PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER
{ISSO}, SPECIAL SECURITY OFFICER {SSO}, INFORMATION RESOURCE MANAGER
{IRM} AND AUTOMATED DATA PROCESSOR {ADP} COORDINATORS
SUBJECT:  CONVEXOS AND CONVEXOS/SECURE VULNERABILITIES {AUTOMATED
SYSTEM SECURITY INCIDENT SUPPORT TEAM {ASSIST} BULLETIN 92-71}.
1.  ASSIST HAS RECEIVED INFORMATION CONCERNING SEVERAL
VULNERABILITIES IN THE FOLLOWING CONVEX COMPUTER CORPORATION
PRODUCTS: CONVEXOS/SECURE, CONVEX CXBATCH, CONVEX STORAGE MANAGER
(CSM), AND CONVEXOS EMACS.  THESE VULNERABILITIES CAN AFFECT CONVEXOS
VERSIONS V6.2 - V10.2 AND CONVEXOS/SECURE VERSIONS V9.5 AND V10.0 ON
ALL SUPPORTED ARCHITECTURES.  CONVEX IS AWARE OF THE VULNERABILITIES,
AND FIXES OR WORKAROUNDS ARE AVAILABLE.  THREE OF THE FIXES ARE
IMPLEMENTED AS FULL ENGINEERING CHANGE NOTICE (ECN) PATCHES AND, AS
SUCH, WILL BE SHIPPED WITH ALL NEW SYSTEMS AS WELL AS BEING RELEASED
AS UPGRADES FOR THE PRODUCTS CXBATCH, CSM AND CONVEXOS/SECURE.  THERE
IS A WORKAROUND AVAILABLE FOR THE CONVEXOS EMACS VULNERABILITY.
CONVEX IS CURRENTLY INCORPORATING THE FIXES TO THESE VULNERABILITIES
INTO FUTURE RELEASES OF EACH PRODUCT.  FUTURE SHIPMENTS OF THESE
PRODUCTS SHOULD NOT BE VULNERABLE TO THESE PROBLEMS.  IF YOU HAVE ANY
QUESTIONS ABOUT THE AFFECTED PRODUCTS, PLEASE CONTACT YOUR CONVEX
REPRESENTATIVE OR THE CONVEX TECHNICAL ASSISTANCE CENTER
(TAC) AT 1-800-952-0379.
2.  PASSWD PATCH: THE "PASSWD" COMMAND IN CONVEXOS/SECURE CONTAINS A
SECURITY VULNERABILITY IN VERSIONS V9.5 AND V10.0 OF CONVEXOS/SECURE.
THIS VULNERABILITY HAS BEEN FIXED IN CONVEXOS/SECURE V10.1.  THE
VULNERABILITY COULD ALLOW LOCAL USERS TO GAIN UNAUTHORIZED ROOT
ACCESS.  TO CORRECT THIS PROBLEM OBTAIN AND INSTALL CONVEXOS/SECURE
V10.0.2 - PART NO. 710-007815-008.
3.  CONVEX CXBATCH - QMGR PATCH: THE "QMGR" COMMAND IN CONVEX CXBATCH
VERSIONS V1.0 - V2.1.3 CONTAINS A SECURITY VULNERABILITY.  THIS
VULNERABILITY IS PRESENT IN CONVEXOS V6.2 - V10.2 ON SYSTEMS THAT
HAVE INSTALLED THE OPTIONAL CXBATCH FACILITY.  THE VULNERABILITY
COULD ALLOW LOCAL USERS TO GAIN UNAUTHORIZED ROOT ACCESS.  TO CORRECT
THE PROBLEM, WHILE LOGGED IN AS ROOT, RENAME THE EXISTING VERSION OF
/USR/CONVEX/QMGR AND MODIFY THE PERMISSION (FROM 6755 TO 700) TO
PREVENT MISUSE BY EXECUTING THE FOLLOWING COMMANDS.
# /BIN/MV /USR/CONVEX/QMGR /USR/CONVEX/QMGR.ORIG
# /BIN/CHMOD 700 /USR/CONVEX/QMGR.ORIG
NEXT, OBTAIN AND INSTALL CONVEX CXBATCH V2.1.4 - PART NO.
710-007830-011.
4.  CONVEX CSM - MIGMGR PATCH: THE "MIGMGR" COMMAND OF CONVEX CSM
CONTAINS A SECURITY VULNERABILITY, IN CONVEXOS VERSION V10.1 OF
SYSTEMS THAT HAVE INSTALLED THE CSM FACILITY.  THIS VULNERABILITY
WILL BE FIXED IN THE NEXT CSM RELEASE.  THE VULNERABILITY COULD ALLOW
LOCAL USERS TO GAIN UNAUTHORIZED ROOT ACCESS.  TO CORRECT THE
PROBLEM, WHILE LOGGED IN AS ROOT, RENAME THE EXISTING VERSION OF
/USR/CSM/BIN/MIGMGR AND MODIFY THE PERMISSION (FROM 4755 TO 700) TO
PREVENT MISUSE BY EXECUTING THE FOLLOWING COMMANDS.
# /BIN/MV /USR/CSM/BIN/MIGMGR /USR/CSM/BIN/MIGMGR.ORIG
# /BIN/CHMOD 700 /USR/CSM/BIN/MIGMGR.ORIG
NEXT, OBTAIN AND INSTALL CONVEX CSM V1.0.1 - PART NO.         
710-011315-003
5.  CONVEXOS - EMACS EDITOR WORKAROUND: THE EMACS EDITOR OF CONVEXOS
CONTAINS A SECURITY VULNERABILITY, IN CONVEXOS VERSIONS V9.0 - V10.2. 
THE VULNERABILITY COULD ALLOW LOCAL USERS TO GAIN UNAUTHORIZED ACCESS
TO /DEV/KMEM.  TO CORRECT THE PROBLEM, WHILE LOGGED IN AS ROOT,
REMOVE THE SETGID BIT FROM /USR/CONVEX/EMACS BY EXECUTING THE
FOLLOWING COMMAND.
# /BIN/CHMOD 755 /USR/CONVEX/EMACS
6.  POINT OF CONTACT:  ASSIST POINT OF CONTACT FOR THIS MATTER IS
MIKE HIGGINS, COMM {703} 696-1904/24 OR DSN 226-1904/24.  ASSIST CAN
BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER {800} SKY-PAGE {800-
759-7243}, PIN NUMBER 2133937.  WHEN CALLING THE PAGER SERVICE,
FOLLOW THE AUTOMATED VOICE INSTRUCTIONS AND ENTER THE CALL BACK
NUMBER AFTER THE PROMPT.  THE ASSIST DUTY OFFICER WILL CALL YOU BACK
WITHIN 30 MINUTES.  IF FASTER SERVICE IS REQUIRED, PREFIX YOUR
TELEPHONE NUMBER WITH "999", AND THE ASSIST DUTY OFFICER WILL CALL
BACK WITHIN 5 MINUTES.  ASSIST CAN BE REACHED VIA E-MAIL AT "DOD-
CERT{AT-SIGN}DDN-CONUS.DDN.MIL".
BT