MCI Telecommunications internetMCI Security Group Report Title: iMCI MIIGS Security Alert Report Name: Digital DoP Vulnerability Report Number: iMCISE:IMCICERT:031497:01:P1R1 Report Date: 03/14/97 Report Format: Formal Report Classification: MCI Informational Report Reference: http://www.security.mci.net Report Distribution: iMCI Security, MCI Internal Internet Gateway Security (MIIGS), MCI Emergency Alert LiSt (MEALS) (names on file) -------------------------------------------------------------------------- -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= CERT(sm) Vendor-Initiated Bulletin VB-97.01 March 14, 1997 Topic: Division of Privilege (DoP) - Potential Security Vulnerability Source: Digital Equipment Corporation To aid in the wide distribution of essential security information, the CERT Coordination Center is forwarding the following information from Digital Equipment Corporation. Digital urges you to act on this information as soon as possible. Digital Equipment Corporation contact information is included in the forwarded text below; please contact them if you have any questions or need further information. =======================FORWARDED TEXT STARTS HERE============================ _______________________________________________________________________ PRODUCT: DIGITAL UNIX[TM] V4.0, V4.0A, V4.0B MARCH 6, 1997 TITLE: Division of Privilege (DoP) - Potential Security Vulnerability SOURCE: Digital Equipment Corporation Software Security Response Team/Colorado Springs USA "Digital is broadly distributing this Security Advisory in order to bring to the attention of users of Digital's products the important security information contained in this Advisory. Digital recommends that all users determine the applicability of this information to their individual situations and take appropriate action. Digital does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, Digital will not be responsible for any damages resulting from user's use or disregard of the information provided in this Advisory." - ---------------------------------------------------------------------- IMPACT: Digital has discovered a potential vulnerability with the Division of Privilege (DoP), "/usr/sbin/dop" for DIGITAL UNIX V4.0, V4.0A and V4.0B, where under certain circumstances, an unauthorized user may gain unauthorized privileges. Digital strongly recommends that the workaround be implemented immediately for any version affected, and that the appropriate patch kit be installed as soon as it becomes available. - ---------------------------------------------------------------------- RESOLUTION: This potential security issue has been resolved and an official fix for this problem will be made available beginning the 13th of March 1997. As the patches become available per affected version, Digital will provide them through: o the World Wide Web at the following FTP address: ftp://ftp.service.digital.com/public/ the sub directory Digital_UNIX, key identifier SSRT0435U Note: [1]The patch kits mentioned above will be replaced in the near future through normal patch release procedures. [2]The appropriate patch kit must be reinstalled following any upgrade beginning with V4.0 up to and including V4.0b. - ---------------------------------------------------------------------- TEMPORARY WORKAROUND: Prior to receiving the official patch for this fix, a temporary workaround for this problem is to clear the setuid bit from the /usr/sbin/dop command as follows: # chmod 0 /usr/sbin/dop This temporary workaround will resolve the security issue, but will also defeat DoP's purpose. See "ADDITIONAL COMMENTS" below for the purpose of DoP, the effect of using this temporary workaround, and what to do as a solution while using this temporary workaround. - ---------------------------------------------------------------------- ADDITIONAL COMMENTS: The DoP command is used to provide non-root users with the ability to enter the root password to access the graphical system management applications via the CDE application manager or the Host Manager. When a non-root user attempts to execute a system management application through one of these applications, the user will be prompted with a password dialog. If the user enters the correct root password, they will gain root privilege while running the given application. If the setuid bit is cleared from /usr/sbin/dop, then users will not be able to access the system management applications from either the CDE application manager or the Host Manager. The following are workarounds to allow users to run the graphical system management applications with DoP disabled: [1] Log into a CDE session as root and access the system management applications. [2] If logged in as a normal user, become root in your preferred X-based terminal emulator (xterm, dxterm, dtterm, etc.) and run the graphical system management application via the command line. If you need further information, please contact your normal DIGITAL support channel. DIGITAL appreciates your cooperation and patience. We regret any inconvenience applying this information may cause. __________________________________________________________________ Copyright (c) Digital Equipment Corporation, 1995 All Rights Reserved. Unpublished Rights Reserved Under The Copyright Laws Of The United States. __________________________________________________________________ ========================FORWARDED TEXT ENDS HERE============================= If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (FIRST). See http://www.first.org/team-info/. We strongly urge you to encrypt any sensitive information you send by email. The CERT Coordination Center can support a shared DES key and PGP. Contact the CERT staff for more information. Location of CERT PGP key ftp://info.cert.org/pub/CERT_PGP.key CERT Contact Information - ------------------------ Email cert@cert.org Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. Fax +1 412-268-6989 Postal address CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA CERT publications, information about FIRST representatives, and other security-related information are available from http://www.cert.org/ ftp://info.cert.org/pub/ CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce To be added to our mailing list for CERT advisories and bulletins, send your email address to cert-advisory-request@cert.org In the subject line, type SUBSCRIBE your-email-address CERT is a service mark of Carnegie Mellon University. This file: ftp://info.cert.org/pub/cert_bulletins/VB-97.01.dec -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMymfzXVP+x0t4w7BAQEROAP9H/PcbBKFzLmjSCULXVfHmMzpjJglJEdJ 0NIE0GL83JTGqke1bhj0DuB/HXOltWRf4YDFAPsjDzoCF/0dDRSH9xfRQsHvpkcN BSWwPPavH5qfVGKR+S4At9Duhf7hCOv7qexDbM+XGSO9VjDWLf/x2aJ9s1YMhVdR mJBFYH/3gV4= =yCwx -----END PGP SIGNATURE-----