From support@us.external.hp.com Wed Mar 13 01:01:40 1996
Date: Wed, 13 Mar 1996 01:09:35 -0800
From: HPSL Mail Service
Reply to: support-feedback@us.external.hp.com
To: Damien Sorder
Subject: RE: send doc HPSBUX9312-002

--------

## Regarding your request: Send Doc HPSBUX9312-002

The following are the results of your request from the HP SupportLine mail
service.

===============================================================================
Document Id: [HPSBUX9312-002]
Date Loaded: [02-05-94]
Description: Security Vulnerability in Xterm
===============================================================================

-------------------------------------------------------------------------
HEWLETT-PACKARD SECURITY BULLETIN: #00002, 30 November 93
REVISED 01 December 93
-------------------------------------------------------------------------

_______________________________________________________________________

PROBLEM:  Security vulnerability in xterm in all releases of HP-UX

PLATFORM: HP 9000 series 300/400s and 700/800s

DAMAGE:   A vulnerability in the logging function of xterm exists if
          the xterm operates as a setuid or setgid process. The
          vulnerability allows local users to create files or modify
          any existing files.

SOLUTION: Apply patch PHSS_3399 (series 700/800, HP-UX 9.x), or
                      PHNE_3408 (series 700,     HP-UX 8.x), or
                      PHNE_3409 (series 800,     HP-UX 8.x), or
                      PHSS_3410 (series 300/400, HP-UX 9.x), or
                      PHSS_3411 (series 300/400, HP-UX 8.x), or
          remove the setuid permissions from xterm (releases of HP-UX
          prior to 8.0).

          Note: Removing the setuid permissions may create another
          vulnerability. The only solution without known or suspected
          vulnerabilities is to install the patch.

AVAILABILITY: PHSS_3399 and PHSS_3410 are available now. The other
          patches are estimated to be available by 07 December.
_______________________________________________________________________

I. Xterm Update

   A. Recent CERT advisory on Xterm

      A recent CERT advisory (CERT CA-93:17) described a vulnerability
      in the logging function of xterm for X Version 11, Release 5
      (X11R5) and earlier versions of X11. The vulnerability allows
      local users to create files or modify any existing files. If the
      setuid or setgid privilege bit is not set on the xterm program,
      the vulnerability cannot be exploited.

      It has been found that all HP-UX systems have this xterm
      vulnerability.

   B. Fixing the problem

      The vulnerability can be eliminated from releases 8.x and 9.x of
      HP-UX by applying a patch. Releases of HP-UX prior to 8.0 must
      modify the xterm permissions (chmod 555 /usr/bin/X11/xterm).

      Hewlett-Packard recommends that all customers concerned with the
      security of their HP-UX systems either apply the appropriate
      patch or change the xterm permissions as soon as possible.

      Removing the setuid permission from xterm prevents it from making
      entries in utmp. This means that commands that depend on utmp,
      such as who(1), may not function as expected.

   C. How to Install the Patch (for HP-UX 8.x and 9.x)

      (NOTE: Since some patches will not be available until about
      December 07, HP-UX 8.x and 9.x systems can be protected until
      that time by removing the setuid permissions from xterm.)

      1. Determine which patch is appropriate for your hardware
         platform and operating system:

            PHSS_3399 (series 700/800, HP-UX 9.x)
            PHNE_3408 (series 700,     HP-UX 8.x)
            PHNE_3409 (series 800,     HP-UX 8.x)
            PHSS_3410 (series 300/400, HP-UX 9.x)
            PHSS_3411 (series 300/400, HP-UX 8.x)

      2. Get a copy of the patch from one of the following locations:

         a. Auto-Patch Email

            If you know the name of the patch needed, send email to
            hprc_patch@hprc.atl.hp.com with the subject of the message
            stated as "patch phkl_9999 rchandle", where phkl_9999 is
            the patch name and rchandle is your Response Center system
            identifier, or your company name if you are not currently
            under Response Center support. The patch will automatically
            be emailed back to you.

         b. HP SupportLine

            Effective early 1993, all new patches are loaded on HPSL.
            If you don't have HPSL access or need to know how to sign
            on, in the U.S. you can call the following numbers:

               Response Center Customers: 1-800-633-3600
               BasicLine Customers:       1-415-691-3888

            Outside the U.S., contact your local Response Center.

         Note that a list of patches can be obtained at any time by
         sending email to hprc_patch@hprc.atl.hp.com with the subject
         of the message stated as "p-list rchandle", where rchandle is
         your Response Center system identifier, or your company name
         if you are not currently under Response Center support. The
         list will automatically be emailed back to you. The list
         includes a short description of each patch. A more detailed
         patch description is included in the patch itself.

      3. Apply the patch to your HP-UX system.

      4. Examine /tmp/update.log for any relevant WARNINGs or ERRORs.
         This can be done as follows:

         a. At the shell prompt, type
            "tail -60 /tmp/update.log | more"

         b. Page through the next three screens via the space bar,
            looking for WARNING or ERROR messages.

   D. Impact of the patch and workaround

      The patch for HP-UX releases 8.x and 9.x provides a new version
      of /usr/lib/X11/xterm which fixes the vulnerability. No patches
      will be available for versions of HP-UX prior to 8.0.
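
The following shell helpers are an added example, not part of HP's bulletin or patch. They check the two conditions the bulletin relies on: whether an xterm binary still carries the setuid or setgid bit (section B), and whether the last 60 lines of the update log contain WARNING or ERROR messages (step C.4). The function names are hypothetical, file paths are supplied by the caller, and the demo input is constructed.

```shell
#!/bin/sh
# Added example: checks for the bulletin's workaround (section B) and step C.4.
# Function names are hypothetical; file paths are supplied by the caller.

# xterm_priv_bits FILE
# Prints which privilege bits FILE carries: "setuid", "setgid",
# "setuid setgid" or "none". Returns 0 when neither bit is set,
# 1 when at least one is set, 2 when FILE is not a regular file.
xterm_priv_bits() {
    xp_file=$1
    [ -f "$xp_file" ] || { echo "missing"; return 2; }
    xp_bits=""
    if [ -u "$xp_file" ]; then xp_bits="setuid"; fi
    if [ -g "$xp_file" ]; then xp_bits="${xp_bits:+$xp_bits }setgid"; fi
    if [ -n "$xp_bits" ]; then echo "$xp_bits"; return 1; fi
    echo "none"
}

# update_log_problems LOG [LINES]
# Prints the WARNING/ERROR lines found in the last LINES lines of LOG
# (default 60, as in the bulletin's "tail -60"). Returns 0 when there
# are none, 1 when any were found, 2 when LOG cannot be read.
update_log_problems() {
    ul_log=$1
    ul_lines=${2:-60}
    [ -r "$ul_log" ] || { echo "unreadable: $ul_log"; return 2; }
    ul_hits=$(tail -n "$ul_lines" "$ul_log" | grep -E 'WARNING|ERROR' || true)
    if [ -z "$ul_hits" ]; then return 0; fi
    printf '%s\n' "$ul_hits"
    return 1
}

# Demo on constructed input: a scratch file stands in for xterm and the
# log lines are made up for illustration.
demo_dir=$(mktemp -d)
: > "$demo_dir/xterm"
chmod 4555 "$demo_dir/xterm"
echo "as shipped:   $(xterm_priv_bits "$demo_dir/xterm")"
chmod 555 "$demo_dir/xterm"
echo "after chmod:  $(xterm_priv_bits "$demo_dir/xterm")"
printf '%s\n' 'loading fileset' 'WARNING: sample message' 'done' \
    > "$demo_dir/update.log"
echo "log findings: $(update_log_problems "$demo_dir/update.log")"
rm -rf "$demo_dir"
```

On a real system, pass the installed xterm path and /tmp/update.log as the arguments; a return status of 1 from either function means the corresponding step needs attention.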