PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER {ISSO}, SPECIAL SECURITY OFFICER {SSO}, INFORMATION RESOURCE MANAGER {IRM} AND AUTOMATED DATA PROCESSOR {ADP} COORDINATORS

SUBJECT: NEXT NETINFO "_WRITERS" VULNERABILITIES {AUTOMATED SYSTEM SECURITY INCIDENT SUPPORT TEAM {ASSIST} BULLETIN 93-02}.

1. NEXT COMPUTER INC. HAS PROVIDED INFORMATION CONCERNING A VULNERABILITY IN THE DISTRIBUTED PRINTING FACILITY OF NEXT COMPUTERS RUNNING ALL RELEASES OF NEXTSTEP SOFTWARE THROUGH NEXTSTEP RELEASE 3.0. IN NETINFO, A DIRECTORY'S "_WRITERS" PROPERTY LISTS THE USERS WHO MAY MODIFY THAT DIRECTORY WITHOUT ROOT PRIVILEGES {A VALUE OF "*" MEANS ANY USER}. THE DEFAULT "_WRITERS" PROPERTIES ARE CONFIGURED TO ALLOW USERS TO INSTALL PRINTERS AND FAX MODEMS AND TO EXPORT THE DEVICES TO THE NETWORK. USERS COULD ALSO CONFIGURE OTHER PARTS OF THE SYSTEM, SUCH AS MONITOR SCREENS. THESE ACTIONS COULD BE COMPLETED WITHOUT THE ASSISTANCE OR KNOWLEDGE OF THE SYSTEM ADMINISTRATOR AND ALLOW USERS TO GAIN UNAUTHORIZED PRIVILEGES ON THE SYSTEM.

2. IN THE "/PRINTERS" AND "/FAX_MODEMS" DIRECTORIES, THE "_WRITERS" PROPERTY CAN PERMIT USERS TO OBTAIN UNAUTHORIZED ROOT ACCESS TO A SYSTEM. IN THE "/LOCALCONFIG/SCREENS" DIRECTORY, THE "_WRITERS" PROPERTY CAN POTENTIALLY PERMIT A USER TO DENY NORMAL LOGIN ACCESS TO OTHER USERS.

3. TO CLOSE THE VULNERABILITIES, REMOVE THE "_WRITERS" PROPERTIES FROM THE "/PRINTERS", "/FAX_MODEMS", AND "/LOCALCONFIG/SCREENS" DIRECTORIES IN ALL NETINFO DOMAINS ON THE NETWORK {THE LOCAL DOMAIN "." OF EVERY HOST AS WELL AS EACH PARENT DOMAIN UP TO "/"}, AND FROM ALL IMMEDIATE SUBDIRECTORIES OF THOSE DIRECTORIES. NOTE THAT NETINFO DIRECTORY AND PROPERTY NAMES ARE CASE-SENSITIVE AND ARE LOWER CASE ON THE SYSTEM {"/printers", "/fax_modems", "/localconfig/screens", "_writers"}; THEY APPEAR IN UPPER CASE IN THE PROSE OF THIS MESSAGE ONLY. THE "_WRITERS" PROPERTIES MAY BE REMOVED USING ANY ONE OF THE FOLLOWING THREE METHODS.

   A. AS ROOT, USE THE "NIUTIL" COMMAND-LINE UTILITY. FOR EXAMPLE, TO REMOVE THE "_WRITERS" PROPERTY FROM THE "/PRINTERS" DIRECTORY OF THE LOCAL DOMAIN:

      # /usr/bin/niutil -destroyprop . /printers _writers

      REPEAT THE COMMAND FOR "/fax_modems", "/localconfig/screens", EACH OF THEIR IMMEDIATE SUBDIRECTORIES, AND EACH OTHER DOMAIN {E.G. ".." IN PLACE OF "."}. TO CONFIRM THE CHANGE, "niutil -read . /printers" SHOULD NO LONGER SHOW A "_writers:" LINE.

   B. ALTERNATIVELY, USE THE NETINFOMANAGER APPLICATION: OPEN THE DESIRED DOMAIN, OPEN THE APPROPRIATE DIRECTORY, SELECT THE "_WRITERS" PROPERTY, CHOOSE THE "DELETE" COMMAND [CMD-R] FROM THE "EDIT" MENU, AND SAVE THE DIRECTORY.

   C. TO ASSIST SYSTEM ADMINISTRATORS IN EDITING THEIR NETINFO DOMAINS, A SHELL SCRIPT, "WRITERSFIX", IS AVAILABLE VIA ANONYMOUS FTP FROM NEXT.COM (129.18.1.2):

      FILENAME                                  SIZE   CHECKSUM
      --------                                  ----   --------
      pub/misc/utilities/writersfix.compressed  5600   25625 6

      {THE TWO CHECKSUM VALUES ARE IN THE FORMAT OF SUM(1), THE 16-BIT CHECKSUM FOLLOWED BY THE BLOCK COUNT; COMPARE THEM WITH THE OUTPUT OF "sum writersfix.compressed" BEFORE USING THE SCRIPT.} AFTER TRANSFERRING THIS FILE USING BINARY TRANSFER TYPE, DOUBLE-CLICK ON THE FILE. A "WRITERSFIX" DIRECTORY WILL BE CREATED IN YOUR FILE SYSTEM, CONTAINING THE SCRIPT ("WRITERSFIX") AND SOME DOCUMENTATION ("WRITERSFIX.RTF").

4. ASSIST STRONGLY RECOMMENDS REMOVING "_WRITERS" FROM OTHER NETINFO DIRECTORIES AS WELL (FOR EXAMPLE, "/LOCATIONS"). BY REMOVING THE "_WRITERS" PROPERTIES, THE NETWORK AND THE COMPUTERS ON THE NETWORK BECOME MORE SECURE, BUT A SYSTEM ADMINISTRATOR'S ASSISTANCE IS THEN REQUIRED FOR TASKS SUCH AS ADDING OR EXPORTING A PRINTER, WHERE IT PREVIOUSLY WAS NOT. REFER TO THE NEXTSTEP NETWORK AND SYSTEM ADMINISTRATION MANUAL FOR ADDITIONAL INFORMATION ON "_WRITERS". NOTE THAT THE SUBDIRECTORIES OF THE "/USERS" DIRECTORY HAVE "_WRITERS_PASSWD" SET TO THE USER WHOSE ACCOUNT IS DESCRIBED BY THE DIRECTORY {A "_WRITERS_<PROPERTY>" PROPERTY GRANTS WRITE ACCESS TO THAT ONE PROPERTY ONLY, NOT TO THE WHOLE DIRECTORY}. THIS IS ESSENTIAL IF USERS ARE TO BE ABLE TO CHANGE THEIR OWN PASSWORDS, AND IT DOES NOT COMPROMISE SYSTEM SECURITY; DO NOT REMOVE IT.

5. POINT OF CONTACT: ASSIST POINT OF CONTACT FOR THIS MATTER IS PETE HAMMES, COMM {703} 696-1924/04 OR DSN 226-1924/04. ASSIST CAN BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER {800} SKY-PAGE {800-759-7243}, PIN NUMBER 2133937. WHEN CALLING THE PAGER SERVICE, FOLLOW THE AUTOMATED VOICE INSTRUCTIONS AND ENTER THE CALL BACK NUMBER AFTER THE PROMPT. THE ASSIST DUTY OFFICER WILL CALL YOU BACK WITHIN 30 MINUTES. IF FASTER SERVICE IS REQUIRED, PREFIX YOUR TELEPHONE NUMBER WITH "999", AND THE ASSIST DUTY OFFICER WILL CALL BACK WITHIN 5 MINUTES. ASSIST CAN BE REACHED VIA E-MAIL AT "DOD-CERT{AT-SIGN}DDN-CONUS.DDN.MIL".

BT
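THE FOLLOWING SCRIPT IS AN ADDED EXAMPLE FOR THE PROCEDURE IN PARAGRAPH 3: METHOD A {"niutil -destroyprop"} CARRIED OVER EVERY TARGET DIRECTORY, ITS IMMEDIATE SUBDIRECTORIES, AND EACH DOMAIN NAMED ON THE COMMAND LINE, WITH "/locations" INCLUDED PER PARAGRAPH 4. IT IS NOT THE "WRITERSFIX" SCRIPT DISTRIBUTED BY NEXT AND IS NOT PART OF THIS BULLETIN. IT ASSUMES THE NIUTIL OPERATIONS USED ABOVE {-list, -read, -destroyprop} AND THEIR "property: value" AND "<id> <name>" OUTPUT FORMATS; THE SCRIPT NAME, THE DRY_RUN AND NIUTIL VARIABLES, THE TARGET DIRECTORY LIST AND THE DEFAULT DOMAIN LIST ARE ASSUMPTIONS TO ADJUST FOR YOUR SITE. RUN IT AS ROOT.

```shell
#!/bin/sh
# writers-audit.sh: find and remove "_writers" properties in the NetInfo
# directories named in ASSIST 93-02 (/printers, /fax_modems,
# /localconfig/screens) plus /locations, and their immediate subdirectories.
# Added example written for this page; NOT NeXT's writersfix script.
# Assumes niutil(8) as shipped through NEXTSTEP 3.0 with the -list, -read
# and -destroyprop operations. The directory list, the default domains and
# the DRY_RUN/NIUTIL variables are assumptions; adjust them for your site.

NIUTIL="${NIUTIL:-/usr/bin/niutil}"   # path of niutil (overridable for testing)
DRY_RUN="${DRY_RUN:-1}"               # 1 = report only; set to 0 to destroy
TARGET_DIRS="/printers /fax_modems /localconfig/screens /locations"

# True (exit 0) when directory $2 in domain $1 carries a "_writers" property.
# "niutil -read" prints one "property: value ..." line per property.
has_writers() {
    "$NIUTIL" -read "$1" "$2" 2>/dev/null | grep '^_writers:' >/dev/null
}

# Prints the names of the immediate subdirectories of $2 in domain $1.
# "niutil -list" prints "<directory id> <name>" per child; strip the id.
list_children() {
    "$NIUTIL" -list "$1" "$2" 2>/dev/null | sed 's/^[0-9][0-9]*[[:space:]]*//'
}

# Removes "_writers" from directory $2 in domain $1, or only reports it when
# DRY_RUN=1. Prints one line per directory acted on so callers can count.
fix_dir() {
    if has_writers "$1" "$2"; then
        if [ "$DRY_RUN" = 1 ]; then
            echo "WOULD REMOVE _writers: domain=$1 dir=$2"
        elif "$NIUTIL" -destroyprop "$1" "$2" _writers; then
            echo "REMOVED _writers: domain=$1 dir=$2"
        else
            echo "FAILED to remove _writers: domain=$1 dir=$2" >&2
        fi
    fi
}

# Handles every target directory and its immediate children in domain $1.
# A directory that does not exist in this domain is silently skipped.
fix_domain() {
    for dir in $TARGET_DIRS; do
        fix_dir "$1" "$dir"
        list_children "$1" "$dir" | while IFS= read -r child; do
            if [ -n "$child" ]; then
                fix_dir "$1" "$dir/$child"
            fi
        done
    done
}

# Domains come from the command line; "." (local) and ".." (parent) are an
# assumed default. Run it on each host and domain level up to "/".
main() {
    [ $# -gt 0 ] || set -- . ..
    for d in "$@"; do
        fix_domain "$d"
    done
}

main "$@"
```

BY DEFAULT THE SCRIPT ONLY REPORTS. RUN "DRY_RUN=0 sh writers-audit.sh . .. /" AS ROOT TO REMOVE THE PROPERTIES {DUPLICATE DOMAIN NAMES ARE HARMLESS}, THEN CONFIRM WITH "niutil -read" THAT NO "_writers:" LINE REMAINS IN ANY OF THE TARGET DIRECTORIES. THE SCRIPT NEVER TOUCHES "_writers_passwd" UNDER "/users".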