From support@us.external.hp.com Wed Mar 13 00:51:43 1996 Date: Wed, 13 Mar 1996 01:00:16 -0800 From: HPSL Mail Service Reply to: support-feedback@us.external.hp.com To: Damien Sorder Subject: RE: send doc HPSBUX9503-025 -------- ## Regarding your request: Send Doc HPSBUX9503-025 The following are the results of your request from the HP SupportLine mail service. =============================================================================== Document Id: [HPSBUX9503-025] Date Loaded: [04-03-95] Description: Sendmail permits unauthorized remote program execution. =============================================================================== ------------------------------------------------------------------------- HEWLETT-PACKARD SECURITY BULLETIN: #00025, 2 April 95 ------------------------------------------------------------------------- The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett- Packard will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible. _______________________________________________________________________ PROBLEM: Sendmail permits unauthorized remote program execution. PLATFORM: HP 9000 series 300/400s and 700/800s 8.x and 9.x DAMAGE: Remote users can cause sendmail to execute any program. SOLUTION: Apply patch PHNE_5402 (series 700/800, HP-UX 9.x), or PHNE_5401 (series 700/800, HP-UX 8.x), or PHNE_5384 (series 300/400, HP-UX 9.x), or PHNE_5383 (series 300/400, HP-UX 8.x), or PHNE_5387 (series 700, HP-UX 9.09), or PHNE_5388 (series 700, HP-UX 9.09+), or PHNE_5389 (series 800, HP-UX 9.08) AVAILABILITY: All patches are available now. _______________________________________________________________________ I. Vulnerability in /usr/lib/sendmail A. A vulnerability in sendmail A vulnerability in sendmail has been discovered that permits remote users to cause sendmail to execute any program that is allowed with the permissions: uid=1(daemon) gid=1(other) Files and programs that are not world-writeable or world-executable and are not in the 'other' group or owned by 'daemon' are safe from modification. This means that /etc/passwd cannot be modified, for example. B. Fixing the problems The two vulnerabilities can be eliminated from releases 8.x and 9.x of HP-UX by applying a patch. Hewlett-Packard recommends that all customers concerned with the security of their HP-UX systems apply the appropriate patch as soon as possible. It is further advised that system administrators closely scan their mail syslogs for evidence of any unusual activity, using: grep "|" /usr/spool/mqueue/syslog* If there is any evidence of an intrusion, system administrators are strongly urged to require password changes for all accounts. C. How to Install the Patch (for HP-UX 8.x and 9.x) 1. Determine which patch is appropriate for your hardware platform and operating system: PHNE_5402 (series 700/800, HP-UX 9.x), PHNE_5401 (series 700/800, HP-UX 8.x), PHNE_5384 (series 300/400, HP-UX 9.x), PHNE_5383 (series 300/400, HP-UX 8.x), PHNE_5387 (series 700, HP-UX 9.09), PHNE_5388 (series 700, HP-UX 9.09+), PHNE_5389 (series 800, HP-UX 9.08) 2. Hewlett Packard's HP-UX patches are available via email and the World Wide Web. To obtain a copy of the HP SupportLine email service user's guide, send the following in the TEXT PORTION OF THE MESSAGE to support@support.mayfield.hp.com (no Subject is required): send guide The users guide explains the process for downloading HP-UX patches via email and other services available. World Wide Web service for downloading of patches is available via our URL: http://support.mayfield.hp.com 3. Apply the patch to your HP-UX system. 4. Examine /tmp/update.log for any relevant WARNINGs or ERRORs. This can be done as follows: a. At the shell prompt, type "tail -60 /tmp/update.log | more" b. Page through the next three screens via the space bar, looking for WARNING or ERROR messages. D. Impact of the patch and workaround The patch for HP-UX releases 8.x and 9.x provides a new version of /usr/lib/sendmail which fixes the vulnerability. No patches will be available for versions of HP-UX prior to 8.0. E. To subscribe to automatically receive future NEW HP Security Bulletins from the HP SupportLine mail service via electronic mail, send an email message to: support@support.mayfield.hp.com (no Subject is required) Multiple instructions are allowed in the TEXT PORTION OF THE MESSAGE, here are some basic instructions you may want to use: To add your name to the subscription list for new security bulletins, send the following in the TEXT PORTION OF THE MESSAGE: subscribe security_info To retrieve the index of all HP Security Bulletins issued to date, send the following in the TEXT PORTION OF THE MESSAGE: send security_info_list To get a patch matrix of current HP-UX and BLS security patches referenced by either Security Bulletin or Platform/OS, put the following in the text portion of your message: send hp-ux_patch_matrix World Wide Web service for browsing of bulletins is available via our URL: http://support.mayfield.hp.com Choose "Support news", then under Support news, choose "Security Bulletins" F. To report new security vulnerabilities, send email to security-alert@hp.com _______________________________________________________________________