SLS.

-------------

Sequent Computer Systems

Versions 3.0.17 and greater of Dynix are vulnerable, as are versions 2.2 and 2.3 of the TCP package for PTX. Sequent customers should call the Sequent Hotline at (800) 854-9969 and ask for the Sendmail Maintenance Release Tape. Alternatively, ptx customers can upgrade to PTX/TCP/IP version 2.2.3 or 2.3.1 as appropriate.

-------------

Solbourne

Patch p93122301 is available from Solbourne to fix the sendmail problems. This patch is equivalent to Sun patch 100377-08. Customers may retrieve it via anonymous FTP from solbourne.solbourne.com in the pub/support/OS4.1B directory:

                     BSD         SVR4
  Filename           Checksum    Checksum
  ---------------    ---------   ---------
  p93122301.tar.Z    63749 211   53951 421

  MD5 (p93122301.tar.Z) = f7300f3ecfbbbfaa11a6695f42f14615

It is also available by sending email to solis@solbourne.com and specifying "get patches/4.1b p93122301" in the body of the mail message.

Earlier versions (4.1A.*) are no longer supported. The 4.1B patch may well work on 4.1A.* systems but this has not been tested.

If you have any questions please call the SOURCE at 1-800-447-2861 or send email to support@solbourne.com.

The full text of Solbourne's advisory can be found in /pub/vendors/solbourne/advisories/sendmail on info.cert.org.

---------------

Sony Corporation

These vulnerabilities have been fixed in NEWS-OS 6.0.1. A patch is available for NEWS-OS 4.x.
Customers should contact their dealers for any additional information.

---------------

Sun Microsystems, Inc.

Sun has made patches for sendmail available as described in their SUN MICROSYSTEMS SECURITY BULLETIN: #00125, 12/23/93. These patches can be found in the /systems/sun/sun-dist directory on ftp.uu.net:

                                            BSD         SVR4
  System       Patch ID   Filename         Checksum    Checksum
  -----------  ---------  ---------------  ----------  ----------
  SunOS 4.1.x  100377-08  100377-08.tar.Z  05320  755  58761 1510
  Solaris 2.1  100840-06  100840-06.tar.Z  59489  195  61100  390
  Solaris 2.2  101077-06  101077-06.tar.Z  63001  179  28185  358
  Solaris 2.3  101371-03  101371-03.tar.Z  27539  189  51272  377

MD5 checksums are:

  MD5 (100377-08.tar.Z) = 8e8a14c0a46b6c707d283cacd85da4f1
  MD5 (100840-06.tar.Z) = 7d8d2c7ec983a58b4c6a608bf1ff53ec
  MD5 (101077-06.tar.Z) = 78e165dec0b8260ca6a5d5d9bdc366b8
  MD5 (101371-03.tar.Z) = 687d0f3287197dee35941b9163812b56

A patch for x86 based systems will be forthcoming as patch 101352-02.

Sites installing these patches on SunOS 4.1 may need to modify their configuration files slightly. Full details are given in the Sun advisory.

The full text of Sun Microsystems' advisory can be found in /pub/vendors/sun/advisories/sendmail on info.cert.org.

-------------

_____________________________________________________
The U.S.
Department of Energy Computer Incident Advisory Capability
_____________________________________________________

ADVISORY NOTICE

Network Monitoring Attacks

February 3, 1994 2130 PST                                         Number E-09
______________________________________________________________________________

PROBLEM:  Systematic compromise and exploitation of networked computers to capture network transactions.
PLATFORM: Sun 4.x and Solbourne systems.
DAMAGE:   Unauthorized access and use of resources; exposure of username, password, host-name combinations, as well as other sensitive information.
SOLUTION: Detection, prevention, and recovery steps described below.
______________________________________________________________________________

Critical information about the Network Monitoring Attacks

CIAC and other response teams have observed many compromised systems surreptitiously monitoring network traffic, obtaining username, password, host-name combinations (and potentially other sensitive information) as users connect to remote systems using telnet, rlogin, and ftp. This applies to both local and wide area network connections. The intruders may (and presumably do) use this information to compromise new hosts and expand the scope of the attacks. Once system administrators discover a compromised host, they must presume that all network transactions from or to any host "visible" on the network were monitored for the duration of the compromise, and that intruders potentially possess any of the information so exposed.

The attacks proceed as follows. The intruders gain unauthorized, privileged access to a host that supports a network interface capable of monitoring the network in "promiscuous mode," reading every packet on the network whether addressed to the host or not. They accomplish this by exploiting unpatched vulnerabilities or learning a username, password, host-name combination from the monitoring log of another compromised host.
The intruders then install a network monitoring tool that captures and records the initial portion of all network traffic for ftp, telnet, and rlogin sessions. They typically also install "Trojan" programs for login, ps, and telnetd to support their unauthorized access and other clandestine activities.

System administrators must begin by determining if intruders have compromised their systems. The CERT Coordination Center has released a tool to detect network interface devices in promiscuous mode. Instructions for obtaining and using the tool appear later in this bulletin; the tool is available via anonymous ftp. If a site discovers that intruders have compromised their systems, the site must determine the extent of the attack and perform recovery as described below. System administrators must also prevent future attacks as described below.

CIAC advises system administrators to follow the steps described below. The following guidelines have been extracted (with minor modifications) from the CERT Coordination Center's Advisory CA-94:01, and full credit is given to them.

[Beginning of CERT extract.]

A. Detection

The network monitoring tool can be run under a variety of process names and log to a variety of filenames. Thus, the best method for detecting the tool is to look for 1) Trojan horse programs commonly used in conjunction with this attack, 2) any suspect processes running on the system, and 3) the unauthorized use of /dev/nit.
1) Trojan horse programs:

The intruders have been found to replace one or more of the following programs with a Trojan horse version in conjunction with this attack:

  /usr/etc/in.telnetd and /bin/login - Used to provide back-door access for the intruders to retrieve information
  /bin/ps - Used to disguise the network monitoring process

Because the intruders install Trojan horse variations of standard UNIX commands, CERT recommends not using other commands such as the standard UNIX sum(1) or cmp(1) commands to locate the Trojan horse programs on the system until these programs can be restored from distribution media, run from read-only media (such as a mounted CD-ROM), or verified using cryptographic checksum information.

In addition to the possibility of having the checksum programs replaced by the intruders, the Trojan horse programs mentioned above may have been engineered to produce the same standard checksum and timestamp as the legitimate version. Because of this, the standard UNIX sum(1) command and the timestamps associated with the programs are not sufficient to determine whether the programs have been replaced. CERT recommends that you use both the /usr/5bin/sum and /bin/sum commands to compare against the distribution media and assure that the programs have not been replaced. The use of cmp(1), MD5, Tripwire (only if the baseline checksums were created on a distribution system), and other cryptographic checksum tools are also sufficient to detect these Trojan horse programs, provided these programs were not available for modification by the intruder. If the distribution is available on CD-ROM or other read-only device, it may be possible to compare against these volumes or run programs off these media.

2) Suspect processes:

Although the name of the network monitoring tool can vary from attack to attack, it is possible to detect a suspect process running as root using ps(1) or other process-listing commands.
Until the ps(1) command has been verified against distribution media, it should not be relied upon; a Trojan horse version is being used by the intruders to hide the monitoring process. Some process names that have been observed are sendmail, es, and in.netd. The arguments to the process also provide an indication of where the log file is located. If the "-F" flag is set on the process, the filename following indicates the location of the log file used for the collection of authentication information for later retrieval by the intruders.

3) Unauthorized use of /dev/nit:

If the network monitoring tool is currently running on your system, it is possible to detect this by checking for unauthorized use of the /dev/nit interface. CERT has created a minimal tool for this purpose. The source code for this tool is available via anonymous FTP on info.cert.org in the /pub/tools/cpm directory or on ftp.uu.net in the /pub/security/cpm directory as cpm.1.0.tar.Z. The checksum information is:

  Filename         Standard UNIX Sum   System V Sum
  --------------   -----------------   ------------
  cpm.1.0.tar.Z:   11097     6         24453    12

  MD5 Checksum
  MD5 (cpm.1.0.tar.Z) = e29d43f3a86e647f7ff2aa453329a155

This archive contains a readme file, also included at the end of this extract, containing instructions on installing and using this detection tool.

B. Prevention

There are two actions that are effective in preventing this attack. A long-term solution requires eliminating transmission of clear-text passwords on the network. For this specific attack, however, a short-term workaround exists. Both of these are described below.

1) Long-term prevention:

CERT recognizes that the only effective long-term solution to prevent these attacks is by not transmitting reusable clear-text passwords on the network. CERT has collected some information on relevant technologies. This information is included as Appendix B in this advisory.
Note: These solutions will not protect against transient or remote access transmission of clear-text passwords through the network.

Until everyone connected to your network is using the above technologies, your policy should allow only authorized users and programs access to promiscuous network interfaces. The tool described in Section III.A.3 above may be helpful in verifying this restricted access.

2) Short-term workaround:

Regardless of whether the network monitoring software is detected on your system, CERT recommends that ALL SITES take action to prevent unauthorized network monitoring on their systems. You can do this either by removing the interface, if it is not used on the system, or by attempting to prevent the misuse of this interface.

For systems other than Sun and Solbourne, contact your vendor to find out if promiscuous mode network access is supported and, if so, what is the recommended method to disable or monitor this feature.

For SunOS 4.x and Solbourne systems, the promiscuous interface to the network can be eliminated by removing the /dev/nit capability from the kernel. The procedure for doing so is outlined below (see your system manuals for more details). Once the procedure is complete, you may remove the device file /dev/nit since it is no longer functional.

Procedure for removing /dev/nit from the kernel:

1. Become root on the system.

2. Apply "method 1" as outlined in the System and Network Administration manual, in the section, "Sun System Administration Procedures," Chapter 9, "Reconfiguring the System Kernel." Excerpts from the method are reproduced below:

     # cd /usr/kvm/sys/sun[3,3x,4,4c]/conf
     # cp CONFIG_FILE SYS_NAME

   [Note that at this step, you should replace the CONFIG_FILE with your system specific configuration file if one exists.]

     # chmod +w SYS_NAME
     # vi SYS_NAME

     #
     # The following are for streams NIT support.  NIT is used by
     # etherfind, traffic, rarpd, and ndbootd.
     # As a rule of thumb,
     # NIT is almost always needed on a server and almost never
     # needed on a diskless client.
     #
     pseudo-device   snit    # streams NIT
     pseudo-device   pf      # packet filter
     pseudo-device   nbuf    # NIT buffering module

   [Comment out the preceding three lines; save and exit the editor before proceeding.]

     # config SYS_NAME
     # cd ../SYS_NAME
     # make
     # mv /vmunix /vmunix.old
     # cp vmunix /vmunix
     # /etc/halt
     > b

   [This step will reboot the system with the new kernel.]

   [NOTE that even after the new kernel is installed, you need to take care to ensure that the previous vmunix.old, or other kernel, is not used to reboot the system.]

C. Scope and recovery

If you detect the network monitoring software at your site, CERT recommends following three steps to successfully determine the scope of the problem and to recover from this attack.

1. Restore the system that was subjected to the network monitoring software. The systems on which the network monitoring and/or Trojan horse programs are found have been compromised at the root level; your system configuration may have been altered. See Appendix A of this advisory for help with recovery.

2. Consider changing router, server, and privileged account passwords due to the wide-spread nature of these attacks. Since this threat involves monitoring remote connections, take care to change these passwords using some mechanism other than remote telnet, rlogin, or FTP access.

3. Urge users to change passwords on local and remote accounts. Users who access accounts using telnet, rlogin, or FTP either to or from systems within the compromised domain should change their passwords after the intruder's network monitor has been disabled.

4. Notify remote sites connected from or through the local domain of the network compromise. Encourage the remote sites to check their systems for unauthorized activity.
   Be aware that if your site routes network traffic between external domains, both of these domains may have been compromised by the network monitoring software.

---------------------------------------------------------------------------

cpm 1.0 README FILE

cpm - check for network interfaces in promiscuous mode.

Copyright (c) Carnegie Mellon University 1994
Thursday Feb 3 1994

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

This program is free software; you can distribute it and/or modify it as long as you retain the Carnegie Mellon copyright statement. It can be obtained via anonymous FTP from info.cert.org:pub/tools/cpm.tar.Z.

This program is distributed WITHOUT ANY WARRANTY; without the IMPLIED WARRANTY of merchantability or fitness for a particular purpose.

This package contains:

   README
   MANIFEST
   cpm.1
   cpm.c

To create cpm under SunOS, type:

   % cc -Bstatic -o cpm cpm.c

On machines that support dynamic loading, such as Sun's, CERT recommends that programs be statically linked so that this feature is disabled.

CERT recommends that after you install cpm in your favorite directory, you take measures to ensure the integrity of the program by noting the size and checksums of the source code and resulting binary.

The following is an example of the output of cpm and its exit status.

Running cpm on a machine where both the le0 and le2 interfaces are in promiscuous mode, under csh(1):

   % cpm
   le0
   le2
   % echo $status
   2
   %

Running cpm on a machine where no interfaces are in promiscuous mode, under csh(1):

   % cpm
   % echo $status
   0
   %

[End of CERT extract.]

______________________________________________________________________________

CIAC wishes to acknowledge the contributions of the CERT Coordination Center for their timely and thorough advisory, their detection tool, and their diligence and support throughout this ongoing incident.
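The cpm README above shows the tool's contract: print each promiscuous interface on its own line and exit with the count, so a 0 status means nothing was found. The following is an added example written for this page, not CERT's cpm.c (which queries the SunOS kernel through /dev/nit and will not compile elsewhere). It assumes a Linux host, where the kernel publishes each interface's flag word as a hex string in /sys/class/net/<ifname>/flags, and uses the IFF_PROMISC bit (0x100) from <linux/if.h>. The sysfs path and the sample flag values in the test are the assumptions; the exit-status convention is cpm's.

```python
"""List network interfaces in promiscuous mode, in the spirit of CERT's cpm.

Added example; this is not CERT's cpm.c and it assumes a Linux host,
where /sys/class/net/<ifname>/flags holds the interface flag word as
hex text.  Like cpm, each promiscuous interface is printed on its own
line and the exit status is their count, so 0 means none were found.
"""
import os
import sys

# IFF_PROMISC from <linux/if.h>: bit 8 of the interface flag word.
IFF_PROMISC = 0x100
SYSFS_NET = "/sys/class/net"       # assumed Linux sysfs location


def is_promiscuous(flags_text):
    """True if a sysfs flags value such as '0x1103\\n' has IFF_PROMISC set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(flags_by_iface):
    """Pure check over {ifname: flags text}.

    Returns (promiscuous names, unparseable names), both sorted.  A value
    that does not parse is reported rather than skipped: an interface we
    could not classify is exactly the kind of gap an auditor must see.
    """
    promisc, unparseable = [], []
    for ifname, text in flags_by_iface.items():
        try:
            if is_promiscuous(text):
                promisc.append(ifname)
        except ValueError:
            unparseable.append(ifname)
    return sorted(promisc), sorted(unparseable)


def read_sysfs_flags(sysfs_dir=SYSFS_NET):
    """Collect {ifname: flags text} from sysfs.  An interface whose flags
    file disappears mid-scan (hot-unplug) is simply absent from the result."""
    flags = {}
    for ifname in os.listdir(sysfs_dir):
        try:
            with open(os.path.join(sysfs_dir, ifname, "flags")) as fh:
                flags[ifname] = fh.read()
        except OSError:
            continue
    return flags


def main():
    promisc, unparseable = promiscuous_interfaces(read_sysfs_flags())
    for ifname in promisc:
        print(ifname)
    for ifname in unparseable:
        print("%s: could not parse flags" % ifname, file=sys.stderr)
    sys.exit(len(promisc))      # cpm convention: status == promiscuous count


if __name__ == "__main__":
    main()
```

As with cpm, this only reports the interfaces of the host it runs on; a sniffer on another machine on the same segment is invisible to it, which is why the advisory pairs this check with file integrity verification. On Linux the kernel also logs a "promiscuous mode" message when the flag changes, so the system log is a useful second source when the flag has since been cleared.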
______________________________________________________________________________

For additional information or assistance, please contact CIAC:

   Voice:    (510) 422-8193
   FAX:      (510) 423-8002
   STU-III:  (510) 423-2604
   E-mail:   ciac@llnl.gov

Previous CIAC Bulletins and other information are available via anonymous FTP from irbis.llnl.gov (IP address 128.115.19.60).

______________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.
_____________________________________________________

             The U.S. Department of Energy
        Computer Incident Advisory Capability
_____________________________________________________

                   Information Bulletin

           Lotus cc:Mail Security Upgrade Available

March 7, 1994 900 PST                                        Number E-11
______________________________________________________________________________

PROBLEM:  Passwords are vulnerable on local hard drives
PLATFORM: Lotus cc:Mail Windows 2.0 and 2.01
DAMAGE:   Accounts could be compromised if another person is allowed access to a cc:Mail user's personal computer
SOLUTION: Retrieve and install cc:Mail 2.02 for Windows, then have all users change their passwords.
______________________________________________________________________________

Critical Information about Lotus CCMAIL Security Upgrade

CIAC has received information from Lotus regarding a vulnerability in cc:Mail for Windows. Under certain circumstances, the user's password can be viewed on their local hard drive. This vulnerability exists only in cc:Mail Windows 2.0 and 2.01.

To correct the problem, a software upgrade, cc:Mail for Windows 2.02, has been made available. This upgrade is contained in the file WINFIX.ZIP. WINFIX.ZIP can be downloaded from three sources: anonymous ftp, CompuServe, or the Lotus cc:Mail BBS.

The file is available via anonymous ftp from ftp.ccmail.com in the /pub/windows directory. On the anonymous ftp server, WINFIX.ZIP is dated Feb 19 00:53 and is 279803 bytes long.

In CompuServe, perform the following commands:

   a. Enter the Lotus forum by typing GO LOTUSC from any CompuServe prompt.
   b. Enter Section 10 when prompted for which section.
   c. From within Section 10, select "Download" and download the file WINFIX.ZIP.

The Lotus cc:Mail BBS is available to everyone via modem. The telephone number is (415) 691-0401. Your modem settings should be: 8 data bits, No Parity, 1 stop bit. Once connected, go to the "File Area" by typing "F".
Select the download option and download the file WINFIX.ZIP. On the BBS, WINFIX.ZIP is 279803 bytes long and is dated 2/18/94 at 2:02a.

After unzipping WINFIX.ZIP, the following files are available:

   ccmail.exe    628656 bytes
   readme.now      1062 bytes

Your next step is to install this upgrade. Change to the directory (which is likely to be m:\ccmail) that contains the old version of ccmail.exe. Rename the old copy of ccmail.exe to ccmail.old, and then copy the new ccmail.exe to the directory.

If cc:Mail for Windows has been installed on a network, the system administrator only needs to change the network copy of ccmail.exe. If cc:Mail for Windows has been installed locally, ccmail.exe must be installed in the proper directory of every workstation.

After installation of ccmail.exe, all users should change their password.

______________________________________________________________________________

CIAC would like to thank Lally Thomas and Gary Schuppert of CDSI for bringing this problem to our attention.

______________________________________________________________________________
_____________________________________________________

             The U.S. Department of Energy
        Computer Incident Advisory Capability
_____________________________________________________

                      ADVISORY NOTICE

              Network Monitoring Attacks Update

March 18, 1994 1800 PST                                      Number E-12
______________________________________________________________________________

PROBLEM:  Continued network monitoring attacks.
PLATFORM: All computers supporting logins over the Internet.
DAMAGE:   Unauthorized access and use of resources; exposure of username, password, host-name combinations, as well as other sensitive information.
SOLUTION: Detection and prevention steps described below.
______________________________________________________________________________

Critical Information about the Network Monitoring Attacks

This Advisory supersedes any other version of Bulletin E-12 dated prior to March 18, 1994.
This Advisory updates information contained in CIAC Advisory E-09.

The number of Internet sites compromised by the ongoing series of network monitoring (sniffing) attacks continues to increase. The number of accounts compromised world-wide is now estimated to exceed 100,000. This series of attacks represents the most serious Internet threat in its history.

IMPORTANT: THESE NETWORK MONITORS DO NOT SPECIFICALLY TARGET INFORMATION FROM UNIX SYSTEMS; ALL SYSTEMS SUPPORTING NETWORK LOGINS ARE POTENTIALLY VULNERABLE. IT IS IMPERATIVE THAT SITES ACT TO SECURE THEIR SYSTEMS.

Attack Description
==================

The attacks are based on network monitoring software, known as a "sniffer", installed surreptitiously by intruders. The sniffer records the initial 128 bytes of each login, telnet, and FTP session seen on the local network segment, compromising ALL traffic to or from any machine on the segment as well as traffic passing through the segment being monitored. The captured data includes the name of the destination host, the username, and the password used. This information is written to a file and is later used by the intruders to gain access to other machines.

Note: To date, these attacks have only involved sniffers on Unix systems running SunOS 4.x. However, nearly all networked computers have the capability of monitoring the network.

In most cases, the intruders initially gain access to systems using one of the following techniques:

   - Retrieve the password file via TFTP on improperly configured systems.
   - Retrieve the password file from systems running insecure versions of NIS.
   - Gain access to the local file systems via NFS mount points exported without restrictions.
   - Use a login name and password captured by a sniffer running on another system.

Once on a system, the intruders gain root privilege by exploiting known vulnerabilities, including rdist, Sun Sparc integer division, and world writeable utmp files; or by making use of a captured root password.
They then install the sniffer software, logging the captured session information to a hidden file. In addition, the intruders generally install Trojan replacements for one or more of the following critical system files in order to disguise their presence on the system:

   - /bin/login
   - /usr/etc/in.telnetd
   - /usr/kvm/ps
   - /usr/ucb/netstat

Detection
=========

The following techniques may be used to detect the presence of a sniffer on a system running SunOS 4.x:

1. The integrity of key system files may be verified using the database of MD5 checksums contained in Appendix B of this Advisory. The use of MD5 checksums is essential, as many of the Trojan binaries currently being used have been engineered to generate the same "/bin/sum" checksum as the original binary. The MD5 signature algorithm by RSA Data Security, Inc. is cryptographically strong and is not believed to be susceptible to such an attack.

   In addition to the checksum database, CIAC is providing a program to automate the verification of system files. This program is included in Appendix A. The program, the checksum database, source for md5, and a man page are also available via anonymous FTP from irbis.llnl.gov (IP 128.115.19.60) in the directory /pub/util/crypto.

      Filename          MD5 Checksum
      ----------------  --------------------------------
      md5check.1.0.tar  113d5d66e73c95967801b512d3dd692d
      md5_sun.v1        780a0f1f3717819c59135716e5f6a1ce

   Note that the MD5 checksum database is not complete. Some patch revisions and OS releases were unavailable for testing. If a checksum DOES NOT match, consider these possible reasons:

   a. The file may be legitimate, but not included in this database. To check this possibility, compare the file against the original distribution media.

   b. You may have made local modifications to the file. To check this possibility, compare the file to a known good version.

   c. The file may be a Trojan replacement installed by an intruder.
      We encourage you to make a copy of the file, replace it with a known good version, and check for additional signs of compromise. Contact CIAC for further assistance.

2. The sniffer software places the network interface in promiscuous mode to allow examination of each packet on the network segment. This mode can be detected with the CPM utility described in Appendix C.

3. Scan your file system for any unusual directories or files. Look for unusual names like "..  " (dot dot space space) or " " (space). A useful technique for locating such files is to examine the file system for files that have recently changed. For example, the command

      find / -ctime -7 -print

   will locate all files that have changed in the last 7 days.

4. Examine the process table with a known good version of ps, checking for long running processes with unusually high amounts of CPU time and/or unusual names.

Prevention
==========

1. Verify that all applicable security patches have been installed. These patches will limit the amount of damage that is possible, even if an intruder has captured a password for the system. Appendix D lists all SunOS security patches released as of March 18, 1994.

2. Install a change detection tool such as Security Profile Inspector (SPI) or Tripwire to detect future changes to system binaries. For the latest information about the availability of SPI contact Tony Bartoletti, SPI Project Leader, 510-422-3881 or azb@llnl.gov. A mailserver exists for information about Tripwire availability. Send E-mail to "tripwire-request@cs.purdue.edu" with a message body consisting solely of the word "help", and the server will respond with instructions on how to get source, patches and join the tripwire mailing list.

3. The only long term solution to the problem of network password sniffing is the use of one-time passwords. These passwords change with each use, and are of no value to an intruder. Several implementations exist, including both hardware and software solutions.
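Detection step 1 above relies on comparing each binary against every known checksum for its path, with the three outcomes the advisory spells out: matched some entry, matched none, or could not be read. The following is an added example for this page, not CIAC's md5check (the nawk script in Appendix A) and not the md5_sun.v1 data of Appendix B. It reads the same XSUMTYPE:OSNAME:OSVERSION:SOURCE:ARCH:FILE:XSUM record format, computes MD5 with Python's hashlib instead of running the external md5 program, and applies md5check's rule that a file counts as matched if any entry for it agrees. The sample table and files built by run_demo() are constructed for the demonstration and their digests are not real SunOS values; the optional root argument, which lets a suspect disk mounted read-only elsewhere be checked instead of the live system, is this example's addition. MD5 is kept only because it is the page's format: practical MD5 collisions have been known since 2004, so a table built today would use SHA-256.

```python
"""Verify system binaries against a CIAC-style MD5 checksum table.

Added example; not CIAC's md5check script and not the md5_sun.v1 data.
Reads records of the form XSUMTYPE:OSNAME:OSVERSION:SOURCE:ARCH:FILE:XSUM
and reports, as md5check does, which files matched some known entry and
which matched none.  The table and files in run_demo() are constructed.
"""
import hashlib
import os
import sys
import tempfile
from collections import namedtuple

Entry = namedtuple("Entry", "xsumtype osname osversion source arch path xsum")


def parse_table(text):
    """Parse checksum records.  Lines starting with '#' are comments ('##'
    lines are the notices md5check echoes); only md5 records are kept."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 7:
            raise ValueError("malformed record: %r" % line)
        entry = Entry(*fields)
        if entry.xsumtype.lower() != "md5":
            continue
        digest = entry.xsum.lower()
        if len(digest) != 32 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError("bad MD5 digest in record: %r" % line)
        entries.append(entry._replace(xsum=digest))
    return entries


def md5_of_file(path):
    """Hex MD5 of a file, read in chunks so large libraries are handled."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check(entries, root="/"):
    """Compare each file against all entries for its path.

    Returns (matched, not_matched, unreadable): matched maps a path to the
    Entry it agreed with, not_matched maps a path to the digest actually
    observed when no entry agreed, and unreadable is the set of paths that
    could not be opened.  root is an assumed addition: point it at a
    mounted copy of a suspect disk to check that instead of the live system.
    """
    matched, not_matched, unreadable, observed = {}, {}, set(), {}
    for entry in entries:
        path = entry.path
        if path in matched or path in unreadable:
            continue
        if path not in observed:
            try:
                observed[path] = md5_of_file(os.path.join(root, path.lstrip("/")))
            except OSError:
                unreadable.add(path)
                continue
        if observed[path] == entry.xsum:
            matched[path] = entry
            not_matched.pop(path, None)   # an earlier entry for it had failed
        else:
            not_matched[path] = observed[path]
    return matched, not_matched, unreadable


def run_demo():
    """Constructed scenario: a pristine /bin/login, a /usr/kvm/ps matching
    no known digest, and no in.telnetd at all; returns check()'s result."""
    root = tempfile.mkdtemp(prefix="md5demo-")
    files = {"/bin/login": b"constructed pristine login binary",
             "/usr/kvm/ps": b"constructed replacement ps binary"}
    for path, data in files.items():
        full = os.path.join(root, path.lstrip("/"))
        os.makedirs(os.path.dirname(full))
        with open(full, "wb") as fh:
            fh.write(data)
    good_login = hashlib.md5(files["/bin/login"]).hexdigest().upper()
    table = "\n".join([
        "## Constructed sample table; these are NOT real SunOS checksums",
        "# XSUMTYPE:OSNAME:OSVERSION:SOURCE:ARCH:FILE:XSUM",
        "md5:SunOS:4.1.3:100630-02:sun4:/bin/login:" + "0" * 32,
        "md5:SunOS:4.1.3:Original Dist:sun4:/bin/login:" + good_login,
        "md5:SunOS:4.1.3:Original Dist:sun4:/usr/kvm/ps:" + "1" * 32,
        "md5:SunOS:4.1.3:Original Dist:sun4:/usr/etc/in.telnetd:" + "2" * 32,
    ])
    return check(parse_table(table), root)


def main(argv):
    table_path = argv[1] if len(argv) > 1 else "md5_sun.v1"
    root = argv[2] if len(argv) > 2 else "/"
    with open(table_path) as fh:
        matched, not_matched, unreadable = check(parse_table(fh.read()), root)
    for path in sorted(unreadable):
        print("Could not open", path)
    print("\n%d files DID NOT MATCH a known checksum" % len(not_matched))
    for path in sorted(not_matched):
        print("\t%s\n\t\tobserved %s" % (path, not_matched[path]))
    print("\n%d files did match a known checksum" % len(matched))
    for path in sorted(matched):
        e = matched[path]
        print("\t%s\n\t\t%s %s %s %s" % (path, e.osname, e.osversion, e.arch, e.source))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python md5verify.py md5_sun.v1` on the live system, or with a second argument naming the mount point of a suspect disk. A path that matches none of its entries is reported with the digest actually observed, which is what you need in hand when following the advisory's reasons a, b and c: comparing against distribution media or a known good copy is a second digest comparison, not a guess.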
   Contact information is provided in Appendix E.

At a minimum, users should use different passwords for each account and each system, remote systems in particular. Passwords must be changed frequently, especially on systems accessed over networks.

--------------------------------------------------------------------

Appendix A: "md5check"

The following program is a "nawk" script that can be run against the list of checksums "md5_sun.v1" in Appendix B:

   nawk -f md5check md5_sun.v1

The program, the checksum database, source for md5, and a man page are also available via anonymous FTP from irbis.llnl.gov (IP 128.115.19.60) in the directory /pub/util/crypto.

   Filename          MD5 Checksum
   ----------------  --------------------------------
   md5check.1.0.tar  113d5d66e73c95967801b512d3dd692d
   md5_sun.v1        780a0f1f3717819c59135716e5f6a1ce

------- Cut Here -------
# "md5check" version 1 (3/17/94)

BEGIN { FS = "[ \t]*:[ \t]*"; }

# Print notices from the configuration file
/^##/ { print substr ($0, 3); next; }

# Only handle MD5 checksums currently
/^md5/ {
    source = sprintf("%-7s %-8s %-6s %s", $2, $3, $5, $4);
    file = $6;
    sum = hex_lower($7);

    if (md5[file] == "") {
        print "Checking", file;
        testcmd = "test -r " file;
        if ( system(testcmd) != 0 ) {
            print "    Could not open", file;
            md5[file] = "x";
            next;
        } else {
            md5cmd = "md5 " file
            md5cmd | getline md5[file];
            close (md5cmd);
            # Strip off any leading text and set to lowercase
            sub(".*[ \t]", "", md5[file]);
            md5[file] = hex_lower(md5[file]);
        }
    }

    if (md5[file] == "x" || file in matched) {
        # Could not open or already matched
        next;
    }

    if (md5[file] == sum) {
        # We have a match - remember which one
        matched[file] = source;
        num_match++;
        if (file in not_matched) {
            num_no_match--;
            delete not_matched[file];
        }
    } else {
        if (! (file in not_matched)) {
            num_no_match++;
            not_matched[file] = 1;
        }
    }
}

END {
    printf "\n%d files DID NOT MATCH a known checksum\n", num_no_match;
    printf "%d files did match a known checksum\n", num_match;

    print "\nThe following files DID NOT MATCH a known checksum";
    for (filename in not_matched) {
        printf "\t%s\n", filename;
    }

    print "\nThe following files did match a known checksum";
    for (filename in matched) {
        printf "\t%s\n\t\t%s\n", filename, matched[filename];
    }
}

function hex_lower(s) {
    gsub("A","a",s); gsub("B","b",s); gsub("C","c",s);
    gsub("D","d",s); gsub("E","e",s); gsub("F","f",s);
    return s
}
------- Cut Here -------

--------------------------------------------------------------------

Appendix B: "md5_sun.v1"

## Checksum Table for Selected SunOS Binary Files (v1: 3/17/94)
##
## PLEASE NOTE: The entries included in this table do not represent complete
##              coverage of all released versions of these files.
##              In particular, checksum data for outdated patch releases is
##              limited.
##
##              Failure to match a checksum for a given file does not
##              necessarily indicate the presence of a Trojan binary.
##              Failure indicates that the file's checksum did not match any
##              contained in this table. The file's authenticity should be
##              verified against distribution media or local modifications.
##
##              Success at matching a file's checksum indicates that the
##              corresponding file is free from tampering.
##
# (MD5 is the RSA Data Security, Inc. Message Digest Algorithm)
#
# format of data
#
# XSUMTYPE:OSNAME:OSVERSION:SOURCE:ARCH:FILE:XSUM
#/bin/login
md5:SunOS:4.1:100201-06:sun3:/bin/login:00d95a04ecce2193b9c6e16516d37855
md5:SunOS:4.1:100201-06:sun4:/bin/login:e746fed42be0433a53cce082acfee23c
md5:SunOS:4.1:100630-01:sun3:/bin/login:11d5ed4445face25642100ec0ab1ed3c
md5:SunOS:4.1:100630-01:sun4:/bin/login:b6d013403c54949c0e476afd966ef261
md5:SunOS:4.1.1:Original Dist:sun3:/bin/login:073d378264f25245c154be8a12f208e9
md5:SunOS:4.1.1:Original Dist:sun4:/bin/login:92611eb1ef1f221c1e9c76db8da44a99
md5:SunOS:4.1.1:100201-06:sun3:/bin/login:00d95a04ecce2193b9c6e16516d37855
md5:SunOS:4.1.1:100201-06:sun4:/bin/login:e746fed42be0433a53cce082acfee23c
md5:SunOS:4.1.1:100630-01:sun3:/bin/login:11d5ed4445face25642100ec0ab1ed3c
md5:SunOS:4.1.1:100630-01:sun4:/bin/login:b6d013403c54949c0e476afd966ef261
md5:SunOS:4.1.1:100632-06:sun4:/bin/login:12c4b39cb94b8dcdad0a10e1c59345c6
md5:SunOS:4.1.1:100633-01:sun4:/bin/login:9634cda7a353d0043a22ad2b0eebaab2
md5:SunOS:4.1.2:Original Dist:sun4:/bin/login:637503c0e2b46791820609d87629db91
md5:SunOS:4.1.2:100630-01:sun4:/bin/login:b6d013403c54949c0e476afd966ef261
md5:SunOS:4.1.2:100631-01:sun3:/bin/login:65d1e270fbb13984f5e0036b9e4a1011
md5:SunOS:4.1.2:100631-01:sun4:/bin/login:976a0431dbd23ec1535c1679e215095b
md5:SunOS:4.1.2:100632-06:sun4:/bin/login:12c4b39cb94b8dcdad0a10e1c59345c6
md5:SunOS:4.1.2:100633-01:sun4:/bin/login:9634cda7a353d0043a22ad2b0eebaab2
md5:SunOS:4.1.3:100630-02:sun3:/bin/login:11d5ed4445face25642100ec0ab1ed3c
md5:SunOS:4.1.3:100630-02:sun4:/bin/login:b6d013403c54949c0e476afd966ef261
md5:SunOS:4.1.3:100632-06:sun4:/bin/login:12c4b39cb94b8dcdad0a10e1c59345c6
md5:SunOS:4.1.3:Original Dist:sun4:/bin/login:e88e84d228d05e8f54a0d57d62d0710d
md5:SunOS:4.1.3c:Original Dist:sun4:/bin/login:e88e84d228d05e8f54a0d57d62d0710d
md5:SunOS:4.1.3_u1:Original Dist:sun4:/usr/bin/login:4e437a85e05f886ff5082ac58108d882
#/usr/kvm/ps
md5:SunOS:4.1.1:Original Dist:sun3x:/usr/kvm/ps:ac96820499c2da78d65700e230f66df2
md5:SunOS:4.1.1:Original Dist:sun3:/usr/kvm/ps:b4633eed82815a233d2ca8d8df8d655e
md5:SunOS:4.1.1:Original Dist:sun4:/usr/kvm/ps:390ef406ba27b1d591ba6f281986369b
md5:SunOS:4.1.1:Original Dist:sun4c:/usr/kvm/ps:cb58a8259ff580389b115b7861793b48
md5:SunOS:4.1.2:Original Dist:sun4:/usr/kvm/ps:efca4ca10a088e557c6c69695dadcfa6
md5:SunOS:4.1.2:Original Dist:sun4c:/usr/kvm/ps:9d489c87d709a540aced718a04e38e11
md5:SunOS:4.1.2:Original Dist:sun4m:/usr/kvm/ps:e9e364f3936a5b16d7e2fb812d11e475
md5:SunOS:4.1.2:100981-02:sun4:/usr/kvm/ps:86b8b5eb7212c94c9c570cd20c9af2ae
md5:SunOS:4.1.2:100981-02:sun4c:/usr/kvm/ps:4871287498c0ab7b17d97848ebe34d15
md5:SunOS:4.1.2:100981-02:sun4m:/usr/kvm/ps:97cc063bafa6aaf032cb1b67b444c5a8
md5:SunOS:4.1.3:Original Dist:sun4:/usr/kvm/ps:226ab466429f5d4de4f6a108bae1c518
md5:SunOS:4.1.3:Original Dist:sun4c:/usr/kvm/ps:83b369e5d8c34db4d5d6725140d0b216
md5:SunOS:4.1.3:100981-02:sun4:/usr/kvm/ps:a4809a70e66b415bae8a165dc4ffb185
md5:SunOS:4.1.3:100981-02:sun4c:/usr/kvm/ps:cf10e206de67755e801e4c9d96c239a9
md5:SunOS:4.1.3:100981-02:sun4m:/usr/kvm/ps:d6237550748855bee17ce96465cd1331
md5:SunOS:4.1.3_u1:Original Dist:sun4m:/usr/kvm/ps:92c3b1495ab80446ddb6979c890cee58
md5:SunOS:4.1.3_u1:Original Dist:sun4:/usr/kvm/ps:b14b75017dfe75ea1b89d147c6b49cb7
md5:SunOS:4.1.3_u1:Original Dist:sun4c:/usr/kvm/ps:e24eab973f1b1cfd6bf5b54310a2207f
md5:SunOS:4.1.3_u1:101442-01:sun4:/usr/kvm/ps:174731efb18020dacde9f205ad04a4bf
#/usr/etc/in.telnetd
md5:SunOS:4.0.3:100125-05:sun3:/usr/etc/in.telnetd:dce91901f9fd15f7f6f6c94fb7824428
md5:SunOS:4.0.3:100125-05:sun4:/usr/etc/in.telnetd:2e67031ad7984c22cfacc8a0b4c3d6ee
md5:SunOS:4.0.3c:100125-05:sun4c:/usr/etc/in.telnetd:943574a9befb9fac3fce2fc111f68d51
md5:SunOS:4.1:100125-05:sun3:/usr/etc/in.telnetd:2544753907d24a699c9cdfddcab0d2e3
md5:SunOS:4.1:100125-05:sun3x:/usr/etc/in.telnetd:3af506b9b02b6a299f5e081c3abfce1f
md5:SunOS:4.1:100125-05:sun4:/usr/etc/in.telnetd:5448303462518cca8390a84b5f312abe
md5:SunOS:4.1.1:Original Dist:sun3:/usr/etc/in.telnetd:333ffc49f21e675f3099772661549b7d
md5:SunOS:4.1.1:Original Dist:sun4:/usr/etc/in.telnetd:7706ba7270a28f3470ccbe965f8fc7a1
md5:SunOS:4.1.1:100125-05:sun3:/usr/etc/in.telnetd:c4dca8a653f60feaed63a25786aee2ed
md5:SunOS:4.1.1:100125-05:sun3x:/usr/etc/in.telnetd:6c409bd315711aae29b8285ffc4bb90c
md5:SunOS:4.1.1:100125-05:sun4:/usr/etc/in.telnetd:29f24e09ffebc36fb14f9fee4bf2d6fc
md5:SunOS:4.1.1:Original Dist:sun3x:/usr/etc/in.telnetd:503be2c540d03281fdada476d5b0b247
md5:SunOS:4.1.1:Original Dist:sun3:/usr/etc/in.telnetd:333ffc49f21e675f3099772661549b7d
md5:SunOS:4.1.1:Original Dist:sun4c:/usr/etc/in.telnetd:503be2c540d03281fdada476d5b0b247
md5:SunOS:4.1.2:Original Dist:sun4:/usr/etc/in.telnetd:913095f91bbf06e98635f964951e0e2d
md5:SunOS:4.1.2:Original Dist:sun4c:/usr/etc/in.telnetd:503be2c540d03281fdada476d5b0b247
md5:SunOS:4.1.2:Original Dist:sun4m:/usr/etc/in.telnetd:503be2c540d03281fdada476d5b0b247
md5:SunOS:4.1.3:Original Dist:sun4:/usr/etc/in.telnetd:b94ac90e4fe63f1c7a0199a27a7c4d80
md5:SunOS:4.1.3:Original Dist:sun4c:/usr/etc/in.telnetd:503be2c540d03281fdada476d5b0b247
md5:SunOS:4.1.3c:Original Dist:sun4:/usr/etc/in.telnetd:b94ac90e4fe63f1c7a0199a27a7c4d80
md5:SunOS:4.1.3c:Original Dist:sun4m:/usr/etc/in.telnetd:503be2c540d03281fdada476d5b0b247
md5:SunOS:4.1.3_u1:Original Dist:sun4:/usr/etc/in.telnetd:831c59628b1197c612f19289a786eaeb
#/usr/etc/ifconfig
md5:SunOS:4.1.1:Original Dist:sun3x:/usr/etc/ifconfig:c9fe06259a49a58edfc6f1fe68665990
md5:SunOS:4.1.1:Original Dist:sun3:/usr/etc/ifconfig:0da82be29c7173759316f51417fb420a
md5:SunOS:4.1.1:Original Dist:sun4:/usr/etc/ifconfig:c9fe06259a49a58edfc6f1fe68665990
md5:SunOS:4.1.2:Original Dist:sun4:/usr/etc/ifconfig:47d6e495207cc2b7037bd94a12cf565b
md5:SunOS:4.1.2:Original Dist:sun4c:/usr/etc/ifconfig:c9fe06259a49a58edfc6f1fe68665990
md5:SunOS:4.1.2:Original Dist:sun4m:/usr/etc/ifconfig:c9fe06259a49a58edfc6f1fe68665990
md5:SunOS:4.1.3:Original Dist:sun4:/usr/etc/ifconfig:de44e217c94fa4f4c6fdfbcae419cb8b
md5:SunOS:4.1.3:Original Dist:sun4c:/usr/etc/ifconfig:c9fe06259a49a58edfc6f1fe68665990
md5:SunOS:4.1.3c:Original Dist:sun4:/usr/etc/ifconfig:de44e217c94fa4f4c6fdfbcae419cb8b
md5:SunOS:4.1.3c:Original Dist:sun4m:/usr/etc/ifconfig:c9fe06259a49a58edfc6f1fe68665990
md5:SunOS:4.1.3_u1:Original Dist:sun4:/usr/etc/ifconfig:22d9340368aec82ebdd63518613bc6ab
#/usr/lib/libc.a
md5:SunOS:4.1.1:100267-09:sun3:/usr/5lib/libc.a:af8a721ca332754cdff2a1f1b74b8e8f
md5:SunOS:4.1.1:100267-09:sun3:/usr/5lib/libc_p.a:1b930986afb11494b4e1e0fd4f9540b0
md5:SunOS:4.1.1:100267-09:sun3:/usr/lib/libc.a:6b0ff2e11f3042d453ee502787ac29d7
md5:SunOS:4.1.1:100267-09:sun3:/usr/lib/libc_p.a:ad9bd3c42db06fb0c45674eaafc5c4f8
md5:SunOS:4.1.1:100267-09:sun4:/usr/5lib/libc.a:8c396b0695abb59fea66bc6615d9f101
md5:SunOS:4.1.1:100267-09:sun4:/usr/5lib/libc_p.a:d98a993e3f6c308f3679690dd4f5e8d7
md5:SunOS:4.1.1:100267-09:sun4:/usr/lib/libc.a:da7c2504a1cb5073d7e9bb7de580db32
md5:SunOS:4.1.1:100267-09:sun4:/usr/lib/libc_p.a:9879d72df71d9956f62f058ddf70d0f8
md5:SunOS:4.1.3_u1:Original Dist:sun4:/usr/5lib/libc.a:4daced1b11335f613bf7a5792bfeff77
md5:SunOS:4.1.3_u1:Original Dist:sun4:/usr/5lib/libc_p.a:bd2037193776678e48324f523064b95b
md5:SunOS:4.1.3_u1:Original Dist:sun4:/usr/lib/libc.a:ae4bcb481e7267c1def082ed6acf4bd9
md5:SunOS:4.1.3_u1:Original Dist:sun4:/usr/lib/libc_p.a:696c03eb30c696b712f38907d3c2ee45
md5:SunOS:4.1.1:Original Dist:sun4:/usr/5lib/libc.a:68686e4ed99b5dcf98ac4e3350ff6645
md5:SunOS:4.1.1:Original Dist:sun4:/usr/lib/libc.a:cbba2b6e294f0087a0b9116290946d46
md5:SunOS:4.1.1:Original Dist:sun3:/usr/5lib/libc.a:89b9040707c28810554dfaca6993e7d0
md5:SunOS:4.1.1:Original Dist:sun3:/usr/lib/libc.a:15d385b850be70a30077e66b67dc5f09
md5:SunOS:4.1.2:Original Dist:sun4:/usr/5lib/libc.a:e7ab3d2658611114833f25a4279db158
md5:SunOS:4.1.2:Original Dist:sun4:/usr/lib/libc.a:f95fabcdbaaf34ac3da6174e635724e3
md5:SunOS:4.1.3:Original Dist:sun4:/usr/5lib/libc.a:c6669804e4def2e1e49ad5628c52ee75
md5:SunOS:4.1.3:Original Dist:sun4:/usr/lib/libc.a:ab06bfd723df7802d25291576736ce23
md5:SunOS:4.1.3c:Original Dist:sun4:/usr/5lib/libc.a:5ef2ccf958dc6734c3e412127884c559
md5:SunOS:4.1.3c:Original Dist:sun4:/usr/lib/libc.a:6f5d5c343b262c03a3f976d2830f4d06
md5:SunOS:4.1.1:Original Dist:sun4:/usr/5lib/libc_p.a:21766ed7fdb431bb0435e48ea0764d42
md5:SunOS:4.1.1:Original Dist:sun4:/usr/lib/libc_p.a:709d9a093b637e64234a03f1c48583e7
md5:SunOS:4.1.1:Original Dist:sun3:/usr/5lib/libc_p.a:3e3fcdfeb1636c708f1a2fec14c13b9f
md5:SunOS:4.1.1:Original Dist:sun3:/usr/lib/libc_p.a:18f6043209f019ec58e50ab4f4771d40
md5:SunOS:4.1.2:Original Dist:sun4:/usr/5lib/libc_p.a:c0b13f61038a198e6be3c09e137dee0e
md5:SunOS:4.1.2:Original Dist:sun4:/usr/lib/libc_p.a:a40b2af6cde4734289f06d8325c8cf2e
md5:SunOS:4.1.3:Original Dist:sun4:/usr/5lib/libc_p.a:bb06ddd972dd5549a3d6cc38a9537893
md5:SunOS:4.1.3:Original Dist:sun4:/usr/lib/libc_p.a:72c8bee2000b2562225077784ea61bac
md5:SunOS:4.1.3c:Original Dist:sun4:/usr/5lib/libc_p.a:8ccee0cc285a298c713b8bace38da815
md5:SunOS:4.1.3c:Original Dist:sun4:/usr/lib/libc_p.a:157a7dc7a8fc77f1a5a06a85d3bab16c
#/usr/kvm/pstat
md5:SunOS:4.1.1:Original Dist:sun3x:/usr/kvm/pstat:a131828d02092ab56e98ac8d63b1125d
md5:SunOS:4.1.1:Original Dist:sun4:/usr/kvm/pstat:6de82bb539b54c2bd0be79dfc7712507
md5:SunOS:4.1.1:Original Dist:sun4c:/usr/kvm/pstat:5e6058397f8e86df7456e36ad54f9b1e
md5:SunOS:4.1.2:Original Dist:sun4c:/usr/kvm/pstat:a1cfc4f23be423aede09e23bcbf6268a
md5:SunOS:4.1.2:Original Dist:sun4m:/usr/kvm/pstat:c2abc2313450cfd72ccd93448fef967b
md5:SunOS:4.1.3:Original Dist:sun4:/usr/kvm/pstat:0076043c06cd24ae927128f02da9b935
md5:SunOS:4.1.3:Original Dist:sun4c:/usr/kvm/pstat:225d4542b70f15af39c96a4d3b48a631
md5:SunOS:4.1.3c:Original Dist:sun4m:/usr/kvm/pstat:e3a519a93a8b6a02fd6c64a6b3db476d
md5:SunOS:4.1.3_u1:Original Dist:sun4:/usr/kvm/pstat:2a1cbf06988208179adf132349c3a403
md5:SunOS:4.1.3_u1:Original Dist:sun4m:/usr/kvm/pstat:2f3af3afbfa5942575bbcb02b13ebac1
md5:SunOS:4.1.3_u1:Original Dist:sun4c:/usr/kvm/pstat:d15776947e0d60fc7d5ae755f65e779b
#/usr/etc/in.ftpd
md5:SunOS:4.1.1:Original Dist:sun3x:/usr/etc/in.ftpd:c95b40609c510cfcc65504972d1f3ae1
md5:SunOS:4.1.1:Original Dist:sun3:/usr/etc/in.ftpd:7ff869b0d0eeec61b08a81a085759681
md5:SunOS:4.1.1:Original Dist:sun4:/usr/etc/in.ftpd:7a17e92251d08c56d001a1f5654fcb35
md5:SunOS:4.1.1:Original Dist:sun4c:/usr/etc/in.ftpd:c95b40609c510cfcc65504972d1f3ae1
md5:SunOS:4.1.2:Original Dist:sun4:/usr/etc/in.ftpd:8b1bfb5ba15d2898fffa373b1005e7ff
md5:SunOS:4.1.2:Original Dist:sun4c:/usr/etc/in.ftpd:c95b40609c510cfcc65504972d1f3ae1
md5:SunOS:4.1.2:Original Dist:sun4m:/usr/etc/in.ftpd:c95b40609c510cfcc65504972d1f3ae1
md5:SunOS:4.1.3:Original Dist:sun4:/usr/etc/in.ftpd:79a29ae3f1deb02efb743d9cd39f6f2f
md5:SunOS:4.1.3:Original Dist:sun4c:/usr/etc/in.ftpd:c95b40609c510cfcc65504972d1f3ae1
md5:SunOS:4.1.3c:Original Dist:sun4:/usr/etc/in.ftpd:79a29ae3f1deb02efb743d9cd39f6f2f
md5:SunOS:4.1.3c:Original Dist:sun4m:/usr/etc/in.ftpd:c95b40609c510cfcc65504972d1f3ae1
md5:SunOS:4.1.3_u1:Original Dist:sun4:/usr/etc/in.ftpd:3e8f757252dd562ad80ae79e78d06fb7
#/usr/etc/in.rexecd
md5:SunOS:4.1.1:Original Dist:sun3x:/usr/etc/in.rexecd:fd51458be842565c712f8d57cf5a6f28
md5:SunOS:4.1.1:Original Dist:sun3:/usr/etc/in.rexecd:4d9811877f622348dd454172fbb40a66
md5:SunOS:4.1.1:Original Dist:sun4:/usr/etc/in.rexecd:fd51458be842565c712f8d57cf5a6f28
md5:SunOS:4.1.2:Original Dist:sun4:/usr/etc/in.rexecd:6d9f39193ac39bc9680a4fb44fdfb50f
md5:SunOS:4.1.2:Original Dist:sun4c:/usr/etc/in.rexecd:fd51458be842565c712f8d57cf5a6f28
md5:SunOS:4.1.2:Original Dist:sun4m:/usr/etc/in.rexecd:fd51458be842565c712f8d57cf5a6f28
md5:SunOS:4.1.3:Original Dist:sun4:/usr/etc/in.rexecd:37316f4d63faa445ea448ec7c670f94f
md5:SunOS:4.1.3:Original Dist:sun4c:/usr/etc/in.rexecd:fd51458be842565c712f8d57cf5a6f28
md5:SunOS:4.1.3c:Original Dist:sun4:/usr/etc/in.rexecd:37316f4d63faa445ea448ec7c670f94f
md5:SunOS:4.1.3c:Original Dist:sun4m:/usr/etc/in.rexecd:fd51458be842565c712f8d57cf5a6f28
md5:SunOS:4.1.3_u1:Original Dist:sun4:/usr/etc/in.rexecd:be66f45bb60f31aaa23377f23c66caca
#/usr/etc/in.rshd
md5:SunOS:4.1.1:Original Dist:sun3x:/usr/etc/in.rshd:3d81a586add92ef033088d928c7ae7dc
md5:SunOS:4.1.1:Original Dist:sun3:/usr/etc/in.rshd:17f91e72bbf70d5cf3e75a3068d5c461
md5:SunOS:4.1.1:Original Dist:sun4:/usr/etc/in.rshd:a4eb9385df064b9a751ede87fd0804a2
md5:SunOS:4.1.1:Original Dist:sun4c:/usr/etc/in.rshd:3d81a586add92ef033088d928c7ae7dc
md5:SunOS:4.1.2:Original Dist:sun4:/usr/etc/in.rshd:e45ab7d2dc4c3e7346292f85259c0432
md5:SunOS:4.1.2:Original Dist:sun4c:/usr/etc/in.rshd:3d81a586add92ef033088d928c7ae7dc
md5:SunOS:4.1.2:Original Dist:sun4m:/usr/etc/in.rshd:3d81a586add92ef033088d928c7ae7dc
md5:SunOS:4.1.3:Original Dist:sun4c:/usr/etc/in.rshd:3d81a586add92ef033088d928c7ae7dc
md5:SunOS:4.1.3:Original Dist:sun4:/usr/etc/in.rshd:686c2bb25752e6bec5090e2732a46207
md5:SunOS:4.1.3c:Original Dist:sun4:/usr/etc/in.rshd:686c2bb25752e6bec5090e2732a46207
md5:SunOS:4.1.3c:Original Dist:sun4m:/usr/etc/in.rshd:3d81a586add92ef033088d928c7ae7dc
md5:SunOS:4.1.3_u1:Original Dist:sun4:/usr/etc/in.rshd:e5ca89c51427d917690fbcc1395507b4
#/usr/etc/in.tftpd
md5:SunOS:4.1.1:Original Dist:sun3x:/usr/etc/in.tftpd:73ea84bdcff54ace0e601f5c3d2f90b0
md5:SunOS:4.1.1:Original Dist:sun3:/usr/etc/in.tftpd:ccec1773e5945a0b8397a74ec07112df
md5:SunOS:4.1.1:Original Dist:sun4:/usr/etc/in.tftpd:e6b495aec9b8a24f5e58ebc19fd1eec7
md5:SunOS:4.1.1:Original Dist:sun4c:/usr/etc/in.tftpd:73ea84bdcff54ace0e601f5c3d2f90b0
md5:SunOS:4.1.2:Original Dist:sun4:/usr/etc/in.tftpd:4b924bda12c61674771c84caa0fa1e80
md5:SunOS:4.1.2:Original Dist:sun4c:/usr/etc/in.tftpd:73ea84bdcff54ace0e601f5c3d2f90b0
md5:SunOS:4.1.2:Original Dist:sun4m:/usr/etc/in.tftpd:73ea84bdcff54ace0e601f5c3d2f90b0
md5:SunOS:4.1.3:Original Dist:sun4:/usr/etc/in.tftpd:bfaf4492223126181ca9333220cbcf02
md5:SunOS:4.1.3:Original Dist:sun4c:/usr/etc/in.tftpd:73ea84bdcff54ace0e601f5c3d2f90b0
md5:SunOS:4.1.3c:Original Dist:sun4:/usr/etc/in.tftpd:bfaf4492223126181ca9333220cbcf02
md5:SunOS:4.1.3c:Original Dist:sun4m:/usr/etc/in.tftpd:73ea84bdcff54ace0e601f5c3d2f90b0
md5:SunOS:4.1.3_u1:Original Dist:sun4:/usr/etc/in.tftpd:0ff3883f2b99f06d4f897347c58a79d9
#/usr/etc/inetd
md5:SunOS:4.1.1:Original Dist:sun3x:/usr/etc/inetd:c3a0f2bb985babcd43a438ce53de54ae
md5:SunOS:4.1.1:Original Dist:sun3:/usr/etc/inetd:0764c23ac95b4ea5a8683c8761337485
md5:SunOS:4.1.1:Original Dist:sun4:/usr/etc/inetd:c3a0f2bb985babcd43a438ce53de54ae
md5:SunOS:4.1.2:Original Dist:sun4:/usr/etc/inetd:e6054cbb343d21791c6457e78822d5f1
md5:SunOS:4.1.2:Original Dist:sun4c:/usr/etc/inetd:c3a0f2bb985babcd43a438ce53de54ae
md5:SunOS:4.1.2:Original Dist:sun4m:/usr/etc/inetd:c3a0f2bb985babcd43a438ce53de54ae
md5:SunOS:4.1.3:Original Dist:sun4:/usr/etc/inetd:c3a923cbf5023b48ffdef3d043190a81
md5:SunOS:4.1.3:Original Dist:sun4c:/usr/etc/inetd:c3a0f2bb985babcd43a438ce53de54ae
md5:SunOS:4.1.3c:Original Dist:sun4:/usr/etc/inetd:c3a923cbf5023b48ffdef3d043190a81
md5:SunOS:4.1.3c:Original Dist:sun4m:/usr/etc/inetd:c3a0f2bb985babcd43a438ce53de54ae
md5:SunOS:4.1.3_u1:Original Dist:sun4:/usr/etc/inetd:722d3e46a2f8e52ffadd7450fbbd1438
#/usr/bin/newgrp
md5:SunOS:4.1.1:Original Dist:sun3:/usr/bin/newgrp:e3d6e9d43345372f5aa0d5c96570b155
md5:SunOS:4.1.1:Original Dist:sun4:/usr/bin/newgrp:d3749b2a6e99f14feede9430d1feee46
md5:SunOS:4.1.2:Original Dist:sun4:/usr/bin/newgrp:875e7cf58cec91c6fb44ec6e5d89ef0f
md5:SunOS:4.1.3:Original Dist:sun4:/usr/bin/newgrp:7c0aad251ccb8de9c050d53c823f334f
md5:SunOS:4.1.3c:Original Dist:sun4:/usr/bin/newgrp:7c0aad251ccb8de9c050d53c823f334f
md5:SunOS:4.1.3_u1:Original Dist:sun4:/usr/bin/newgrp:04edbbb4d06bf056c4959d3b85560fe6
#/usr/bin/passwd
md5:SunOS:4.1.1:Original Dist:sun3:/usr/bin/passwd:11499df2dfc4f75c5466e09b64fe1097 md5:SunOS:4.1.1:Original Dist:sun4:/usr/bin/passwd:d4e3ee198d6e3934bc2356ce495e77c7 md5:SunOS:4.1.2:Original Dist:sun4:/usr/bin/passwd:2dcec1f0e106354a85058f4c2c66e2bd md5:SunOS:4.1.3:Original Dist:sun4:/usr/bin/passwd:6fdb875b621de4dbffab6f6782ec2ba3 md5:SunOS:4.1.3c:Original Dist:sun4:/usr/bin/passwd:6fdb875b621de4dbffab6f6782ec2ba3 md5:SunOS:4.1.3_u1:Original Dist:sun4:/usr/bin/passwd:97f3231b48d6e29b829357b72043aadc #/usr/bin/su md5:SunOS:4.1.1:Original Dist:sun3:/usr/bin/su:829e4e39edc3a8d299f5525c866dc324 md5:SunOS:4.1.1:Original Dist:sun4:/usr/bin/su:94b0bc99dcb9dcdbc3e8ece7e127a906 md5:SunOS:4.1.2:Original Dist:sun4:/usr/bin/su:23fe0a40ec522c5add89cd6ab2731170 md5:SunOS:4.1.3:Original Dist:sun4:/usr/bin/su:0d2f5665c9befdf2f7aeafa4d77266bb md5:SunOS:4.1.3c:Original Dist:sun4:/usr/bin/su:0d2f5665c9befdf2f7aeafa4d77266bb md5:SunOS:4.1.3_u1:Original Dist:sun4:/usr/bin/su:c49812d55df4712194f832f099d40aa7 #Shared Libraries md5:SunOS:4.1.1:Original Dist:sun4:/usr/5lib/libc.so.2.6:1d66abbac68785d6f8fa8ff53200845e md5:SunOS:4.1.1:Original Dist:sun4:/usr/lib/libc.so.1.6:d4dc2514248834d95ee6b5c77a7eda86 md5:SunOS:4.1.1:Original Dist:sun3:/usr/5lib/libc.so.1.15:26c5c2e8b147f3f6d96bdff369853cad md5:SunOS:4.1.1:Original Dist:sun3:/usr/lib/libc.so.0.15:2262f263e711bff2bd4d9d6f87ea5edd md5:SunOS:4.1.2:Original Dist:sun4:/usr/5lib/libc.so.2.7:b1e624d4293907511e4ee9e8e77e74dd md5:SunOS:4.1.2:Original Dist:sun4:/usr/lib/libc.so.1.7:76c095597088ee5bc82a2c1ce0a419ce md5:SunOS:4.1.3:Original Dist:sun4:/usr/5lib/libc.so.2.8:d3c8366dca51488864cc8d80c106f190 md5:SunOS:4.1.3:Original Dist:sun4:/usr/lib/libc.so.1.8:aabfb3300f2d872cdc6d9fb10514e246 md5:SunOS:4.1.3c:Original Dist:sun4:/usr/5lib/libc.so.2.8:af3584319d80525c2ca8e8ea8920d131 md5:SunOS:4.1.3c:Original Dist:sun4:/usr/lib/libc.so.1.8:91a8dde1c328e474ec08557c211a4dcb md5:SunOS:4.1.3_u1:Original 
Dist:sun4:/usr/5lib/libc.so.2.9:722852b7e5df15de70e3c1a1f96c04d9 md5:SunOS:4.1.3_u1:Original Dist:sun4:/usr/lib/libc.so.1.9:2d5bc65422472f7d4119712ccf795bf3 -------------------------------------------------------------------- Appendix C: "cpm" The CPM 1.0 README File cpm - check for promiscuous mode in network interfaces. Copyright (c) Carnegie Mellon University 1994 Thursday Feb 3 1994 CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 This program is free software; you can distribute it and/or modify it as long as you retain the Carnegie Mellon copyright statement. It can be obtained via anonymous FTP from info.cert.org:pub/tools/cpm.tar.Z. This program is distributed WITHOUT ANY WARRANTY and without an IMPLIED WARRANTY of merchantability or fitness for a particular purpose. This package contains: README MANIFEST cpm.1 cpm.c To create cpm under SunOS, type: % cc -Bstatic -o cpm cpm.c On machines that support dynamic loading, such as Sun's, CERT recommends that programs be statically linked so that this feature is disabled. CERT recommends that after you install cpm in your favorite directory, you take measures to ensure the integrity of the program by noting the size and checksums of the source code and resulting binary. The following is an example of the output of cpm and its exit status. Running cpm on a machine where both the le0 and le2 interfaces are in promiscuous mode, under csh(1): % cpm le0 le2 % echo $status 2 % Running cpm on a machine where no interfaces are in promiscuous mode, under csh(1): % cpm % echo $status 0 % ------------------------------------------------------------- Appendix D: "SunOS security patches" Solaris and SunOS Security Patch Information For information about rdist see CIAC Bulletin C-04. For information about integer division under SunOS see CIAC Bulletin B-41. 
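The check that cpm performs (read each interface's flag word and report the ones with the promiscuous bit set, exiting with the count) is simple enough to restate for a Linux host. The following is an added example written for this page, not CERT's cpm.c; it uses the Linux SIOCGIFFLAGS ioctl number and /sys/class/net for interface discovery, and the interface names and flag words in the sample dictionary are constructed, not read from any real machine.

```python
"""cpm-style promiscuous-mode check for Linux (added example, not CERT's cpm.c).
Exit status is the number of interfaces found in promiscuous mode, matching
the README's csh(1) transcript above."""
import fcntl
import os
import socket
import struct
import sys

SIOCGIFFLAGS = 0x8913   # Linux ioctl number; SunOS uses a different request code
IFF_PROMISC = 0x100     # the flag a packet sniffer sets on the interface


def read_ifflags(ifname: str) -> int:
    """Return the interface flag word via ioctl(SIOCGIFFLAGS), as cpm does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        req = struct.pack("256s", ifname.encode()[:15])     # struct ifreq, name first
        res = fcntl.ioctl(s.fileno(), SIOCGIFFLAGS, req)
    return struct.unpack("16sH", res[:18])[1]               # ifr_flags follows ifr_name


def promiscuous_from_flags(flags_by_if: dict) -> list:
    """Pure check: names of interfaces whose flag word has IFF_PROMISC set."""
    return [name for name, flags in flags_by_if.items() if flags & IFF_PROMISC]


def cpm_status(flags_by_if: dict) -> int:
    """The exit status cpm reports: how many interfaces are promiscuous."""
    return len(promiscuous_from_flags(flags_by_if))


def list_interfaces() -> list:
    """All interfaces the kernel knows about (Linux sysfs)."""
    return sorted(os.listdir("/sys/class/net"))


def main(argv: list) -> int:
    names = argv[1:] or list_interfaces()
    flags = {n: read_ifflags(n) for n in names}
    for name in promiscuous_from_flags(flags):
        print(name)
    return cpm_status(flags)


# Constructed sample: le0 and le2 carry IFF_PROMISC (0x100), le1 does not.
SAMPLE_FLAGS = {"le0": 0x1143, "le1": 0x1043, "le2": 0x1103}

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

One caveat a defender should know: on current Linux kernels, IFF_PROMISC in the flag word is only set when promiscuous mode was requested through SIOCSIFFLAGS; a capture tool that uses a packet socket membership instead raises the interface's promiscuity counter without setting the flag, so `ip -d link show` (which prints that counter) is the more reliable check there. The exit-status convention (0 means no promiscuous interfaces) is what makes this usable from a cron job or a monitoring script.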
Previous CIAC notices are available on the Internet via anonymous FTP from
irbis.llnl.gov (IP address 128.115.19.60).

CIAC has compiled a list of all security related patches currently available
from Sun Microsystems. The patches have been grouped by SunOS version and are
detailed below. CIAC recommends the installation of any applicable patches
that either are not currently present on a system or are present in the form
of an older version of the patch.

SunOS security patches are available through both your Sun Answer Center and
anonymous FTP. In the U.S., ftp to ftp.uu.net (IP address 192.48.96.9) and
retrieve the patches from the directory /systems/sun/sun-dist. In Europe, ftp
to ftp.eu.net (IP address 192.16.202.2) and retrieve the patches from the
/sun/fixes directory. The patches are contained in compressed tarfiles with
filenames based on the ID number of the patch (e.g. patch 100085-03 is
contained in the file 100085-03.tar.Z), and must be retrieved using FTP's
binary transfer mode.

After obtaining the patches, compute the checksum of each compressed tarfile
and compare with the values indicated below. For example, the command
"/usr/bin/sum 100085-03.tar.Z" should return "44177 740". Please note that
Sun Microsystems occasionally updates patch files, resulting in a changed
checksum. If you should find a checksum that differs from those listed below,
please contact Sun Microsystems or CIAC for verification before using the
patch.

The patches may be extracted from the compressed tarfiles using the commands
uncompress and tar. For example, to extract patch 100085-03 from the
compressed tarfile 100085-03.tar.Z, execute the commands
"uncompress 100085-03.tar.Z" and "tar -xvf 100085-03.tar". For specific
instructions regarding the installation of a particular patch, consult the
README file accompanying each patch.
As multiple patches may affect the same files, it is recommended that patches
be installed chronologically by revision date, with the exception of patches
for which an explicit order is specified.

=======================
SunOS 5.3 (Solaris 2.3)
=======================

Patch ID   Last Revised   Checksum     Description
--------   ------------   ---------    -------------------------------------
101371-03  23-Dec-93      51272 377    sendmail vulnerabilities

=======================
SunOS 5.2 (Solaris 2.2)
=======================

Patch ID   Last Revised   Checksum     Description
--------   ------------   ---------    -------------------------------------
101090-01  28-Jun-93      44985 54     expreserve can overwrite any file
101301-01  21-Oct-93      4703 779     tar archives may contain extraneous info
101077-06  23-Dec-93      28185 358    sendmail vulnerabilities

=======================
SunOS 5.1 (Solaris 2.1)
=======================

Patch ID   Last Revised   Checksum     Description
--------   ------------   ---------    -------------------------------------
100833-02  12-Jan-93      24412 309    C2 auditing missing in some programs
100840-01  12-Jan-93      25050 220    sendmail bypasses mailhost
100884-01  12-Feb-93      63299 5220   Security fixes for sun4m machines
101089-01  28-Jun-93      4501 54      expreserve can overwrite any file
100975-02  21-Oct-93      13460 747    tar archives may contain extraneous info
100840-06  23-Dec-93      61100 390    sendmail vulnerabilities

=======================
SunOS 5.0 (Solaris 2.0) is no longer supported (upgrade is essential for
security)
=======================

===========
SunOS 4.1.3
===========

Patch ID   Last Revised   Checksum     Description
--------   ------------   ---------    -------------------------------------
100478-01  14-Feb-92      64588 58     OpenWindows 3.0 xlock vulnerability
100296-04  18-Jun-92      15271 40     File systems exported incorrectly
100507-04  3-Sep-92       57590 61     tmpfs file system vulnerability
100372-02  8-Sep-92       22739 712    tfs fails under C2
100103-11  29-Sep-92      19847 6      Permissions incorrect on many files
100567-04  27-Oct-92      15728 11     ICMP packets can be forged
100564-05  11-Nov-92      00115 824    C2 jumbo patch
100482-04  16-Nov-92      06594 342    ypserv will send NIS maps to anyone
100513-02  2-Dec-92       34315 483    Console can be redirected
100623-03  11-Dec-92      56063 141    NFS file handles can be guessed
100173-10  7-Jan-93       48086 788    NFS jumbo patch
100383-06  26-Jan-93      58984 121    rdist can create setuid root files
100452-28  29-Jan-93      07299 1688   cmdtool may reveal passwords
100305-11  12-Feb-93      38582 500    The lp daemon can delete system files
100891-01  19-Feb-93      33195 3075   Netgroup and xlock vulnerabilities
100224-06  5-Mar-93       57647 54     mail and rmail can invoke root shells
101080-01  9-Jun-93       45221 13     expreserve can overwrite any file
100448-02  15-Dec-93      19410 5      OpenWindows 3.0 loadmodule hole
101200-02  15-Dec-93      41677 28     Security hole in modload
100377-08  23-Dec-93      05320 755    sendmail vulnerabilities
100593-03  17-Mar-94      52095 242    dump vulnerabilities
100272-07  17-Mar-94      26553 39     in.comsat vulnerabilities
101480-01  17-Mar-94      47917 44     in.talkd vulnerabilities
101481-01  17-Mar-94      46562 80     shutdown vulnerabilities
100909-02  17-Mar-94      61539 108    syslogd vulnerabilities
101482-01  17-Mar-94      61148 41     write vulnerabilities

===========
SunOS 4.1.2
===========

Patch ID   Last Revised   Checksum     Description
--------   ------------   ---------    -------------------------------------
100184-02  14-Dec-90      06627 33     OpenWindows 2.0 vulnerability
100478-01  14-Feb-92      64588 58     OpenWindows 3.0 xlock vulnerability
100630-01  18-May-92      28074 39     Environment variables vulnerability
100633-01  22-May-92      33264 20     Environment variables with Sun's ARM
100296-04  18-Jun-92      15271 40     File systems exported incorrectly
100376-04  16-Jul-92      12884 100    Integer division vulnerability
100507-04  3-Sep-92       57590 61     tmpfs file system vulnerability
100372-02  8-Sep-92       22739 712    tfs fails under C2
100103-11  29-Sep-92      19847 6      Permissions incorrect on many files
100567-04  27-Oct-92      15728 11     ICMP packets can be forged
100564-05  11-Nov-92      00115 824    C2 jumbo patch
100482-04  16-Nov-92      06594 342    ypserv will send NIS maps to anyone
100513-02  2-Dec-92       34315 483    Console can be redirected
100623-03  11-Dec-92      56063 141    NFS file handles can be guessed
100173-10  7-Jan-93       48086 788    NFS jumbo patch
100383-06  26-Jan-93      58984 121    rdist can create setuid root files
100452-28  29-Jan-93      07299 1688   cmdtool may reveal passwords
100305-11  12-Feb-93      38582 500    The lp daemon can delete system files
100224-06  5-Mar-93       57647 54     mail and rmail can invoke root shells
101080-01  9-Jun-93       45221 13     expreserve can overwrite any file
100448-02  15-Dec-93      19410 5      OpenWindows 3.0 loadmodule hole
101200-02  15-Dec-93      41677 28     Security hole in modload
100377-08  23-Dec-93      05320 755    sendmail vulnerabilities
100593-03  17-Mar-94      52095 242    dump vulnerabilities
100272-07  17-Mar-94      26553 39     in.comsat vulnerabilities
101480-01  17-Mar-94      47917 44     in.talkd vulnerabilities
101481-01  17-Mar-94      46562 80     shutdown vulnerabilities
100909-02  17-Mar-94      61539 108    syslogd vulnerabilities
101482-01  17-Mar-94      61148 41     write vulnerabilities

===========
SunOS 4.1.1
===========

Patch ID   Last Revised   Checksum     Description
--------   ------------   ---------    -------------------------------------
100085-03  5-Sep-90       44177 740    Sunview selection_svc vulnerability
100184-02  14-Dec-90      06627 33     OpenWindows 2.0 vulnerability
100125-05  8-Jul-91       41964 164    telnet permits password capture
100424-01  12-Nov-91      63070 50     NFS file handles can be guessed
100448-01  10-Dec-91      29285 5      OpenWindows 3.0 loadmodule hole
100478-01  14-Feb-92      64588 58     OpenWindows 3.0 xlock vulnerability
100630-01  18-May-92      28074 39     Environment variables vulnerability
100633-01  22-May-92      33264 20     Environment variables with Sun's ARM
100296-04  18-Jun-92      42492 40     File systems exported incorrectly
100376-04  16-Jul-92      12884 100    Integer division vulnerability
100507-04  3-Sep-92       57590 61     tmpfs file system vulnerability
100372-02  8-Sep-92       22739 712    tfs fails under C2
100103-11  29-Sep-92      19847 6      Permissions incorrect on many files
100567-04  27-Oct-92      15728 11     ICMP packets can be forged
100201-06  5-Nov-92       13145 164    C2 jumbo patch
100267-09  6-Nov-92       55338 5891   Netgroup membership check fails
100482-04  16-Nov-92      06594 342    ypserv will send NIS maps to anyone
100513-02  2-Dec-92       34315 483    Console can be redirected
100173-10  7-Jan-93       48086 788    NFS jumbo patch
100383-06  26-Jan-93      58984 121    rdist can create setuid root files
100452-28  29-Jan-93      07299 1688   cmdtool may reveal passwords
100305-11  12-Feb-93      38582 500    The lp daemon can delete system files
100224-06  5-Mar-93       57647 54     mail and rmail can invoke root shells
101080-01  9-Jun-93       45221 13     expreserve can overwrite any file
100448-02  15-Dec-93      19410 5      OpenWindows 3.0 loadmodule hole
101200-02  15-Dec-93      41677 28     Security hole in modload
100377-08  23-Dec-93      05320 755    sendmail vulnerabilities
100593-03  17-Mar-94      52095 242    dump vulnerabilities
100272-07  17-Mar-94      26553 39     in.comsat vulnerabilities
101480-01  17-Mar-94      47917 44     in.talkd vulnerabilities
101481-01  17-Mar-94      46562 80     shutdown vulnerabilities
100909-02  17-Mar-94      61539 108    syslogd vulnerabilities
101482-01  17-Mar-94      61148 41     write vulnerabilities

=========
SunOS 4.1
=========

Patch ID   Last Revised   Checksum     Description
--------   ------------   ---------    -------------------------------------
100101-02  7-Aug-90       42872 34     ptrace security vulnerability
100085-03  5-Sep-90       44177 740    Sunview selection_svc vulnerability
100184-02  14-Dec-90      06627 33     OpenWindows 2.0 vulnerability
100125-05  8-Jul-91       41964 164    telnet permits password capture
100630-01  18-May-92      28074 39     Environment variables vulnerability
100376-04  16-Jul-92      12884 100    Integer division vulnerability
100103-11  29-Sep-92      19847 6      Permissions incorrect on many files
100567-04  27-Oct-92      15728 11     ICMP packets can be forged
100201-06  5-Nov-92       13145 164    C2 jumbo patch
100482-04  16-Nov-92      06594 342    ypserv will send NIS maps to anyone
100513-02  2-Dec-92       34315 483    Console can be redirected
100383-06  26-Jan-93      58984 121    rdist can create setuid root files
100452-28  29-Jan-93      07299 1688   cmdtool may reveal passwords
100305-11  12-Feb-93      38582 500    The lp daemon can delete system files
100121-09  24-Feb-93      57589 360    NFS jumbo patch
101080-01  9-Jun-93       45221 13     expreserve can overwrite any file
100448-02  15-Dec-93      19410 5      OpenWindows 3.0 loadmodule hole
101200-02  15-Dec-93      41677 28     Security hole in modload
100377-08  23-Dec-93      05320 755    sendmail vulnerabilities
100593-03  17-Mar-94      52095 242    dump vulnerabilities
100272-07  17-Mar-94      26553 39     in.comsat vulnerabilities
101480-01  17-Mar-94      47917 44     in.talkd vulnerabilities
101481-01  17-Mar-94      46562 80     shutdown vulnerabilities
100909-02  17-Mar-94      61539 108    syslogd vulnerabilities
101482-01  17-Mar-94      61148 41     write vulnerabilities

======================
SunOS 4.0.3c, 4.0.3, 4.0.2i, 4.0.2, and 4.0.1 are no longer supported
(upgrade is essential for security)
======================

----------------------------------------------------------

Appendix E: One-time Passwords

The following information was compiled by the CERT Coordination Center.

Given today's networked environments, CIAC recommends that sites concerned
about the security and integrity of their systems and networks consider
moving away from standard, reusable passwords. CIAC has seen many incidents
involving Trojan network programs (e.g., telnet and rlogin) and network
packet sniffing programs. These programs capture clear-text hostname, account
name, password triplets. Intruders can use the captured information for
subsequent access to those hosts and accounts. This is possible because
1) the password is used over and over (hence the term "reusable"), and
2) the password passes across the network in clear text.

Several authentication techniques have been developed that address this
problem. Among these techniques are challenge-response technologies that
provide passwords that are only used once (commonly called one-time
passwords). This document provides a list of sources for products that
provide this capability.
The decision to use a product is the responsibility of each organization,
and each organization should perform its own evaluation and selection.

I. Public Domain packages

S/KEY(TM)

The S/KEY package is publicly available (no fee) via anonymous FTP from:

        thumper.bellcore.com    /pub/skey directory

There are four subdirectories:

        skey    UNIX source code for S/KEY. Includes the change needed to
                login, and stand-alone commands (such as "key") that compute
                the one-time password for the user, given the secret password
                and the S/KEY command.
        dos     DOS or DOS/WINDOWS S/KEY programs. Includes DOS version of
                "key" and "termkey", which is a TSR program.
        mac     One-time password calculation utility for the Mac.
        docs    Documentation.

II. Commercial Products

Secure Net Key (SNK) (Do-it-yourself project)

        Digital Pathways, Inc.
        201 Ravendale Dr.
        Mountainview, Ca. 94043-5216
        USA
        Phone: 415-964-0707
        Fax:   415-961-7487

        Products: handheld authentication calculators (SNK004)
                  serial line auth interruptors (guardian)

        Note: Secure Net Key (SNK) is des-based, and therefore restricted
        from US export.

Secure ID (complete turnkey systems)

        Security Dynamics
        One Alewife Center
        Cambridge, MA 02140-2312
        USA
        Phone: 617-547-7820
        Fax:   617-354-8836

        Products: SecureID changing number authentication card
                  ACE server software

        SecureID is time-synchronized using a 'proprietary' number
        generation algorithm.

WatchWord and WatchWord II

        Racal-Guardata
        480 Spring Park Place
        Herndon, VA 22070
        703-471-0892
        1-800-521-6261 ext 217

        Products: Watchword authentication calculator
                  Encrypting modems
                  Alpha-numeric keypad, digital signature capability

SafeWord

        Enigma Logic, Inc.
        2151 Salvio #301
        Concord, CA 94520
        510-827-5707
        Fax: 510-827-2593

        Products: DES Silver card authentication calculator
                  SafeWord Multisync card authentication calculator

        Available for UNIX, VMS, MVS, MS-DOS, Tandem, Stratus, as well as
        other OS versions. Supports one-time passwords and super smartcards
        from several vendors.
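Appendix E explains why a reusable password captured by a sniffer is reusable by the intruder, and names S/KEY as a one-time-password scheme that closes that gap. The following added example (written for this page; it is not Bellcore's S/KEY code) shows the mechanism behind it: a hash chain in which the server stores only the current chain value, the client proves knowledge of the secret by producing the previous value, and a captured response is worthless because the server has already moved past it. S/KEY proper (RFC 1760) uses MD4 and renders values as six short words; this example uses MD5 with the RFC 2289 folding step because Python's hashlib may not ship MD4, and keeps values as bytes. The secret, seed and sequence numbers used are constructed.

```python
"""One-time-password hash chain in the S/KEY style (added example, not the
S/KEY package). MD5 stands in for S/KEY's MD4; the chain logic is the same."""
import hashlib
import secrets


def fold64(digest: bytes) -> bytes:
    """Fold a 16-byte digest to 8 bytes by XORing its two halves (RFC 2289's
    MD5 fold; S/KEY does the same to an MD4 digest)."""
    return bytes(x ^ y for x, y in zip(digest[:8], digest[8:]))


def otp_step(value: bytes) -> bytes:
    """One link of the chain: hash, then fold."""
    return fold64(hashlib.md5(value).digest())


def otp(secret: str, seed: str, n: int) -> bytes:
    """The n-th one-time password: the step applied n more times to
    fold(hash(seed || secret)). Only a party holding the secret can compute
    it; the server never needs the secret at all."""
    v = otp_step((seed.lower() + secret).encode())
    for _ in range(n):
        v = otp_step(v)
    return v


class OtpServer:
    """Server-side record: seed, current sequence number and the last value
    accepted. Nothing here lets an intruder derive the next response."""

    def __init__(self, seed: str, seq: int, last: bytes):
        self.seed, self.seq, self.last = seed, seq, last

    def challenge(self) -> str:
        """The login prompt; the client needs only the secret to answer."""
        if self.seq == 0:
            raise RuntimeError("chain exhausted: re-enrol with a new seed")
        return f"otp-md5 {self.seq - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        """Accept iff one more chain step on the response reproduces the
        stored value; then the response becomes the stored value. A replayed
        response fails because the chain has already moved past it."""
        if self.seq == 0 or otp_step(response) != self.last:
            return False
        self.last = response
        self.seq -= 1
        return True


def enrol(secret: str, n: int, seed: str = None) -> OtpServer:
    """Initialise a server record with the n-th value of a fresh chain."""
    seed = seed or secrets.token_hex(4)          # constructed seed if none given
    return OtpServer(seed, n, otp(secret, seed, n))


def client_answer(secret: str, challenge: str) -> bytes:
    """What the 'key' program computes from 'otp-md5 <seq> <seed>'."""
    _, seq, seed = challenge.split()
    return otp(secret, seed, int(seq))


if __name__ == "__main__":
    srv = enrol("correct horse battery", 99, seed="ll94abcd")   # constructed
    prompt = srv.challenge()
    answer = client_answer("correct horse battery", prompt)
    print(prompt, "->", answer.hex(), "accepted:", srv.verify(answer))
    print("same answer again accepted:", srv.verify(answer))
```

The property the appendix is after is visible in `verify`: the value that crosses the network is accepted exactly once, so the hostname/account/password triplet a sniffer records cannot be reused. What the scheme does not give you is protection against an active attacker who intercepts a session after login, which is why the appendix frames it as a step away from reusable passwords rather than a complete answer.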
______________________________________________________________________________

CIAC wishes to acknowledge the contributions of CERT Coordination Center for
their timely and thorough advisory, detection tool, diligence and support
throughout this ongoing incident. Our thanks also to Mark Graff, Sun
Microsystems; Tony Bartoletti, SPI Project Leader; and members of FIRST for
their assistance.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:

    Voice:    510-422-8193
    FAX:      510-423-8002
    STU-III:  510-423-2604
    E-mail:   ciac@llnl.gov

Previous CIAC Bulletins and other information are available via anonymous FTP
from irbis.llnl.gov (IP address 128.115.19.60).

CIAC has two self-subscribing mailing lists for its two types of electronic
publications:

1. Advisories (highest priority, time critical information) or Bulletins
   (important computer security information) and
2. Notes (computer security articles of general interest).

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send E-mail to: ciac-listproc@llnl.gov
with the following request as the E-mail message body, substituting
CIAC-BULLETIN or CIAC-NOTES for (service) and valid information for the other
items in parentheses:

    subscribe (service) (Full_Name) (Phone_number)
______________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations
and their constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body containing
the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.

_____________________________________________________
                The U.S. Department of Energy
           Computer Incident Advisory Capability
                    ___  __ __    _     ___
                   /       |     / \   /
                   \___  __|__  /___\  \___
_____________________________________________________

                        ADVISORY NOTICE

        Sun Announces Patches for /etc/utmp Vulnerability

March 21, 1994 1200 PST                                      Number E-13
______________________________________________________________________________

PROBLEM:   Vulnerability in SunOS /etc/utmp.
PLATFORM:  SunOS 4.1.x systems (but not SunOS 4.1.3_U1 or Solaris 2.x).
DAMAGE:    Manipulation of /etc/utmp can result in unauthorized root access.
SOLUTION:  Retrieve and install applicable patches.
______________________________________________________________________________

VULNERABILITY ASSESSMENT: CIAC considers this vulnerability serious and
advises all system administrators to install these security patches
immediately. This vulnerability is being actively exploited on the Internet.
______________________________________________________________________________

Critical Information about Sun Patches

CIAC has received information from Sun Microsystems regarding the availability
of six patches which will fix the /etc/utmp vulnerability. The following text
is from the Sun Microsystems Security Bulletin #00126:

SunOS 4.1.x systems have been found to be vulnerable to an attack on the
/etc/utmp file. The manipulation of this file, which on SunOS 4.1.x systems is
world-writable, can result in unauthorized root access for the attacker. We
are releasing today patches to several utilities which close that security
hole, identified as bug 1140162. If the new patches are installed, no other
changes--such as making the /etc/utmp file not world-writable--are necessary
to close the security hole. We recommend that all of the patches be installed.

Solaris 2.x systems, including Solaris x86 systems, are not susceptible to
this attack. SunOS 4.1.3_U1 (Solaris 1.1.1) systems are also not susceptible.
The patches were integrated into that system before it was released.

The table below contains patch numbers and checksums for the six patches.
Program    Patch ID   BSD        SVR4       MD5 Digital Signature
                      Checksum   Checksum
-------    ---------  ---------  ---------  --------------------------------
dump       100593-03  52095 242  41650 484  CDBA530226E8735FAE2BD9BCBFA47DD0
in.comsat  100272-07  26553 39   64651 78   912FF4A0CC8D16A10EECBD7BE102D45C
in.talkd   101480-01  47917 44   32598 88   5C3DFD6F90F739100CFA4AA4C97F01DF
shutdown   101481-01  46562 80   56079 159  BFC257EC795D05646FFA733D1C03855B
syslogd    100909-02  61539 108  38239 216  B5F70772384A3E58678C9C1F52D81190
write      101482-01  61148 41   48636 81   F93276529AA9FC25B35679EBF00B2D6F

The filename for each patch consists of the Patch ID followed by ".tar.Z".
For example, the filename for the dump patch is 100593-03.tar.Z.

The checksums shown in the table are from the BSD-based checksum program
distributed with the system software (on 4.1.x, /bin/sum; on Solaris 2.x,
/usr/ucb/sum) and from the SVR4 version checksum program distributed with
Solaris 2.x (/usr/bin/sum). MD5 software can be retrieved via anonymous FTP
from irbis.llnl.gov in the file /pub/util/crypto/md5.tar (MD5 checksum:
B6B90CC7C56353FC643DF25B6F730D21).

Individuals with Sun support contracts may obtain these patches from their
local Sun Answer Center or from SunSolve Online. Security patches are also
available without a support contract via anonymous FTP from ftp.uu.net (IP
address 192.48.96.9) in the directory /systems/sun/sun-dist.
______________________________________________________________________________

CIAC would like to thank Mark Graff of Sun Microsystems for the information
contained in this advisory.
______________________________________________________________________________
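Three places on this page ask the reader to compare a downloaded or installed file against a published value: Appendix B's list of MD5 digests for SunOS binaries, Appendix D's instruction to run /usr/bin/sum on each patch tarfile, and the table above (and the wuarchive ftpd notice later on the page), which give the BSD sum, the SVR4 sum and the MD5 digest together. The following added example, written for this page and not part of any CIAC or Sun tool, implements both sum algorithms and the MD5 comparison, and parses the Appendix B line format so an installed binary can be checked against the list. The two list lines embedded as SAMPLE_LIST are copied from Appendix B; the byte strings used in the test are constructed.

```python
"""Checksum verification for the values published in these advisories
(added example, not CIAC or Sun code)."""
import hashlib


def bsd_sum(data: bytes) -> str:
    """BSD 'sum' (SunOS 4.1.x /bin/sum, Solaris /usr/ucb/sum): 16-bit
    rotate-right-then-add over every byte, block count in 1024-byte units.
    Returns the "checksum blocks" form the tables use."""
    cksum = 0
    for b in data:
        cksum = (cksum >> 1) + ((cksum & 1) << 15)   # rotate right one bit
        cksum = (cksum + b) & 0xFFFF
    return f"{cksum:05d} {(len(data) + 1023) // 1024}"


def svr4_sum(data: bytes) -> str:
    """System V 'sum' (Solaris 2.x /usr/bin/sum): byte sum folded into 16 bits
    with end-around carry, block count in 512-byte units."""
    total = sum(data)
    r = (total & 0xFFFF) + ((total & 0xFFFFFFFF) >> 16)
    cksum = (r & 0xFFFF) + (r >> 16)
    return f"{cksum} {(len(data) + 511) // 512}"


def sums_match(expected: str, actual: str) -> bool:
    """Compare two "checksum blocks" strings numerically, so '4703 779' and
    '04703 779' (both spellings occur in the tables) agree."""
    try:
        e = [int(x) for x in expected.split()]
        a = [int(x) for x in actual.split()]
    except ValueError:
        return False
    return len(e) == 2 and e == a


def verify_tarfile(data: bytes, bsd: str = None, svr4: str = None,
                   md5hex: str = None) -> dict:
    """Check one downloaded tarfile body against whichever published values
    exist: Appendix D lists only the BSD sum, E-13 and E-14 list all three.
    The result carries a key only for each value that was supplied."""
    result = {}
    if bsd is not None:
        result["bsd"] = sums_match(bsd, bsd_sum(data))
    if svr4 is not None:
        result["svr4"] = sums_match(svr4, svr4_sum(data))
    if md5hex is not None:
        result["md5"] = hashlib.md5(data).hexdigest() == md5hex.lower()
    return result


def parse_md5_list(text: str) -> list:
    """Parse Appendix B's 'md5:OS:version:Original Dist:arch:path:digest'
    lines; '#' lines are section comments naming the program."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or fields[0] != "md5":
            raise ValueError(f"unrecognised entry: {line}")
        _, osname, version, dist, arch, path, digest = fields
        entries.append({"os": osname, "version": version, "dist": dist,
                        "arch": arch, "path": path, "md5": digest.lower()})
    return entries


def expected_md5(entries: list, version: str, arch: str, path: str):
    """The listed digest for this version/architecture/path, or None when the
    list has no such entry (not every binary is listed for every arch)."""
    for e in entries:
        if (e["version"], e["arch"], e["path"]) == (version, arch, path):
            return e["md5"]
    return None


def check_binary(entries: list, version: str, arch: str, path: str,
                 data: bytes) -> str:
    """'ok', 'MISMATCH' or 'unlisted' for the contents of one installed binary."""
    want = expected_md5(entries, version, arch, path)
    if want is None:
        return "unlisted"
    return "ok" if hashlib.md5(data).hexdigest() == want else "MISMATCH"


# Two lines copied from Appendix B above, to exercise the parser on real input.
SAMPLE_LIST = """\
#/usr/etc/in.ftpd
md5:SunOS:4.1.3:Original Dist:sun4:/usr/etc/in.ftpd:79a29ae3f1deb02efb743d9cd39f6f2f
#/usr/bin/su
md5:SunOS:4.1.3:Original Dist:sun4:/usr/bin/su:0d2f5665c9befdf2f7aeafa4d77266bb
"""

if __name__ == "__main__":
    import sys
    # usage: verify.py 100085-03.tar.Z "44177 740" [svr4sum] [md5hex]
    body = open(sys.argv[1], "rb").read()
    args = sys.argv[2:] + [None] * 3
    print(verify_tarfile(body, bsd=args[0], svr4=args[1], md5hex=args[2]))
```

A "MISMATCH" from `check_binary` means the installed file differs from the distribution copy, which is exactly the condition Appendix B's list exists to surface; it does not by itself say whether the cause is a Sun patch, a local rebuild or a replaced binary, so the next step is to account for the change from patch records before treating the host as compromised. A failed `verify_tarfile` on a freshly downloaded patch is the case the Appendix D text addresses: stop and confirm the value with Sun or CIAC rather than installing.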
______________________________________________________________________________

CIAC has two self-subscribing mailing lists for its two types of electronic
publications:

1. Advisories (highest priority, time critical information) or Bulletins
   (important computer security information) and
2. Notes (computer security articles of general interest).

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send E-mail to: ciac-listproc@llnl.gov
with the following request as the E-mail message body, substituting
CIAC-BULLETIN or CIAC-NOTES for (service) and valid information for the other
items in parentheses:

    subscribe (service) (Full_Name) (Phone_number)

You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or get
help. Currently, to subscribe to both you must send two separate requests.

To subscribe an address which is a distribution list, first subscribe the
person responsible for your distribution list. You will receive an
acknowledgment, containing address and initial PIN. Change the address to be
the distribution list address by sending a second E-mail request. As the body
of this message, send the following request, substituting valid information
for items in parenthesis:

    set (service) address (PIN) (distribution_list_address)
______________________________________________________________________________

_____________________________________________________
                The U.S. Department of Energy
           Computer Incident Advisory Capability
                    ___  __ __    _     ___
                   /       |     / \   /
                   \___  __|__  /___\  \___
_____________________________________________________

                        Advisory Notice

                  wuarchive ftpd Trojan Horse

April 6, 1994 1640 PST                                       Number E-14
______________________________________________________________________________

PROBLEM:   Some copies of wuarchive FTP daemon (ftpd) source have been
           modified and contain a Trojan horse.
PLATFORM:  UNIX machines running wuarchive ftpd version 2.2 or earlier.
DAMAGE:    Root access may be obtained.
SOLUTION: Disable the wuarchive ftpd, then retrieve and install wuarchive ftpd version 2.3 ASSESSMENT OF VULNERABILITY: Intruders have used this Trojan horse to obtain root access to computers on the Internet. ______________________________________________________________________________ Critical Information about wuarchive ftpd Trojan Horse CIAC has received information that some copies of of the wuarchive FTP daemon (ftpd) versions 2.2 and 2.1f have been modified at the source code level to contain a Trojan horse. This Trojan allows any user, local or remote, to become root on the affected UNIX system. CIAC strongly recommends that all sites running these or older versions of the wuarchive ftpd retrieve and install version 2.3. It is possible that versions previous to 2.2 and 2.1f contain the Trojan as well. If the new version cannot be installed in a timely manner, all FTP service should be disabled, since this Trojan affects all systems that are running the wuarchive ftpd, whether or not the system provides anonymous ftp service. Sites can obtain version 2.3 via anonymous FTP from ftp.uu.net, in the file /networking/ftp.wuarchive-ftpd/wu-ftpd-2.3.tar.Z. The BSD Checksum for this file is 24416 181, the SVR4 Checksum for this file is 30488 361, and the MD5 Digital Signature is e58adc5ce0b6eae34f3f2389e9dc9197. ______________________________________________________________________________ For additional information or assistance, please contact CIAC: Voice: 510-422-8193 FAX: 510-423-8002 STU-III: 510-423-2604 E-mail: ciac@llnl.gov Previous CIAC Bulletins and other information are available via anonymous FTP from irbis.llnl.gov (IP address 128.115.19.60). ______________________________________________________________________________ CIAC has two self-subscribing mailing lists for its two types of electronic publications: 1. Advisories (highest priority, time critical information) or Bulletins (important computer security information) and 2. 
   Notes (computer security articles of general interest).

Our mailing lists are managed by a public domain software package called ListProcessor, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send E-mail to: ciac-listproc@llnl.gov with the following request as the E-mail message body, substituting CIAC-BULLETIN or CIAC-NOTES for (service) and valid information for the other items in parentheses:

   subscribe (service) (Full_Name) (Phone_number)

You will receive an acknowledgment containing address, initial PIN, and information on how to change either of them, cancel your subscription, or get help. Currently, to subscribe to both you must send two separate requests.

To subscribe an address which is a distribution list, first subscribe the person responsible for your distribution list. You will receive an acknowledgment, containing address and initial PIN. Change the address to the distribution list by sending a second E-mail request. As the body of this message, send the following request, substituting valid information for items in parentheses:

   set (service) address (PIN) (distribution_list_address)
______________________________________________________________________________

CIAC wishes to acknowledge and thank the contribution of the CERT Coordination Center for their timely advisory on this vulnerability.
______________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization.
______________________________________________________________________________

_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
_____________________________________________________

INFORMATION BULLETIN

FTP Daemon Vulnerabilities

April 14, 1994 1130 PDT                                 Number E-17
______________________________________________________________________________

PROBLEM:  Vulnerabilities in several implementations of the FTP daemon.
PLATFORM: Unix systems with the following implementations of the FTP daemon: DECWRL ftpd versions before 5.93, wuarchive ftpd versions 2.0-2.3, and BSDI ftpd version 1.1 prior to patch 5.
DAMAGE:   Anyone (remote or local) can gain root access on a host running a vulnerable daemon.
SOLUTION: Upgrade to a secure version of the FTP daemon.
______________________________________________________________________________

VULNERABILITY ASSESSMENT: Details of these vulnerabilities are being actively discussed on several Internet mailing lists. CIAC urges affected sites to upgrade immediately.
______________________________________________________________________________

Critical Information about FTP Daemon Vulnerabilities

CIAC has received information concerning the existence of two vulnerabilities in FTP daemons derived from the DECWRL ftpd source code. The following FTP daemons are known to be vulnerable:

   - DECWRL ftpd versions before 5.93
   - wuarchive ftpd versions 2.0-2.3
   - BSDI ftpd version 1.1 prior to patch 5

The first vulnerability involves the SITE EXEC command feature of these FTP daemons. It only affects those daemons in which the SITE EXEC functions have been explicitly activated; they are not enabled by default. The vulnerability allows any user, remote or local, to execute commands as root on the system running the FTP daemon.

The second vulnerability is the result of a race condition in the daemon. It allows the creation of setuid root files on the FTP server, permitting unauthorized access to the system.

There is no known workaround to remove both vulnerabilities; therefore, CIAC strongly advises affected sites to upgrade to one of the versions of the daemon listed below. If an upgrade cannot be completed in a timely manner, FTP service should be disabled by commenting out the ftp configuration line in /etc/inetd.conf and restarting inetd. Disabling only anonymous FTP does not remove the vulnerabilities.

Upgrade Information
===================

Version 2.4 of wuarchive ftpd is available via anonymous FTP from wuarchive.wustl.edu in the directory /packages/wuarchive-ftpd.
A patch to upgrade from version 2.3 to 2.4 is also available:

   File               BSD Checksum   SVR4 Checksum   MD5 Digital Signature
   -----------------  -------------  --------------  --------------------------------
   wu-ftpd-2.4.tar.Z  38213 181      20337 362       cdcb237b71082fa23706429134d8c32e
   patch_2.3-2.4.Z    09291 8        51092 16        5558a04d9da7cdb1113b158aff89be8f

Version 5.93 of DECWRL ftpd is available via anonymous FTP from gatekeeper.dec.com in the directory /pub/misc/vixie:

   File               BSD Checksum   SVR4 Checksum   MD5 Digital Signature
   -----------------  -------------  --------------  --------------------------------
   ftpd.tar.gz        38443 60       1710 119        ae624eb607b4ee90e318b857e6573500

For BSDI systems, patch 005 should be applied to version 1.1 of the BSD/386 software. The patch file is available via anonymous FTP from ftp.bsdi.com in the directory /bsdi/patches-1.1:

   File               BSD Checksum   SVR4 Checksum   MD5 Digital Signature
   -----------------  -------------  --------------  --------------------------------
   BU110-005          35337 272      54935 543       1f454d4d9d3e1397d1eff0432bd383cf
______________________________________________________________________________

CIAC wishes to thank the CERT Coordination Center for their response to this problem.
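The interim workaround E-17 gives (comment out the ftp entry in /etc/inetd.conf, then make inetd reread the file) is easy to get wrong by hand; the following is an added example, not CIAC's or any vendor's code, that applies it to a constructed inetd.conf fragment and reports which services inetd would still start. Matching is on the whole first field, so disabling ftp leaves tftp untouched, and already-commented lines are not touched twice.

```python
# Constructed sample of an /etc/inetd.conf fragment (not taken from any real host).
# The 'ftp' entry is the one E-17 says to comment out; 'tftp' must be left alone.
SAMPLE_INETD_CONF = """\
# inetd.conf - internet server configuration
ftp     stream  tcp     nowait  root    /usr/etc/in.ftpd        in.ftpd -l
telnet  stream  tcp     nowait  root    /usr/etc/in.telnetd     in.telnetd
tftp    dgram   udp     wait    root    /usr/etc/in.tftpd       in.tftpd -s /tftpboot
#finger stream  tcp     nowait  nobody  /usr/etc/in.fingerd     in.fingerd
"""


def disable_inetd_service(conf_text: str, service: str) -> tuple[str, int]:
    """Comment out every active inetd.conf entry whose first field is exactly `service`.

    Returns the rewritten file text and the number of entries disabled.
    Comparing the whole first field (not a prefix) is deliberate: disabling
    'ftp' must not disable 'tftp'. Lines that are already comments are kept as-is,
    so running this twice is harmless.
    """
    out_lines = []
    disabled = 0
    for line in conf_text.splitlines(keepends=True):
        stripped = line.lstrip()
        if stripped and not stripped.startswith("#"):
            first_field = stripped.split(None, 1)[0]
            if first_field == service:
                line = "#" + line
                disabled += 1
        out_lines.append(line)
    return "".join(out_lines), disabled


def active_services(conf_text: str) -> list[str]:
    """Names of the services inetd would still start from this configuration."""
    names = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            names.append(stripped.split(None, 1)[0])
    return names


if __name__ == "__main__":
    new_conf, count = disable_inetd_service(SAMPLE_INETD_CONF, "ftp")
    print(f"disabled {count} entry; still active: {active_services(new_conf)}")
    # On a real host: write new_conf back to /etc/inetd.conf and send inetd a
    # SIGHUP (kill -HUP <inetd pid>) so it rereads the file; this is the
    # "restarting inetd" step in the bulletin. Verify afterwards that
    # active_services() no longer lists 'ftp'.
```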
______________________________________________________________________________

_____________________________________________________
The U.S.
Department of Energy Computer Incident Advisory Capability
_____________________________________________________

INFORMATION BULLETIN

Sun Announces Patches for automountd Vulnerability

May 5, 1994 1200 PDT                                    Number E-18
______________________________________________________________________________

PROBLEM:  Vulnerability in Solaris 2.3 "automountd".
PLATFORM: Sun: Solaris 2.3 only. No other Sun OSs are affected.
DAMAGE:   The vulnerability allows a user with an unprivileged account to get root access on a Solaris 2.3 system.
SOLUTION: Retrieve and install the indicated patch.
______________________________________________________________________________

VULNERABILITY ASSESSMENT: As of the date of this bulletin, Sun has had no reports of this hole being exploited, but the hole is serious, and CIAC strongly recommends that this patch be installed.
______________________________________________________________________________

Critical Information about Sun Patches

CIAC has received information from Sun Microsystems regarding the availability of Sun patch 101329-15 which will fix the automountd vulnerability. The following text is from the Sun Microsystems Security Bulletin #00127a, which supersedes bulletin #00127 issued on 5/4/94.

Patch 101329-15 fixes a bug in the Solaris 2.3 version of automountd which allows a user with an unprivileged account on a 2.3 system to gain root access. No reports of this vulnerability being exploited have yet come to the attention of this office. We nevertheless recommend that all affected customers close this very serious security hole.

The automountd fix is bundled into the Solaris 2.3 jumbo NIS+ patch. The first version of the patch to contain the security fix was 101329-10; but we recommend the installation of the latest version (currently 101329-15). This bug is not found in any other SunOS version, including Solaris x86. The fix has been integrated into the upcoming Solaris 2.4 release.
NOTE: The original version of this bulletin, issued yesterday, referred to version -13 of the patch as the latest. Shortly after the bulletin was issued, however, version -15 (skipping -14) was released, superseding the earlier version on SunSolve. For that reason--and also to correct a last-minute typographical error--we are issuing this revised bulletin. We apologize for the error and regret any inconvenience.

To assist those who have already installed version -13 in deciding whether to install -15 as well, we provide here a summary of the bugs first fixed in the newer version. None specifically relate to security.

   1163847  automountd doesn't work with Apollo pathnames which start with //
   1153274  machine panics with recursive mutex_enter while using automounter
   1156518  Cannot mount mvs/nfs mounts using autofs under Solaris 2.2 & 2.3.

The following table contains the checksums for the NIS+ patch (#101329-15).
______________________________________________________________________________

   File Name        BSD Checksum   SVR4 Checksum   MD5 Digital Signature
   101329-15.tar.Z  55492 843      46189 1685      19AA042484727A5DE9CB21199858071A
______________________________________________________________________________

The checksums shown in the table are from the BSD-based checksum program distributed with the system software (on 4.1.x, /bin/sum; on Solaris 2.x, /usr/ucb/sum) and from the SVR4 version checksum program distributed with Solaris 2.x (/usr/bin/sum). MD5 software can be retrieved via anonymous FTP from irbis.llnl.gov in the file /pub/util/crypto/md5.tar (MD5 checksum of md5.tar: B6B90CC7C56353FC643DF25B6F730D21).

Individuals with Sun support contracts may obtain these patches from their local Sun Answer Center or from SunSolve Online. Security patches are also available without a support contract via anonymous FTP from ftp.uu.net (IP address 192.48.96.9) in the directory /systems/sun/sun-dist.
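E-14, E-17 and E-18 all publish three values per file (a BSD checksum, an SVR4 checksum and an MD5 digest), and the paragraph above names the programs that produce the first two. The following is an added example, not code from CIAC or Sun, that reimplements both sum algorithms (as the BSD sum and SVR4 sum utilities compute them: a 16-bit right-rotating accumulator over 1 KiB blocks, and a plain byte sum folded into 16 bits over 512-byte blocks) and checks a downloaded file against the published triple. The sample bytes and their "published" values are constructed here; only MD5 has any real integrity value, the two sum checksums mainly catch transfer corruption.

```python
import hashlib


def bsd_sum(data: bytes) -> tuple[int, int]:
    """Checksum and 1 KiB block count as printed by the BSD sum program
    (/bin/sum on SunOS 4.1.x, /usr/ucb/sum on Solaris 2.x).

    The 16-bit accumulator is rotated right by one bit before each byte is added.
    """
    checksum = 0
    for byte in data:
        checksum = (checksum >> 1) + ((checksum & 1) << 15)  # rotate right 1 bit
        checksum = (checksum + byte) & 0xFFFF
    blocks = (len(data) + 1023) // 1024
    return checksum, blocks


def sysv_sum(data: bytes) -> tuple[int, int]:
    """Checksum and 512-byte block count as printed by the SVR4 sum program
    (/usr/bin/sum on Solaris 2.x): the plain byte sum, folded twice into 16 bits.
    """
    total = sum(data)
    folded = (total & 0xFFFF) + ((total & 0xFFFFFFFF) >> 16)
    checksum = (folded & 0xFFFF) + (folded >> 16)
    blocks = (len(data) + 511) // 512
    return checksum, blocks


def parse_published_sum(published: str) -> tuple[int, int]:
    """Turn a bulletin value such as '24416 181' into (checksum, blocks).

    Leading zeros as in '09291 8' are accepted, so compare numerically, not as text.
    """
    checksum, blocks = published.split()
    return int(checksum), int(blocks)


def verify_download(data: bytes, bsd: str, sysv: str, md5_hex: str) -> dict[str, bool]:
    """Compare the bytes of a downloaded file with the three published values.

    Every entry must be True before the archive is unpacked; a single mismatch
    means the file is not the one the bulletin describes (corrupted or replaced).
    MD5 digests are compared case-insensitively because E-18 prints them in
    upper case and E-14/E-17 in lower case.
    """
    return {
        "bsd": bsd_sum(data) == parse_published_sum(bsd),
        "sysv": sysv_sum(data) == parse_published_sum(sysv),
        "md5": hashlib.md5(data).hexdigest() == md5_hex.strip().lower(),
    }


if __name__ == "__main__":
    # Constructed sample; these "published" values are what the three programs
    # produce for exactly these bytes, not figures taken from any bulletin.
    sample = b"abc"
    print("BSD  sum:", bsd_sum(sample))
    print("SVR4 sum:", sysv_sum(sample))
    print("MD5     :", hashlib.md5(sample).hexdigest())
    print(verify_download(sample, "16556 1", "294 1",
                          "900150983CD24FB0D6963F7D28E17F72"))
```

To check a real download, read the file in binary mode and pass the bulletin's three strings; the file name is not part of any of the checksums.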
______________________________________________________________________________

CIAC would like to thank Mark Graff of Sun Microsystems for the information contained in this advisory.
_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
_____________________________________________________

ADVISORY NOTICE

nVir A Virus Found on CD-ROM

May 5, 1994 1500 PDT                                    Number E-19
______________________________________________________________________________

PROBLEM:  The Macintosh nVir A virus has been found in the "README." file on the Journal of Vacuum Science & Technology CD-ROM Vol.12 1Q94.
PLATFORM: Macintosh, all versions of the operating system. This virus has no effect on the MS-DOS files also on the disk.
DAMAGE:   The virus can easily infect your computer.
SOLUTION: Check with publisher, do not execute "README." file.
______________________________________________________________________________

VULNERABILITY ASSESSMENT: This CD-ROM is included as part of the American Vacuum Society's (AVS) journal distribution, and is distributed to members of the AVS. The virus is not overtly damaging, but does damage the system and applications during infection.
______________________________________________________________________________

Critical Information about the CD-ROM distribution, and the nVir A Virus

CIAC has investigated a report of a virus in the CD-ROM distribution of a technical journal, The Journal of Vacuum Science & Technology A&B (Second Series Volume 12, 1994), which apparently was inadvertently infected with the nVir A virus before production of the CD-ROM. All known copies of this CD-ROM distribution are infected with this Macintosh virus. The CD-ROM can be identified by the following titles printed on the disk:

   A title in large bold type:  "JVST A&B Vol. 12 1Q94"
   A subtitle in small type:    "JVST-A Vol 12(1) and 12(2) JVST-B, Vol 12(1)"

The infected file is "README." in the root directory of the CD-ROM, which is a DOCMaker Stand-Alone document reader application. This file is the one referred to in the instruction manual to run for viewing or printing the user manual; however, doing so will infect the system file of your Macintosh. This disk can also be read via a PC using DOS or Windows, but those systems will be unaffected, because the nVir A virus is specific to the Macintosh operating system.

The nVir A virus is a virus that at first only replicates, but after a certain number of executions it has a small chance of saying "Don't Panic" if MacinTalk is installed, or having the computer beep if MacinTalk is not installed. It is not an intentionally destructive virus, but does damage the system and applications during the infection process. Infected systems occasionally crash, and printing is often delayed or damaged.

CIAC recommends that if you have received this CD-ROM, you immediately mark it as containing a Macintosh computer virus, and do not run the "README." file in the root directory. If you are using this disk on a PC system, you do not need to worry as the PC files on this disk are not infected.
If you have already run this infected file, get a copy of an anti-virus program such as Disinfectant, and scan your hard disk for infected files. Replace all the infected files that you can, and repair those that you cannot replace. If your hard disk has been infected, you must scan every floppy disk that has been in your system since the infection occurred.

Even though the CD-ROM contains an infected file, the file can only infect your system if it is executed. The other files on the disk can still be installed and used without causing an infection. To install the Adobe Acrobat document reader on your Macintosh, run the Installer program in the JVST_94:install:mac:reader folder. To install the search utility, run the JVST_INSTALL;1 program in the JVST_94:install:mac:wordkeep directory. You can also view the README.DOC file, which contains the instructions for using the PC and Windows versions of the reader, using a word processor. Only the "README." file must be avoided.

If you must access the data in the infected "README." file, carefully copy the file to a floppy disk and repair it using an anti-virus utility such as Disinfectant, and then scan it again to ensure it has been repaired. If the repaired file is no longer infected, you may then run it to view the document. Again, do not run the copy of the "README." file that is on the CD-ROM, as it is still infected, and cannot be repaired due to the read-only nature of the CD-ROM.

The publisher has sent a letter to all known recipients of this CD-ROM distribution explaining this problem.
______________________________________________________________________________

CIAC wishes to thank Judy Lim, Rick Stulen and Art Pontau of Sandia National Labs for first bringing this to our attention and for supplying us with a copy of the CD-ROM. CIAC also wishes to thank the ASSIST team for helping us to contact the publishers of this journal.
_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
_____________________________________________________

INFORMATION BULLETIN

Trojan Attack on Chinon CD-ROM Drives

May 6, 1994 1200 PDT                                    Number E-20
______________________________________________________________________________

PROBLEM:  A Trojan-horse program, CD-IT.ZIP, masquerading as an improved driver for Chinon CD-ROM drives, corrupts system files and the hard disk.
PLATFORM: All MS-DOS and PC-DOS machines.
DAMAGE:   Once in memory, the program destroys system files, requiring a format of the infected drive to correct.
SOLUTION: Do not execute the program in CD-IT.ZIP.
______________________________________________________________________________

VULNERABILITY ASSESSMENT: The program is not dangerous if not run, but can cause serious damage to a hard drive if it is. As of this date, we don't know of any anti-virus software that recognizes it.
______________________________________________________________________________

Critical Information about the CD-IT.ZIP Trojan

CIAC has received information from Chinon America regarding a Trojan-horse program masquerading as an improved driver for Chinon CD-ROM drives. The following text is the press release from Chinon America:

TORRANCE, CALIFORNIA, U.S.A., 1994 APR 29 (NB) -- A new "Trojan Horse" computer virus is on the Internet and is labeled with the name of the fourth largest manufacturer of compact disc read-only memory (CD-ROM) drives. Chinon America, Incorporated, the company whose name has been improperly used on the rogue program, is warning IBM and compatible personal computer (PC) users to beware of the program known as "CD-IT.ZIP."

A Chinon CD-ROM drive user brought the program to the company's attention after downloading it from a Baltimore, Maryland Fidonet server. One of the clues that the virus, masquerading as a utility program, wasn't on the up-and-up was that it purports "to enable read/write to your CD-ROM drive," a physically impossible task.

CD-IT is listed as authored by Joseph S. Shiner, couriered by HDA, and copyrighted by Chinon Products. Chinon America told Newsbytes it has no division by that name. Other clues were obscenities in the documentation as well as a line indicating that HDA stands for Haven't Decided a Name Yet.

David Cole, director of research and development for Chinon, told Newsbytes that the company knows of no one who has actually been infected by the program. Cole said the virus isn't particularly clever or dynamic, but none of the virus software the company tried was able to eradicate the rogue program. Chinon officials declined to comment on what antivirus software programs were used.

If CD-IT is actually run, it causes the computer to lock up, forcing a reboot, and then stays in memory, corrupting critical system files on the hard disk.
Nothing but a high-level reformat of the hard disk drive will eradicate the virus at this point, a move that sacrifices all data on the drive. It will also corrupt any network volumes available.

"We felt that it was our responsibility as a member of the computing community to alert Internet users of this dangerous virus that is being distributed with our name on it. Even though we have nothing to do with the virus, it is particularly disturbing for us to think that many of our loyal customers could be duped into believing that the software is ours," Cole explained.

Chinon is encouraging anyone who might have information that could lead to the arrest and prosecution of the parties responsible for CD-IT to call the company at 310-533-0274. In addition, the company has notified the major distributors of virus protection software, such as Symantec and McAfee Associates, so they may update their programs to detect and eradicate CD-IT.

(Linda Rohrbough/19940429/Press Contact: Rolland Going, The Terpin Group for Chinon, tel 310-798-7875, fax 310-798-7825; Public Contact: Chinon, CD-IT Information, 310-533-0274)

CIAC recommends that if you find a copy of the file CD-IT.ZIP, you do not install it on your computer. If you have already installed and run the file, shut down your machine immediately. Check with your anti-virus vendor to see if they have a scanner/repair utility available. If not, boot from a clean, locked floppy. If you can still access your hard disk, back up any important files that were not included in your last backup, reformat the drive and restore it from your last backup. CIAC is currently obtaining a copy of this Trojan from Chinon, and will make any new information about this Trojan available in a future copy of CIAC Notes.
______________________________________________________________________________

CIAC would like to thank Chinon America for the information contained in this advisory and Brian Lev of NASIRC for forwarding it to us.
_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
_____________________________________________________

Information Bulletin

Vulnerability in HP-UX systems with HP Vue 3.0

May 18, 1994 1615 PDT                                   Number E-23b
______________________________________________________________________________

PROBLEM:  A vulnerability exists in HP-UX systems with HP Vue 3.0.
PLATFORM: HP 9000 series 300/400/700/800 at HP-UX revision 9.x, with HP Vue 3.0.
DAMAGE:   Local users can raise their privileges to superuser (root) level.
SOLUTION: Apply the appropriate patch for your system.
______________________________________________________________________________

VULNERABILITY ASSESSMENT: CIAC recommends that this patch be installed on all systems which have HP Vue 3.0, whether it is in use or not.
______________________________________________________________________________

Critical Information about vulnerability in HP-UX systems with HP Vue 3.0

CIAC has received information regarding a vulnerability in HP9000 computers
at revision 9.x which contain HP Vue 3.0. This vulnerability can allow a
local user to obtain root access. CIAC recommends that if you have Vue 3.0 on
your system you apply the following patch appropriate to your system. For an
HP 9000 series 300/400 computer, apply patch PHSS_4055; for an HP 9000 series
700/800 computer, apply patch PHSS_4066.

Patches can be obtained in one of three ways:

  1. Obtain the patch via E-mail from the HP SupportLine Mail Service. Send
     the words, without quotes, "send PHSS_4055" (or "send PHSS_4066") in the
     TEXT PORTION of a message addressed to support@support.mayfield.hp.com
     (no subject line is required). The patch will be E-mailed back to you.

  2. Download the patch from support.mayfield.hp.com. To do this, follow the
     instructions in the document located on irbis.llnl.gov:
     ~/pub/ciac/ciacdoc/e-fy94/HPACCESS.TXT-how-to-download-HP-patches.

  3. Contact your local HP Response Center. They will provide you with the
     patch.

The complete instructions for applying the patch are in the file
PHSS_40xx.text, supplied with the patch release. Checksums for the patch are
included with the release.

After installing the patch, examine /tmp/update.log for any relevant WARNING
or ERROR messages. To do this, from the shell prompt type
"tail -60 /tmp/update.log | more" and page through the screens via the space
bar, looking for WARNING or ERROR messages.

ATTENTION: This bulletin contains updated information received from
Hewlett-Packard after the electronic version was distributed. Patch PHSS_4066
supersedes PHSS_4038, and directions to download the patch have been included.
______________________________________________________________________________

CIAC would like to thank the CERT-NL for first alerting us to the existence
of this vulnerability and for technical information about this vulnerability,
and John Morris of Hewlett-Packard for patch information and availability.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:

    Voice:    510-422-8193
    FAX:      510-423-8002
    STU-III:  510-423-2604
    E-mail:   ciac@llnl.gov

CIAC has several self-subscribing mailing lists for electronic publications:

  1. CIAC-BULLETIN for Advisories, highest priority - time critical
     information and Bulletins, important computer security information;
  2. CIAC-NOTES for Notes, a collection of computer security articles;
  3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
     software updates, new features, distribution and availability;
  4. SPI-NOTES, an unmoderated forum for discussion of problems and
     solutions regarding the use of SPI products.

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send the following request as the
E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or
SPI-NOTES for "list-name" and valid information for "LastName" "FirstName"
and "PhoneNumber" when sending E-mail to ciac-listproc@llnl.gov:

    subscribe list-name LastName, FirstName PhoneNumber

    e.g.: subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or
get help.
______________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations
and their constituencies can be obtained by sending E-mail to
first-request@first.org with an empty subject line and a message body
containing the line: send first-contacts.

_____________________________________________________
             The U.S. Department of Energy
         Computer Incident Advisory Capability
_____________________________________________________

                  INFORMATION BULLETIN

     Security Patch Kits for ULTRIX, DECnet-ULTRIX and OSF/1

May 18, 1994 1530 PDT                                           Number E-24
______________________________________________________________________________

PROBLEM:   Digital Equipment Corporation has identified vulnerabilities in
           ULTRIX v4.3 and v4.4, DECnet-ULTRIX v4.2, and OSF/1 v1.2 through
           v2.0.
PLATFORM:  Digital's VAX and RISC based workstations.
DAMAGE:    Users may obtain unauthorized access or privilege.
SOLUTION:  Upgrade software; install patches available from DEC.
______________________________________________________________________________

VULNERABILITY  Similar vulnerabilities have been exploited on systems
ASSESSMENT:    connected to the Internet. Digital recommends sites upgrade
               older versions and/or install the appropriate fix
               immediately.
______________________________________________________________________________

Critical Information about Vulnerabilities in ULTRIX, DECnet-ULTRIX and OSF/1

CIAC has been advised by the Software Security Response Team (SSRT) of
Digital Equipment Corporation of security patches for their ULTRIX,
DECnet-ULTRIX and OSF/1 products. SSRT requests that their advisory be
reprinted without change [only minor corrections were necessary-ed].

============================ Begin SSRT Advisory =============================

SOURCE:   Digital Equipment Corporation - ( DSIN / DSNlink FLASH MAIL )
          Software Security Response Team                        17.MAY.94

PRODUCT:  ULTRIX Versions 4.3, 4.3A, V4.4
          DECnet-ULTRIX Version 4.2
          DEC OSF/1 Versions 1.2, 1.3, 1.3A, 2.0

ADVISORY INFORMATION:

SUBJECT:  Security Enhanced Kit for DECNET-ULTRIX V4.2, ULTRIX V4.3
          (VAX/RISC), ULTRIX V4.3A (RISC), ULTRIX V4.4 (VAX/RISC), ULTRIX
          Worksystem Software and DEC OSF/1 V1.2 - V2.0

IMPACT:   Potential security vulnerabilities exist where, under certain
          circumstances, user access or privilege may be expanded.

SOLUTION: ULTRIX:    Upgrade/Install ULTRIX to a minimum of V4.4 and install
                     the Security Enhanced Kit
          DEC OSF/1: Upgrade/Install to a minimum of V1.2 and install the
                     Security Enhanced Kit
________________________________________________________________________________

These kits are available from Digital Equipment Corporation by contacting
your normal Digital support channel or by request via DSNlink for electronic
transfer.
________________________________________________________________________________

IMPACT:

Digital has discovered the existence of potential software security
vulnerabilities in the ULTRIX V4.3, V4.3a, V4.4 and DEC OSF/1 V1.2, V1.3,
V2.0 Operating Systems, and in DECnet-ULTRIX V4.2. These potential
vulnerabilities were discovered as a result of evaluating recent reports of
potential security vulnerabilities which were distributed on the INTERNET and
as a result of Digital's continued engineering efforts. The solutions to
these vulnerabilities have been included in the next release of ULTRIX and
DEC OSF/1.

The kits have been created to correct potential software security
vulnerabilities which, under certain circumstances may expand user access or
privilege. Digital Equipment Corporation strongly urges Customers to upgrade
to a minimum of ULTRIX V4.4 and DEC OSF/1 V2.0 then apply the Security
Enhanced Kit.

- Please refer to the applicable Release Note information prior to upgrading
  your installation.
________________________________________________________________________________

KIT PART NUMBERS and DESCRIPTIONS

CSC PATCH #
    CSCPAT_4060 V1.0    ULTRIX V4.3 thru V4.4 (Includes DECnet-ULTRIX V4.2)
    CSCPAT_4061 V1.0    DEC OSF/1 V1.2 thru V2.0
_______________________________________________________________
These kits will not install on versions previous to ULTRIX V4.3 or
DEC OSF/1 V1.2.
_______________________________________________________________
________________________________________________________________________________

The ULTRIX Security Enhanced kit replaces the following images:

    /usr/etc/comsat           ULTRIX V4.3, V4.3a, V4.4
    /usr/ucb/lpr                 "      "
    /usr/bin/mail                "      "
    /usr/lib/sendmail            "      "
      *sendmail - is a previously distributed solution.
    /usr/etc/telnetd          ULTRIX V4.3, V4.3a only
    ______________________________________
    for DECnet-ULTRIX V4.2 installations:
    /usr/etc/dlogind
    /usr/etc/telnetd.gw
________________________________________________________________________________

The DEC OSF/1 Security Enhanced kit replaces the following images:

    /usr/sbin/comsat           DEC OSF/1 V1.2, V1.3, V2.0
    /usr/bin/binmail
    /usr/bin/lpr                  "      "
    /usr/sbin/sendmail         DEC OSF/1 V1.2, V1.3 only
      *sendmail - is a previously distributed solution.
    /usr/bin/rdist                "      "
    /usr/shlib/libsecurity.so  DEC OSF/1 V2.0 only
________________________________________________________________________________

Digital urges you to periodically review your system management and security
procedures. Digital will continue to review and enhance the security features
of its products and work with customers to maintain and improve the security
and integrity of their systems.
________________________________________________________________________________

NOTE: For non-contract/non-warranty customers contact your local Digital
support channels for information regarding these kits.

============================ End SSRT Advisory =============================

CIAC wishes to thank Richard Boren of Digital Equipment Corporation's SSRT
for providing the advisory used in this bulletin. DEC's SSRT can be contacted
directly at 1-800-354-9000.
______________________________________________________________________________
_____________________________________________________
             The U.S. Department of Energy
         Computer Incident Advisory Capability
_____________________________________________________

                  INFORMATION BULLETIN

              BSD lpr Vulnerability in SGI IRIX

May 19, 1994 1600 PDT                                          Number E-25a
______________________________________________________________________________

Corrections to E-25: untar command; IRIX 4.0 lpr.latest.Z Sum_Checksum.
______________________________________________________________________________

PROBLEM:   The optional print subsystem BSD lpr can be used to create or
           overwrite any file on the system.
PLATFORM:  SGI workstations running the following operating system versions:
           IRIX 5.0, 5.0.1, 5.1.x, 5.2, and any 4.0.5.
DAMAGE:    Any user with lpr(1) access may gain root privilege.
SOLUTION:  Install new lpr spooler system available from SGI.
______________________________________________________________________________

VULNERABILITY  Notices of this vulnerability along with a script to exploit
ASSESSMENT:    it have been widely distributed on the Internet. CIAC and SGI
               recommend sites install the appropriate fix immediately.
______________________________________________________________________________

Critical Information about BSD lpr Vulnerabilities in SGI IRIX

CIAC has learned of a vulnerability in the BSD lpr spooling system.
This optionally installed subsystem for all SGI platforms allows
interoperability with other BSD lpr systems, such as SunOS, DEC Ultrix, and
Novell. Many SGI systems replace the standard AT&T System V lp and lpsched
print spooler with the optional BSD subsystem (eoe2.sw.bsdlpr). This
vulnerability affects all SGI workstations running IRIX 5.0, 5.0.1, 5.1.x,
5.2 and 4.0.5 (all versions).

A command flag allows users to create symbolic links in the lpd spool
directory. After a number of invocations, lpr will reuse the filename in the
spool directory, following the previously established link. By allowing the
creation or overwriting of any file the link points to, any user with lpr(1)
access can obtain root privilege.

SGI has produced corrected versions of the lpr software which may be obtained
from your SGI service/support provider or via anonymous FTP from ftp.sgi.com
(192.48.153.1). Transfer in BINARY mode, as follows:

    for IRIX 5.*.* systems:   ~ftp/sgi/IRIX5.0/lpr/lpr.latest.Z
    for IRIX 4.0.5 systems:   ~ftp/sgi/IRIX4.0/lpr/lpr.latest.Z

Decompress and untar these files using "zcat lpr.latest.Z | tar -xvf -" and  |
checksum these files using "sum -r lpr*" and md5 to yield the following:

    IRIX 5.*.*          bytes   sum_checksum   md5_checksum
    lpr.latest.Z        22331   61762   44     3a215a1f9b336cc4f76ca3e7a6b9bdcc
    lpr.new             41120   22489   81     6f55d6a7620ca5c4188230a3b4dd50be
    lpr.new.install      1575   63777    4     be021e98c346a3d49c27f00e43ca87ef

    IRIX 4.0.5          bytes   sum_checksum   md5_checksum
    lpr.latest.Z        87469   03015  171     d40c8c84e219045e56297cd36e6a77d5  |
    lpr.new            171016   21563  335     641f6ca953c8163d9085f99114df5289
    lpr.new.install      1575   63777    4     be021e98c346a3d49c27f00e43ca87ef

Note: md5 checksum utility is available via anonymous FTP from CIAC's server
irbis.llnl.gov (soon to be renamed ciac.llnl.gov) as md5.tar in directory
/pub/util/crypto.
______________________________________________________________________________

CIAC thanks Miguel J. Sanchez and Jay McCauley of Silicon Graphics Inc. and
David S. Brown of Lawrence Livermore National Laboratory for the information
provided in this bulletin.
______________________________________________________________________________
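A verification helper for checksum tables in the layout the E-25a bulletin prints, added here as an example; it is not part of the CIAC bulletin or of SGI's distribution. It reimplements the BSD `sum -r` 16-bit rotating checksum (the algorithm GNU coreutils uses for `sum -r`) beside MD5, parses "name bytes sum blocks md5" rows, and reports every file that is missing or does not match before anyone installs it. One detail the bulletin does not spell out: its SGI `sum -r` output counts 512-byte blocks (22331 bytes gives 44), while GNU `sum -r` reports 1024-byte blocks, so the block size is a parameter. The sample table and files below are constructed for the demonstration, as are the names good.bin, tampered.bin and missing.bin.

```python
"""Verify downloaded patch files against a bulletin-style checksum table.

Added example, not code from the CIAC bulletin or from SGI.  Reimplements
the BSD `sum -r` 16-bit rotating checksum (as in GNU coreutils sum.c) and
pairs it with MD5, so a downloaded file can be compared with the published
"bytes  sum_checksum  md5_checksum" table before it is installed.
"""
import hashlib
import os
import tempfile

# The bulletin's SGI `sum -r` output counts 512-byte blocks (22331 bytes -> 44);
# GNU coreutils `sum -r` reports 1024-byte blocks, so the unit is a parameter.
SGI_BLOCK = 512
GNU_BLOCK = 1024


def bsd_sum(data: bytes, block_size: int = SGI_BLOCK):
    """Return (checksum, blocks) exactly as `sum -r` prints them."""
    checksum = 0
    for byte in data:
        checksum = (checksum >> 1) + ((checksum & 1) << 15)  # rotate right by one bit
        checksum = (checksum + byte) & 0xFFFF
    blocks = (len(data) + block_size - 1) // block_size
    return checksum, blocks


def parse_checksum_table(text: str):
    """Parse 'name bytes checksum blocks md5' rows; header rows and the '|'
    change bars CIAC uses to mark corrected lines are ignored."""
    expected = {}
    for line in text.splitlines():
        fields = line.replace("|", " ").split()
        if len(fields) != 5:
            continue
        name, size, csum, blocks, md5 = fields
        if not (size.isdigit() and csum.isdigit() and blocks.isdigit()):
            continue
        if len(md5) != 32:
            continue
        expected[name] = (int(size), int(csum), int(blocks), md5.lower())
    return expected


def verify_files(directory: str, table: str, block_size: int = SGI_BLOCK):
    """Map each table entry to a list of problems; an empty list means it matched."""
    results = {}
    for name, (size, csum, blocks, md5) in parse_checksum_table(table).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = ["missing"]
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        problems = []
        if len(data) != size:
            problems.append(f"size {len(data)} != {size}")
        got = bsd_sum(data, block_size)
        if got != (csum, blocks):
            problems.append(f"sum -r {got[0]:05d} {got[1]} != {csum:05d} {blocks}")
        got_md5 = hashlib.md5(data).hexdigest()
        if got_md5 != md5:
            problems.append(f"md5 {got_md5} != {md5}")
        results[name] = problems
    return results


# Constructed sample table in the bulletin's layout.  The values for good.bin
# are those of the six bytes b"hello\n"; tampered.bin and missing.bin reuse
# them so the checks have something to flag.
SAMPLE_TABLE = """\
sample             bytes   sum_checksum   md5_checksum
good.bin               6   36979    1     b1946ac92492d2347c6235b4d2611184
tampered.bin           6   36979    1     b1946ac92492d2347c6235b4d2611184  |
missing.bin            6   36979    1     b1946ac92492d2347c6235b4d2611184
"""


def demo():
    """Write constructed files to a temp dir and verify them against SAMPLE_TABLE."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "good.bin"), "wb") as fh:
            fh.write(b"hello\n")
        with open(os.path.join(tmp, "tampered.bin"), "wb") as fh:
            fh.write(b"hellO\n")           # one byte changed, same length
        return verify_files(tmp, SAMPLE_TABLE)


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

To check a real download, paste the bulletin's table into `verify_files` and point it at the directory produced by `zcat lpr.latest.Z | tar -xvf -`; a size or `sum -r` mismatch alone can come from an ASCII-mode transfer, but an MD5 mismatch on a file of the right size should be treated as a bad or altered copy.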
_____________________________________________________
             The U.S. Department of Energy
         Computer Incident Advisory Capability
_____________________________________________________

                     ADVISORY NOTICE

                UNIX /bin/login Vulnerability

May 23, 1994 0700 PDT                                           Number E-26
______________________________________________________________________________

PROBLEM:    A vulnerability exists in /bin/login on some UNIX platforms.
PLATFORMS:  IBM AIX 3 systems, Linux, possibly other UNIX systems.
DAMAGE:     Local and remote users can obtain unauthorized access to any
            account, including root.
SOLUTION:   Apply patches or workarounds described below.
______________________________________________________________________________

VULNERABILITY  This vulnerability has been widely discussed in detail on
ASSESSMENT:    Internet mailing lists and newsgroups and a simple one line
               exploitation script is being distributed. CIAC strongly
               advises that this vulnerability be patched IMMEDIATELY.
______________________________________________________________________________

Critical Information about the UNIX /bin/login Vulnerability

CIAC has learned of a vulnerability in the UNIX /bin/login program. This
vulnerability potentially affects all IBM AIX 3 systems, Linux systems, and
perhaps other UNIX platforms as well. Information available at the time of
this advisory's publication indicates that only IBM AIX 3 and Linux systems
are at risk.

IBM AIX information

Current information indicates that the IBM AIX vulnerability applies only to
remote access. IBM is currently developing an official fix. Until the
official fix is available from IBM, CIAC recommends immediate application of
the workaround or installation of the emergency fix described here.

Workaround:

The recommended workaround is to disable the rlogin daemon by performing the
following three steps:

  1. As root, edit /etc/inetd.conf and comment out the line 'login ... rlogin'
  2. Run 'inetimp'
  3. Run 'refresh -s inetd'

Emergency Fix:

IBM's emergency fix for the different levels of AIX 3 affected by this
vulnerability is available via anonymous FTP from software.watson.ibm.com in
the file /pub/rlogin/rlogin.tar.Z. Installation instructions are included in
the README file which is included in rlogin.tar.Z. Checksum information for
rlogin.tar.Z is included in the chart below.

    BSD:      25285   317
    SystemV:  13021   633
    MD5:      803ee38c2e3b8c8c575e2ff5e921034c

Official Fix:

IBM is working on an official fix; it can be ordered as APAR IX44254. To
order an APAR from IBM in the U.S., call 1-800-237-5511 and ask IBM to ship
it as soon as it is available.
According to IBM, this fix will be available in approximately two weeks.
APARs may be obtained outside the U.S. by contacting your local IBM
representative.

Linux information

Current information indicates that the Linux vulnerability applies to both
remote and local access.

Remote access fix:

A patch that addresses the remote access problem has been made available via
anonymous FTP from sunsite.unc.edu in the directory
/pub/Linux/system/Network/sunacm/URGENT. This patch is found in the file
security.tgz, with the associated file README.security. Note that
security.tgz includes other security fixes in addition to the /bin/login
patch. Checksum information for both of these files is included below.

    README.security:                            security.tgz:
    BSD:      09575 1                           BSD:      32878 257
    SystemV:  20945 1                           SystemV:  40797 513
    MD5:      41d14d7b8725c7a1015adeb49601619b  MD5:      dd4585cf4da1b52d25d619bf45f55b75

Local access fix:

To address the local access problem, CIAC encourages installation of a
version of /bin/login that does not allow the -f option in the form
"-f<user>" (user name attached to the flag). The recommended version should
only allow this option in the form "-f <user>", with a space to indicate two
arguments. At the time of this bulletin's publication, CIAC does not know
which versions of login.c are vulnerable. As CIAC and other FIRST teams
receive additional information, the CA-94:09.README file will be updated.
Again, we encourage you to check this README file regularly for updates. If
you find a version of Linux which contains the login access vulnerability,
please contact CIAC.

Other vendor information

The CERT Coordination Center (CERT/cc) has provided CIAC with the file
CA-94:09.README, which lists the vendors who have responded to inquiries
involving this vulnerability and the status of their investigations into this
problem. This file is included with this advisory as an appendix. As
additional information is received relating to this advisory, the CERT/cc
will place it, along with any clarifications, in the README file available
via anonymous FTP from info.cert.org. CIAC encourages you to check the README
file regularly for updates that relate to your UNIX operating system.

Note: md5 checksum utility is available via anonymous FTP from CIAC's server
irbis.llnl.gov (soon to be renamed ciac.llnl.gov) as md5.tar in directory
/pub/util/crypto.
______________________________________________________________________________

CIAC thanks the CERT Coordination Center for the information provided in this
advisory.
______________________________________________________________________________
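Two small helpers for the E-26 mitigations, added here as an example; they are not code from CIAC, IBM or any Linux distribution. The first pair of functions does the file edit behind the AIX workaround: find the `login` (rlogind) service in an inetd.conf-style file and comment it out, idempotently, so the edit can be audited or pushed to many hosts (the `inetimp` and `refresh -s inetd` steps still have to be run on the machine). The last function expresses the argument policy the local-access fix recommends for /bin/login: `-f user` as two arguments is accepted, the attached `-f<user>` form is rejected. The inetd.conf sample is constructed, and `in.rlogind`-style paths in it are placeholders.

```python
"""Helpers for the E-26 mitigations.

Added example, not code from CIAC, IBM or any Linux distribution.
(1) Comment out the rlogin service in an inetd.conf-style file (the AIX
    workaround's file edit; inetimp / refresh -s inetd are still needed).
(2) Check login's argument vector against the recommended -f policy:
    "-f user" (two arguments) is accepted, "-fuser" (attached) is rejected.
"""

# Constructed sample; not a real host's /etc/inetd.conf.
SAMPLE_INETD_CONF = """\
# service  type    proto   wait    user    server             args
ftp        stream  tcp     nowait  root    /usr/sbin/ftpd     ftpd
telnet     stream  tcp     nowait  root    /usr/sbin/telnetd  telnetd
login      stream  tcp     nowait  root    /usr/sbin/rlogind  rlogind
shell      stream  tcp     nowait  root    /usr/sbin/rshd     rshd
"""


def active_services(conf_text: str):
    """Service names of every uncommented, non-empty inetd.conf line."""
    names = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        names.append(stripped.split()[0])
    return names


def rlogin_enabled(conf_text: str) -> bool:
    """True if the 'login' service (rlogind) is still active."""
    return "login" in active_services(conf_text)


def disable_rlogin(conf_text: str) -> str:
    """Return the config with every active 'login' line commented out.
    Lines that are already comments are left alone, so the edit is idempotent."""
    out = []
    for line in conf_text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and stripped.split()[0] == "login":
            out.append("#" + line)
        else:
            out.append(line)
    return "".join(out)


def login_f_option_ok(argv) -> bool:
    """Apply the recommended policy to login's arguments (argv[0] excluded):
    '-f' must be its own argument followed by the user name; '-f<user>' with
    the name attached to the flag is rejected."""
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "-f":
            if i + 1 >= len(argv):
                return False            # dangling -f with no user name
            i += 2                      # skip the flag and its separate argument
            continue
        if arg.startswith("-f") and len(arg) > 2:
            return False                # attached form: the one to refuse
        i += 1
    return True


if __name__ == "__main__":
    print("rlogin enabled before:", rlogin_enabled(SAMPLE_INETD_CONF))
    hardened = disable_rlogin(SAMPLE_INETD_CONF)
    print("rlogin enabled after: ", rlogin_enabled(hardened))
    print(hardened)
    for argv in (["-f", "guest"], ["-fguest"], ["-p", "-f", "guest"]):
        print(argv, "->", "accepted" if login_f_option_ok(argv) else "rejected")
```

`rlogin_enabled` is the check to run across a fleet after the workaround has been applied; `disable_rlogin` returns text rather than writing in place so the result can be diffed against the original before it replaces /etc/inetd.conf.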
-----------------------------------------------------------------------------

Appendix CA-94:09.README

This file is a supplement to the CERT Advisory CA-94:09.bin.login.vulnerability
of May 23, 1994, and will be updated as additional information becomes
available.

We have received feedback from these vendors, who indicated that their
products are not vulnerable:

    Amdahl
    Apple
    BSD
    BSDI
    Harris
    HP
    Motorola
    NeXT
    Pyramid
    SCO
    SGI
    Solbourne
    Sony
    Sun

CERT has verified that the following vendor products are not vulnerable:

    Free BSD

We have received feedback from these vendors, who have made patches available
to address the /bin/login vulnerability:

    IBM     workaround:       see Section III. Solution for IBM AIX
                              vulnerability, A. Workaround of CERT advisory
                              CA-94:09
            emergency patch:  software.watson.ibm.com:/pub/rlogin/rlogin.tar.Z
            Official patch:   APAR IX44254

    Linux   patch:            sunsite.unc.edu:/pub/Linux/system/Network/sunacm/URGENT/*

_____________________________________________________
             The U.S. Department of Energy
         Computer Incident Advisory Capability
_____________________________________________________

                  INFORMATION BULLETIN

             IBM AIX bsh Queue Vulnerability

June 3, 1994 1500 PDT                                          Number E-29a
______________________________________________________________________________

PROBLEM:    Vulnerability in bsh batch queue allows unauthorized access.
PLATFORMS:  IBM AIX 3.2 and earlier.
DAMAGE:     Remote users may gain access to a privileged account.
SOLUTION:   Disable the bsh queue; obtain and install fix from IBM.
______________________________________________________________________________

VULNERABILITY  This vulnerability is being discussed on public mailing lists
ASSESSMENT:    and can be exploited remotely.
CIAC recommends that sites disable the bsh queue immediately. ______________________________________________________________________________ Critical Information about the IBM AIX bsh Queue Vulnerability CIAC has learned of a vulnerability in the bsh batch queue of IBM AIX systems running AIX version 3.2 and earlier. If network printing is enabled, the bsh queue will permit users on remote systems to execute commands at an elevated privilege. CIAC recommends that the bsh queue be disabled immediately as described below. Administrators should then obtain and install the appropriate fixes from IBM. Few applications make use of the bsh queue, and IBM has agreed to disable the queue by default in future AIX releases. CIAC recommends that the bsh queue be left disabled unless its functionality is explicitly required. Disabling bsh ------------- To disable the bsh queue, perform one of the following procedures: A. As root, from the command line, enter: chqueue -qbsh -a"up = FALSE" B. From SMIT enter: - Spooler - Manage Local Printer Subsystem - Local Printer Queues - Change/Show Characteristics of a Queue select bsh - Activate the Queue select no Emergency Fix ------------- IBM has made available an emergency fix for this vulnerability via anonymous FTP from software.watson.ibm.com in the directory /pub/aix. The fix is contained in the compressed tar file bshfixN.tar.Z, where N is the current version of the fix. Installation instructions are provided in a README file in the tar package. Please note: Due to the volatile nature of emergency fixes, IBM may temporarily remove them from the FTP server while revisions are made. If you are unable to retrieve the fix from the FTP server, please try again at a later time. Official Fix ------------ The official fix for this problem will be available soon from IBM and can be ordered as APAR IX44381. To order an APAR from IBM in the U.S. call 1-800-237-5511 and ask for shipment as soon as it becomes available. 
To obtain APARs outside the U.S., contact a local IBM representative.
______________________________________________________________________________

CIAC thanks IBM and the CERT Coordination Center for the information provided
in this advisory.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:

    Voice:    510-422-8193
    FAX:      510-423-8002
    STU-III:  510-423-2604
    E-mail:   ciac@llnl.gov

Previous CIAC Bulletins and other information are available via anonymous FTP
from ciac.llnl.gov (IP address 128.115.19.53).

CIAC has several self-subscribing mailing lists for electronic publications:
  1. CIAC-BULLETIN for Advisories, highest priority - time critical
     information, and Bulletins, important computer security information;
  2. CIAC-NOTES for Notes, a collection of computer security articles;
  3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
     software updates, new features, distribution and availability;
  4. SPI-NOTES, for discussion of problems and solutions regarding the use
     of SPI products.

CIAC's mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send the following request as the
E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or
SPI-NOTES for "list-name" and valid information for "LastName" "FirstName"
and "PhoneNumber" when sending E-mail to ciac-listproc@llnl.gov:

    subscribe list-name LastName, FirstName PhoneNumber
    e.g., subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or
get help.
______________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations
and their constituencies can be obtained by sending E-mail to
first-request@first.org with an empty subject line and a message body
containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.

       _____________________________________________________
             The U.S. Department of Energy
         Computer Incident Advisory Capability
       _____________________________________________________

                         INFORMATION BULLETIN

        Majordomo distribution list administrator vulnerabilities

June 15, 1994 1400 PDT                                          Number E-30
______________________________________________________________________________
PROBLEM:    Two vulnerabilities in Majordomo distribution list administrator.
PLATFORMS:  All unix systems using Majordomo versions 1.91 and earlier.
DAMAGE:     Remote users may gain access to the Majordomo account.
SOLUTION:   Upgrade to Majordomo 1.92 or apply quick fix described below.
______________________________________________________________________________
VULNERABILITY   This vulnerability is being discussed on public mailing lists
ASSESSMENT:     and is currently being exploited. CIAC recommends that sites
                determine if they are using Majordomo for their distribution
                lists, and, if so, follow the steps described below.
______________________________________________________________________________

        Critical Information about the Majordomo distribution list
                        administrator vulnerabilities

CIAC has learned of two vulnerabilities in the Majordomo distribution list
administrator software. These allow intruders to gain remote access to the
Majordomo account and execute arbitrary commands. Exploitation does not
require a valid username/password combination and bypasses firewalls and TCP
wrappers.

This vulnerability affects all versions of Majordomo up to and including
version 1.91. It does not affect users of Majordomo (i.e., subscribers), nor
hosts using other distribution list managers.

CIAC recommends that sites determine if they are running Majordomo. If so,
upgrade to version 1.92. If the associated mailer is sendmail and upgrading
immediately is not possible, then, as an interim solution, follow the
instructions for the quick fix in 2 below.

1. Upgrading to Majordomo 1.92

   Obtain Majordomo 1.92 via anonymous ftp in the indicated directory on any
   one of the following servers:

        ftp.pgh.net:/pub/majordomo/majordomo-1.92.tar.Z
        ftp.cs.umb.edu:/pub/rouilj/majordomo-1.92.tar.Z
        FTP.GreatCircle.COM:/pub/majordomo/majordomo-1.92.tar.Z

   Follow the installation instructions in the included main README file.
   Note that the compressed file should have the following checksum and
   signature.
                           BSD         SVR4
   File                    Checksum    Checksum    MD5 Digital Signature
   ____________________    _________   _________   ________________________________
   majordomo-1.92.tar.Z    55701 223   23408 446   17d9bb9fd4872ab09d01bfeb643b5ebb

   If your copy computes differently, contact the ftp site or CIAC before
   proceeding.

2. Quick fix for versions 1.91 and earlier that use the sendmail mailer (this
   fix is not supported for other mailers). For version 1.91, perform the
   first step only. For version 1.90 and earlier, perform both steps.

   Versions 1.91 and earlier:

      Disable new-list by either renaming or removing it from the aliases
      file.

   Versions 1.90 and earlier:

      Find all occurrences of strings of any of the following forms:

         "|/usr/lib/sendmail -f $to"                        #majordomo.pl
         "|/usr/lib/sendmail -f $reply_to"                  #request-answer
         "|/usr/lib/sendmail -f $reply_to $list-approval"   # new-list
         "|/usr/lib/sendmail -f \$to"                       #majordomo.cf

      Change all occurrences of that string to

         "|/usr/lib/sendmail -f -t"

      You should find these strings in the request-answer, majordomo.pl, and
      your local majordomo.cf files.
______________________________________________________________________________

CIAC acknowledges the CERT Coordination Center and John Rouillard of the
University of Massachusetts at Boston for providing the information for this
bulletin.
______________________________________________________________________________

       _____________________________________________________
             The U.S. Department of Energy
         Computer Incident Advisory Capability
       _____________________________________________________

                         Information Bulletin

              Sendmail -d and Sendmail -oE Vulnerabilities

July 14, 1994 1600 PST                                          Number E-31
______________________________________________________________________________
PROBLEM:   Vulnerabilities in the UNIX sendmail utility.
PLATFORM:  UNIX; many vendor implementations of sendmail.
DAMAGE:    Root access may be obtained.
SOLUTION:  Retrieve and install your vendor's new implementation of sendmail.
______________________________________________________________________________
ASSESSMENT OF VULNERABILITY: A script to exploit the -d vulnerability is
currently being utilized to compromise many systems. The -oE vulnerability is
fairly simple to exploit. Both can only be exploited by local users, and
cannot be utilized remotely to compromise a machine. Both are well known in
the intruder community.
______________________________________________________________________________

             Critical Information about Sendmail Vulnerabilities

CIAC has received updated information regarding two vulnerabilities in the
sendmail program when using the -d and -oE options. These bugs cannot be
exploited remotely.
The first vulnerability involves the sendmail debug option "-d" command line
flag. For certain input values an error occurs that allows a local user to
become root. The second vulnerability involves the sendmail error message
header "-oE" option. This vulnerability allows any local interactive user to
read any file on the system.

Both vulnerabilities are present in many vendors' implementations of sendmail,
and the CERT Coordination Center is maintaining a list of which versions of
sendmail do and do not have this problem. The current version of the list is
attached to this bulletin. Future versions of this file can be obtained from
the CERT Coordination Center. Use anonymous FTP to connect to info.cert.org,
and download the file /pub/cert_advisories/CA-94:12.README.

A summary of sendmail vendors and their current patch status is supplied
below:

   Not vulnerable:     Amdahl, Convex OS11.0, Eric Allman sendmail 8.6.8 and
                       8.6.9.
   Patches available:  Apple, Berkeley Software Design, Convex 10.x, Data
                       General, Digital Equipment, Hewlett Packard, IBM, Open
                       Software Foundation, Sun.
   Patch in progress:  Santa Cruz Operation
______________________________________________________________________________

CIAC thanks the CERT Coordination Center for the information provided in this
bulletin.
______________________________________________________________________________

CA-94:12.README

See CA-94:12.README for updated information; this file supersedes
CA-93:16a.README.

Below is information we have received from vendors who have patches available
or upcoming for the vulnerabilities described in this advisory, as well as
vendors who have confirmed that their products are not vulnerable. If your
vendor's name is not in one of these lists, contact the vendor directly for
information on whether their version of sendmail is vulnerable and, if so,
the status of patches to address the vulnerabilities.

---------------------------------------
Eric Allman

Sendmail versions 8.6.8 and 8.6.9 are not vulnerable. The problem with -d was
fixed in sendmail 8.6.7, and -oE was fixed in sendmail 8.6.8. Even if you are
running 8.6.8, you may want to upgrade to 8.6.9 for the additional features.
Version 8.6.9 is available by anonymous FTP from ftp.cs.berkeley.edu in the
directory ucb/sendmail.
   MD5 (sendmail.8.6.9.base.tar.Z) = 9bffb19116e7fdbb6ec56ccf9344895b
   MD5 (sendmail.8.6.9.cf.tar.Z)   = 37ecb776ec61f596d01fbb46bae6e72f
   MD5 (sendmail.8.6.9.misc.tar.Z) = e083dbd609bdaf4b46c52f2546b3d1e5
   MD5 (sendmail.8.6.9.xdoc.tar.Z) = 0df46586fbe767bf7060068331de7186

---------------------------------------
Amdahl

All versions of UTS 2.1 use smail rather than sendmail and are not vulnerable
to these problems.

---------------------------------------
Apple Computer, Inc.

A patch to version 3.1 of A/UX for these vulnerabilities is available by
anonymous FTP from ftp.support.apple.com or aux.support.apple.com; in each
case, a compressed, replacement version (8.6.4.1) of sendmail is in
pub/aux.patches.

   Filename        sendmail.Z
   BSD checksum    02992 182
   SysV checksum   10129 364
   MD5 checksum    df4ca82f624ee8f4404c5e979e7e3d24

Uncompress this file using compress(1) and replace the previous version
(8.6.4) in /usr/lib; be sure to kill the running sendmail and restart.

Earlier versions of A/UX are not supported by this patch. Users of previous
versions are encouraged by Apple to update their system to A/UX 3.1 or
compile and install the version of sendmail available from
ftp.cs.berkeley.edu. Customers should contact their reseller for any
additional information.

---------------------------------------
Berkeley Software Design (BSDI)

Patches to sendmail for these problems in BSD/386 V1.1 are available from
BSDI customer support:

   BSDI Customer Support
   Berkeley Software Design, Inc.
   7759 Delmonico Drive
   Colorado Springs, CO 80919

   Toll Free: +1 800 ITS BSD8 (+1 800 486 2738)
   Phone:     +1 719 260 8114
   Fax:       +1 719 598 4238
   Email:     support@bsdi.com

---------------------------------------
Convex

ConvexOS 11.0 (the most recent production OS) does not contain the
vulnerabilities. Convex customers running ConvexOS 10.x should install the
CONVEX TAC PATCH 10.3.129, which is the full ConvexOS 11.0 mail system back
ported to ConvexOS 10.x. The 10.3.129 README file is reproduced below:

   The following patch information is provided by a member of the CONVEX
   TAC. There is no express or implied warranty. The maintenance of this
   patch is the responsibility of the installer. The existence of this patch
   does not guarantee that the patch or its functionality will be available
   in the next release of the product.

   PATCH PRODUCT NAME:             ConvexOS Mail System
   PATCH FOR VERSION NUMBER:       10.3
   PATCH MODULE NAME:              /usr/lib/sendmail
   NEW VERSION NUMBER OF PRODUCT:  10.3.129
   RELATED BUG REPORTS:            X-33414, X-33531

   PATCH INSTALLATION:

   Pre-installation precautions:

   if from tape:
        %tpmount
        %installsw -i

        NOTE: If installing from tape, you must use a no-rewind tape
        device, such as /dev/rmt20 or /dev/rdat0n, /dev/eb0nr, or
        /dev/rtc0n.

   if from script:
        % ./Script.sh

The Convex Technical Assistance Center is available for additional
information at 800-952-0379.

---------------------------------------
Data General Corporation

DG/UX systems are not at risk from the -oE problem. Patches will be made
available for all supported releases of DG/UX for the -d problem and it will
be fixed in future releases of DG/UX starting with DG/UX 5.4 Release 3.10.
Affected sites should call their Customer Support Center for information
regarding this patch.

---------------------------------------
Digital Equipment Corporation

[The following information was excerpted from DEC SECURITY ADVISORY #0505.
Please contact DEC for a complete copy of that advisory.]

Products Affected:

     ULTRIX Versions 4.3, 4.3A, V4.4
     DECnet-ULTRIX Version 4.2
     DEC OSF/1 Versions 1.2, 1.3, 1.3A, 2.0

SOLUTION:

     ULTRIX:     Upgrade/Install ULTRIX to a minimum of V4.4 and install
                 the Security Enhanced Kit
     DEC OSF/1:  Upgrade/Install to a minimum of V1.2 and install the
                 Security Enhanced Kit

Please refer to the applicable Release Note information prior to upgrading
your installation.

These kits are available from Digital Equipment Corporation by contacting
your normal Digital support channel or by request via DSNlink for electronic
transfer.

KIT PART NUMBERS and DESCRIPTIONS

     CSCPAT_4060 V1.0    ULTRIX V4.3 thru V4.4 (Includes DECnet-ULTRIX V4.2)
     CSCPAT_4061 V1.0    DEC OSF/1 V1.2 thru V2.0

_______________________________________________________________
These kits will not install on versions previous to ULTRIX V4.3 or
DEC OSF/1 V1.2.
_______________________________________________________________

Digital urges you to periodically review your system management and security
procedures. Digital will continue to review and enhance the security features
of its products and work with customers to maintain and improve the security
and integrity of their systems.

NOTE: For non-contract/non-warranty customers contact your local Digital
support channels for information regarding these kits.

---------------------------------------
Hewlett-Packard

HP/UX does not support the -oE option. To fix the -d problem, obtain patch
PHNE_4533 from Hewlett-Packard. This patch may be obtained from HP via FTP
(this is NOT anonymous FTP) or the HP SupportLine. To obtain HP security
patches, you must first register with the HP SupportLine. The registration
instructions are available by anonymous FTP from info.cert.org in the file
"pub/vendors/hp/supportline_and_patch_retrieval".

---------------------------------------
IBM

A patch for the -d vulnerability can be ordered from IBM as APAR IX44020
(PTF U431041). AIX is not vulnerable to the -oE problem.

To order APARs from IBM in the U.S., call 1-800-237-5511 and ask that it be
shipped to you as soon as it is available. To obtain APARs outside of the
U.S., contact your local IBM representative.

---------------------------------------
Open Software Foundation (OSF)

For OSF/1 R1.3: CR11057 describes how to fix the -d option problem in the
sources. OSF/1 is not vulnerable to the -oE problem.
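The bulletins above give a BSD sum, a System V sum and an MD5 digest for each patch archive (the majordomo-1.92.tar.Z table row, Apple's sendmail.Z, the sendmail 8.6.9 tarballs) and ask you to compare before installing. The Python script below is an added example, not part of any CIAC or CERT bulletin: it implements both legacy sum algorithms next to MD5 so a downloaded copy can be checked against a table row; the sample bytes in it are constructed.

```python
import hashlib

BSD_BLOCK = 1024   # BSD sum reports file size in 1024-byte blocks
SYSV_BLOCK = 512   # System V sum reports file size in 512-byte blocks


def bsd_sum(data: bytes) -> tuple[int, int]:
    """BSD 16-bit rotating checksum and block count (first pair in the table)."""
    checksum = 0
    for byte in data:
        # rotate the running value right by one bit, then add the byte
        checksum = (checksum >> 1) + ((checksum & 1) << 15)
        checksum = (checksum + byte) & 0xFFFF
    blocks = (len(data) + BSD_BLOCK - 1) // BSD_BLOCK
    return checksum, blocks


def sysv_sum(data: bytes) -> tuple[int, int]:
    """System V checksum: byte total folded into 16 bits (second pair)."""
    total = sum(data)
    folded = (total & 0xFFFF) + ((total & 0xFFFFFFFF) >> 16)
    checksum = (folded & 0xFFFF) + (folded >> 16)
    blocks = (len(data) + SYSV_BLOCK - 1) // SYSV_BLOCK
    return checksum, blocks


def parse_table_row(row: str) -> dict:
    """Turn one row of the bulletin's checksum table into a record.

    Row layout: <file> <bsd sum> <bsd blocks> <sysv sum> <sysv blocks> <md5>
    """
    fields = row.split()
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {row!r}")
    name, b_sum, b_blk, s_sum, s_blk, md5 = fields
    return {
        "file": name,
        "bsd": (int(b_sum), int(b_blk)),
        "sysv": (int(s_sum), int(s_blk)),
        "md5": md5.lower(),
    }


def verify(data: bytes, expected: dict) -> list[str]:
    """Compare file contents with a record such as parse_table_row() returns.

    Returns a list of mismatch descriptions; an empty list means every
    checksum present in the record matched. Only the MD5 has any strength
    against deliberate tampering; the two sums catch transfer damage.
    """
    problems = []
    if "bsd" in expected and bsd_sum(data) != expected["bsd"]:
        problems.append(f"BSD sum {bsd_sum(data)} != {expected['bsd']}")
    if "sysv" in expected and sysv_sum(data) != expected["sysv"]:
        problems.append(f"SysV sum {sysv_sum(data)} != {expected['sysv']}")
    if "md5" in expected:
        digest = hashlib.md5(data).hexdigest()
        if digest != expected["md5"]:
            problems.append(f"MD5 {digest} != {expected['md5']}")
    return problems


def verify_file(path: str, row: str) -> list[str]:
    """Read a downloaded archive and check it against a bulletin table row."""
    with open(path, "rb") as fh:
        return verify(fh.read(), parse_table_row(row))


if __name__ == "__main__":
    # Constructed sample, not a real archive: an intact copy passes, then a
    # copy with one flipped bit is checked and the mismatches are listed.
    sample = b"constructed sample archive contents\n" * 40
    record = {
        "file": "sample.tar.Z",
        "bsd": bsd_sum(sample),
        "sysv": sysv_sum(sample),
        "md5": hashlib.md5(sample).hexdigest(),
    }
    print("intact copy:", verify(sample, record) or "all checksums match")
    damaged = sample[:10] + bytes([sample[10] ^ 0x01]) + sample[11:]
    for problem in verify(damaged, record):
        print("damaged copy:", problem)
```

The printed sums use the same field order as the bulletin tables, so a row can be pasted straight into parse_table_row().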
---------------------------------------
The Santa Cruz Operation, Inc. (SCO)

SCO systems are not affected by the -oE problem and a patch for the -d
problem on the following platforms will soon be available:

     SCO TCP/IP Release 1.2.0 for SCO XENIX
     SCO TCP/IP Release 1.2.1 for SCO UNIX
     SCO Open Desktop Release 3.0
     SCO Open Desktop Lite Release 3.0
     SCO Open Server Network System, Release 3.0
     SCO Open Server Enterprise System, Release 3.0

For more information contact SCO at:

     Electronic mail: support@sco.COM

     The Americas, Pacific Rim, Asia, and Latin America:
     6am-5pm Pacific Daylight Time (PDT)
     ---------------------------------------------------
     1-408-425-4726 (voice)
     1-408-427-5443 (fax)

     Europe, Middle East, Africa:
     9am-5:30pm British Daylight Time (BST)
     +44 (0)923 816344 (voice)
     +44 (0)923 817781 (fax)

---------------------------------------
Sun Microsystems, Inc.

A. Patch list

Sun has produced patches against these vulnerabilities for the versions of
SunOS shown below.

     4.1.1      100377-15
     4.1.2      100377-15
     4.1.3      100377-15
     4.1.3_U1   101665-02
     5.1_x86    101352-03  (Solaris x86)
     5.1        100834-11  (Solaris 2.1)
     5.2        100999-59  (Solaris 2.2)
     5.3        101318-41  (Solaris 2.3)

B. Patch notes

1. The last security-related patch for 4.1.x sendmail was distributed as
   100377-08 (announced 23 December 1993). Revisions -09 through -14 were
   not related to security.

2. The 4.1.1 patch includes a version built for the sun3 architecture.

3. The 4.1.3 version of the patch is also applicable to 4.1.3C systems.

4. The patch listed for 4.1.3_U1 (Solaris 1.1.1) applies to both the A and B
   versions. This is currently true for all U1 patches.

5. One of the listed patches (100834-11, for SunOS 5.1) is actually a jumbo
   kernel patch into which sendmail was bundled. The other two SunOS 5.x
   patches, and all of the 4.1.x patches, contain only sendmail fixes. (Sun
   bundled all 5.x sendmails into jumbo kernel patches earlier this year,
   but later unbundled the 5.3 and 5.2 patches in response to customer
   complaints. The 5.1 sendmail will be unbundled as well later this
   summer.)

6. Sun releases new patch versions frequently. For this reason, when
   requesting patches you should ask for the specified "or later" version,
   e.g., "version 11 or later of patch 100834".

Patches can be obtained from local Sun Answer Centers and Sunsolve. U.S.
users can contact Sun at 800-USA-4SUN. Sun can also be reached by e-mail at
security-alert@sun.com.

---------------------------------------

CA-94:12.README

Issue Date:    July 14, 1994
Revision Date: July 15, 1994

This file supersedes CA-93:16a.README.

This file is a supplement to the CERT Advisory CA-94:12.sendmail.vulnerabilities
July 14, 1994, and will be updated as additional information becomes
available.

Below is information we have received from vendors who have patches available
or upcoming for the vulnerabilities described in this advisory, as well as
vendors who have confirmed that their products are not vulnerable. If your
vendor's name is not in these lists, contact the vendor directly for
information on whether their version of sendmail is vulnerable and, if so,
the status of patches to address the vulnerabilities.

Vendor or Source            Status
----------------            ------------
Eric Allman                 Versions 8.6.8 and 8.6.9 are available and not
                            vulnerable
Amdahl                      Not vulnerable
Apple                       Patch available
BSD                         Not vulnerable
BSDI                        Patch available
Convex                      OS 11.0 not vulnerable; patch available for 10.x
Data General                Patch available
Digital Equipment           Patch available
Hewlett Packard             Patch available
IBM                         Patch available
IDA                         Version sendmail-5.67b + IDA 1.5 is not vulnerable
Open Software Foundation    Patch available
Santa Cruz Operation        Patch in progress
Sun                         Patch available

Note: Some sites may find it feasible to install Eric Allman's sendmail
8.6.9, which is freely available. However, depending upon the currently
installed sendmail program, switching to a different sendmail may require
significant effort.
The site administrator may need to become familiar with the new program, and
the site's sendmail configuration file may require considerable modification
in order to provide existing functionality. In some cases, the configuration
file of the site's sendmail may be incompatible with that of sendmail 8.6.9.

---------------------------------------
Eric Allman

Sendmail versions 8.6.8 and 8.6.9 are not vulnerable. The problem with -d was
fixed in sendmail 8.6.7, and -oE was fixed in sendmail 8.6.8. Even if you are
running 8.6.8, you may want to upgrade to 8.6.9 for the additional features.
Version 8.6.9 is available by anonymous FTP from ftp.cs.berkeley.edu in the
directory ucb/sendmail.

   MD5 (sendmail.8.6.9.base.tar.Z) = 9bffb19116e7fdbb6ec56ccf9344895b
   MD5 (sendmail.8.6.9.cf.tar.Z)   = 37ecb776ec61f596d01fbb46bae6e72f
   MD5 (sendmail.8.6.9.misc.tar.Z) = e083dbd609bdaf4b46c52f2546b3d1e5
   MD5 (sendmail.8.6.9.xdoc.tar.Z) = 0df46586fbe767bf7060068331de7186

Note: CA-94:12.sendmail.vulnerabilities references Eric Allman's sendmail
8.6.9 as being in the "public domain". This is incorrect. In fact it is
freely available, but is copyrighted and has redistribution restrictions.

---------------------------------------
Amdahl

All versions of UTS 2.1 use smail rather than sendmail and are not vulnerable
to these problems.

---------------------------------------
Apple Computer, Inc.

A patch to version 3.1 of A/UX for these vulnerabilities is available by
anonymous FTP from ftp.support.apple.com or aux.support.apple.com; in each
case, a compressed, replacement version (8.6.4.1) of sendmail is in
pub/aux.patches.

   Filename        sendmail.Z
   BSD checksum    02992 182
   SysV checksum   10129 364
   MD5 checksum    df4ca82f624ee8f4404c5e979e7e3d24

Uncompress this file using compress(1) and replace the previous version
(8.6.4) in /usr/lib; be sure to kill the running sendmail and restart.

Earlier versions of A/UX are not supported by this patch. Users of previous
versions are encouraged by Apple to update their system to A/UX 3.1 or
compile and install the version of sendmail available from
ftp.cs.berkeley.edu. Customers should contact their reseller for any
additional information.

---------------------------------------
Berkeley Software Distribution (BSD)

4.4BSD-Lite uses sendmail version 8.6.9 and thus is not vulnerable.

---------------------------------------
Berkeley Software Design (BSDI)

Patches to sendmail for these problems in BSD/386 V1.1 are available from
BSDI customer support:

   BSDI Customer Support
   Berkeley Software Design, Inc.
   7759 Delmonico Drive
   Colorado Springs, CO 80919

   Toll Free: +1 800 ITS BSD8 (+1 800 486 2738)
   Phone:     +1 719 260 8114
   Fax:       +1 719 598 4238
   Email:     support@bsdi.com

---------------------------------------
Convex

ConvexOS 11.0 (the most recent production OS) does not contain the
vulnerabilities. Convex customers running ConvexOS 10.x should install the
CONVEX TAC PATCH 10.3.129, which is the full ConvexOS 11.0 mail system back
ported to ConvexOS 10.x. The 10.3.129 README file is reproduced below:

   The following patch information is provided by a member of the CONVEX
   TAC. There is no express or implied warranty. The maintenance of this
   patch is the responsibility of the installer. The existence of this patch
   does not guarantee that the patch or its functionality will be available
   in the next release of the product.

   PATCH PRODUCT NAME:             ConvexOS Mail System
   PATCH FOR VERSION NUMBER:       10.3
   PATCH MODULE NAME:              /usr/lib/sendmail
   NEW VERSION NUMBER OF PRODUCT:  10.3.129
   RELATED BUG REPORTS:            X-33414, X-33531

   PATCH INSTALLATION:

   Pre-installation precautions:

   if from tape:
        %tpmount
        %installsw -i

        NOTE: If installing from tape, you must use a no-rewind tape
        device, such as /dev/rmt20 or /dev/rdat0n, /dev/eb0nr, or
        /dev/rtc0n.

   if from script:
        % ./Script.sh

The Convex Technical Assistance Center is available for additional
information at 800-952-0379.
---------------------------------------
Data General Corporation

DG/UX systems are not at risk from the -oE problem. Patches will be made
available for all supported releases of DG/UX for the -d problem and it will
be fixed in future releases of DG/UX starting with DG/UX 5.4 Release 3.10.
Affected sites should call their Customer Support Center for information
regarding this patch.

---------------------------------------
Digital Equipment Corporation

[The following information was excerpted from DEC SECURITY ADVISORY #0505.
Please contact DEC for a complete copy of that advisory.]

Products Affected:

     ULTRIX Versions 4.3, 4.3A, V4.4
     DECnet-ULTRIX Version 4.2
     DEC OSF/1 Versions 1.2, 1.3, 1.3A, 2.0

SOLUTION:

     ULTRIX:     Upgrade/Install ULTRIX to a minimum of V4.4 and install
                 the Security Enhanced Kit
     DEC OSF/1:  Upgrade/Install to a minimum of V1.2 and install the
                 Security Enhanced Kit

Please refer to the applicable Release Note information prior to upgrading
your installation.

These kits are available from Digital Equipment Corporation by contacting
your normal Digital support channel or by request via DSNlink for electronic
transfer.

KIT PART NUMBERS and DESCRIPTIONS

     CSCPAT_4060 V1.0    ULTRIX V4.3 thru V4.4 (Includes DECnet-ULTRIX V4.2)
     CSCPAT_4061 V1.0    DEC OSF/1 V1.2 thru V2.0

_______________________________________________________________
These kits will not install on versions previous to ULTRIX V4.3 or
DEC OSF/1 V1.2.
_______________________________________________________________

Digital urges you to periodically review your system management and security
procedures. Digital will continue to review and enhance the security features
of its products and work with customers to maintain and improve the security
and integrity of their systems.

NOTE: For non-contract/non-warranty customers contact your local Digital
support channels for information regarding these kits.

---------------------------------------
Hewlett-Packard

HP/UX does not support the -oE option. To fix the -d problem, obtain patch
PHNE_4533 from Hewlett-Packard. This patch may be obtained from HP via FTP
(this is NOT anonymous FTP) or the HP SupportLine. To obtain HP security
patches, you must first register with the HP SupportLine. The registration
instructions are available by anonymous FTP from info.cert.org in the file
"pub/vendors/hp/supportline_and_patch_retrieval".

---------------------------------------
IBM

A patch for the -d vulnerability can be ordered from IBM as APAR IX44020
(PTF U431041). AIX is not vulnerable to the -oE problem.

To order APARs from IBM in the U.S., call 1-800-237-5511 and ask that it be
shipped to you as soon as it is available. To obtain APARs outside of the
U.S., contact your local IBM representative.

---------------------------------------
Paul Pomes, IDA:

The current version "sendmail-5.67b+IDA 1.5" is not vulnerable. This release
is available for anonymous FTP from vixen.cso.uiuc.edu as
"pub/sendmail-5.67b+IDA-1.5.tar.gz".

   MD5 Checksum
   MD5 (sendmail-5.67b+IDA-1.5.tar.gz) = a9b8e17fd6d3e52739d2195cead94300

---------------------------------------
Open Software Foundation (OSF)

For OSF/1 R1.3: CR11057 describes how to fix the -d option problem in the
sources. OSF/1 is not vulnerable to the -oE problem.

---------------------------------------
The Santa Cruz Operation, Inc. (SCO)

SCO systems are not affected by the -oE problem and a patch for the -d
problem on the following platforms will soon be available:

     SCO TCP/IP Release 1.2.0 for SCO XENIX
     SCO TCP/IP Release 1.2.1 for SCO UNIX
     SCO Open Desktop Release 3.0
     SCO Open Desktop Lite Release 3.0
     SCO Open Server Network System, Release 3.0
     SCO Open Server Enterprise System, Release 3.0

For more information contact SCO at:

     Electronic mail: support@sco.COM

     The Americas, Pacific Rim, Asia, and Latin America:
     6am-5pm Pacific Daylight Time (PDT)
     ---------------------------------------------------
     1-408-425-4726 (voice)
     1-408-427-5443 (fax)

     Europe, Middle East, Africa:
     9am-5:30pm British Daylight Time (BST)
     +44 (0)923 816344 (voice)
     +44 (0)923 817781 (fax)

---------------------------------------
Sun Microsystems, Inc.

At this point in time most of these patches are not available via anonymous
FTP. Please contact Sun for information on how to obtain these patches.

A. Patch list

Sun has produced patches against these vulnerabilities for the versions of
SunOS shown below.

     4.1.1      100377-15
     4.1.2      100377-15
     4.1.3      100377-15
     4.1.3_U1   101665-02
     5.1_x86    101352-03  (Solaris x86)
     5.1        100834-11  (Solaris 2.1)
     5.2        101842-01  (Solaris 2.2)
     5.3        101739-01  (Solaris 2.3)

B. Patch notes

1. The last security-related patch for 4.1.x sendmail was distributed as
   100377-08 (announced 23 December 1993). Revisions -09 through -14 were
   not related to security.

2. The 4.1.1 patch includes a version built for the sun3 architecture.

3. The 4.1.3 version of the patch is also applicable to 4.1.3C systems.

4. The patch listed for 4.1.3_U1 (Solaris 1.1.1) applies to both the A and B
   versions. This is currently true for all U1 patches.

5. One of the listed patches (100834-11, for SunOS 5.1) is actually a jumbo
   kernel patch into which sendmail was bundled. The other two SunOS 5.x
   patches, and all of the 4.1.x patches, contain only sendmail fixes.
(Sun bundled all 5.x sendmails into jumbo kernel patches earlier this year, but later unbundled the 5.3 and 5.2 patches in response to customer complaints. The 5.1 sendmail will be unbundled as well later this summer. 6. Sun releases new patch versions frequently. For this reason, when requesting patches you should ask for the specified "or later" version, e.g., "version 11 or later of patch 100834". Patches can be obtained from local Sun Answer Centers and Sunsolve. U.S. users can contact Sun a 800-USA-4SUN. Sun can also be reached by e-mail at security-alert@sun.com. --------------------------------------- _____________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ _____________________________________________________ INFORMATION BULLETIN KAOS4 Virus August 2, 1994 1600 PST Number E-32a _____________________________________________________________________________ PROBLEM: A new computer virus is preventing systems from booting. PLATFORM: All MS-DOS, PC-DOS, Windows systems. DAMAGE: May damage executable files and make systems unbootable. SOLUTION: Update your Anti-Virus program to detect/remove the virus. _____________________________________________________________________________ VULNERABILITY The KAOS4 virus is becoming widespread after being posted to ASSESSMENT: a USNET newsgroup. The virus has been seen at multiple locations within the DOE community. The virus does not appear to be intentionally damaging, but does render systems unbootable until the system files can be replaced. Most current virus scanners must be revised to detect it. _____________________________________________________________________________ This is a minor revision of E-32, the correction is in the next to last paragraph of the appendix. 
Critical Information about the KAOS4 Virus

CIAC has received information that a new computer virus named KAOS4 was posted to a USENET newsgroup, which resulted in its wide distribution. Our research indicates the virus is not intentionally damaging, but it does tend to make systems unbootable until the virus is removed. Most virus scanners do not detect this virus without being updated; however, most file change detectors should detect it now.

The most common symptom of an infection from this virus is that infected machines become unbootable. Unfortunately, that is a common symptom of many other problems, including hardware problems. If a machine has become unbootable from its hard disk, but can boot from a floppy, compare the size of COMMAND.COM with the original copy. If it has changed, suspect a virus. If you examine COMMAND.COM with a disk editor and find the text KAOS4 in the last sector, you know you have the KAOS4 virus.

The KAOS4 virus is a variant of the Vienna virus that has been extended to infect .EXE files as well as .COM files. The virus is direct acting (it runs once whenever an infected program is run) and randomly infects one .COM and one .EXE file every time it is run. It attacks COMMAND.COM first and then attacks other files. During our testing, it seemed to prefer the \DOS and the \NU (Norton Utilities) directories, but that may be coincidental. The virus adds 697 bytes to the length of both .COM and .EXE files, but the modification date of the files does not change. The following text is in the clear in the last sector of an infected program file.

    KAOS4 / Kohntark

It is not detected by DDI's DataPhysician Plus version 4.0D or McAfee's SCAN version 116. A virus signature file is available from DDI named KAOS4.PRG that works with version 4.0C of DataPhysician Plus, giving it the capability to detect this virus.

__________________
NOTE: DO NOT use this file with version 4.0D of DataPhysician Plus; use it with version 4.0C instead.
There is a problem with version 4.0D that prevents the user installed virus signature file from working correctly.
__________________

There are two ways to install the KAOS4.PRG file into the VirHUNT program in DataPhysician Plus: you can load it on the command line or you can install it with a program menu command. To start VirHUNT, and load the signature file on the command line, type the following at the DOS prompt:

    VIRHUNT USC:\DDI\KAOS4.PRG

This assumes that the KAOS4.PRG file is in the DDI directory on the C drive. If the file is stored somewhere else, change the path to point to the appropriate location. The file will be loaded into VirHUNT and VirHUNT can be used to scan any attached disks for the virus.

To load the file in a running version of VirHUNT, select the Options menu and the E: User specified search/remove command. In the dialog box that is displayed, type KAOS4.PRG. Include a path with the file name if the file is not in the default directory. You may now scan files like normal and if the KAOS4 virus is detected, it is reported as an "Unknown Virus". The signature file also contains sufficient information to remove the virus from an infected program, but programs should be replaced whenever possible.

The file KAOS4.PRG is available on the CIAC file servers. You can use anonymous FTP to ciac.llnl.gov (128.115.19.53) and find the file in the /pub/ciac/sectools/pcvirus directory. It can also be obtained from the CIAC BBS in the File Transfer:Downloads: PC Virus section.

A special version of McAfee's SCAN program named SCN-KAOS.ZIP is available that only removes the KAOS4 virus. It is available on the McAfee BBS (408-988-4004), Compuserve, or via anonymous FTP to mcafee.com.

A new version of the Norton Anti-Virus, Virus Definitions file is available to make NAV 3.0 detect and remove KAOS4. The file is 30a09b.zip and is available on the Symantec BBS (503-484-6669), and Compuserve.
_____________________________________________________________________________
CIAC wishes to thank Bill Kenny of DDI for so quickly getting us a signature file for this new virus.
_____________________________________________________________________________

APPENDIX: PROTECTING A PC AGAINST NEW VIRUSES
=============================================

Note: The following sections use the DataPhysician Plus package to illustrate how to apply the virus detection strategies. This package is used in these examples because the DOE has a site license for it, making it relevant to the CIAC constituency. There are many other packages available with similar capabilities.

With new viruses appearing almost weekly, it seems almost impossible to keep an up-to-date scanner available on every vulnerable machine. In the time it takes to distribute a new scanner, several new viruses are already in the wild. So how do you protect a machine against new viruses?

First, not all machines need to be protected. If a machine never shares floppy disks with anyone and never downloads an executable file (documents are OK) over a network, that machine is highly unlikely to ever encounter a new virus. While that machine should be scanned occasionally, the risk of virus infection does not warrant more extensive checking.

For the rest of us that do exchange files and executables, most current anti-virus programs have ways to protect against a new virus. Actually, there are two capabilities in most anti-virus programs to protect against new viruses: TSR (Terminate and Stay Resident) suspicious activity detectors and program change detectors.

A. Suspicious Activity Detectors
---------------------------------

A suspicious activity detector is a small TSR program that is loaded into memory at boot time and then watches over a system for virus type activities.
Suspicious activities include such things as writing to the boot blocks of a disk, changing or creating an executable file, or going memory resident. When such an activity occurs, the suspicious activity detector pauses the activity and displays a dialog box giving you the option of continuing the activity or halting it. Since some suspicious activity is normal, you must decide whether to stop or continue it. For example, copying an executable file creates a new executable file, which sets off the alarm. Since this is a normal activity, you would allow it to continue. If, on the other hand, you start up your word processor and the suspicious activity detector detects an attempt to change the executable for your spreadsheet program, you should prevent the activity from occurring, as this is not a normal activity for a word processor.

In the DataPhysician Plus package, available to all DOE sites, the suspicious activity detector is the VirALERT program. VirALERT is loaded as a device driver in your CONFIG.SYS file. Normally, the DataPhysician Plus installer program takes care of installing VirALERT for you. VirALERT has several options that set the type of suspicious activity to watch for. Each of the options is explained in the installer program. While you might think that you should set the options to detect all suspicious activity, that might not be a good idea. If the suspicious activity detector alarms all the time, you will probably start ignoring it and won't notice when a truly suspicious activity indicates a virus is present. A reasonable setup from the CONFIG.SYS file is the following.

    DEVICE=C:\DDI\VIRALERT.SYS TV Z=RESSCAN.COM, WIN-RS.COM

With this setup, VirALERT checks for any attempts to write an executable file, (T) watches for other TSR programs attempting to install themselves, (V) warns you when it is off, and (Z=...) ignores the TSR programs in RESSCAN.COM and WIN-RS.COM. In general, the installer does all this setup for you.
If you are performing an activity that sets off the suspicious activity detector, such as copying a directory full of executable files, you don't want to have to sit there pressing C (Continue) every time the dialog pops up. In this case, you can disable VirALERT by pressing I (Inactivate) to turn VirALERT off for the duration of this command. VirALERT automatically turns back on again when the command completes. You can also toggle VirALERT off by pressing Alt-V to see the VirALERT dialog, press the space bar until OFF appears and press Esc to continue. You must repeat this sequence to turn VirALERT back on again.

B. Program Change Detectors
----------------------------

A program change detector creates and stores a signature for some or all the executable files on your disk. Later, using the stored signatures, the program change detector can tell if any executable file has changed. In addition, most program change detectors store those parts of a program that are most often changed by a virus and can usually restore the program using those stored parts, even for a program infected with a new, unknown virus.

Unlike a virus scanner that can be used after an infection has occurred, a program change detector requires some forethought. A program change detector must have a baseline program signature file in order to tell that a change has occurred. Thus, you must have run the scanner before an infection occurred to create that signature file.

The VirHUNT program in the DataPhysician Plus package contains both a virus scanner and a program scanner. The virus scanner searches for known viruses in your executable files, and the program scanner is the program change detector. The program scanner must be run once with the create new signature file option set to store the program signatures. It is then run later to scan for changes in the protected programs. The installer program does this initial scan for you if you request it.
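To make concrete what a program change detector has to store and compare, the following is an added Python example (not code from CIAC or from DDI's DataPhysician Plus) that follows the outline above and the KAOS4 clues given earlier in this bulletin: a baseline of executable signatures is written from a clean directory, a later scan lists new and changed executables and any file whose last sector carries the KAOS4 text, and the stored header copy is used to attempt a restore. The function names, the 64-byte header region and the sample files built in demo() are assumptions, not from the bulletin.

```python
# Added example (not CIAC/DDI code); function names, the header size and the
# demo files are assumptions.  A minimal program change detector in the style
# of VirHUNT's signature mode, plus a user-specified search for the KAOS4 text.
import hashlib
import json
import os
import tempfile
from pathlib import Path

EXECUTABLE_SUFFIXES = {".com", ".exe"}
SECTOR = 512                       # DOS sector; KAOS4 leaves its text in the last one
HEADER_BYTES = 64                  # region an appending infector patches (assumed size)
KAOS4_TEXT = b"KAOS4 / Kohntark"   # cleartext the bulletin reports in infected files
KAOS4_GROWTH = 697                 # bytes KAOS4 adds to a .COM or .EXE file


def executables(directories, recursive):
    """Executables under the given directories ("Directory to scan" in VirHUNT)."""
    found = set()
    for directory in directories:
        root = Path(directory)
        candidates = root.rglob("*") if recursive else root.glob("*")
        found.update(p for p in candidates
                     if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES)
    return sorted(found)

def program_signature(path):
    """Baseline record: size, content hash and a copy of the header for restoring."""
    data = Path(path).read_bytes()
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
            "head": data[:HEADER_BYTES].hex()}

def create_signatures(directories, recursive, sig_file):
    """'Create new signatures': baseline every executable.  The disk must be clean,
    otherwise an infected file is recorded as the known-good version."""
    sigs = {str(p): program_signature(p) for p in executables(directories, recursive)}
    Path(sig_file).write_text(json.dumps(sigs, indent=1))
    return sigs

def user_signature_hit(path, text=KAOS4_TEXT):
    """User-specified search (what loading KAOS4.PRG adds): text in the last sector?"""
    return text in Path(path).read_bytes()[-SECTOR:]

def scan(directories, recursive, sig_file):
    """Signature scan in 'find New files' mode plus the user-specified search."""
    sigs = json.loads(Path(sig_file).read_text())
    report = {"new": [], "changed": [], "kaos4": []}
    for path in executables(directories, recursive):
        key = str(path)
        if user_signature_hit(path):
            report["kaos4"].append(key)
        if key not in sigs:                      # not in the baseline: a new executable
            report["new"].append(key)
            continue
        current = program_signature(path)
        if current["sha256"] != sigs[key]["sha256"]:
            growth = current["size"] - sigs[key]["size"]
            report["changed"].append({"file": key, "growth": growth,
                                      "kaos4_sized": growth == KAOS4_GROWTH})
    return report

def restore(path, sig_file):
    """Put the stored header back and drop the appended body.  Only valid for an
    appending infector that touched nothing else in the original bytes; the
    bulletin's advice to replace the program from a clean copy still applies."""
    sig = json.loads(Path(sig_file).read_text())[str(path)]
    data = bytearray(Path(path).read_bytes()[:sig["size"]])
    data[:HEADER_BYTES] = bytes.fromhex(sig["head"])
    Path(path).write_bytes(data)
    return hashlib.sha256(data).hexdigest() == sig["sha256"]

def demo():
    """Constructed scenario (no real infected files): baseline a stand-in DOS
    directory, mimic a KAOS4-style infection and a newly copied program, scan."""
    root = Path(tempfile.mkdtemp(prefix="virhunt-"))
    dos = root / "DOS"
    dos.mkdir()
    victim = dos / "COMMAND.COM"
    victim.write_bytes(b"\xb8\x00\x4c\xcd\x21" + b"\x90" * 1019)   # 1024-byte dummy
    sig_file = root / "VIRHUNT2.SIG"
    create_signatures([dos], recursive=False, sig_file=sig_file)
    # Infection mimicry: patch the entry bytes, append a 697-byte body ending in the
    # cleartext marker, then put the modification time back (KAOS4 leaves it unchanged).
    before = victim.stat()
    body = b"\x00" * (KAOS4_GROWTH - len(KAOS4_TEXT)) + KAOS4_TEXT
    victim.write_bytes(b"\xe9\x00\x04" + victim.read_bytes()[3:] + body)
    os.utime(victim, ns=(before.st_atime_ns, before.st_mtime_ns))
    (dos / "NEWTOOL.EXE").write_bytes(b"MZ" + b"\x00" * 100)      # not in the baseline
    report = scan([dos], recursive=False, sig_file=sig_file)
    report["mtime_unchanged"] = victim.stat().st_mtime_ns == before.st_mtime_ns
    report["restored"] = restore(victim, sig_file)
    return report

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The demo report shows why the bulletin's size check is the useful clue: the modification date of the changed COMMAND.COM is unchanged, but its hash differs, it grew by exactly 697 bytes, and the marker text sits in its last sector.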
As with virus scanners, a problem with a signature scanner is that it takes a lot of time to scan a hard disk. If the scanner is set up in the AUTOEXEC.BAT file to run every time a machine is booted, it extends the amount of time it takes to boot a machine. A large hard disk can take several minutes to scan, significantly trying a user's patience. Scanning the whole hard disk for viruses or for program changes every time you boot is probably unreasonable for all but the front door and open machines in your organization. A front door machine is one reserved by an organization specifically for scanning disks coming into an organization. Open machines are those made available for anyone to use and, because of their uncontrolled nature, are very susceptible to viruses.

A better strategy is to scan the whole hard disk at times convenient to the user (at night, at lunch, etc.) and to only scan a few particularly sensitive files at boot time. By always scanning those files most likely to be infected by a new virus, you should catch most new infections before they have gone very far. In most cases, the root directory of the C drive and the DOS directory are the most likely places for a new infection to occur. Of course, you should always scan any floppies brought into your area, including those in shrink wrapped containers and any new executable files copied onto your hard disk.

To use the program signature scanner in an efficient manner, you need to make two program signature scans: one of the whole hard disk and one of the directories you are going to scan at every boot. Before creating the program signature file, you must ensure that your disk is free from virus infections; otherwise the scanner will include the virus as part of the signature for a program. Assuming your disk is well scanned and as clean of infections as you can make it, perform the following steps to create the initial program signature file.

1. Start VirHUNT.
2. Execute the command: Options, F: Signature Mode, A: Set signature options, G: Create new signatures, and press Esc to return to the main menu.
3. Execute the command: Options, A: Directory to scan.
4. Type ALL in the dialog box and press Return.
5. Open the Options menu and check that the command: D: Scan subdirectories is set to Yes.
6. Open the Options menu and check that the command: B: Scan is set to Files, memory and boot.
7. Execute the command: Scan and sit back while all the files are scanned and a signature file is created named VIRHUNT.SIG.
8. When this process completes, you may want to save a copy of this signature file on a floppy disk.

You now need a second signature file for only those files you want to scan at every boot up. With all the options set as in the steps above, perform the following steps.

1. Execute the command: Options, A: Directory to scan.
2. In the dialog box, type the directories you want to scan at every boot time and press return. For example, C:\ C:\DOS scans the root directory on the C drive and the DOS directory.
3. Execute the command: Options, D: Scan subdirectories, which should toggle the option to No.
4. Execute the command: Options, F: Signature Mode, A: Set signature options, G: Create new signatures, B: Set signature filename.
5. In the dialog box that appears, type a file name for the program signature file such as VIRHUNT2.SIG, press return and then Esc to return to the main menu.
6. Execute the Scan command and sit back while this small group of files is scanned and a second program signature file is created.

To actually do a signature scan, assuming nothing is set (default), perform the following steps.

1. Start VirHUNT.
2. Execute the command: Options, F: Signature Mode, A: Set signature options, B: Scan, find New files.
3. While still in the signature mode, execute the command: B: Set signature filename.
4. In the dialog box that appears, type VIRHUNT2.SIG, press return and then Esc to return to the main menu. To scan all the files on the disk, instead of just the ones in C:\ and C:\DOS, use VIRHUNT.SIG as the filename instead of VIRHUNT2.SIG.
5. Execute the command: Options, A: Directory to scan.
6. In the dialog box, type C:\ C:\DOS. To scan the whole drive, change this to ALL.
7. Open the Options menu and check that the command: D: Scan subdirectories is set to No. To scan the whole disk, set this to Yes.
8. Open the Options menu and check that the command: B: Scan is set to Files, memory and boot.
9. Execute the command: Options, E: User specified search/remove.
10. In the dialog box that appears, type KAOS4.PRG and press return. This loads the virus signature file for the KAOS4 virus.
11. Execute the command: Scan and sit back while all the files are scanned.

The program first does a virus scan for all the files in C:\ and C:\DOS directories and then does a program signature scan for all the files in the VIRHUNT2.SIG signature file. It checks the C:\ and C:\DOS directories and lists any new executable files found there. If the new files are legitimate and you do not want an alarm every time you run a scan, you must create a new signature file for those directories as you did above.

To do the same run of VirHUNT every time the machine is booted, place the following command in the AUTOEXEC.BAT file.

    C:\DDI\VIRHUNT.EXE C:\ C:\DOS USC:\DDI\KAOS4.PRG SCN SFC:\DDI\VIRHUNT2.SIG LIC:\DDI\SCAN.OUT SISN QU

This command assumes that the files VIRHUNT.EXE, KAOS4.PRG, and VIRHUNT2.SIG are all in the C:\DDI directory. Started with this command, VirHUNT scans the C:\ and C:\DOS directories. The US option loads the KAOS4.PRG virus signature file. The SCN option sets scan subdirectories to No. The SISN does a program signature scan and reports new files found. The QU option makes the program quit after it finishes a successful scan. The SF option sets the file name of the program signature file to use and the LI option sets the file to use to store the results of the scan.

C. Dealing With Stealth Viruses
--------------------------------

Stealth viruses are a special problem for virus scanners and program change detectors. A "good" stealth virus can hide its presence on a disk by diverting low level disk read requests to different sectors so that when a scanner examines a file, the file appears OK. In fact, it is infected with a virus. However, a stealth virus cannot do its stealthy things if it is not in memory. To defeat a stealth virus, boot the system using a clean, locked floppy. You can then use your scanner programs to find and remove any virus. If there is any chance that your scanner program on the hard disk is infected (it will usually tell you if it is), have another copy of the scanner on the clean, locked floppy to do your scanning with. If the scanner on your hard disk indicates that it was infected, be sure to shut down completely and reboot to get the virus out of memory.

Unfortunately, some virus infected hard drives cannot be mounted by a system without the virus in memory. Monkey is of this type. Because they move the partition table to a different place on the disk, the virus must be in memory in order to access the partition data so that the drive can be mounted. Luckily, most virus scanners know how to locate and remove these viruses.

Note that KAOS4 is not a stealth virus.

_____________________________________________________________________________
For additional information or assistance, please contact CIAC:

    Voice:   510-422-8193
    FAX:     510-423-8002
    STU-III: 510-423-2604
    E-mail:  ciac@llnl.gov

Previous CIAC Bulletins and other information are available via anonymous FTP from ciac.llnl.gov (IP address 128.115.19.53) formerly irbis.llnl.gov.

CIAC has several self-subscribing mailing lists for electronic publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical information, and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products.

CIAC's mailing lists are managed by a public domain software package called ListProcessor, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send the following request as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for "LastName" "FirstName" and "PhoneNumber" when sending E-mail to ciac-listproc@llnl.gov:

    subscribe list-name LastName, FirstName PhoneNumber

e.g., subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and information on how to change either of them, cancel your subscription, or get help.

_____________________________________________________________________________
PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending E-mail to first-request@first.org with an empty subject line and a message body containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of the United States Government.
Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.

_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
_____________________________________________________

ADVISORY NOTICE

Vulnerabilities in the SGI IRIX Help System

August 11, 1994 1700 PST
Number E-33
_____________________________________________________________________________
PROBLEM:  Vulnerabilities in the SGI Help system allow unauthorized access to a root shell.
PLATFORM: SGI IRIX 5.x.
DAMAGE:   Unauthorized users can access a root shell without logging in.
SOLUTION: Retrieve and install the patches, or apply the workarounds described below.
_____________________________________________________________________________
VULNERABILITY ASSESSMENT: These vulnerabilities have been widely discussed on many public forums on the Internet. Attack scripts have been created and distributed. Vulnerabilities can only be exploited by currently logged in users or by direct access to the console.
Although no attacks using these methods have been confirmed as of the date of this bulletin, attacks using these vulnerabilities are inevitable. CIAC recommends that all patches be installed.
_____________________________________________________________________________

Critical Information about the Help System vulnerabilities

CIAC has received information from Silicon Graphics, Inc. (SGI) concerning vulnerabilities in the IRIX 5.x operating system that allow root access to unauthorized users. The vulnerabilities exist within the Help subsystem. They have been referred to on the Internet by various names including clogin, printer manager, and SGI Help. When exploited, a currently logged in user can create an active root shell, or a person with physical access to the console can get an active root shell without logging in.

SGI has issued patch65 to fix these vulnerabilities. This problem will be corrected in a future release of IRIX. The patch will only fix the vulnerabilities in IRIX 5.2; no patch is scheduled for IRIX 5.1. SGI recommends that all IRIX 5.1 users upgrade to IRIX 5.2. A workaround solution exists and is effective on all versions of IRIX 5.x. CIAC and SGI recommend that all IRIX 5.2 users implement the workaround immediately until the IRIX 5.2 patch is obtained.

INSTALLATION OF THE WORKAROUND

To install the workaround, perform the following command as root:

    # versions remove sgihelp.sw.eoe

This workaround will neutralize this avenue of attack; however, it also renders the Help subsystem inactive. This will affect other installed software that uses the SGI Help subsystem. Certain help functions from within applications will return non-fatal error messages about the missing subsystem.

INSTALLATION OF THE PATCH (IRIX 5.2 only)

1. Determine which patch(es) you need.

To install the patch for the help vulnerabilities, you need to use the latest SGI inst program named patch34.
To see if you already have patch34 installed on your system, issue the following command:

    # versions patch\*

If the appropriate SGI inst program is loaded, the output will appear as displayed below. Another patch, patchSG0000000, is functionally equivalent to patch34; therefore if it is present you do not need to install patch34.

    I = Installed, R = Removed

       Name                           Date      Description
    I  patchSG0000034                 08/10/94  Patch SG0000034
    I  patchSG0000034.eoe1_sw         08/10/94  IRIX Execution Environment Software
    I  patchSG0000034.eoe1_sw.unix    08/10/94  IRIX Execution Environment

If neither patchSG0000034 nor patchSG0000000 is loaded, you must retrieve and load both patch34 and patch65. Otherwise, you need only retrieve and install patch65.

2. Retrieve the patch(es).

The patches can be retrieved by one of two methods: CD and anonymous ftp. SGI has made a CD available which contains the patches. To receive this CD, contact your nearest SGI service provider and ask for a copy of it. The patches can be retrieved via anonymous ftp from ftp.sgi.com in the directory ~ftp/security. CIAC is also making these patches available from ciac.llnl.gov in the directory pub/ciac/patches/sgi. A third location of these patches is first.org in the directory pub/software/sgi. Patch34 is quite large; users are encouraged to download the patches from the closest ftp site. SGI is keeping a list of alternate ftp sites in the file ftp.sgi.com:~ftp/security/ALTERNATE.SITES. Checksums for the patches are provided below.

    Patch           Standard Unix   System V Unix   MD5 Checksum
    patch34.tar.Z   11066 15627     1674 31253      2859d0debff715c5beaccd02b6bebded
    patch65.tar     63059 1220      15843 2440      af8c120f86daab9df74998b31927e397

3. Uninstall the workaround if it was applied to your system.

If you have applied the workaround and then wish to install the patch, the system needs to be returned to its initial state prior to installation of the patch. The original Help software can be found on the original software distribution CD labeled as IRIX 5.2.
To return the system to its initial state, perform the following command as root IMMEDIATELY PRIOR TO INSTALLATION OF THE PATCH:

    # inst -f /CDROM/dist/sgihelp.sw.eoe
    Inst> install sgihelp.sw.eoe
    Inst> go

4. Install the patch(es).

First install patch34, after verifying the checksum. Uncompress and untar the files. Inst the patch as you would any other SGI software, using the software installation guide for additional information. Next, install patch65 after verifying the checksum, then performing an untar of the files. Inst the patch as you would any other SGI software.

_____________________________________________________________________________
CIAC wishes to thank Silicon Graphics, Inc. for the information contained in this bulletin, and Max Hailperin of Gustavus Adolphus College for his investigation of these vulnerabilities.
_____________________________________________________________________________
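Step 4 says to verify the checksums before installing, and the table in step 2 gives three of them per file. The following added Python example (not SGI's or CIAC's code) recomputes all three, the classic BSD "sum" (the "Standard Unix" column, 1024-byte blocks), the System V "sum" (512-byte blocks) and MD5, and compares a downloaded file with its table row so that a single mismatch is reported by name. Function names are assumptions; the expected values are those printed in the bulletin.

```python
# Added example (not SGI or CIAC code); function names are assumptions, the
# table values are copied from the bulletin.  Recomputes the three checksums
# the patch table lists and compares a downloaded patch file against its row.
import hashlib
import os

BSD_BLOCK = 1024    # "Standard Unix" sum reports 1024-byte blocks
SYSV_BLOCK = 512    # "System V Unix" sum reports 512-byte blocks

# Expected values from the checksum table in step 2 above.
PATCH_TABLE = {
    "patch34.tar.Z": {"bsd": (11066, 15627), "sysv": (1674, 31253),
                      "md5": "2859d0debff715c5beaccd02b6bebded"},
    "patch65.tar": {"bsd": (63059, 1220), "sysv": (15843, 2440),
                    "md5": "af8c120f86daab9df74998b31927e397"},
}


def bsd_sum(data):
    """Classic BSD 'sum' (sum -r): 16-bit rotate-right checksum. Returns (sum, blocks)."""
    checksum = 0
    for byte in data:
        checksum = (checksum >> 1) + ((checksum & 1) << 15)   # rotate right one bit
        checksum = (checksum + byte) & 0xFFFF
    return checksum, -(-len(data) // BSD_BLOCK)               # ceiling division


def sysv_sum(data):
    """System V 'sum' (sum -s): 32-bit byte total folded to 16 bits. Returns (sum, blocks)."""
    total = sum(data) & 0xFFFFFFFF
    folded = (total & 0xFFFF) + (total >> 16)
    folded = (folded & 0xFFFF) + (folded >> 16)
    return folded, -(-len(data) // SYSV_BLOCK)


def md5_hex(data):
    """MD5 digest as the lowercase hex string the table prints."""
    return hashlib.md5(data).hexdigest()


def verify_bytes(data, expected):
    """Compare file contents with one table row; a per-check result makes a
    truncated or altered download visible by the check that failed."""
    return {"bsd": bsd_sum(data) == tuple(expected["bsd"]),
            "sysv": sysv_sum(data) == tuple(expected["sysv"]),
            "md5": md5_hex(data) == expected["md5"].lower()}


def verify_patch(path, name=None):
    """Check a downloaded patch file against the bulletin's row for its file name."""
    name = name or os.path.basename(path)
    with open(path, "rb") as fh:
        data = fh.read()          # patch34 is about 16 MB; reading it whole is fine
    result = verify_bytes(data, PATCH_TABLE[name])
    result["ok"] = all(result.values())
    return result


if __name__ == "__main__":
    import sys
    # usage: python verify_patch.py /path/to/patch65.tar
    print(verify_patch(sys.argv[1]))
```

Only the MD5 column is hard to forge; the two "sum" values mainly catch truncated transfers, which is why all three are compared and the weakest is not trusted alone.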
To subscribe (add yourself) to one of our mailing lists, send the following request as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for "LastName", "FirstName" and "PhoneNumber" when sending E-mail to ciac-listproc@llnl.gov:

        subscribe list-name LastName, FirstName PhoneNumber

e.g., subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and information on how to change either of them, cancel your subscription, or get help.

_____________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending E-mail to first-request@first.org with an empty subject line and a message body containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.


_____________________________________________________
             The U.S. Department of Energy
         Computer Incident Advisory Capability
_____________________________________________________

                    INFORMATION BULLETIN

                   One_half Virus (MS-DOS)

September 13, 1994 1600 PDT                                       Number E-34
_____________________________________________________________________________

PROBLEM:    A previously unknown computer virus is damaging systems.
PLATFORM:   All MS-DOS, PC-DOS, Windows systems, all versions.
DAMAGE:     Damages files, encrypts hard drive.
SOLUTION:   Update your Anti-Virus program to detect/remove the virus.
_____________________________________________________________________________

VULNERABILITY ASSESSMENT: While it is not epidemic, the virus has been seen at an East coast site and it isn't detected by the current versions of most virus scanners (revised versions are upcoming). The virus is intentionally damaging and all files on an infected machine are at risk. Warning: Removing the virus may make some files inaccessible (see below).
_____________________________________________________________________________

Critical Information about the One_half Virus

CIAC has received information about a new computer virus named One_half. The virus, first discovered in April 1994 and previously seen only in Europe, has been found at an East coast site in the United States. The virus is intentionally damaging and all files on an infected machine are at risk. Removal of the virus without first saving critical files could render those files unrecoverable (more below).
Symptoms
--------

Symptoms of the infection include problems connecting to a file server, changes in file sizes, an inability to start Windows, an inability to boot a system and damaged files. If a suspicious activity detector, such as DDI's VirAlert program, is installed, it intercepts an attempt to write to the master boot record of a hard drive when an infected file is run. If the master boot record is already infected, VirAlert warns that system interrupt 21 is pointing to a non-existent block of memory when the system is booted.

Virus Morphology
----------------

When an infected file is run, the virus attacks the master boot record of the hard drive. It copies the original master boot record to a sector that is eight back from the end of the first track and modifies the master boot record to run the virus code. The remainder of the virus code is found in the last seven sectors of the first track on the hard disk.

The following strings are in clear text in the virus code:

        Dis is one half. Press any key to continue ...
        Did you leave the room ?

The virus also contains the names of several prominent antivirus products:

        SCAN, CLEAN, FINDVIRU, GUARD, NOD, VSAFE, MSAV

The virus is multipartite, infecting .COM and .EXE files as well as the master boot record. The virus adds 3544 bytes to .COM and .EXE files. The virus is polymorphic and changes its appearance with every infection by inserting different do-nothing instructions between the actual commands in the virus code.

The virus is a stealth virus and actively hides the infection in the first track. With the virus in memory, any examination of the first track on the hard drive will see only the normal master boot record in the first sector and empty sectors for the rest of the track.

The virus is intentionally damaging. Every time an infected machine boots, the virus encrypts two cylinders of the DOS partition of the hard drive starting with the highest numbered cylinder and progressing to lower numbered ones.
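The track-0 layout just described can be checked on a disk image acquired after a clean boot, since a resident copy of the virus would return a normal MBR and empty sectors. The Python below is an added example written for this page, neither part of the bulletin nor DDI's CHK_HALF; it assumes 512-byte sectors and a 63-sector first track, and reads "eight back from the end" as sector N-8 with the virus body in sectors N-7 through N-1.

```python
"""Offline check of a hard-disk image for the One_half track-0 layout.

Added example; not part of the CIAC bulletin and not DDI's CHK_HALF. It encodes
the layout the bulletin describes: sector 0 still carries a boot sector (now
running the virus), the original MBR sits eight sectors back from the end of the
first track, and the last seven sectors hold the rest of the virus body.
Assumptions not stated in the bulletin: 512-byte sectors, 63 sectors per track
(so track 0 is sectors 0..62, the parked MBR is sector 55, the body is 56..62).
The image must be taken after a clean boot: with the virus resident, reads of
track 0 return a normal MBR and empty sectors.
"""
from typing import List

SECTOR = 512
SECTORS_PER_TRACK = 63                  # assumption; set to the drive's geometry
BOOT_SIGNATURE = b"\x55\xaa"            # last two bytes of any valid boot sector
CLEARTEXT_MARKER = b"Dis is one half."  # clear-text string the bulletin quotes


def sector(image: bytes, n: int) -> bytes:
    return image[n * SECTOR:(n + 1) * SECTOR]


def inspect_track0(image: bytes) -> List[str]:
    """Return findings for track 0; an empty list means the layout looks clean."""
    track = [sector(image, i) for i in range(SECTORS_PER_TRACK)]
    findings = []
    if track[0][-2:] != BOOT_SIGNATURE:
        findings.append("sector 0 lacks the 55AA boot signature")
    # On a DOS disk the sectors between the MBR and the first partition are
    # unused and zero-filled; One_half occupies the last eight of them.
    parked = SECTORS_PER_TRACK - 8
    if any(track[parked]) and track[parked][-2:] == BOOT_SIGNATURE:
        findings.append(f"boot-sector image parked at track-0 sector {parked}")
    used = [i for i in range(SECTORS_PER_TRACK - 7, SECTORS_PER_TRACK) if any(track[i])]
    if used:
        findings.append(f"non-zero data in the last seven track-0 sectors: {used}")
    if CLEARTEXT_MARKER in b"".join(track):
        findings.append("One_half clear-text string present in track 0")
    return findings


def build_clean_image(mbr_code: bytes) -> bytes:
    """Constructed sample: a signed MBR followed by a zero-filled first track."""
    mbr = mbr_code.ljust(SECTOR - 2, b"\x00") + BOOT_SIGNATURE
    return mbr + bytes(SECTOR * (SECTORS_PER_TRACK - 1))


def build_relocated_layout_image(mbr_code: bytes) -> bytes:
    """Constructed sample reproducing only the *layout* from the bulletin, with
    no virus code: original MBR moved to sector N-8, text filler in N-7..N-1."""
    track = bytearray(build_clean_image(mbr_code))
    original = bytes(track[:SECTOR])
    track[:SECTOR] = b"STAND-IN BOOT SECTOR".ljust(SECTOR - 2, b"\x00") + BOOT_SIGNATURE
    parked = (SECTORS_PER_TRACK - 8) * SECTOR
    track[parked:parked + SECTOR] = original
    for i in range(SECTORS_PER_TRACK - 7, SECTORS_PER_TRACK):
        track[i * SECTOR:(i + 1) * SECTOR] = CLEARTEXT_MARKER.ljust(SECTOR, b"\x00")
    return bytes(track)
```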
The virus then hides the fact that it is encrypting the hard drive by decrypting any of the encrypted sectors whenever they are accessed by the system. Only with the virus out of memory do you see the encrypted sectors.

Detection and Removal
---------------------

===========================================================================
WARNING: Because of the encryption the virus does, be sure you copy any important files to a floppy disk or tape before removing the virus. The CHK_HALF program described below does not decrypt any encrypted cylinders, so when the virus is removed, the encryption key is lost with it and any files in the encrypted cylinders are lost.
===========================================================================

DDI has made a detection/removal utility available named CHK_HALF. This program must be run from a machine that was booted with a KNOWN, CLEAN, LOCKED floppy to ensure that the virus is not in memory. When CHK_HALF is run, it scans the current drive and master boot record and removes any virus infections it finds. The utility does not scan memory first and will not work correctly with the virus in memory, so be sure the system was booted with a clean, locked floppy. The utility also does not decrypt any encrypted cylinders, so be sure to copy any important files before removing the virus.

1. Save on a floppy disk or tape any irreplaceable files before attempting to scan or clean a system. If the files are in one of the encrypted sectors, the virus must be in memory for them to be retrieved. If any of these files are executables, be sure to scan them before putting them back on a cleaned machine.

2. Boot your system with a clean, locked floppy to ensure the virus is not in memory.

3. Run the CHK_HALF.EXE program to scan and remove the virus. Delete any files that CHK_HALF was not able to clean.

4. Run a disk maintenance utility such as that included in Norton Utilities or PC Tools to locate and repair damaged directory structures and files caused by encryption of the cylinders and by the bug in the virus.

5. Replace any damaged or missing files on the system.

The file CHK_HALF.ZIP is available on the CIAC file servers. Use anonymous FTP to connect to ciac.llnl.gov (128.115.19.53) and find the file in the /pub/ciac/sectools/pcvirus directory. The CRC-32 checksum from pkzip for the file is e02bf70a, and its expanded file length is 14,024 bytes.

Version 4.0E of the Department of Energy's site licensed antiviral product, Data Physician Plus!, will be available the week of Sept. 12, 1994 and will detect and remove this virus. Other antivirus software which detects this virus includes Dr. Solomon's Antivirus Toolkit version 6.65 (currently available), Norton's AntiVirus October 1 monthly update, McAfee Scan version 2.11, which is scheduled for shipping in mid-September, and F-PROT version 2.14a, scheduled for the end of September.

_____________________________________________________________________________

CIAC wishes to thank Bill Kenny of DDI for spending his Labor Day weekend laboring to write a detection/removal package for this virus so we would have it on Tuesday morning.

_____________________________________________________________________________
CA-93:16a.README
Rev. January 7, 1994

This file is a supplement to the CERT Advisory CA-93:16a of January 7, 1994, and will be updated as additional information becomes available.

The following is vendor-supplied information. Please notice that some entries provide pointers to vendor advisories. For more up-to-date information, contact your vendor.

-------------
Eric Allman, 8.6.4

Version 8.6.4 is available for anonymous FTP from ftp.cs.berkeley.edu in the "ucb/sendmail" directory.

        Standard Unix Sum:   07718 428    sendmail.8.6.4.base.tar.Z
        System V Sum:        64609 856    sendmail.8.6.4.base.tar.Z
        MD5 Checksum:        MD5 (sendmail.8.6.4.base.tar.Z) = 59727f2f99b0e47a74d804f7ff654621

-------------
Paul Pomes, IDA:

A new release is available for anonymous FTP from vixen.cso.uiuc.edu as "pub/sendmail-5.67b+IDA-1.5.tar.gz".
        Standard Unix Sum:   17272 1341   sendmail-5.67b+IDA-1.5.tar.gz
        System V Sum:        30425 2682   sendmail-5.67b+IDA-1.5.tar.gz
        MD5 Checksum:        MD5 (sendmail-5.67b+IDA-1.5.tar.gz) = a9b8e17fd6d3e52739d2195cead94300

-------------
BSDI

BSDI can supply either an easy-to-install port of the smrsh patch from CERT or a port of sendmail-8.6.4 (contact BSDI Customer Support for information on obtaining either of these solutions). In future releases, BSDI will ship the newer sendmail that is not affected by these problems.

Releases affected by this advisory: BSD/386 V1.0.

BSDI Contact Information:

        BSDI Customer Support
        Berkeley Software Design, Inc.
        7759 Delmonico Drive
        Colorado Springs, CO 80919
        Toll Free:  +1 800 ITS BSD8 (+1 800 486 2738)
        Phone:      +1 719 260 8114
        Fax:        +1 719 598 4238
        Email:      support@bsdi.com

-------------
Data General Corporation

Patches are available from dg-rtp.rtp.dg.com (128.222.1.2) in the directory "deliver/sendmail":

        Rev        Patch Number         Sys V Checksum
        --------   ------------------   --------------
        5.4.2      tcpip_5.4.2.p14      39298 512
                   MD5 (tcpip_5.4.2.p14) = c80428e3b791d4e40ebe703ba5bd249c
        5.4R2.01   tcpip_5.4R2.01.p12   65430 512
                   MD5 (tcpip_5.4R2.01.p12) = 9c84cfdb4d79ee22224eeb713a414996
        5.4R2.10   tcpip_5.4R2.10.p05   42625 512
                   MD5 (tcpip_5.4R2.10.p05) = 2d74586ff22e649354cc6a02f390a4be

These patches are loadable via the "syadm" utility and installation instructions are included in the patch notes. Trusted versions of DG/UX will use the same patches as their base version of DG/UX. Customers with any questions about these patches should contact their local SEs or Sales Representatives.

-------------
Digital Equipment Corporation

Systems affected: ULTRIX Versions 4.3 (VAX), ULTRIX V4.3 & V4.3A (RISC), DEC OSF/1 V1.2 & V1.3, using sendmail.
The following patches are available from your normal Digital support channel:

        ULTRIX V4.3 (VAX), V4.3 (RISC) or V4.3a (RISC):   CSCPAT #: CSCPAT_4044
        OSF/1 V1.2 and V1.3:                              CSCPAT #: CSCPAT_4045

*These fixes will be included in future releases of ULTRIX and DEC OSF/1.

Digital Equipment Corporation strongly urges Customers to upgrade to a minimum of ULTRIX V4.3 or DEC OSF/1 V1.2, then apply the Security kit to prevent this potential vulnerability.

The full text of Digital's advisory can be found in /pub/vendors/dec/advisories/sendmail on info.cert.org.

-------------
Hewlett-Packard Company

For HP/UX, the following patches are available:

        PHNE_3369 (series 300/400, HP-UX 8.x), or
        PHNE_3370 (series 300/400, HP-UX 9.x), or
        PHNE_3371 (series 700/800, HP-UX 8.x), or
        PHNE_3372 (series 700/800, HP-UX 9.x), or
        modify the sendmail configuration file (releases of HP-UX prior to 8.0)

These patches may be obtained from HP via FTP (this is NOT anonymous FTP) or the HP SupportLine. To obtain HP security patches, you must first register with the HP SupportLine. The registration instructions are available via anonymous FTP at info.cert.org in the file "pub/vendors/hp/supportline_and_patch_retrieval".

The full text of Hewlett-Packard's advisory can be found in /pub/vendors/hp/advisories/sendmail on info.cert.org.

-------------
IBM

Patches for these problems can be ordered as APAR# ix40304 and APAR# ix41354. Ix40304 is available now and ix41354 will be sent as soon as it is available.

-------------
NeXT, Inc.

NeXT expects to have patches available soon.
-------------
The Santa Cruz Operation

Support Level Supplement (SLS) net379A will soon be available for the following platforms:

        SCO TCP/IP Release 1.2.0 for SCO UNIX or SCO XENIX
        SCO TCP/IP Release 1.2.1 for SCO UNIX
        SCO Open Desktop Release 2.0, 3.0
        SCO Open Desktop Lite Release 3.0
        SCO Open Server Network System, Release 3.0
        SCO Open Server Enterprise System, Release 3.0

This SLS is currently orderable from SCO Support for all customers who have one of the above products registered. It will be available in the near future. Systems using MMDF as their mail system do not need this SLS.

-------------
Sequent Computer Systems

Versions 3.0.17 and greater of Dynix are vulnerable, as are versions 2.2 and 2.3 of the TCP package for PTX. Sequent customers should call the Sequent Hotline at (800) 854-9969 and ask for the Sendmail Maintenance Release Tape. Alternatively, ptx customers can upgrade to PTX/TCP/IP version 2.2.3 or 2.3.1 as appropriate.

-------------
Solbourne

Patch p93122301 is available from Solbourne to fix the sendmail problems. This patch is equivalent to Sun patch 100377-08. Customers may retrieve it via anonymous FTP from solbourne.solbourne.com in the pub/support/OS4.1B directory:

        Filename           BSD         SVR4
                           Checksum    Checksum
        ---------------    ---------   ---------
        p93122301.tar.Z    63749 211   53951 421

        MD5 (p93122301.tar.Z) = f7300f3ecfbbbfaa11a6695f42f14615

It is also available by sending email to solis@solbourne.com and specifying "get patches/4.1b p93122301" in the body of the mail message. Earlier versions (4.1A.*) are no longer supported. The 4.1B patch may well work on 4.1A.* systems but this has not been tested. If you have any questions please call the SOURCE at 1-800-447-2861 or send email to support@solbourne.com.

The full text of Solbourne's advisory can be found in /pub/vendors/solbourne/advisories/sendmail on info.cert.org.

---------------
Sony Corporation

These vulnerabilities have been fixed in NEWS-OS 6.0.1. A patch is available for NEWS-OS 4.x.
Customers should contact their dealers for any additional information.

---------------
Sun Microsystems, Inc.

Sun has made patches for sendmail available as described in their SUN MICROSYSTEMS SECURITY BULLETIN: #00125, 12/23/93. These patches can be found in the /systems/sun/sun-dist directory on ftp.uu.net:

        System        Patch ID    Filename           BSD         SVR4
                                                     Checksum    Checksum
        ------        --------    ---------------    ---------   ---------
        SunOS 4.1.x   100377-08   100377-08.tar.Z    05320 755   58761 1510
        Solaris 2.1   100840-06   100840-06.tar.Z    59489 195   61100 390
        Solaris 2.2   101077-06   101077-06.tar.Z    63001 179   28185 358
        Solaris 2.3   101371-03   101371-03.tar.Z    27539 189   51272 377

MD5 checksums are:

        MD5 (100377-08.tar.Z) = 8e8a14c0a46b6c707d283cacd85da4f1
        MD5 (100840-06.tar.Z) = 7d8d2c7ec983a58b4c6a608bf1ff53ec
        MD5 (101077-06.tar.Z) = 78e165dec0b8260ca6a5d5d9bdc366b8
        MD5 (101371-03.tar.Z) = 687d0f3287197dee35941b9163812b56

A patch for x86 based systems will be forthcoming as patch 101352-02.

Sites running 4.1 that install these patches may need to modify their configuration files slightly. Full details are given in the Sun advisory.

The full text of Sun Microsystems's advisory can be found in /pub/vendors/sun/advisories/sendmail on info.cert.org.

-------------
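Both the SGI checksum table in step 2 of the IRIX bulletin above and the vendor tables in this CA-93:16a supplement publish three values per file: a "Standard Unix" sum, a "System V" sum and an MD5 digest. The Python below is an added example, not code from CIAC, CERT or any vendor; it reimplements the two sum() algorithms so a downloaded patch can be checked against a table row without the original tools. That "Standard Unix" means the BSD `sum` and "System V" means `sum -s` is an assumption of this example, suggested by the 1024-byte versus 512-byte block counts in the tables.

```python
"""Check a downloaded patch against a checksum-table row from a CIAC/CERT bulletin.

Added example (not CIAC, CERT or vendor code). The tables give three values per
file: a 'Standard Unix' sum, a 'System V' sum and an MD5 digest. The two sum()
variants are reimplemented here; the block counts in the tables (1024-byte for
the first, 512-byte for the second) are what identify them as the BSD sum and
System V sum -s. That identification is an assumption of this example.
"""
import hashlib
import sys
from typing import Dict, Tuple


def bsd_sum(data: bytes) -> Tuple[int, int]:
    """BSD ('Standard Unix') sum: 16-bit checksum with a one-bit right rotate
    before each byte is added; returned with the size in 1024-byte blocks."""
    chk = 0
    for b in data:
        chk = (chk >> 1) + ((chk & 1) << 15)   # rotate right one bit
        chk = (chk + b) & 0xFFFF
    return chk, (len(data) + 1023) // 1024


def sysv_sum(data: bytes) -> Tuple[int, int]:
    """System V sum: 32-bit byte total folded twice into 16 bits; returned
    with the size in 512-byte blocks."""
    total = sum(data) & 0xFFFFFFFF             # unsigned 32-bit accumulator
    r = (total & 0xFFFF) + (total >> 16)
    chk = (r & 0xFFFF) + (r >> 16)
    return chk, (len(data) + 511) // 512


def parse_checksum_line(line: str) -> Dict[str, object]:
    """Parse a row laid out like the SGI table:
    '<file> <bsd sum> <bsd blocks> <sysv sum> <sysv blocks> <md5>'."""
    name, b_chk, b_blk, s_chk, s_blk, md5 = line.split()
    return {
        "name": name,
        "bsd": (int(b_chk), int(b_blk)),       # '05320' and '5320' are the same sum
        "sysv": (int(s_chk), int(s_blk)),
        "md5": md5.lower(),
    }


def verify_patch(data: bytes, table_line: str) -> Dict[str, bool]:
    """Report which published values the downloaded bytes match. Only the MD5
    match is evidence against tampering; the two sums are trivial to forge and
    mainly catch truncated or corrupted transfers."""
    expected = parse_checksum_line(table_line)
    return {
        "bsd": bsd_sum(data) == expected["bsd"],
        "sysv": sysv_sum(data) == expected["sysv"],
        "md5": hashlib.md5(data).hexdigest() == expected["md5"],
    }


if __name__ == "__main__":
    # e.g. python verify_patch.py patch34.tar.Z \
    #   "patch34.tar.Z 11066 15627 1674 31253 2859d0debff715c5beaccd02b6bebded"
    with open(sys.argv[1], "rb") as fh:
        print(verify_patch(fh.read(), sys.argv[2]))
```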