-----BEGIN PGP SIGNED MESSAGE----- =============================================================================== Security Advisory CERT-NL =============================================================================== Author/Source : Niels den Otter Index : S-98-27 Distribution : World Page : 1 Classification: External Version: 1 Subject : Digital Unix ftpd (ftp bounce) vulnarabil. Date : 08-May-98 =============================================================================== By courtesy of the Software Security Response Team (SSRT) of Digital Equipment Corporation we received information on a vulnerability in Digital ftpd (ftp bounce), where under certain circumstances, an user may gain unauthorized privileges. CERT-NL recommends to follow the Digital recommendation, which is to upgrade to a minimum of Digital UNIX V4.0b, and to install the appropriate patch kit immediately. ============================================================================== * No Restrictions For Distribution * ______________________________________________________________ UPDATE: APR 30, 1998 TITLE: DIGITAL UNIX ftpd V3.2g, V4.0, V4.0a, V4.0b, V4.0c - Potential Security Vulnerability ref#: SSRT0452U ftpd (ftp bounce) SOURCE: Digital Equipment Corporation Software Security Response Team "Digital is broadly distributing this Security Advisory in order to bring to the attention of users of Digital's products the important security information contained in this Advisory. Digital recommends that all users determine the applicability of this information to their individual situations and take appropriate action. Digital does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, Digital will not be responsible for any damages resulting from user's use or disregard of the information provided in this Advisory." - ---------------------------------------------------------------------- IMPACT: Digital has discovered a potential vulnerability with the FTP (bounce) for DIGITAL UNIX software, where under certain circumstances, an user may gain unauthorized privileges. Digital strongly recommends upgrading to a minimum of Digital UNIX V4.0b accordingly, and that the appropriate patch kit be installed immediately. - ---------------------------------------------------------------------- RESOLUTION: This potential security problem has been resolved and an official patch for this problem has been made available as an early release kit for DIGITAL UNIX V4.0a (duv40ass0000600041100-19980317.*) and, included in the latest DIGITAL UNIX V4.0b aggregate DUPATCH Kit. The V3.2g aggregate BL 10 patch kit #5 is scheduled for release in late June 1998. The V4.0 aggregate BL 9 patch kit #6 is scheduled for release mid May 1998. The V4.0c aggregate BL10 patch kit #6 is scheduled for release mid May 1998. *This potential problem was included in the distributed release of DIGITAL UNIX V4.0d o the World Wide Web at the following FTP address: http://www.service.digital.com/html/patch_service.html Use the FTP access option, select DIGITAL_UNIX directory then choose the appropriate version directory and download the patch accordingly. Note: [1]The appropriate patch kit must be installed following any upgrade to V4.0a, V4.0b, or V4.0c. [2] Please review the appropriate release notes prior to installation. If you need further information, please contact your normal DIGITAL support channel. DIGITAL appreciates your cooperation and patience. We regret any inconvenience applying this information may cause. As always, Digital urges you to periodically review your system management and security procedures. Digital will continue to review and enhance the security features of its products and work with customers to maintain and improve the security and integrity of their systems. ______________________________________________________________ Copyright (c) Digital Equipment Corporation, 1998 All Rights Reserved. Unpublished Rights Reserved Under The Copyright Laws Of The United States. ______________________________________________________________ ============================================================================== CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet is the Dutch network for educational, research and related institutes. CERT-NL is a member of the Forum of Incident Response and Security Teams (FIRST). All CERT-NL material is available under: http://www.surfnet.nl/surfnet/security/cert-nl.html ftp://ftp.surfnet.nl/surfnet/net-security In case of computer or network security problems please contact your local CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer please address the appropriate (local) CERT/security-team). CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100 in winter and UTC+0200 in summer (DST). Email: cert-nl@surfnet.nl ATTENDED REGULARLY ALL DAYS Phone: +31 302 305 305 BUSINESS HOURS ONLY Fax: +31 302 305 329 BUSINESS HOURS ONLY Snailmail: SURFnet bv Attn. CERT-NL P.O. Box 19035 NL - 3501 DA UTRECHT The Netherlands NOODGEVALLEN: 06 52 87 92 82 ALTIJD BEREIKBAAR EMERGENCIES : +31 6 52 87 92 82 ATTENDED AT ALL TIMES CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES: THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED* PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU. ============================================================================== -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: cp850 iQCVAwUBNVb8t1pSTqmIRWKVAQEaYwQAwy++PqMv2rWkyOnFCr+Ox3v1xxmqQoLn SQeW7dkTHi0ll55IXwyBF7uESdd9Atn1RiBnQI/RsvijGt5UMtjQBG36wf9+GZ+Z TSJwFl2AFARb229w/ukLSM8c19IusKsALv2YRe7GheEGMEnTT9wV0v9QsB4ICMSH vEKFpTlBsZk= =NTMH -----END PGP SIGNATURE-----