-----BEGIN PGP SIGNED MESSAGE----- __________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Vulnerability in libXt November 20, 1997 23:00 GMT Number H-51a ______________________________________________________________________________ PROBLEM: A vulnernability exist for a buffer overflow condition in the Xt library and the file xc/lib/Xt/Error.c. PLATFORM: See "Appendix A - Vendor Information" below for platforms effected. DAMAGE: Allows unauthorized file access possibly gaining root privilege. SOLUTION: Apply the patches and workarounds listed ______________________________________________________________________________ VULNERABILITY Exploit details involving this vulnerability have been made ASSESSMENT: publicly available. ______________________________________________________________________________ [ Appended to H-51 on November 20,1997 with additional patch information from Silicon Graphics Inc. ] [ Start CERT Advisory ] ============================================================================= CERT* Advisory CA-97.11 Original issue date: May 1, 1997 Last revised: -- Topic: Vulnerability in libXt - ------------------------------------------------------------------------------ There have been discussions on public mailing lists about buffer overflows in the Xt library of the X Windowing System made freely available by The Open Group (and previously by the now-defunct X Consortium). The specific problem outlined in those discussions was a buffer overflow condition in the Xt library, and the file xc/lib/Xt/Error.c. Exploitation scripts were made available. Since then (the latter half of 1996), The Open Group has extensively reviewed the source code for the entire distribution to address the potential for further buffer overflow conditions. These conditions can make it possible for a local user to execute arbitrary instructions as a privileged user without authorization. The programs that pose a potential threat to sites are those programs that have been built from source code prior to X11 Release 6.3 and have setuid or setgid bits set. Some third-party vendors distribute derivatives of the X Window System, and if you use a distribution that includes X tools that have setuid or setgid bits set, you may be vulnerable as well. The CERT/CC team recommends upgrading to X11 Release 6.3 or installing a patch from your vendor. If you cannot do one of these, then as a last resort we recommend that you remove the setuid or setgid bits from any executable files contained in your distribution of X; this may have an adverse effect on some system operations. We will update this advisory as we receive additional information. Please check advisory files regularly for updates that relate to your site. - ------------------------------------------------------------------------------ I. Description There have been discussions on public mailing lists about buffer overflows in the Xt library of the X Windowing System made freely available by The Open Group (and previously by the now-defunct X Consortium). During these discussions, exploitation scripts were made available for some platforms.** The specific problem outlined in those discussions was a buffer overflow condition in the Xt library and the file xc/lib/Xt/Error.c. It was possible for a user to execute arbitrary instructions as a privileged user using a program built by this distribution with setuid or setgid bits set. Note that in this case a root compromise was only possible when programs built from this distribution (e.g., xterm) were setuid root. Since then The Open Group has extensively reviewed the source code for the entire distribution to address the potential for further buffer overflow condition. If you use a distribution of the X Windowing System earlier than X11 Release 6.3 that you downloaded and compiled yourself, we encourage you to take the steps outlined in either Section IV A or C. If you use third-party vendor-supplied distributions of the X Windowing System containing setuid root programs, we encourage you to take the steps outlined in Sections IV B or C. ** Note: Discussions of this specific instance of the vulnerability appeared on mailing lists during the second half of 1996. Exploitation scripts were made public at that time. II. Impact Platforms that have X applications built with the setuid or setgid bits set may be vulnerable to buffer overflow conditions. These conditions can make it possible for a local user to execute arbitrary instructions as a privileged user without authorization. Access to an account on the system is necessary for exploitation. III. Finding Potentially Vulnerable Distributions A. For Sites That Download and Build Their Own Distributions As discussed earlier, the programs that pose a potential threat to sites are those programs that have been built from source code, prior to X11 Release 6.3 and have setuid or setgid bits set. Sites that have downloaded the X source code from the X Consortium should be able to identify such programs by looking in the directory hierarchy defined by the "ProjectRoot" constant described in the xc/config/cf/site.def file in the source code distribution. The default is /usr/X11R6.3. The X11R6.3 Installation Guide states: "ProjectRoot The destination where X will be installed. This variable needs to be set before you build, as some programs that read files at run-time have the installation directory compiled in to them. Assuming you have set the variable to some value /path, files will be installed into /path/bin, /path/include/X11, /path/lib, and /path/man." B. For Vendor-Supplied Distributions Some third-party vendors distribute derivatives of the X Window System. If you use a distribution that includes X tools that have setuid or setgid bits set, then you may need to apply Solution B or C in Section IV. If you use a distribution that does not have setuid or setgid bits enabled on any X tools, then you do not need to take any of the steps listed below. Below is a list of vendors who have provided information about this problem. If your vendor's name is not on this list and you need clarification, you should check directly with your vendor. IV. Solution If any X tools that you are using are potentially vulnerable (see Section III), we encourage you to take one of the following steps. If the setuid or setgid bits are not enabled on any of the tools in your distribution, you do not need to take any of the steps listed below. For distributions that were built directly from the source code supplied by The Open Group (and previously by the X Consortium), we encourage you to apply either Solutions A or C. For vendor-supplied distributions, we encourage you to apply either Solutions B or C. A. Upgrade to X11 Release 6.3 If you download and build your own distributions directly from the source code, we encourage you to install the latest version, X11 Release 6.3. The source code can be obtained from ftp://ftp.x.org/pub/R6.3/tars/xc-1.tar.gz ftp://ftp.x.org/pub/R6.3/tars/xc-2.tar.gz ftp://ftp.x.org/pub/R6.3/tars/xc-3.tar.gz Note that these distributions are very large. The compressed files consume about 40M of disk space. The uncompressed tar files consume about 150M of disk space. B. Install a patch from your vendor Below is a list of vendors who have provided information about this problem. Details are in Appendix A of this advisory; we will update the appendix as we receive more information. If your vendor's name is not on this list, the CERT/CC did not hear from that vendor. Please contact your vendor directly. Berkeley Software Design, Inc. (BSDI) Digital Equipment Corporation (DEC) FreeBSD, Inc. Hewlett-Packard Company IBM Corporation NEC Corporation NeXT Software, Inc. The Open Group (formerly OSF/X Consortium) The Santa Cruz Operation, Inc. (SCO) Sun Microsystems, Inc. C. Remove the setuid bit from affected programs If you are unable to apply Solutions A or B, then as a last resort we recommend removing the setuid or setgid bits from the executable files in your distribution of X. Note that this may have an adverse effect on some system operations. For instance, on some systems the xlock program needs to have the setuid bit enabled so that the shadow password file can be read to unlock the screen. By removing the setuid bit from this program, you remove the ability of the xlock program to read the shadow password file. This means that particular version of the xlock program should not be used at all, or it should be killed from another terminal when necessary. _____________________________________________________________________ Appendix A - Vendor Information Below is a list of the vendors who have provided information for this advisory. We will update this appendix as we receive additional information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact the vendor directly. Berkeley Software Design, Inc. (BSDI) ===================================== We released a patch for this for the 2.1 BSD/OS release, and it's already fixed in our current release. Digital Equipment Corporation (DEC) =================================== At the time of writing this document, patches(binary kits) are in progress and final testing is expected to begin soon. Digital will provide notice of the completion/availability of the patches through AES services (DIA, DSNlink FLASH) and be available from your normal Digital Support channel. FreeBSD, Inc. ============= We're aware of the problem and are trying to correct it with a new release of the Xt library. Hewlett-Packard Company ======================= For HP-UX, Install the applicable patches: PHSS_10167 9.X X11R5/Motif1.2 Runtime PHSS_10168 9.X X11R5/Motif1.2 Development PHSS_9809 10.0X/10.10 X11R5/Motif1.2 Runtime PHSS_9810 10.0X/10.10 X11R5/Motif1.2 Development PHSS_10688 10.20 X11R5/Motif1.2 Runtime PHSS_9813 10.20 X11R5/Motif1.2 Development PHSS_10789 10.20 X11R6/Motif1.2 Runtime PHSS_9815 10.20 X11R6/Motif1.2 Development Apply the library patches and relink any suid/sgid programs that are linked with the archived version of libXt. IBM Corporation =============== See the appropriate release below to determine your action. AIX 3.2 ------- Apply the following fix to your system: APAR - IX61784,IX67047,IX66713 (PTF - U445908,U447740) To determine if you have this PTF on your system, run the following command: lslpp -lB U445908 U447740 AIX 4.1 ------- Apply the following fix to your system: APAR - IX61031 IX66736 IX66449 To determine if you have this APAR on your system, run the following command: instfix -ik IX61031 IX66736 IX66449 Or run the following command: lslpp -h X11.base.lib Your version of X11.base.lib should be 4.1.5.2 or later. AIX 4.2 ------- Apply the following fix to your system: APAR - IX66824 IX66352 To determine if you have this APAR on your system, run the following command: instfix -ik IX66824 IX66352 Or run the following command: lslpp -h X11.base.lib Your version of X11.base.lib should be 4.2.1.0 or later. To Order -------- APARs may be ordered using Electronic Fix Distribution (via FixDist) or from the IBM Support Center. For more information on FixDist, reference URL: http://service.software.ibm.com/aixsupport/ or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist". IBM and AIX are registered trademarks of International Business Machines Corporation. NEC Corporation =============== EWS-UX/V(Rel4.2) R7.x - R10.x vulnerable EWS-UX/V(Rel4.2MP) R10.x vulnerable UP-UX/V(Rel4.2MP) R5.x - R7.x vulnerable UX/4800 R11.x - current vulnerable Patches for this vulnerability are in progress. For further information, please contact by e-mail: UX48-security-support@nec.co.jp NeXT Software, Inc. =================== X-Windows is not part of any NextStep or OpenStep release. We are not vulnerable to this problem. The Open Group (formerly OSF/X Consortium) ================================ Not vulnerable. The Santa Cruz Operation, Inc. (SCO) ==================================== We are investigating this problem and will provide updated information for this advisory when it becomes available. Sun Microsystems, Inc. ====================== We are investigating. [ End CERT Advisory ] [ Appended Silicon Graphics Advisory ] - -----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ Silicon Graphics Inc. Security Advisory Title: libXt Security Issues Title: CERT CA-97.11 Number: 19971101-01-PX Date: November 18, 1997 ______________________________________________________________________________ Silicon Graphics provides this information freely to the SGI user community for its consideration, interpretation, implementation and use. Silicon Graphics recommends that this information be acted upon as soon as possible. Silicon Graphics provides the information in this Security Advisory on an "AS-IS" basis only, and disclaims all warranties with respect thereto, express, implied or otherwise, including, without limitation, any warranty of merchantability or fitness for a particular purpose. In no event shall Silicon Graphics be liable for any loss of profits, loss of business, loss of data or for any indirect, special, exemplary, incidental or consequential damages of any kind arising from your use of, failure to use or improper use of any of the instructions or information in this Security Advisory. ______________________________________________________________________________ - ------------------------ - ---- Issue Specifics --- - ------------------------ In disussions on public newsgroups and mailing lists, buffer overruns in the Xt library of the X Windowing System and X application programs have been discussed. Silicon Graphics Inc. has investigated the issue and recommends the following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be implemented on ALL SGI systems. This issue will be corrected in future releases of IRIX. - --------------- - ---- Impact --- - --------------- All Silicon Graphics computer systems running IRIX 4.x, IRIX 5.x and IRIX 6.x utilize the X Windowing system and have X applications by default. A local account is required in order to exploit these vulnerabilities both locally and remotely. This issue has been publically disclosed and discussed in several public forums newsgroups and mailing lists in addition to security advisories CERT CA-97.11. - --------------------------- - ---- Temporary Solution --- - --------------------------- Unfortunately, there are no immediate or temporary workarounds for this issue. The issue can only be addressed with a patch. - ----------------- - ---- Solution --- - ----------------- OS Version Vulnerable? Patch # Other Actions ---------- ----------- ------- ------------- IRIX 3.x no IRIX 4.x yes not avail Note 1 IRIX 5.0.x yes not avail Note 1 IRIX 5.1.x yes not avail Note 1 IRIX 5.2 yes not avail Note 1 IRIX 5.3 yes 2155 IRIX 6.0.x yes not avail Note 1 IRIX 6.1 yes not avail Note 1 IRIX 6.2 yes 2154 IRIX 6.3 yes 2153 IRIX 6.4 yes 2396 NOTES 1) upgrade to supported operating system version Patches are available via anonymous FTP and your service/support provider. The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its mirror, ftp.sgi.com. Security information and patches can be found in the ~ftp/security and ~ftp/patches directories, respectfully. ##### Patch File Checksums #### The actual patch will be a tar file containing the following files: Filename: README.patch.2153 Algorithm #1 (sum -r): 25316 10 README.patch.2153 Algorithm #2 (sum): 65501 10 README.patch.2153 MD5 checksum: 61E23CC48D1295A14FF1BD14F1AE63E9 Filename: patchSG0002153 Algorithm #1 (sum -r): 63016 6 patchSG0002153 Algorithm #2 (sum): 54172 6 patchSG0002153 MD5 checksum: 283699BC58ABFF6F7C8BA3713D0AEEC4 Filename: patchSG0002153.idb Algorithm #1 (sum -r): 28889 8 patchSG0002153.idb Algorithm #2 (sum): 46999 8 patchSG0002153.idb MD5 checksum: B556DB55B2B5CF749C54E1AB5A4864A0 Filename: patchSG0002153.x_dev_sw Algorithm #1 (sum -r): 03700 1039 patchSG0002153.x_dev_sw Algorithm #2 (sum): 2287 1039 patchSG0002153.x_dev_sw MD5 checksum: 2D95358E6433CDBE96D52F62D08A4CD3 Filename: patchSG0002153.x_dev_sw32 Algorithm #1 (sum -r): 64841 1251 patchSG0002153.x_dev_sw32 Algorithm #2 (sum): 38376 1251 patchSG0002153.x_dev_sw32 MD5 checksum: EE7BE878CB7486BBA689DE31C49F2C2D Filename: patchSG0002153.x_dev_sw64 Algorithm #1 (sum -r): 43845 1344 patchSG0002153.x_dev_sw64 Algorithm #2 (sum): 31671 1344 patchSG0002153.x_dev_sw64 MD5 checksum: 02803C4F21D9440D6B365B5E051260C6 Filename: patchSG0002153.x_eoe_sw Algorithm #1 (sum -r): 43004 3102 patchSG0002153.x_eoe_sw Algorithm #2 (sum): 56526 3102 patchSG0002153.x_eoe_sw MD5 checksum: 4E50E4D94BFEA5652D20CE08BD120D0D Filename: patchSG0002153.x_eoe_sw32 Algorithm #1 (sum -r): 38854 3358 patchSG0002153.x_eoe_sw32 Algorithm #2 (sum): 910 3358 patchSG0002153.x_eoe_sw32 MD5 checksum: B5701DA482684D031D40249D6096971B Filename: patchSG0002153.x_eoe_sw64 Algorithm #1 (sum -r): 24290 3562 patchSG0002153.x_eoe_sw64 Algorithm #2 (sum): 43506 3562 patchSG0002153.x_eoe_sw64 MD5 checksum: 73709C1BAF1B6A08DB6966DEB435B668 Filename: README.patch.2154 Algorithm #1 (sum -r): 02162 15 README.patch.2154 Algorithm #2 (sum): 39280 15 README.patch.2154 MD5 checksum: 5EEF5483CBDC8D804A29A0473230D277 Filename: patchSG0002154 Algorithm #1 (sum -r): 40324 14 patchSG0002154 Algorithm #2 (sum): 59115 14 patchSG0002154 MD5 checksum: 273ABFD8DAFDFC05BAA4727A39FB93D7 Filename: patchSG0002154.idb Algorithm #1 (sum -r): 64074 7 patchSG0002154.idb Algorithm #2 (sum): 61404 7 patchSG0002154.idb MD5 checksum: AF140498F7B12405046D2647E3DAFD73 Filename: patchSG0002154.x_dev_sw Algorithm #1 (sum -r): 64669 1038 patchSG0002154.x_dev_sw Algorithm #2 (sum): 43733 1038 patchSG0002154.x_dev_sw MD5 checksum: 59113DE469DDD394ED11B9EC9E0BAD3A Filename: patchSG0002154.x_dev_sw32 Algorithm #1 (sum -r): 09060 1252 patchSG0002154.x_dev_sw32 Algorithm #2 (sum): 50637 1252 patchSG0002154.x_dev_sw32 MD5 checksum: 801FBBD3B849DCCCCE32581006248194 Filename: patchSG0002154.x_dev_sw64 Algorithm #1 (sum -r): 45827 1344 patchSG0002154.x_dev_sw64 Algorithm #2 (sum): 7788 1344 patchSG0002154.x_dev_sw64 MD5 checksum: 4CE9812E5FBEAAA3BEE07EA1C8430C5A Filename: patchSG0002154.x_eoe_sw Algorithm #1 (sum -r): 14887 3034 patchSG0002154.x_eoe_sw Algorithm #2 (sum): 11241 3034 patchSG0002154.x_eoe_sw MD5 checksum: BC5AA5A65C7560CD4734A68E73F3F853 Filename: patchSG0002154.x_eoe_sw32 Algorithm #1 (sum -r): 57921 2726 patchSG0002154.x_eoe_sw32 Algorithm #2 (sum): 41588 2726 patchSG0002154.x_eoe_sw32 MD5 checksum: 54C206869F69397875FD93216D991930 Filename: patchSG0002154.x_eoe_sw64 Algorithm #1 (sum -r): 53814 2868 patchSG0002154.x_eoe_sw64 Algorithm #2 (sum): 839 2868 patchSG0002154.x_eoe_sw64 MD5 checksum: DB3862DE7C2E986E13E3E14C5E161E5E Filename: README.patch.2155 Algorithm #1 (sum -r): 21907 13 README.patch.2155 Algorithm #2 (sum): 27373 13 README.patch.2155 MD5 checksum: E6DABFBEE2945099D42F6063A11B6A7E Filename: patchSG0002155 Algorithm #1 (sum -r): 02117 3 patchSG0002155 Algorithm #2 (sum): 5954 3 patchSG0002155 MD5 checksum: 35A01C9F197B55E05846A49F86001F33 Filename: patchSG0002155.idb Algorithm #1 (sum -r): 36349 2 patchSG0002155.idb Algorithm #2 (sum): 1931 2 patchSG0002155.idb MD5 checksum: 7CE668036AABD4B63E65AF2E18A85079 Filename: patchSG0002155.x_dev_sw Algorithm #1 (sum -r): 40176 1005 patchSG0002155.x_dev_sw Algorithm #2 (sum): 14410 1005 patchSG0002155.x_dev_sw MD5 checksum: FB9E15AB9A24418A771D1A4239AACA9D Filename: patchSG0002155.x_eoe_sw Algorithm #1 (sum -r): 42558 2534 patchSG0002155.x_eoe_sw Algorithm #2 (sum): 60261 2534 patchSG0002155.x_eoe_sw MD5 checksum: 249A8BA0FD006A6543ED58548A961086 Filename: README.patch.2396 Algorithm #1 (sum -r): 21490 10 README.patch.2396 Algorithm #2 (sum): 59973 10 README.patch.2396 MD5 checksum: 51FBF3D675E4E43F2DF105FD60173D7E Filename: patchSG0002396 Algorithm #1 (sum -r): 31021 6 patchSG0002396 Algorithm #2 (sum): 59122 6 patchSG0002396 MD5 checksum: 1CB84057C049D0AEEF1769147484D51D Filename: patchSG0002396.eoe_sw Algorithm #1 (sum -r): 44998 7 patchSG0002396.eoe_sw Algorithm #2 (sum): 42468 7 patchSG0002396.eoe_sw MD5 checksum: 948C51F29D9B18C71211551F2A9E2786 Filename: patchSG0002396.idb Algorithm #1 (sum -r): 44652 6 patchSG0002396.idb Algorithm #2 (sum): 50192 6 patchSG0002396.idb MD5 checksum: 88153D362FE99D3C38B148649926B5E9 Filename: patchSG0002396.x_dev_sw Algorithm #1 (sum -r): 21683 2337 patchSG0002396.x_dev_sw Algorithm #2 (sum): 1525 2337 patchSG0002396.x_dev_sw MD5 checksum: D7A1332304D0053EE790F64C0C0D6B27 Filename: patchSG0002396.x_dev_sw64 Algorithm #1 (sum -r): 49044 1361 patchSG0002396.x_dev_sw64 Algorithm #2 (sum): 14474 1361 patchSG0002396.x_dev_sw64 MD5 checksum: 38F89FD774611E2D8DC65358C3CF809F Filename: patchSG0002396.x_eoe_sw Algorithm #1 (sum -r): 26996 5177 patchSG0002396.x_eoe_sw Algorithm #2 (sum): 42378 5177 patchSG0002396.x_eoe_sw MD5 checksum: 909745597814CC56DD5466CA4BEC3411 Filename: patchSG0002396.x_eoe_sw64 Algorithm #1 (sum -r): 25487 2832 patchSG0002396.x_eoe_sw64 Algorithm #2 (sum): 20908 2832 patchSG0002396.x_eoe_sw64 MD5 checksum: E683B61D66B99B1A055AB8ACFFE28C32 - ------------------------- - ---- Acknowledgments --- - ------------------------- Silicon Graphics wishes to thank the CERT Coordination Center for their assistance in this matter. - ------------------------------------------------------------ - ---- Silicon Graphics Inc. Security Information/Contacts --- - ------------------------------------------------------------ If there are questions about this document, email can be sent to cse-security-alert@sgi.com. ------oOo------ Silicon Graphics provides security information and patches for use by the entire SGI community. This information is freely available to any person needing the information and is available via anonymous FTP and the Web. The primary SGI anonymous FTP site for security information and patches is sgigate.sgi.com (204.94.209.1). Security information and patches are located under the directories ~ftp/security and ~ftp/patches, respectively. The Silicon Graphics Security Headquarters Web page is accessible at the URL http://www.sgi.com/Support/security/security.html. For issues with the patches on the FTP sites, email can be sent to cse-security-alert@sgi.com. For assistance obtaining or working with security patches, please contact your SGI support provider. ------oOo------ Silicon Graphics provides a free security mailing list service called wiretap and encourages interested parties to self-subscribe to receive (via email) all SGI Security Advisories when they are released. Subscribing to the mailing list can be done via the Web (http://www.sgi.com/Support/security/wiretap.html) or by sending email to SGI as outlined below. % mail wiretap-request@sgi.com subscribe wiretap end ^d In the example above, is the email address that you wish the mailing list information sent to. The word end must be on a separate line to indicate the end of the body of the message. The control-d (^d) is used to indicate to the mail program that you are finished composing the mail message. ------oOo------ Silicon Graphics provides a comprehensive customer World Wide Web site. This site is located at http://www.sgi.com/Support/security/security.html. ------oOo------ For reporting *NEW* SGI security issues, email can be sent to security-alert@sgi.com or contact your SGI support provider. A support contract is not required for submitting a security report. ______________________________________________________________________________ This information is provided freely to all interested parties and may be redistributed provided that it is not altered in any way, Silicon Graphics is appropriately credited and the document retains and includes its valid PGP signature. - -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBNHIbU7Q4cFApAP75AQHsmwP/a1yXEj4nbsISnuabnIOdPHtsZY+EZd3U m6HArcRazNJdn+EOncr7y6oygCce6ASpOzd//uJ+Mn0C660x3X76PpEHn7w7Exxy 4nHR2Lepor1Qck/uTJNoLwO/6BMd+jLowZtyrIkgnVXQ7z2f/Yz6CwlKa0U0s0rz AyT9O4fFFgo= =QaJc - -----END PGP SIGNATURE----- [ End Silicon Graphics Inc. Advisory ] ______________________________________________________________________________ CIAC wishes to acknowledge the contributions of CERT, Kaleb Keithly of The Open Group and Silicon Graphics Inc. for the information contained in this bulletin. ______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 510-422-8193 FAX: +1 510-423-8002 STU-III: +1 510-423-2604 E-mail: ciac@llnl.gov For emergencies and off-hour assistance, DOE, DOE contractor sites, and the NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call the CIAC voice number 510-422-8193 and leave a message, or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC duty person, and the secondary PIN number, 8550074 is for the CIAC Project Leader. Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://ciac.llnl.gov/ Anonymous FTP: ciac.llnl.gov (128.115.19.53) Modem access: +1 (510) 423-4753 (28.8K baud) +1 (510) 423-3331 (28.8K baud) CIAC has several self-subscribing mailing lists for electronic publications: 1. CIAC-BULLETIN for Advisories, highest priority - time critical information and Bulletins, important computer security information; 2. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability; 3. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products. Our mailing lists are managed by a public domain software package called Majordomo, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send the following request as the E-mail message body, substituting ciac-bulletin, spi-announce OR spi-notes for list-name: E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov: subscribe list-name e.g., subscribe ciac-bulletin You will receive an acknowledgment email immediately with a confirmation that you will need to mail back to the addresses above, as per the instructions in the email. This is a partial protection to make sure you are really the one who asked to be signed up for the list in question. If you include the word 'help' in the body of an email to the above address, it will also send back an information file on how to subscribe/unsubscribe, get past issues of CIAC bulletins via email, etc. PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) H-42: HP MPE/iX with ICMP Echo Request (ping) Vulnerability H-44: Solaris 2.x fdformat Buffer Overflow Vulnerability H-45: Windows NT SAM permission Vulnerability H-46: Vulnerability in IMAP and POP H-47A: AOL4FREE.COM Trojan Horse Program Destroys Hard Drives H-48: Internet Information Server Vulnerability H-49: NLS Buffer Overflow Vulnerability H-22a: talkd Buffer Overrun Vulnerability H-29a: HP-UX sendmail Patches Vulnerability H-50: HP-UX SYN Flood and libXt patches -----BEGIN PGP SIGNATURE----- Version: 4.0 Business Edition iQCVAwUBNHS88bnzJzdsy3QZAQF1gQP/Vfj2DMP8ej3feM1S9Sry6xdZwuRGqqR4 rCdGcgHEbhHmtvGgAywNb8Pz7nmn/pjEjiP5Uqdz0tbHHuYpW+JNBfvPoB+T1v/J w1GSNyOdVtN5SGsYHumag/I5yevH+Xq/amTFim460kymlixdUM5nD4XhMLW9z8zm jP5lLDYqoNs= =Ctw4 -----END PGP SIGNATURE-----