-----BEGIN PGP SIGNED MESSAGE-----

===============================================================================
  Security Advisory CERT-NL
===============================================================================
Author/Source  : Don Stikvoort                  Index         : S-96-32
Distribution   : World                          Page          : 1
Classification : External                       Version       : 1
Subject        : Digital Software Security Kits release
Date           : 02-Jul-96
===============================================================================

By courtesy of the Software Security Response Team (SSRT) of Digital
Equipment Corporation we received information on a major release of new
software security kits. CERT-NL recommends that you review this advisory
carefully and download and install the kits relevant to your situation.

==============================================================================
_________________________________________________________________________

#96.0383
SOURCE: 27JUN1996 Digital Equipment Corporation
        Software Security Response Team
Copyright (c) Digital Equipment Corporation 1996. All rights reserved.

Digital is broadly distributing this Security Advisory in order to bring to
the attention of users of Digital's products the important security
information contained in this Advisory. Digital recommends that all users
determine the applicability of this information to their individual
situations and take appropriate action. Digital does not warrant that this
information is necessarily accurate or complete for all user situations and,
consequently, Digital will not be responsible for any damages resulting from
users' use or disregard of the information provided in this Advisory.

SUMMARY DESCRIPTION:

Digital has recently released the software security kits identified below,
which address recently reported potential security vulnerabilities.
SEVERITY LEVEL: High

SUMMARY ECO KIT INFORMATION:

The ECO kits identified in this advisory do not apply to versions earlier
than those listed under "Kit(s) Apply To" for each ECO.

***** NOTE *****
(1) These ECOs must be re-applied if an update or installation is later
    performed through V3.2d2 of Digital UNIX or V4.5 of ULTRIX.
(2) The solutions will be included in future releases of these operating
    systems.

 ___________________________________________________________________________
| TITLE(s):               |                                                 |
|-------------------------|-------------------------------------------------|
| SSRT035901_OSF1020      | Digital UNIX (OSF/1) V2.0 (syslog & C2)         |
|-------------------------|-------------------------------------------------|
| SSRT035901_OSF1030      | Digital UNIX (OSF/1) V3.0 (syslog & C2)         |
|-------------------------|-------------------------------------------------|
| SSRT035901_OSF1030B     | Digital UNIX (OSF/1) V3.0b (syslog & C2)        |
|-------------------------|-------------------------------------------------|
| SSRT035902_OSF1032      | Digital UNIX (OSF/1) V3.2 (syslog & C2)         |
|                         | Replaces: SSRT035901_OSF1032                    |
|-------------------------|-------------------------------------------------|
| SSRT035901_OSF1032B     | Digital UNIX (OSF/1) V3.2b (syslog & C2)        |
|-------------------------|-------------------------------------------------|
| SSRT035901_OSF1032C     | Digital UNIX (OSF/1) V3.2c (syslog & C2)        |
|-------------------------|-------------------------------------------------|
| SSRT035901_OSF1032D     | Digital UNIX (OSF/1) V3.2d (syslog & C2)        |
|-------------------------|-------------------------------------------------|
| SSRT035902_ULT45        | Digital ULTRIX V4.3 thru V4.5 (syslog)          |
|                         | Replaces: SSRT035901_ULT45                      |
|                         | Cross Reference: SSRT035901_OSF1020,            |
|                         |   SSRT035901_OSF1030, SSRT035901_OSF1030B,      |
|                         |   SSRT035902_OSF1032, SSRT035901_OSF1032B,      |
|                         |   SSRT035901_OSF1032C, SSRT035901_OSF1032D,     |
|                         |   [ CERT/CC Advisory CA-95:13 ]                 |
|-------------------------|-------------------------------------------------|
| SSRT037901_DUNIX1032D2  | Digital UNIX (OSF/1) V3.0 thru V3.2D2 (mountd)  |
|                         | Cross Reference: SSRT037901_ULT45               |
|-------------------------|-------------------------------------------------|
| SSRT038301_DUNIX1032D2  | Digital UNIX (OSF/1) V3.0 thru V3.2D2           |
|                         |   (rpc.statd)                                   |
|                         | Cross Reference: [ CERT/CC Advisory CA-96:09 ]  |
|-------------------------|-------------------------------------------------|
| SSRT038301_ULT045       | Digital ULTRIX V4.3 thru V4.5 (rpc.statd)       |
|                         | Cross Reference: SSRT038301_DUNIX1032D2         |
|                         | Cross Reference: [ CERT/CC Advisory CA-96:09 ]  |
|-------------------------|-------------------------------------------------|
| SSRT039601_DUNIX1032D2  | Digital UNIX (OSF/1) V3.0 thru V3.2D2 (pcnfsd)  |
|                         | Cross Reference: [ CERT/CC Advisory CA-96:08 ]  |
|                         |                                                 |
|                         | * At the time of writing, patches (binary kits) |
|                         |   for Digital's UNIX operating system are in    |
|                         |   final testing and packaging. Digital will     |
|                         |   provide notice of availability for the kits   |
|                         |   through AES services (DIA, DSNlink FLASH);    |
|                         |   they will also be available from your normal  |
|                         |   Digital support channel.                      |
|_________________________|_________________________________________________|

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ECO KIT NAME(S): SSRT035901_OSF1020, SSRT035901_OSF1030,
                 SSRT035901_OSF1030B, SSRT035902_OSF1032,
                 SSRT035901_OSF1032B, SSRT035901_OSF1032C,
                 SSRT035901_OSF1032D
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Op/SYS: DIGITAL UNIX (DEC OSF/1)
Kit(s) Apply To: V2.0, V3.0, V3.0b, V3.2, V3.2b, V3.2c, V3.2d1, V3.2d2
ECO Kits Superseded by These ECO Kits: SSRT0359_OSF1032C
System Reboot Necessary: Yes
-------------------------------------------------------------------
PROBLEM:

1.
   Digital has discovered a potential security vulnerability in Digital
   UNIX (OSF/1) involving disabled accounts (library routines) when
   running C2 (enhanced) security.
   Cross Reference: none

2. A potential security vulnerability has been identified in syslog that
   may, under certain circumstances, allow unauthorized file access by
   unauthorized system users.
   Cross Reference: [ CERT/CC Advisory CA-95:13 - Syslog Vulnerability ]

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ECO KIT NAME: SSRT035902_ULT45 (syslog)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Op/SYS: DIGITAL ULTRIX Operating System
Kit Applies To: V4.3 (VAX & MIPS), V4.3a (MIPS), V4.4 (VAX & MIPS),
                V4.5 (VAX & MIPS)
ECO Kits Superseded by This ECO Kit: SSRT0359_ULT45
System Reboot Necessary: Yes
-------------------------------------------------------------------
PROBLEM:

A potential security vulnerability has been identified in syslog that may,
under certain circumstances, allow unauthorized file access by unauthorized
system users.
Cross Reference: [ CERT/CC Advisory CA-95:13 - Syslog Vulnerability ]

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ECO KIT NAME: SSRT037901_DUNIX1032D2 (mountd)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Op/SYS: Digital UNIX (DEC OSF/1)
Kit Applies To: V3.0, V3.0b, V3.2, V3.2b, V3.2c, V3.2d1, V3.2d2
ECO Kits Superseded by This ECO Kit: None
System Reboot Necessary: Yes
-------------------------------------------------------------------
PROBLEM:

Digital has recently discovered a potential security vulnerability in
mountd. Under certain circumstances it may allow an NFS server to be
spoofed.
Cross Reference: None

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ECO KIT NAME: SSRT038301_DUNIX1032D2 (rpc.statd)
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Op/SYS: DIGITAL UNIX (DEC OSF/1) Operating System
Kit Applies To: V3.0, V3.0b, V3.2, V3.2b, V3.2c, V3.2d1, V3.2d2
ECO Kits Superseded by This ECO Kit: None
System Reboot Necessary: Yes

__________________________________________________
ECO KIT NAME: SSRT038301_ULT045 (rpc.statd)
__________________________________________________

Op/SYS: DIGITAL ULTRIX Operating System
Kit Applies To: V4.3, V4.3a, V4.4, V4.5 (VAX & MIPS)
ECO Kits Superseded by This ECO Kit: None
System Reboot Necessary: Yes
-------------------------------------------------------------------
PROBLEM:

A potential security vulnerability has been identified in rpc.statd that
may, under certain circumstances, allow unauthorized file access by
unauthorized system users.
Cross Reference: [ CERT/CC Advisory CA-96:09 - Vulnerability in rpc.statd ]

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ECO AVAILABILITY:

Software service contract or warranty customers may obtain the ECO kits
through normal Digital support channels, via AES (Advanced Electronic
Service), or from the appropriate OS type and version directory under:

    ftp://ftp.service.digital.com/public/{OS}/{vn.n}
                                          |     |
                                          |     +-- version
                                          +-------- osf or ultrix

Please refer to the applicable Release Note information prior to upgrading
your installation.

Note: Non-contract/non-warranty customers should contact local Digital
support channels for information regarding these kits.

As always, Digital urges you to periodically review your system management
and security procedures. Digital will continue to review and enhance the
security features of its products and work with customers to maintain and
improve the security and integrity of their systems.
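The following is an added example, not part of the Digital or CERT-NL
advisory, showing how an administrator might decide which of the kits listed
above apply to a given Digital UNIX or ULTRIX release, and where on the FTP
server to look for them. The kit table is transcribed from this advisory. The
ordering of release suffixes (V3.2 < V3.2b < V3.2c < V3.2d < V3.2d1 < V3.2d2),
the "v<major>.<minor>" directory name under
ftp.service.digital.com/public/{osf|ultrix}/, and all function names are
assumptions; the VAX/MIPS architecture restriction on the ULTRIX syslog kit is
not modelled.

```python
"""Applicability check for the ECO kits listed in this advisory.

Added example; not Digital's or CERT-NL's code.  The KITS table below is
transcribed from the advisory.  Assumed (not stated on the page): version
strings order by major, minor, trailing letter, trailing digit, so
V3.0 < V3.0b < V3.2 < V3.2b < V3.2c < V3.2d < V3.2d1 < V3.2d2, and the
FTP directory for a release is named "v<major>.<minor>".
"""
import re

# Optional leading V, major.minor, optional suffix letter, optional digit.
_VERSION_RE = re.compile(r"^[Vv]?(\d+)\.(\d+)([A-Za-z])?(\d+)?$")


def parse_version(text):
    """Turn 'V3.2d2' into the sortable tuple (3, 2, 4, 2).

    The suffix letter maps to 1..26 (absent -> 0) and the trailing digit to
    an int (absent -> 0), so 'V3.2' sorts before 'V3.2b' and 'V3.2d' sorts
    before 'V3.2d1'.  Case is ignored: the advisory writes both V3.2d2 and
    V3.2D2.  Raises ValueError on anything that is not a release string.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Digital UNIX/ULTRIX version: {text!r}")
    major, minor, letter, patch = m.groups()
    return (int(major), int(minor),
            ord(letter.lower()) - ord("a") + 1 if letter else 0,
            int(patch) if patch else 0)


# (kit name, FTP OS directory, lowest release, highest release, component),
# transcribed from the advisory.  Kits issued for a single release have
# low == high; SSRT035901_OSF1032D covers V3.2d1 and V3.2d2 per its
# "Kit(s) Apply To" line.  SSRT039601_DUNIX1032D2 was still in final
# testing when the advisory was written.
KITS = [
    ("SSRT035901_OSF1020",     "osf",    "V2.0",  "V2.0",   "syslog & C2"),
    ("SSRT035901_OSF1030",     "osf",    "V3.0",  "V3.0",   "syslog & C2"),
    ("SSRT035901_OSF1030B",    "osf",    "V3.0b", "V3.0b",  "syslog & C2"),
    ("SSRT035902_OSF1032",     "osf",    "V3.2",  "V3.2",   "syslog & C2"),
    ("SSRT035901_OSF1032B",    "osf",    "V3.2b", "V3.2b",  "syslog & C2"),
    ("SSRT035901_OSF1032C",    "osf",    "V3.2c", "V3.2c",  "syslog & C2"),
    ("SSRT035901_OSF1032D",    "osf",    "V3.2d", "V3.2d2", "syslog & C2"),
    ("SSRT037901_DUNIX1032D2", "osf",    "V3.0",  "V3.2d2", "mountd"),
    ("SSRT038301_DUNIX1032D2", "osf",    "V3.0",  "V3.2d2", "rpc.statd"),
    ("SSRT039601_DUNIX1032D2", "osf",    "V3.0",  "V3.2d2", "pcnfsd"),
    ("SSRT035902_ULT45",       "ultrix", "V4.3",  "V4.5",   "syslog"),
    ("SSRT038301_ULT045",      "ultrix", "V4.3",  "V4.5",   "rpc.statd"),
]


def applicable_kits(os_name, version):
    """Return the kit names covering this OS ('osf' or 'ultrix') and release.

    Releases older than the lowest listed version get nothing (the advisory
    says the kits do not apply to them); releases newer than the highest
    listed get nothing (the fixes ship in later releases).
    """
    v = parse_version(version)
    return [name for name, os_, low, high, _ in KITS
            if os_ == os_name and parse_version(low) <= v <= parse_version(high)]


def ftp_directory(os_name, version):
    """Build the kit directory from the advisory's layout
    ftp://ftp.service.digital.com/public/{OS}/{vn.n}.
    The 'v<major>.<minor>' directory name is an assumption."""
    major, minor, _, _ = parse_version(version)
    return f"ftp://ftp.service.digital.com/public/{os_name}/v{major}.{minor}"


if __name__ == "__main__":
    # Constructed sample inputs: a patched-range host, the lowest listed
    # release, a release older than any kit, and two ULTRIX hosts.
    for os_name, rel in (("osf", "V3.2d2"), ("osf", "V2.0"), ("osf", "V1.3"),
                         ("ultrix", "V4.3a"), ("ultrix", "V4.2")):
        print(os_name, rel, applicable_kits(os_name, rel), ftp_directory(os_name, rel))
```

Re-run the check after any OS update or reinstallation, since the advisory
notes the ECOs must be re-applied if an update or installation is later
performed through V3.2d2 of Digital UNIX or V4.5 of ULTRIX.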
6/96 - DIGITAL EQUIPMENT CORPORATION
---------------------------------------------------------------------
==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes.
CERT-NL is a member of the Forum of Incident Response and Security Teams
(FIRST).

All CERT-NL material is available under:
    http://www.surfnet.nl/surfnet/security/cert-nl.html
    ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your local
CERT/security team or CERT-NL (if your institute is NOT a SURFnet customer,
please address the appropriate (local) CERT/security team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e.
UTC+0100 in winter and UTC+0200 in summer (DST).

Email:     cert-nl@surfnet.nl
Phone:     +31 302 305 305
Fax:       +31 302 305 329
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA UTRECHT
           The Netherlands

A 24-hour, 7-day phone number is available to SURFnet SSCs and FIRST members
on request.
==============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBMdkNWGL2fnkJN/jpAQF7sAP/dYkPdbPoRUewIrFwp0UlahsbGUFQMH2S
Hy1i0zYMDe8aZT9WkV00n9AWT5942L1YlgA61jXH7phSVf+viLjlwfBeTbrk40RZ
bSLZuck2G0NIezXzidt7pEoRqwV8Agk7xfApy7b2DdRT2SoAQBmRp4ppuz0Dvgm9
Uuf3pZKar/Y=
=WF7z
-----END PGP SIGNATURE-----

-- End --