PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER {ISSO}, SPECIAL SECURITY OFFICER {SSO}, INFORMATION RESOURCE MANAGER {IRM} AND AUTOMATED DATA PROCESSOR {ADP} COORDINATORS

U-1,309/DS-SIM

SUBJ: UNIX SYSTEM V SECURITY PROBLEM ON 386/486 PLATFORMS (UAREA BUG) {AUTOMATED SYSTEMS SECURITY INCIDENT SUPPORT TEAM {ASSIST} 92-53}

1. DISCUSSION: A VULNERABILITY EXISTS IN UNIX SYSTEM V THAT ALLOWS PRIVILEGED ACCESS TO FILES ON SOME VERSIONS OF UNIX SYSTEM V RUNNING ON AN INTEL 80386/80486 BASED COMPUTER. THIS PROBLEM, KNOWN AS THE UAREA BUG, HAS BEEN CORRECTED BY AT&T. MOST VENDORS OF UNIX SYSTEM V BASED ON THE AT&T SOFTWARE HAVE RECENTLY RELEASED PATCHES SPECIFICALLY DESIGNED FOR THEIR PRODUCTS. THIS BULLETIN PROVIDES A PARTIAL LIST OF VENDORS THAT ARE PROVIDING PATCHES FOR THIS PROBLEM, AS WELL AS VENDORS WHOSE PRODUCT NEVER HAD THE VULNERABILITY IN A SPECIFIED RELEASE.

2. RECOMMENDATION: CHECK THE MATRIX LISTED BELOW FOR ANY VENDOR/VERSION COMBINATIONS THAT ARE APPLICABLE TO YOUR SYSTEM. FOR EACH VENDOR, THE LISTED VERSIONS WERE TESTED FOR THIS VULNERABILITY, AND A PATCH WAS DEVELOPED FOR THOSE VERSIONS FOUND TO BE VULNERABLE. IF THE VENDOR/VERSION COMBINATION DOES NOT EXHIBIT THE VULNERABILITY, "NO" APPEARS IN THE THIRD COLUMN.

VENDOR                    VERSION        EXHIBITS VULNERABILITY
------------------------  -------------  ----------------------
DELL                      SVR3.2/1.0.6   YES, PATCH AVAILABLE
DELL                      SVR3.2/1.1     NO
DELL                      SVR4.0/2.0     NO
INTERACTIVE               2.0.2          YES, PATCH AVAILABLE
INTERACTIVE               2.2            YES, PATCH AVAILABLE
INTERACTIVE               2.2.1          YES, PATCH AVAILABLE
EVEREX (ESIX)             REV. D         YES, PATCH AVAILABLE
AT&T                      SVR3.2.0       YES, PATCH AVAILABLE
AT&T                      SVR3.2.1       NO
SCO                       ALL VERSIONS   NO
MICROPORT                 2.2            NO

MOST VENDORS ARE AWARE OF THIS BUG, AND HAVE TAKEN STEPS TO CORRECT THE PROBLEM. IF YOUR VENDOR/VERSION OF UNIX IS NOT LISTED, OR IS LISTED AS VULNERABLE, CONTACT YOUR UNIX SYSTEM V VENDOR FOR THE PATCH.

3. POINT OF CONTACT: ASSIST POINT OF CONTACT FOR THIS MATTER IS MIKE HIGGINS, COMM {202} 373-8852/55 OR DSN 243-8852/55.
ASSIST CAN BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER {800} SKY-PAGE, PIN NUMBER 2133937 {FROM A TOUCH TONE PHONE ENTER THE CALL BACK NUMBER AFTER THE PROMPT} OR AUTOVON DIAL 243-8000 AND ASK TO HAVE THE ASSIST DUTY OFFICER PAGED. ASSIST CAN BE REACHED VIA E-MAIL AT "DOD-CERT{AT-SIGN}DDN-CONUS.DDN.MIL."