From longstaf Wed Aug 14 22:25:45 1991
Return-Path:
Received: by (4.1/SMI-4.1) id AA14944; Wed, 14 Aug 91 22:24:12 PDT
Date: Wed, 14 Aug 91 22:24:12 PDT
From: longstaf (Tom Longstaff)
Message-Id: <9108150524.AA14944@>
To: external
Cc:
Subject: CIAC bulletin B-36: New patch available for /usr/ucb/telnet on ULTRIX systems
Status: RO

         _____________________________________________________
               The Computer Incident Advisory Capability
                   ___  __ __    _     ___
                  /       |     / \   /
                  \___  __|__  /___\  \___
         _____________________________________________________
                         Information Bulletin

      New patch available for /usr/ucb/telnet on ULTRIX systems

August 14, 1991, 1300 PDT                                    Number B-36

               Critical Facts about /usr/ucb/telnet patch
-------------------------------------------------------------------------------
PROBLEM:   ULTRIX 4.1 and 4.2 systems running the Lat-Telnet gateway
           software (lattelnet) may allow unauthorized privileged access.
PLATFORM:  ULTRIX 4.1 and 4.2 systems on RISC and VAX architectures.
DAMAGE:    Potential for considerable damage (e.g., creating bogus
           accounts, installing a trojan horse, etc.) once unauthorized
           privileged access is obtained.
SOLUTIONS: Obtain and install new telnet program from DEC or CIAC.
-------------------------------------------------------------------------------

A new patch to close a vulnerability in the Lat-Telnet gateway software
for ULTRIX 4.1 and 4.2 systems is now available. This patch will close a
vulnerability in the telnet software that may allow unauthorized
privileged access to the ULTRIX system running the Lat-Telnet gateway
software (lattelnet). The method used to exploit this vulnerability has
recently been posted to the Internet, so it is important that you install
this patch if your system supports the LAT-Telnet gateway software. Since
there is no apparent harm in applying this patch to any ULTRIX 4.2
system, CIAC encourages all sites to install this patch.

The LAT/Telnet software requires special installation and is NOT part of
the default ULTRIX configuration.
To determine if this software is active on your system, execute the
following command:

     > grep lattelnet /etc/ttys

If this command returns a result similar to the one below, you are
running the Lat-Telnet gateway software.

     tty##  "/usr/etc/lattelnet std.9600" vt100 on nomodem

Patches for both the VAX and RISC architectures are available from DEC or
CIAC (e.g., via anonymous FTP). To obtain the patch from the DEC Customer
Support Center, sites within the USA should call 1-800-525-7100. Other
sites should contact DEC through their normal channels. If you have
Internet access, the following procedure will transfer the patches from
the CIAC anonymous FTP server:

     > ftp irbis.llnl.gov
     user: anonymous
     password: {your e-mail address}
     ftp> binary
     ftp> get pub/ciac/unix/ultrix/usr-ucb-telnet.vax
     ftp> get pub/ciac/unix/ultrix/usr-ucb-telnet.risc
     ftp> quit

Once you have obtained the version of /usr/ucb/telnet appropriate to your
architecture, use the following procedure to install the new telnet
program:

Become "root" on the system to be patched (i.e., use the su command).

Rename the original telnet program (to avoid overwriting this code with a
new patch) by entering:

     # mv /usr/ucb/telnet /usr/ucb/telnet-dist

Copy the new version of telnet to /usr/ucb (the filename shown below is
for VAX architectures; substitute "risc" for "vax" if you are using a
RISC architecture):

     # cp /{download location}/usr-ucb-telnet.vax /usr/ucb/telnet

Ensure that the permissions and ownership of the new telnet program are
the same as the original (the program sizes shown below may not be the
same as those from your system):

     # chown bin.bin /usr/ucb/telnet
     # chmod 755 /usr/ucb/telnet
     # ls -lg /usr/ucb/telnet*
     -rwxr-xr-x 1 bin bin 280224 {date and time} /usr/ucb/telnet
     -rwxr-xr-x 1 bin bin 172032 {date and time} /usr/ucb/telnet-dist

You can then verify the operation of the new /usr/ucb/telnet program by
using the telnet command to connect to other hosts with which you have
permission to connect.
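
The grep check above also matches lattelnet lines that are commented out
or switched off. The script below is an added example, not part of the
original bulletin: it separates active from disabled entries, assuming
the ttys layout shown in the sample line (name, quoted command, terminal
type, status flags, optional # comment). The function names and the
sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the bulletin): classify lattelnet entries in a
# ttys-format file. Assumed line layout: name "command" type flags... # comment

# Prints "active NAME" or "disabled NAME" for each lattelnet line.
# Reads the file named in $1, or standard input when no file is given.
lattelnet_entries() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }           # commented-out or blank line
    {
        n = split($0, q, "\"")               # q[2] is the quoted command
        if (n < 3 || q[2] !~ /lattelnet/) next
        name = q[1]; gsub(/[ \t]/, "", name)
        rest = q[3]; sub(/#.*/, "", rest)    # drop trailing comment text
        state = "disabled"
        m = split(rest, w)                   # terminal type and status flags
        for (i = 1; i <= m; i++) if (w[i] == "on") state = "active"
        print state, name
    }' "$@"
}

# Succeeds (exit 0) only if at least one lattelnet port is switched on.
lattelnet_active() {
    lattelnet_entries "$@" | grep '^active ' >/dev/null
}

# Constructed sample data, not taken from a real system.
sample_ttys() {
    cat <<'EOF'
console "/etc/getty std.9600" vt100 on secure
tty07 "/usr/etc/lattelnet std.9600" vt100 on nomodem
tty08 "/usr/etc/lattelnet std.9600" vt100 off nomodem  # turn on later
#tty09 "/usr/etc/lattelnet std.9600" vt100 on nomodem
EOF
}

# Demonstration on the sample; on a real host run: lattelnet_entries /etc/ttys
sample_ttys | lattelnet_entries
```
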

For additional information or assistance, please contact CIAC:

     Tom Longstaff
     (415) 423-4416 or (FTS) 543-4416
     longstaf@llnl.gov

During working hours call CIAC at (415) 422-8193 or (FTS) 532-8193 or
send e-mail to ciac@llnl.gov.

Digital Equipment Corporation (DEC) and the Computer Emergency Response
Team (CERT) provided some of the information contained in this bulletin.

This document was prepared as an account of work sponsored by an agency
of the United States Government. Neither the United States Government nor
the University of California nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents that
its use would not infringe privately owned rights. Reference herein to
any specific commercial products, process, or service by trade name,
trademark, manufacturer, or otherwise, does not necessarily constitute or
imply its endorsement, recommendation or favoring by the United States
Government or the University of California. The views and opinions of
authors expressed herein do not necessarily state or reflect those of the
United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.