PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER (ISSO), SPECIAL SECURITY OFFICER (SSO), INFORMATION RESOURCE MANAGER (IRM) AND AUTOMATED DATA PROCESSOR (ADP) COORDINATORS

SUBJECT: SCO /BIN/PASSWD VULNERABILITY (AUTOMATED SYSTEM SECURITY INCIDENT SUPPORT TEAM (ASSIST) BULLETIN 93-16).

1. A PROBLEM HAS RECENTLY BEEN IDENTIFIED THAT COULD ALLOW A COMPROMISE OF SYSTEM INTEGRITY ON SEVERAL RELEASES OF SANTA CRUZ OPERATION'S (SCO'S) OPERATING SYSTEMS. THIS VULNERABILITY DOES NOT ALLOW UNAUTHORIZED ACCESS TO A SYSTEM, BUT IT MAY DENY LEGITIMATE USERS THE ABILITY TO LOG ONTO THE SYSTEM. THE RELEASES OF SCO PRODUCT THAT ARE AFFECTED ARE AS FOLLOWS:

    SCO UNIX SYSTEM V/386 RELEASE 3.2 OPERATING SYSTEM VERSION 2.0
    SCO UNIX SYSTEM V/386 RELEASE 3.2 OPERATING SYSTEM VERSION 4.0
    SCO UNIX SYSTEM V/386 RELEASE 3.2 OPERATING SYSTEM VERSION 4.0 WITH MAINTENANCE SUPPLEMENT VERSION 4.1
    SCO OPEN DESKTOP RELEASE 1.1.X
    SCO OPEN DESKTOP RELEASE 2.0

ASSIST RECOMMENDS THAT DOD SITES USING THESE SCO PRODUCTS ELIMINATE THIS VULNERABILITY FROM THEIR SYSTEMS ASAP. THIS PROBLEM WILL BE CORRECTED IN UPCOMING RELEASES OF SCO OPERATING SYSTEMS.

2. SCO HAS PROVIDED A SUPPORT LEVEL SUPPLEMENT (SLS), AS DESCRIBED BELOW. THEY HAVE ALSO PROVIDED AN INTERIM WORKAROUND UNTIL SITES CAN OBTAIN AND INSTALL THE SUPPLEMENT. IF YOU HAVE ANY QUESTIONS ABOUT OBTAINING OR INSTALLING THE SECURITY SUPPLEMENT, CONTACT SCO SUPPORT DURING NORMAL BUSINESS HOURS AT THE APPROPRIATE CONTACT NUMBER LISTED BELOW, OR SEND ELECTRONIC MAIL TO SUPPORT@SCO.COM.

USA/CANADA, 6AM-5PM PACIFIC DAYLIGHT TIME (PDT):
    1-800-347-4381 (VOICE)
    1-408-427-5443 (FAX)

PACIFIC RIM, ASIA, AND LATIN AMERICAN CUSTOMERS, 6AM-5PM PACIFIC DAYLIGHT TIME (PDT):
    1-408-425-4726 (VOICE)
    1-408-427-5443 (FAX)

EUROPE, MIDDLE EAST, AFRICA, 9AM-5:30PM BRITISH STANDARD TIME (BST):
    +44 (0)923 816344 (VOICE)
    +44 (0)923 817781 (FAX)

3. A PROBLEM EXISTS IN /BIN/PASSWD IN THE SCO OPERATING SYSTEM VERSIONS DETAILED ABOVE.
THIS VULNERABILITY CAN DENY LEGITIMATE USERS THE ABILITY TO LOG ONTO THE SYSTEM. ASSIST RECOMMENDS THAT ALL AFFECTED DOD SITES OBTAIN AND INSTALL THE SUPPORT LEVEL SUPPLEMENT ASAP. INSTRUCTIONS ARE PROVIDED BELOW. ASSIST ALSO RECOMMENDS THAT SITES INSTALL THE FOLLOWING WORKAROUND UNTIL THEY ARE ABLE TO OBTAIN AND INSTALL THE SUPPORT LEVEL SUPPLEMENT.

A. WORKAROUND: THIS WORKAROUND WILL PREVENT USERS FROM CHANGING THEIR PASSWORDS UNTIL THE SUPPORT LEVEL SUPPLEMENT IS INSTALLED. AS ROOT, MODIFY THE PERMISSION ON THE EXISTING /BIN/PASSWD TO PREVENT MISUSE.

    # /BIN/CHMOD 2110 /BIN/PASSWD

BEFORE INSTALLING THE UPDATE, THE PERMISSIONS SHOULD AGAIN BE RESET. AS ROOT, MODIFY THE PERMISSION ON THE EXISTING /BIN/PASSWD.

    # /BIN/CHMOD 2111 /BIN/PASSWD

B. SUPPLEMENT: SCO HAS PREPARED A SUPPORT LEVEL SUPPLEMENT (SLS) TO ADDRESS THIS PROBLEM. THIS SUPPLEMENT IS FREE TO ALL CUSTOMERS, REGARDLESS OF SUPPORT STATUS. SITES CAN OBTAIN THIS UPDATE VIA ANONYMOUS FTP FROM FTP.SCO.COM (132.147.106.6). THE FILES ARE LOCATED IN:

    FILENAME          FILE CONTENTS                SIZE     CHECKSUM
    /SLS/UOD368.Z     UPDATE                       105857   62288
    /SLS/UOD368.LTR   ASCII COVER LETTER AND       5514     29520
                      INSTALLATION INSTRUCTIONS

THE UPDATE MAY ALSO BE OBTAINED FROM SCO VIA:

- ANONYMOUS UUCP IN THE /USR/SPOOL/UUCPPUBLIC/SLS DIRECTORY ON THE SOS BULLETIN BOARD
- COMPUSERVE IN THE SCO UNIX LIBRARY SECTION OF THE SCO FORUM
- HARDCOPY FORMAT (ON DISKETTE) FROM THE MEDIA DEPARTMENT AT SCO SUPPORT.

4. TO RETRIEVE AND INSTALL THE SCO SUPPORT LEVEL SUPPLEMENT, YOU MUST FOLLOW THE INSTRUCTIONS BELOW.

FTP DOWNLOAD INFORMATION: YOU MUST HAVE A CONNECTION TO THE INTERNET TO USE THIS SERVICE, AND SHOULD BE FAMILIAR WITH THE FTP COMMAND. THE COMMAND TO USE IS:

    FTP FTP.SCO.COM
OR
    FTP 132.147.106.6

YOU WILL BE PROMPTED FOR A LOGIN AND PASSWORD. LOG IN AS "ANONYMOUS" AND USE YOUR E-MAIL ADDRESS AS THE PASSWORD. ON FTP.SCO.COM THE FIX AND THE COVER LETTER FILES ARE IN THE ./SLS DIRECTORY.
YOU WILL WANT TO "CD" TO THIS DIRECTORY, SET "BINARY", AND "GET" THE FILES UOD368.Z AND UOD368.LTR. NOTE THAT THESE FILES ARE ALSO AVAILABLE FROM UUNET VIA ANONYMOUS FTP AT FTP.UU.NET IN THE /SCO-ARCHIVE/SLS DIRECTORY.

UUCP DOWNLOAD INFORMATION FOR THE USA, CANADIAN, PACIFIC RIM, ASIA, AND LATIN AMERICAN CUSTOMERS:

    MACHINE NAME: SOSCO
    UUCP USER: UUSLS (NO PASSWORD)
    MODEM PHONE NUMBERS:
        TELEBIT TRAILBLAZER PLUS   408-429-1786   9600 BAUD
        TELEBIT 1500 V.32, 2@      408-425-3502   2400, 9600 BAUD
        HAYES V SERIES 9600, 2@    408-427-4470   9600 BAUD

FOR EUROPE, THE MIDDLE EAST, AND AFRICA:

    MACHINE NAME: SCOLON
    UUCP USER: UUSLS
    PASSWORD: BBSUUCP
    MODEM PHONE NUMBERS:
        DOWTY TRAILBLAZER          +44 (0)923 210911

5. THE FOLLOWING INFORMATION EXPLAINS HOW TO TRANSFER THE SLS FROM THE MACHINE SOSCO USING UUCP. A SIMILAR PROCEDURE CAN BE USED FOR SCOLON, BY CHANGING THE SYSTEMS FILE ENTRY APPROPRIATELY. THIS INFORMATION ASSUMES THAT YOU ARE USING AN SCO OPERATING SYSTEM TO DOWNLOAD THE FILES. OTHER SYSTEMS MAY OR MAY NOT BE SIMILAR IN THEIR UUCP SETUP.

BEFORE ATTEMPTING TO TRANSFER, YOU MUST HAVE A MODEM CONFIGURED TO DIAL OUT FROM YOUR COMPUTER. FOR MORE INFORMATION ON CONFIGURING A MODEM, SEE THE CHAPTER ON "ADDING TERMINALS AND MODEMS" IN THE SYSTEM ADMINISTRATOR'S GUIDE.

ONCE YOU HAVE YOUR MODEM CONFIGURED FOR DIALING OUT, YOU MUST SET UP YOUR UUCP CONFIGURATION TO RECOGNIZE THE SCO SYSTEM WHICH CONTAINS THE FILES. IF YOU HAVE A 2400 BAUD OR LOWER SPEED MODEM, ADD THE FOLLOWING LINE TO THE END OF THE "SYSTEMS" CONFIGURATION FILE IN THE DIRECTORY /USR/LIB/UUCP:

    SOSCO ANY ACU ANY 14084253502 OGIN:-@-OGIN:-@-OGIN: UUSLS
OR
    SOSCO ANY ACU ANY 14084274470 OGIN:-@-OGIN:-@-OGIN: UUSLS

IF YOU HAVE A TELEBIT BRAND MODEM, USE THE FOLLOWING LINE:

    SOSCO ANY ACU ANY 14084291786 OGIN:-@-OGIN:-@-OGIN: UUSLS

6. ONCE YOUR SYSTEM IS CONFIGURED, YOU CAN USE THE UUCP(C) COMMAND TO REQUEST FILES FROM THE REMOTE SYSTEM. ALL FILES FOR SUPPORT LEVEL SUPPLEMENTS RESIDE IN /USR/SPOOL/UUCPPUBLIC/SLS.
THE FIRST FILE THAT SHOULD BE DOWNLOADED IS "UOD368.Z" (THE ACTUAL FIX). THE UUCP(C) COMMAND TO TRANSFER THIS FILE INTO THE LOCAL DIRECTORY /USR/SPOOL/UUCPPUBLIC ON YOUR SYSTEM WOULD BE:

    UUCP SOSCO!/USR/SPOOL/UUCPPUBLIC/SLS/UOD368.Z /USR/SPOOL/UUCPPUBLIC/UOD368.Z

(IF YOU ARE USING THE C SHELL COMMAND INTERPRETER, YOU MUST ENTER A BACKSLASH CHARACTER "\" BEFORE THE EXCLAMATION MARK "!" TO PREVENT THE C SHELL HISTORY MECHANISM FROM INTERCEPTING THE REST OF THE COMMAND LINE.)

NEXT YOU WOULD REPEAT THE ABOVE PROCEDURE FOR "UOD368.LTR" (THE COVER LETTER FOR THE FIX).

7. OBTAINING A HARD COPY OF THE SLS: THIS SLS IS AVAILABLE IN HARD COPY FORM. CUSTOMERS SHOULD ORDER IT FROM THEIR SUPPORT PROVIDER OR BY CALLING SCO SUPPORT DURING NORMAL BUSINESS HOURS AT THE APPROPRIATE NUMBER LISTED IN PARAGRAPH 2. PLEASE BE SURE TO ASK FOR "SUPPORT LEVEL SUPPLEMENT UOD368, THE SECURITY SUPPLEMENT". THIS IS FREE TO ALL CUSTOMERS, REGARDLESS OF SUPPORT STATUS.

INSTALLATION PREPARATION:

A. UNCOMPRESS THE FILE:

    UNCOMPRESS UOD368.Z

B. FORMAT A DISKETTE THAT IS LARGE ENOUGH TO CONTAIN THE FILE USING THE FORMAT(C) COMMAND.

C. USE THE DD(C) COMMAND TO TRANSFER THE FILE TO DISKETTE.

    DD IF=UOD368 OF=/DEV/FD0135DS18     FOR 3.5" DISKETTES
OR
    DD IF=UOD368 OF=/DEV/FD096DS15      FOR 5.25" DISKETTES

FOLLOW THE DIRECTIONS IN THE UOD368.LTR FILE TO INSTALL THE SUPPLEMENT.

8. POINT OF CONTACT: ASSIST POINT OF CONTACT FOR THIS MATTER IS PETE HAMMES, COMM (703) 696-1924/5/6 OR DSN 226-1924/5/6. ASSIST CAN BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER (800) SKY-PAGE (800-759-7243), PIN NUMBER 2133937. WHEN CALLING THE PAGER SERVICE, FOLLOW THE AUTOMATED VOICE INSTRUCTIONS AND ENTER THE CALL BACK NUMBER AFTER THE PROMPT. THE ASSIST DUTY OFFICER WILL CALL YOU BACK WITHIN 30 MINUTES. IF FASTER SERVICE IS REQUIRED, PREFIX YOUR TELEPHONE NUMBER WITH "999", AND THE ASSIST DUTY OFFICER WILL CALL BACK WITHIN 5 MINUTES.
ASSIST CAN ALSO BE REACHED VIA E-MAIL AT "DOD-CERT(AT-SIGN)DDN-CONUS.DDN.MIL", BY DIALING INTO THE ASSIST ELECTRONIC BULLETIN BOARD AT (703) 696-8726, DSN 226, AND LEAVING A MESSAGE FOR THE SYSOP, OR BY LEAVING A VOICE MAIL MESSAGE FOR THE ASSIST TEAM AT (703) 696-1904 (SELECT '9').

BT
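
ADDED EXAMPLE, NOT PART OF THE ORIGINAL BULLETIN OR OF SCO'S MATERIAL: A PYTHON CHECK OF A DOWNLOADED SLS FILE AGAINST THE SIZE AND CHECKSUM LISTED IN PARAGRAPH 3.B. THE BULLETIN DOES NOT NAME THE CHECKSUM ALGORITHM, SO THE CODE ASSUMES THE 16-BIT BSD OR SYSTEM V SUM ALGORITHM AND ACCEPTS EITHER; THE FUNCTION NAMES ARE ILLUSTRATIVE.

```python
"""Check a downloaded SLS file against the size/checksum table in the bulletin."""
import os
import sys

# Values copied from the bulletin's file table (paragraph 3.B).
EXPECTED = {"UOD368.Z": (105857, 62288), "UOD368.LTR": (5514, 29520)}

def bsd_sum(data: bytes) -> int:
    """16-bit BSD checksum: rotate right one bit, then add the next byte."""
    c = 0
    for b in data:
        c = (c >> 1) | ((c & 1) << 15)
        c = (c + b) & 0xFFFF
    return c

def sysv_sum(data: bytes) -> int:
    """16-bit System V checksum: byte total with the carries folded back in."""
    s = sum(data) & 0xFFFFFFFF
    r = (s & 0xFFFF) + (s >> 16)
    return (r & 0xFFFF) + (r >> 16)

def verify(path: str, size: int, checksum: int) -> list:
    """Return mismatch descriptions; an empty list means the file matches."""
    with open(path, "rb") as fh:
        data = fh.read()
    problems = []
    if len(data) != size:
        # A size mismatch is typical of an FTP transfer made without "BINARY".
        problems.append(f"size {len(data)} != {size}")
    # Assumption: the algorithm is not named in the bulletin, so accept either.
    # A 16-bit sum detects transfer damage, not deliberate modification.
    got = (bsd_sum(data), sysv_sum(data))
    if checksum not in got:
        problems.append(f"checksum bsd={got[0]} sysv={got[1]}, expected {checksum}")
    return problems

if __name__ == "__main__":
    # Usage: python verify_sls.py /path/to/UOD368.Z /path/to/UOD368.LTR
    status = 0
    for path in sys.argv[1:]:
        name = os.path.basename(path).upper()
        if name not in EXPECTED:
            print(f"{path}: not listed in the bulletin")
            status = 1
            continue
        problems = verify(path, *EXPECTED[name])
        print(f"{path}: {'OK' if not problems else '; '.join(problems)}")
        status |= int(bool(problems))
    sys.exit(status)
```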