             _____________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             _____________________________________________________

                           INFORMATION BULLETIN

                       Unix /bin/mail Vulnerabilities

January 27, 1995 1030 PST                                        Number F-09
_____________________________________________________________________________
PROBLEM:        The Unix /bin/mail utility contains security vulnerabilities.
PLATFORMS:      DEC OSF/1 1.2, 1.3, and 2.0
                DEC Ultrix 4.3, 4.3A, and 4.4
                SCO Unix System V/386 Release 3.2 OS Version 4.2
                SCO Open Desktop Lite Release 3.0
                SCO Open Desktop Release 3.0
                SCO Open Server Enterprise System Release 3.0
                SCO Open Server Network System Release 3.0
                Solbourne OS4.1x
                SunOS 4.x
DAMAGE:         Local users may gain privileged (root) access.
SOLUTION:       Apply the appropriate vendor patch as described below.
_____________________________________________________________________________
VULNERABILITY   The vulnerabilities in the /bin/mail program have been openly
ASSESSMENT:     discussed in several Internet forums, and automated scripts
                exploiting the vulnerabilities have been widely distributed.
                These tools have been used in many recent attacks. CIAC
                recommends that sites install these patches as soon as
                possible.
_____________________________________________________________________________

          Critical Information about Unix /bin/mail Vulnerabilities

The /bin/mail utility on several Unix versions derived from 4.3 BSD contains
a security vulnerability. It is the result of race conditions that exist
during the delivery of messages to local users: /bin/mail delivers with
privilege, and in the window between its checks on the destination and its
write to that destination a local user can alter what the destination refers
to. These race conditions allow intruders to create or modify files on the
system, resulting in privileged access to the system.

Below is a summary of systems known to be either vulnerable or not
vulnerable. If your vendor's name is not listed, please contact the vendor or
CIAC for more information.
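The following C program is an added illustration of the bug class described
above; it is not code from CIAC, CERT or any vendor, and it does not
reproduce the actual /bin/mail source or the specific race that the vendor
patches fix. It contrasts a delivery routine that inspects a mailbox by path
name and then reopens that name (a check-then-use race) with one that opens
first and validates the descriptor it actually holds. The attacker's move is
simulated by a hook called inside the window so the outcome is deterministic
rather than timing-dependent; the mailbox and "protected" file names, the
message text and the O_NOFOLLOW flag are assumptions of this example
(O_NOFOLLOW is a later POSIX addition; on the 1995 systems listed above the
equivalent defence is to lstat() the name, fstat() the descriptor, and
require that device and inode match).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hook that runs inside the race window; in this demo it plays the local
 * attacker who wins the race (constructed for the example). */
typedef void (*race_hook_t)(void *ctx);

/* Vulnerable shape: inspect the mailbox by path name, decide it is safe,
 * then open() the same name again.  Nothing ties the second call to the
 * object the first one looked at, so the name can be rebound in between. */
int deliver_unsafe(const char *mbox, uid_t owner, const char *msg,
                   race_hook_t hook, void *ctx)
{
    struct stat st;
    if (stat(mbox, &st) == 0 &&
        (!S_ISREG(st.st_mode) || st.st_uid != owner))
        return -1;                       /* looked wrong at check time */
    if (hook) hook(ctx);                 /* the race window */
    int fd = open(mbox, O_WRONLY | O_APPEND | O_CREAT, 0600); /* follows symlinks */
    if (fd < 0) return -1;
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n == (ssize_t)strlen(msg) ? 0 : -1;
}

/* Hardened shape: open first, refusing to follow a symlink, then validate
 * the descriptor actually held with fstat().  Whatever happens to the name
 * afterwards cannot change the object being written. */
int deliver_safe(const char *mbox, uid_t owner, const char *msg,
                 race_hook_t hook, void *ctx)
{
    if (hook) hook(ctx);                 /* attacker gets the same window */
    int fd = open(mbox, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0 && errno == ENOENT)       /* no mailbox yet: create atomically */
        fd = open(mbox, O_WRONLY | O_APPEND | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;               /* ELOOP here: the name is a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner || st.st_nlink != 1) {   /* nlink > 1: hard-link trick */
        close(fd);
        return -1;
    }
    ssize_t n = write(fd, msg, strlen(msg));
    close(fd);
    return n == (ssize_t)strlen(msg) ? 0 : -1;
}

struct swap_ctx { const char *mbox; const char *target; };

/* The attacker's move: replace the victim's mailbox with a symlink to a file
 * the privileged delivery agent may write but the attacker may not. */
static void swap_for_symlink(void *p)
{
    struct swap_ctx *c = p;
    unlink(c->mbox);
    symlink(c->target, c->mbox);
}

typedef int (*deliver_fn)(const char *, uid_t, const char *, race_hook_t, void *);

/* Sets up a scratch mailbox and a "protected" file (both constructed), runs
 * one delivery routine with or without the attacker in the window, and
 * reports the outcome: bit 0 = protected file was written, bit 1 = message
 * landed in a regular mailbox file, -1 = setup failure.  Cleans up after. */
int run_race(deliver_fn deliver, int attack)
{
    char dir[] = "/tmp/mailrace.XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char mbox[300], target[300];
    snprintf(mbox, sizeof mbox, "%s/victim", dir);
    snprintf(target, sizeof target, "%s/protected", dir);
    int fd = open(mbox, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    close(fd);
    fd = open(target, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) return -1;
    close(fd);

    struct swap_ctx c = { mbox, target };
    const char *msg = "From alice Fri Jan 27 10:30:00 1995\nhello\n"; /* constructed */
    deliver(mbox, getuid(), msg, attack ? swap_for_symlink : NULL, &c);

    struct stat st;
    int result = 0;
    if (stat(target, &st) == 0 && st.st_size > 0) result |= 1;
    if (lstat(mbox, &st) == 0 && S_ISREG(st.st_mode) && st.st_size > 0) result |= 2;
    unlink(mbox); unlink(target); rmdir(dir);
    return result;
}

int main(void)
{
    printf("no attacker  : unsafe=%d safe=%d\n",
           run_race(deliver_unsafe, 0), run_race(deliver_safe, 0));
    printf("with attacker: unsafe=%d safe=%d\n",
           run_race(deliver_unsafe, 1), run_race(deliver_safe, 1));
    return 0;
}
```

Without the attacker both routines deliver to the mailbox (result 2). With
the attacker in the window, deliver_unsafe appends the message to the
protected file (result 1), because open() resolved the rebound name; 
deliver_safe refuses (result 0), because O_NOFOLLOW makes the open fail and
every property it relies on is read from the descriptor, not the path.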
    Vendor or Source                        Status
    ----------------                        ------------
    Apple Computer, Inc.                    Not vulnerable
    Berkeley SW Design, Inc. (BSDI)         Not vulnerable
    Cray Research, Inc.                     Not vulnerable
    Data General Corp.                      Not vulnerable
    Digital Equipment Corp.                 Vulnerable
    FreeBSD                                 Not vulnerable
    Harris                                  Not vulnerable
    IBM                                     Not vulnerable
    NetBSD                                  Not vulnerable
    NeXT, Inc.                              Not vulnerable
    Pyramid                                 Not vulnerable
    The Santa Cruz Operation (SCO)          Vulnerable
    Solbourne (Grumman)                     Vulnerable
    Sun Microsystems, Inc.                  SunOS 4.x vulnerable
                                            Solaris 2.x not vulnerable

Patch Information
-----------------

DEC

The /bin/mail patch is part of a comprehensive Security Enhanced Kit that
addresses other security problems as well. This kit was released on May 17,
1994 and was described in DEC Security Advisory #0505 and CIAC Notes 94-03.
OSF/1 users should upgrade to a minimum of version 2.0 and install Security
Enhanced Kit CSCPAT_4061 v1.0. Ultrix users should upgrade to at least
version 4.4 and install Security Enhanced Kit CSCPAT_4060 v1.0. Both kits are
available from your Digital support channel or electronically by request via
DSNlink.

SCO

Vulnerabilities in SCO's /bin/mail utility are removed by applying SCO's
Support Level Supplement (SLS) uod392a. It is available via anonymous FTP
from ftp.sco.com in the /SLS directory:

    Description     Filename        MD5 Checksum
    ------------    -------------   --------------------------------
    Disk image      uod392a.Z       2c26669d89f61174f751774115f367a5
    Cover letter    uod392a.ltr.Z   52db39424d5d23576e065af2b80aee49

Solbourne

Grumman System Support Corporation now performs all Solbourne software and
hardware support. Please contact them for further information:

    E-mail:  support@nts.gssc.com
    Phone:   1-800-447-2861
    FTP:     ftp.nts.gssc.com

Sun

Sun has made patches available to remove vulnerabilities in /bin/mail. These
patches address all vulnerabilities CIAC has seen exploited to date, and CIAC
recommends they be installed.
However, the patches will be updated again in the near future to remove
additional vulnerabilities that have recently come to light. CIAC will
announce the availability of the new patches when they are released. The
patches may be obtained from your local Sun Answer Center or through
anonymous FTP from sunsolve1.sun.com in the /pub/patches directory:

    SunOS     Filename          MD5 Checksum
    -------   ---------------   --------------------------------
    4.1.x     100224-13.tar.Z   90a507017a1a40c4622b3f1f00ce5d2d
    4.1.3U1   101436-08.tar.Z   0e64560edc61eb4b3da81a932e8b11e1

Compare the MD5 checksum of each downloaded file with the value listed before
installing it.

Alternative Solution
--------------------

For those sites unable to obtain a vendor patch for a vulnerable version of
/bin/mail, a replacement package called mail.local has been developed and
made freely available on the Internet.

The /bin/mail program is relatively complex software, serving both as a mail
delivery agent and as a user interface that lets users send and read E-mail
messages. Complex system software like /bin/mail is more likely to exhibit
security vulnerabilities. The mail.local package was written to perform only
one task, the delivery of mail to local users. It is comparatively small, and
the code has been examined carefully by experts in the security community.
While it has not been formally evaluated, it is probable that mail.local
addresses all vulnerabilities currently being exploited in /bin/mail. For
more information, see the file README in the directory
ftp://coast.cs.purdue.edu/pub/tools/unix/mail.local/.
_____________________________________________________________________________

CIAC wishes to acknowledge the contributions of the CERT Coordination Center
in the construction of this bulletin.
_____________________________________________________________________________

For emergencies and off-hour assistance, DOE and DOE contractor sites can
contact CIAC 24 hours a day via an integrated voicemail and SKYPAGE number.
To use this service, dial 1-510-422-8193 or 1-800-759-7243 (SKYPAGE).
The primary SKYPAGE PIN number, 8550070, is for the CIAC duty person. A
second PIN, 8550074, is for the CIAC Project Leader. CIAC's FAX number is
510-423-8002, and the STU-III number is 510-423-2604. Send E-mail to
ciac@llnl.gov.

Previous CIAC notices, anti-virus software, and other information are
available on the Internet via anonymous FTP from ciac.llnl.gov (IP address
128.115.19.53).

CIAC has several self-subscribing mailing lists for electronic publications:

1.  CIAC-BULLETIN for Advisories, highest priority - time critical
    information, and Bulletins, important computer security information;
2.  CIAC-NOTES for Notes, a collection of computer security articles;
3.  SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
    software updates, new features, distribution and availability;
4.  SPI-NOTES, for discussion of problems and solutions regarding the use
    of SPI products.

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send requests of the following form:

    subscribe list-name LastName, FirstName PhoneNumber

as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES,
SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for
"LastName", "FirstName" and "PhoneNumber". Send to: ciac-listproc@llnl.gov,
not to: ciac@llnl.gov.

e.g.,
    subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36
    subscribe ciac-bulletin O'Hara, Scarlett 404-555-1212 x36

You will receive an acknowledgment containing address and initial PIN, and
information on how to change either of them, cancel your subscription, or
get help.
_____________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained by sending
E-mail to first-request@first.org with an empty subject line and a message
body containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.