d-21.novell-netware-login-patch

Posted Sep 23, 1999

SHA-256 | 0662b4429c1a85d112215f99ae00e21cf80c5a132348a3a4674d4181eeb4379d

        _______________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________
Information Bulletin

Novell NetWare LOGIN.EXE Security Patch

September 7, 1993 1140 PDT Number D-21
________________________________________________________________________
PROBLEM: A security vulnerability has been discovered in the login
procedure of NetWare 4.x
PLATFORM: PC/MS-DOS with Novell NetWare 4.x
DAMAGE: User accounts may be readily compromised
SOLUTION: Obtain and install replacement LOGIN.EXE v4.02
________________________________________________________________________
Critical Facts about the LOGIN.EXE vulnerability

CIAC has learned of a vulnerability within Novell's LOGIN.EXE program
which can allow compromise of user accounts. This vulnerability
affects NetWare 4.x only, and does not affect NetWare 2.x, 3.x, or
NetWare for Unix. Operation of the vulnerable LOGIN.EXE may cause the
inadvertent compromise of a user's name and password. Further details
of this vulnerability are contained in the text file included with the
patch.

The patch (LOGIN.EXE) and text file (SECLOG.TXT) are created by
executing the distribution file SECLOG.EXE, a self-extracting archive.
After extracting the files, the dir command should produce the
following output.

    SECLOG   EXE    166276 xx-xx-xx  xx:xxx
    LOGIN    EXE    354859 08-25-93  11:43a
    SECLOG   TXT      5299 09-02-93  11:16a
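
The size comparison described above can be scripted. The following is an added example, not part of the CIAC bulletin or Novell's patch; the function names and the constructed test files are assumptions. A matching size only confirms that the extraction produced the files the bulletin lists; the bulletin publishes no checksum for them.

```python
import os
import re
import tempfile

# Expected listing copied from the bulletin; "xx" fields are unspecified there.
EXPECTED_LISTING = """\
SECLOG EXE 166276 xx-xx-xx xx:xxx
LOGIN EXE 354859 08-25-93 11:43a
SECLOG TXT 5299 09-02-93 11:16a
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)$")

def parse_listing(text):
    """Return {"NAME.EXT": size} from DOS `dir`-style lines."""
    expected = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            name, ext, size = m.group(1), m.group(2), int(m.group(3))
            expected[f"{name}.{ext}".upper()] = size
    return expected

def check_directory(path, expected):
    """Compare on-disk sizes with the bulletin; return a list of problems."""
    on_disk = {e.name.upper(): e.stat().st_size
               for e in os.scandir(path) if e.is_file()}
    problems = []
    for name, size in sorted(expected.items()):
        if name not in on_disk:
            problems.append(f"{name}: missing")
        elif on_disk[name] != size:
            problems.append(f"{name}: size {on_disk[name]}, expected {size}")
    return problems

def demo():
    """Constructed sample: right-sized SECLOG files, a wrong-sized LOGIN.EXE."""
    expected = parse_listing(EXPECTED_LISTING)
    with tempfile.TemporaryDirectory() as d:
        for name, size in (("SECLOG.EXE", 166276), ("SECLOG.TXT", 5299),
                           ("login.exe", 354000)):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"\0" * size)
        return check_directory(d, expected)

if __name__ == "__main__":
    for p in demo() or ["all files match the bulletin's listing"]:
        print(p)
```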

To install the patch, follow the directions contained in the text file
SECLOG.TXT, and then instruct all your users to change their
passwords.

CIAC recommends that you replace your current LOGIN.EXE with the
security enhanced version as soon as possible. This patch is
available via anonymous FTP as SECLOG.EXE on irbis.llnl.gov in the
~pub/ciac/pcvirus directory, and on CIAC's bulletin board Felicia. It
can also be retrieved via anonymous FTP from first.org in the
~pub/software directory. This file is also available at no charge
through NetWare resellers, on NetWire in Library 14 of the NOVLIB
forum, or by calling 1-800-NETWARE. NetWare customers outside the
U.S. may call Novell at 303-339-7027 or 31-55-384279 or fax a request
for LOGIN.EXE v4.02 to Novell at 303-330-7655 or 31-55-434455. Include
company name, contact name, mailing address and phone number in the
fax request.


CIAC would like to acknowledge the efforts of Richard Colby of
Chem Nuclear Geotech, Inc. for discovering this vulnerability, and the
efforts of Novell in the resolution of this issue.

For additional information or assistance, please contact CIAC at
(510) 422-8193 or send e-mail to ciac@llnl.gov. FAX messages
to: (510) 423-8002.

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum
of Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained by sending email to docserver@first.org
with an empty subject line and a message body containing the line:
send first-contacts.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, expressed or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, product, or process disclosed, or
represents that its use would not infringe privately owned rights.
Reference herein to any specific commercial products, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or
favoring by the United States Government or the University of
California. The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government nor
the University of California, and shall not be used for advertising or
product endorsement purposes.
