=============================================================================
CERT(sm) Vendor-Initiated Bulletin VB-96.05
April 3, 1996

Topic:  OSF/1 dxconsole vulnerability
Source: Digital Equipment Corporation

To aid in the wide distribution of essential security information, the CERT
Coordination Center is forwarding the following information from Digital
Equipment Corporation. Digital Equipment Corporation urges you to act on this
information as soon as possible. Digital Equipment Corporation contact
information is included in the forwarded text below; please contact them if
you have any questions or need further information.

========================FORWARDED TEXT STARTS HERE============================

---------------------------------------------------------------------
Copyright (c) Digital Equipment Corporation 1996. All rights reserved.

TITLE:  SSRT0358_OSF1032C Digital OSF/1 V2.0 thru 3.2C dxconsole
SOURCE: Digital Equipment Corporation
        Software Security Response Team
---------------------------------------------------------------------

PROBLEM:
--------

Digital recently discovered a potential security vulnerability with
dxconsole for OSF/1 V2.0 thru V3.2C. This potential vulnerability may allow
authorized users to gain unauthorized privileges. Digital has corrected this
potential vulnerability and provided kits containing new images. The
appropriate kits and images are identified below.

APPLICABILITY:
--------------

Digital Equipment Corporation strongly urges Customers to upgrade to a
minimum of DEC OSF/1 V3.0 then apply the Security patch.

ECO INFORMATION:
----------------

ECO Kit Name: SSRT0358_OSF1032C
ECO Kits Superseded by This ECO Kit: None
ECO Kit Approximate Size: ssrt0358_osf1032C.tar_Z 76571 Bytes
System Reboot Necessary: Yes

__________________________________________________________________
These kits will not install on versions previous to DEC OSF/1 V2.0
__________________________________________________________________

AVAILABILITY:
-------------

Software service contract or warranty customers can obtain the kits through
normal Digital support channels via AES (Advanced Electronic Service) or
from the appropriate version directory listed by accessing:

    ftp://ftp.service.digital.com/public/osf

Please refer to the applicable Release Note information prior to upgrading
your installation.

Note: Non-contract/non-warranty customers should contact local Digital
support channels for information regarding these kits.

As always, Digital urges you to periodically review your system management
and security procedures. Digital will continue to review and enhance the
security features of its products and work with customers to maintain and
improve the security and integrity of their systems.

- DIGITAL EQUIPMENT CORPORATION
---------------------------------------------------------------------

=========================FORWARDED TEXT ENDS HERE=============================

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (FIRST).

We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact
the CERT staff for more information.

Location of CERT PGP key
    ftp://info.cert.org/pub/CERT_PGP.key

CERT Contact Information
------------------------

Email   cert@cert.org

Phone   +1 412-268-7090 (24-hour hotline)
        CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4),
        and are on call for emergencies during other hours.

Fax     +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

CERT publications, information about FIRST representatives, and other
security-related information are available from
    http://www.cert.org/
    ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
    comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
    cert-advisory-request@cert.org

CERT is a service mark of Carnegie Mellon University.