_____________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ _____________________________________________________ INFORMATION BULLETIN Security Patch Kits for ULTRIX, DECnet-ULTRIX and OSF/1 May 18, 1994 1530 PDT Number E-24 ______________________________________________________________________________ PROBLEM: Digital Equipment Corporation has identified vulnerabilities in ULTRIX v4.3 and v4.4, DECnet-ULTRIX v4.2, and OSF/1 v1.2 through v2.0. PLATFORM: Digital's VAX and RISC based workstations. DAMAGE: Users may obtain unauthorized access or privilege. SOLUTION: Upgrade software; install patches available from DEC. ______________________________________________________________________________ VULNERABILITY Similar vulnerabilities have been exploited on systems ASSESSMENT: connected to the Internet. Digital recommends sites upgrade older versions and/or install the appropriate fix immediately. ______________________________________________________________________________ Critical Information about Vulnerabilities in ULTRIX, DECnet-ULTRIX and OSF/1 CIAC has been advised by the Software Security Response Team (SSRT) of Digital Equipment Corporation of security patches for their ULTRIX, DECnet-ULTRIX and OSF/1 products. SSRT requests that their advisory be reprinted without change [only minor corrections were necessary-ed]. ============================ Begin SSRT Advisory ============================= SOURCE: Digital Equipment Corporation - ( DSIN / DSNlink FLASH MAIL ) Software Security Response Team 17.MAY.94 PRODUCT: ULTRIX Versions 4.3, 4.3A, V4.4 DECnet-ULTRIX Version 4.2 DEC OSF/1 Versions 1.2, 1.3, 1.3A, 2.0 ADVISORY INFORMATION: SUBJECT: Security Enhanced Kit for DECNET-ULTRIX V4.2, ULTRIX V4.3 (VAX/RISC), ULTRIX V4.3A (RISC), ULTRIX V4.4 (VAX/RISC), ULTRIX Worksystem Software and DEC OSF/1 V1.2 - V2.0 IMPACT: Potential security vulnerabilities exist where, under certain circumstances, user access or privilege may be expanded. SOLUTION: ULTRIX: Upgrade/Install ULTRIX to a minimum of V4.4 and install the Security Enhanced Kit DEC OSF/1: Upgrade/Install to a minimum of V1.2 and install the Security Enhanced Kit ________________________________________________________________________________ These kits are available from Digital Equipment Corporation by contacting your normal Digital support channel or by request via DSNlink for electronic transfer. ________________________________________________________________________________ IMPACT: Digital has discovered the existence of potential software security vulnerabilities in the ULTRIX V4.3, V4.3a, V4.4 and DEC OSF/1 V1.2, V1.3, V2.0 Operating Systems, and in DECnet-ULTRIX V4.2. These potential vulnerabilities were discovered as a result of evaluating recent reports of potential security vulnerabilities which were distributed on the INTERNET and as a result of Digital's continued engineering efforts. The solutions to these vulnerabilities have been included in the next release of ULTRIX and DEC OSF/1. The kits have been created to correct potential software security vulnerabilities which, under certain circumstances may expand user access or privilege. Digital Equipment Corporation strongly urges Customers to upgrade to a minimum of ULTRIX V4.4 and DEC OSF/1 V2.0 then apply the Security Enhanced Kit. - Please refer to the applicable Release Note information prior to upgrading your installation. ________________________________________________________________________________ KIT PART NUMBERS and DESCRIPTIONS CSC PATCH # CSCPAT_4060 V1.0 ULTRIX V4.3 thru V4.4 (Includes DECnet-ULTRIX V4.2) CSCPAT_4061 V1.0 DEC OSF/1 V1.2 thru V2.0 _______________________________________________________________ These kits will not install on versions previous to ULTRIX V4.3 or DEC OSF/1 V1.2. _______________________________________________________________ ________________________________________________________________________________ The ULTRIX Security Enhanced kit replaces the following images: /usr/etc/comsat ULTRIX V4.3, V4.3a, V4.4 /usr/ucb/lpr " " /usr/bin/mail " " /usr/lib/sendmail " " *sendmail - is a previously distributed solution. /usr/etc/telnetd ULTRIX V4.3, V4.3a only ______________________________________ for DECnet-ULTRIX V4.2 installations: /usr/etc/dlogind /usr/etc/telnetd.gw ________________________________________________________________________________ The DEC OSF/1 Security Enhanced kit replaces the following images: /usr/sbin/comsat DEC OSF/1 V1.2, V1.3 V2.0 /usr/bin/binmail /usr/bin/lpr " " /usr/sbin/sendmail DEC OSF/1 V1.2, V1.3 only *sendmail - is a previously distributed solution. /usr/bin/rdist " " /usr/shlib/libsecurity.so DEC OSF/1 V2.0 only ________________________________________________________________________________ Digital urges you to periodically review your system management and security procedures. Digital will continue to review and enhance the security features of its products and work with customers to maintain and improve the security and integrity of their systems. ________________________________________________________________________________ NOTE: For non-contract/non-warranty customers contact your local Digital support channels for information regarding these kits. ============================ End SSRT Advisory ============================= CIAC wishes to thank Richard Boren of Digital Equipment Corporation's SSRT for providing the advisory used in this bulletin. DEC's SSRT can be contacted directly at 1-800-354-9000. ______________________________________________________________________________ For additional information or assistance, please contact CIAC: Voice: 510-422-8193 FAX: 510-423-8002 STU-III: 510-423-2604 E-mail: ciac@llnl.gov CIAC has several self-subscribing mailing lists for electronic publications: 1. CIAC-BULLETIN for Advisories, highest priority - time critical information and Bulletins, important computer security information; 2. CIAC-NOTES for Notes, a collection of computer security articles; 3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability; 4. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products. Our mailing lists are managed by a public domain software package called ListProcessor, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send the following request as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for "LastName" "FirstName" and "PhoneNumber" when sending E-mail to ciac-listproc@llnl.gov: subscribe list-name LastName, FirstName PhoneNumber e.g., subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36 You will receive an acknowledgment containing address, initial PIN, and information on how to change either of them, cancel your subscription, or get help. ______________________________________________________________________________ PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending E-mail to first-request@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.