PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER (ISSO), SPECIAL SECURITY OFFICER (SSO), INFORMATION RESOURCE MANAGER (IRM) AND AUTOMATED DATA PROCESSOR (ADP) COORDINATORS

SUBJECT: COMMODORE AMIGA UNIX FINGER VULNERABILITY (AUTOMATED SYSTEM SECURITY INCIDENT SUPPORT TEAM (ASSIST) BULLETIN 93-06).

1. THIS BULLETIN ADDRESSES A VULNERABILITY IN THE "FINGER" PROGRAM OF COMMODORE BUSINESS MACHINE'S AMIGA UNIX PRODUCT. THE VULNERABILITY AFFECTS COMMODORE AMIGA UNIX VERSIONS 1.1, 2.03, 2.1, 2.1P1, 2.1P2, AND 2.1P2A. COMMODORE IS AWARE OF THE VULNERABILITY, AND BOTH A WORKAROUND AND A PATCH ARE AVAILABLE. DIRECTIONS FOR OBTAINING THE PATCH AND INSTALLING THE WORKAROUND ARE GIVEN BELOW. DOD SITES AFFECTED BY THIS VULNERABILITY SHOULD APPLY EITHER THE WORKAROUND OR THE PATCH AS SOON AS POSSIBLE. ADDITIONAL QUESTIONS CAN BE FORWARDED TO COMMODORE'S DAVID MILLER VIA E-MAIL AT DAVIDM(AT-SIGN)CDMVAX.COMMODORE.COM.

2. THE "FINGER" COMMAND IN AMIGA UNIX CONTAINS A SECURITY VULNERABILITY WHICH COULD ALLOW NON-PRIVILEGED USERS TO GAIN UNAUTHORIZED ACCESS TO FILES. COMMODORE HAS SUPPLIED A WORKAROUND AND A PATCH TO CORRECT THE PROBLEM AS FOLLOWS:

A. WORKAROUND: AS ROOT, MODIFY THE PERMISSION OF THE EXISTING /usr/bin/finger TO PREVENT MISUSE BY EXECUTING THE FOLLOWING COMMAND.

    # /bin/chmod 0755 /usr/bin/finger

B. PATCH: AS ROOT, INSTALL THE "PUBSRC" PACKAGE FROM THE DISTRIBUTION TAPE. IN THE FILE, "/usr/src/pub/cmd/finger/src/finger.c", ADD THE LINE:

    setuid(getuid());

IMMEDIATELY BEFORE THE LINE READING:

    display_finger(finger_list);

SAVE A COPY OF THE EXISTING /usr/bin/finger AND MODIFY ITS PERMISSION TO PREVENT MISUSE BY EXECUTING THE FOLLOWING COMMANDS.

    # /bin/mv /usr/bin/finger /usr/bin/finger.orig
    # /bin/chmod 0755 /usr/bin/finger.orig

IN THE DIRECTORY, "/usr/src/pub/cmd/finger", ISSUE THE COMMAND:

    # cd /usr/src/pub/cmd/finger
    # make install

3. POINT OF CONTACT: ASSIST POINT OF CONTACT FOR THIS MATTER IS PETE HAMMES, COMM (703) 696-1924/5/6 OR DSN 226-1924/5/6.
ASSIST CAN BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER (800) SKY-PAGE (800-759-7243), PIN NUMBER 2133937. WHEN CALLING THE PAGER SERVICE, FOLLOW THE AUTOMATED VOICE INSTRUCTIONS AND ENTER THE CALL BACK NUMBER AFTER THE PROMPT. THE ASSIST DUTY OFFICER WILL CALL YOU BACK WITHIN 30 MINUTES. IF FASTER SERVICE IS REQUIRED, PREFIX YOUR TELEPHONE NUMBER WITH "999", AND THE ASSIST DUTY OFFICER WILL CALL BACK WITHIN 5 MINUTES. ASSIST CAN BE REACHED VIA E-MAIL AT "DOD-CERT(AT-SIGN)DDN-CONUS.DDN.MIL".

BT
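
ADDED EXAMPLE, NOT PART OF THE BULLETIN AND NOT COMMODORE'S CODE: THE PRIVILEGE DROP FROM THE PATCH IN 2.B, WRITTEN WITH THE RETURN VALUE CHECKED AND THE RESULT VERIFIED BEFORE ANY OUTPUT IS PRODUCED. display_report() IS A HYPOTHETICAL STAND-IN FOR THE BULLETIN'S display_finger(finger_list) CALL, AND DROPPING THE GROUP ID AS WELL IS AN ASSUMPTION, SINCE THE BULLETIN NAMES ONLY setuid(getuid()).

```c
/* Added example, not Commodore's finger.c. display_report() is a hypothetical
 * stand-in for the display_finger(finger_list) call named in the bulletin. */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Set the effective group and user IDs back to the invoking user's real IDs.
 * When the effective UID is root, setuid() also resets the saved set-user-ID.
 * Returns 0 on success, -1 if the process may still hold extra privilege. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Assumption: drop the group too. Do it first, because setgid() may be
     * refused once the effective UID is no longer privileged. */
    if (setgid(rgid) != 0)
        return -1;
    /* The bulletin's patch line, with its return value checked. */
    if (setuid(ruid) != 0)
        return -1;
    /* Confirm the drop took effect before any file is opened. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    return 0;
}

/* Hypothetical output stage: prints the identity that later file opens are
 * checked against. Returns 0 when effective and real UIDs match. */
int display_report(void)
{
    printf("real uid=%ld effective uid=%ld\n",
           (long)getuid(), (long)geteuid());
    return geteuid() == getuid() ? 0 : -1;
}

int main(void)
{
    /* Fail closed: never reach the output stage with privilege still held. */
    if (drop_privileges() != 0) {
        fprintf(stderr, "could not drop privileges, refusing to continue\n");
        return 1;
    }
    return display_report() == 0 ? 0 : 1;
}
```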