-----BEGIN PGP SIGNED MESSAGE-----

__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________

INFORMATION BULLETIN

NEC/UNIX "nosuid" mount option Vulnerability

October 14, 1997 20:00 GMT                                        Number I-004
______________________________________________________________________________
PROBLEM:       NEC Corporation has identified and corrected a vulnerability
               with the "nosuid" mount(1) option.
PLATFORM:      The following NEC/UNIX platforms are affected:
                   EWS-UX/V(Rel4.2)   R7.x - R10.x
                   EWS-UX/V(Rel4.2MP) R10.x
                   UP-UX/V(Rel4.2MP)  R5.x - R7.x
                   UX/4800            R11.x - 12.1
DAMAGE:        Local users may invoke commands as other users and possibly
               achieve root privileges to execute arbitrary commands.
SOLUTION:      Apply patches or workarounds as listed below.
______________________________________________________________________________
VULNERABILITY  NEC strongly recommends that administrators of affected systems
ASSESSMENT:    follow the instructions in section 3 of this bulletin.
______________________________________________________________________________

[ Start NEC Corporation Advisory ]

______________________________________________________________________________

NEC Corporation Security Bulletin

Title:        Vulnerability in "nosuid" mount option
Affects:      EWS-UX/V(Rel4.2)   R7.x - R10.x
              EWS-UX/V(Rel4.2MP) R10.x
              UP-UX/V(Rel4.2MP)  R5.x - R7.x
              UX/4800            R11.x - 12.1
Document ID:  SB-19971010-01
Date Issued:  October 10, 1997
______________________________________________________________________________

1. Description

   NEC Corporation has identified and corrected a problem with the "nosuid"
   mount(1) option. The "nosuid" mount(1) option nullifies the effect of
   setuid and setgid bits for files on a particular file system. This problem
   manifests itself by allowing setuid and setgid program execution on file
   systems mounted with "nosuid".

   The following NEC/UNIX platforms are affected:

       EWS-UX/V(Rel4.2)   R7.x - R10.x
       EWS-UX/V(Rel4.2MP) R10.x
       UP-UX/V(Rel4.2MP)  R5.x - R7.x
       UX/4800            R11.x - 12.1

   NEC strongly recommends that administrators of affected systems follow
   the instructions in section 3 of this bulletin.

2. Impact

   By exploiting this vulnerability, local users can invoke commands as other
   users and possibly achieve root privileges to execute arbitrary commands.

3. Workarounds/Solution

   The patches listed below change the way execution privileges are
   calculated so that setuid and setgid bits are correctly ignored on file
   systems mounted with the "nosuid" option.

   Patches for platforms not listed in Section 3.2 are still in progress.
   For these systems, we recommend either unmounting file systems mounted
   "nosuid" or applying the workaround as described in Section 3.1 until
   patches are made available.

3.1. Remove setuid/setgid permission (workaround)

   To prevent possible exploitation of this vulnerability, until a patch is
   made available for your platform, we recommend the following steps:

   1) Make a local copy of each remote file system mounted with the "nosuid"
      option.

          # find -depth -print | cpio -pdm

   2) Unmount the remote file system and replace it with the local copy.

          # umount
          # mount

   3) Run the find(1) command below to remove all setuid and setgid bits on
      files in the local copy of the remote hierarchy.

          # find -print -exec chmod ug-s {} \;

3.2. Install a patch

   This vulnerability is corrected by the following patches:

       OS version                  Patch ID
       ----------                  --------
       EWS-UX/V(Rel4.2) R7.x       NECe70093
       EWS-UX/V(Rel4.2) R8.x       NECe80121
       EWS-UX/V(Rel4.2) R9.x       NECe90281, NECe90282(for 110N)
       EWS-UX/V(Rel4.2) R10.x      NECea0168
       EWS-UX/V(Rel4.2MP) R10.x    NECma0378
       UP-UX/V(Rel4.2MP) R5.x      NECu50078
       UP-UX/V(Rel4.2MP) R6.x      NECu60217
       UP-UX/V(Rel4.2MP) R7.x      NECu70541
       UX/4800 R11.x               NECmb0668
       UX/4800 R12.x               NECmc0054

   See section 4 of this bulletin for checksum information.

   These patches are available from:

       ftp://ftp.meshnet.or.jp/pub/48pub/security

   For a directory tree map, consult the README file.

   For further information, please contact by e-mail:

       UX48-security-support@nec.co.jp

4. Checksum and additional information for patches.

============================================================================

[ End NEC Corporation Advisory ]

______________________________________________________________________________

CIAC wishes to acknowledge the contributions of NEC Corporation for the
information contained in this bulletin.
______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S.
Department of Energy (DOE) and the emergency backup response team for the
National Institutes of Health (NIH). CIAC is located at the Lawrence
Livermore National Laboratory in Livermore, California. CIAC is also a
founding member of FIRST, the Forum of Incident Response and Security Teams,
a global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites, and the
NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call
the CIAC voice number 510-422-8193 and leave a message, or call 800-759-7243
(800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers, the
primary PIN number, 8550070, is for the CIAC duty person, and the secondary
PIN number, 8550074 is for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://ciac.llnl.gov/
    Anonymous FTP:   ciac.llnl.gov (198.128.39.53)
    Modem access:    +1 (510) 423-4753 (28.8K baud)
                     +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic publications:

1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of
   SPI products.

Our mailing lists are managed by a public domain software package called
Majordomo, which ignores E-mail header subject lines.
To subscribe (add yourself) to one of our mailing lists, send the following
request as the E-mail message body, substituting ciac-bulletin, ciac-notes,
spi-announce OR spi-notes for list-name:

E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:

    subscribe list-name
    e.g., subscribe ciac-notes

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email. This is a partial protection to make sure you are
really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not infringe
privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the University
of California.
The views and opinions of authors expressed herein do not necessarily state
or reflect those of the United States Government or the University of
California, and shall not be used for advertising or product endorsement
purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

H-104: HP-UX libXt Vulnerability
H-105: HP-UX vuefile, vuepad, dtfile, & dtpad Vulnerabilities
H-106: SGI IRIX LOCKOUT & login/scheme Vulnerabilities
H-107: UNIX Buffer Overflow in rdist Vulnerability
H-108: SunOS, Solaris libX11 Buffer Overflow Vulnerability
H-109: Solaris DCE and AFS Integrated login Vulnerability
H-110: Samba Servers Vulnerability
I-001: HP-UX Denial of Service via telnet Vulnerability
I-002: Cisco CHAP Authentication Vulnerability
I-003: HP-UX mediainit(1) Vulnerability

-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBNEUC97nzJzdsy3QZAQFLSwP+MGifaeGhaY4+l4yxlv7zWuZIjESp9UnW
SN1XTTzDTdpjFxJfmqMXJdHRcUElDDAeosPjsuCLLftQUzN4AFf9/UMa4oR5f1hu
T8MQvHqv5XFAuLlzeRfAx6eB2ZBclpeRI8mCFjh3ec8CycplLih4AYIP3/etVQKw
HK2LJyJUy8o=
=lJo/
-----END PGP SIGNATURE-----
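
The workaround in Section 3.1, step 3, as an added shell example (not part of the NEC or CIAC text): it lists the regular files that still carry setuid or setgid bits, clears them, and re-checks that none remain. The function names and the directory argument are assumptions; unlike the bulletin's command, it changes only regular files that have one of the bits set and stays on one file system.

```shell
#!/bin/sh
# Added example, not from the bulletin. Function names are hypothetical; the
# directory argument is the local copy made in Section 3.1, step 1.

# Print regular files under "$1" with the setuid (4000) or setgid (2000) bit.
# -xdev keeps find on one file system, so other mounts below are not touched.
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Count those files (assumes no newlines in file names).
count_suid_sgid() {
    list_suid_sgid "$1" | wc -l | tr -d ' '
}

# Log, clear and verify. Prints "<before> <after>" on stdout and returns 0
# only when no setuid/setgid regular file is left.
strip_suid_sgid() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    before=$(count_suid_sgid "$dir")
    # Keep a record of what is about to change (mode, owner, path) on stderr.
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} \; >&2
    # Same chmod as the bulletin's step 3, limited to the files found above.
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec chmod ug-s {} \;
    after=$(count_suid_sgid "$dir")
    echo "$before $after"
    [ "$after" -eq 0 ]
}

# Usage: strip_suid_sgid /path/to/local/copy
```

Redirect stderr to a file to keep the list of files whose mode was changed, in case a bit has to be restored after the patch from Section 3.2 is installed.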