f-05.ciac-SCO-security-patches
12a172cac972fca21a972c7db1b6e3698d6e023527f4e02b8a7d52265014943c
_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
_____________________________________________________
INFORMATION BULLETIN
SCO Unix at, login, prwarn, sadc, and pt_chmod Patches Available
December 6, 1994 0800 PST Number F-05
_____________________________________________________________________________
PROBLEM: Security vulnerabilities exist in SCO system software.
PLATFORMS: SCO Unix System V/386 Release 3.2 Versions 4.2, 4.1, and 4.0,
SCO Open Desktop Lite Release 3.0,
SCO Open Desktop Release 3.0 and 2.0,
SCO Open Server Network System Release 3.0, and
SCO Open Server Enterprise System Release 3.0.
DAMAGE: Local users may gain privileged access to the system.
SOLUTION: Install SSE's as described below.
_____________________________________________________________________________
VULNERABILITY These vulnerabilities have been announced on the Internet.
ASSESSMENT: Automated exploitation scripts are beginning to be distributed
as well. CIAC urges sites to install these patches as soon as
possible.
_____________________________________________________________________________
Critical Information about the SCO Security Patches
CIAC has received information from the Santa Cruz Operation (SCO) regarding
patches to correct serious vulnerabilities in SCO Unix system software.
These vulnerabilities will allow local users to gain root access to the
system. The SCO Advisory announcing these patches is reprinted in its
entirety below. Please refer any questions to CIAC.
_____________________________________________________________________________
===========================================================================
SCO Advisory 94:001
November 30th, 1994
Patches for at(C), login(M), prwarn(C), sadc(ADM), pt_chmod
---------------------------------------------------------------------------
The Santa Cruz Operation has been informed of the following problems present
in our software.
I. Description
The programs at(C), login(M), prwarn(C) sadc(ADM), and pt_chmod
may each allow unauthorized root access to the system.
There are four unrelated issues present, one for each program listed
above.
II. Impact
Any user with an account on the system may obtain root access using
any one of the programs listed.
III. Releases
These problems exist on the following releases of SCO Products:
SCO Unix System V/386 Release 3.2 Versions 4.2, 4.1, and 4.0
SCO Open Desktop Lite Release 3.0
SCO Open Desktop Release 3.0 and 2.0
SCO Open Server Network System Release 3.0
SCO Open Server Enterprise System Release 3.0
IV. Solution
SCO is providing the following (S)ystem (S)ecurity (E)nhancements, SSEs,
to address these problems. These are preliminary patches which SCO
feels addresses the issues at hand, but these patches have not been
fully tested and integrated and hence cannot officially be supported.
Official patches should be available in the near future via a
(S)upport (L)evel (S)upplement. (SLS). The README file mentioned below
will be updated when an official Supplement is available.
Binary Patch
------ ------
at(C) sse001
login(M) sse002
prwarn(C) sse003
sadc(ADM) sse004
pt_chmod sse005
These are available at the following sites:
Anonymous ftp: ftp.sco.COM:/SSE
UUCP downloading, and SOS access: sosco (USA), scolon (Europe),
in the directory /usr/spool/uucppublic/SSE. Note that access to these
Supplements at scolon may not be available until December 2nd, 1994.
The filename conventions are as follows:
ssexxx.tar.Z - compressed tar file of supplement
ssexxx.ltr.Z - compressed cover letter for supplement
xxx indicates the number of the supplement, i.e. sse001.tar.Z.
See the README file in the directories listed above for checksum
information. Connection information is available at the end of this
document.
Please note that these Supplements are not generally available from
SCO on diskette media.
If you have further questions, contact your support provider. If you
need to contact SCO, please send electronic mail to support@sco.COM, or
contact SCO as follows.
USA/Canada: 6am-5pm Pacific Standard Time (PST)
-----------
1-800-347-4381 (voice)
1-408-427-5443 (fax)
Pacific Rim, Asia, and Latin American customers: 6am-5pm Pacific
------------------------------------------------ Standard Time
(PST)
1-408-425-4726 (voice)
1-408-427-5443 (fax)
Europe, Middle East, Africa: 9am-5:30pm British Standard Time (BST)
----------------------------
+44 (0)923 816344 (voice)
+44 (0)923 817781 (fax)
Downloading Information
-----------------------
ftp to ftp.sco.com
Login name: ftp
Password: your email address
For anonymous UUCP connection:
------------------------------
For USA, Canada, Pacific Rim, Asia and Latin America customers:
Machine name: sosco
Login name: uusls (fourth character is the letter "l")
No password
List of modems available for UUCP transfer from sosco.sco.com:
Standard V.32, (300-9600bps) 4@ 408-425-3502
Hayes V Series 9600 2@ 408-427-4470
Telebit Trailblazer 408-429-1786
For Europe/Middle East/Africa customers there is a system located at
SCO EMEA (London):
Machine name: scolon
Login name: uusls
Password: bbsuucp
List of modems available for UUCP transfer from scolon.sco.com:
Dowty Trailblazer +44 (0)923 210911
For SCO Online Support (SOS) BBS download:
------------------------------------------
For those customers that have accounts on SOS these files can be
downloaded interactively via X, Y, Z MODEM or Kermit. Follow the
menus selections under "Toolchest" from the main SOS menu.
List of modems available for interactive transfer from sosco.sco.com:
First four are Standard V.32 (300-9600bps) 408-426-9495
Last three are Hayes 2400 compatible
Telebit Trailblazer 408-426-9525
For ftp via World Wide Web:
---------------------------
URL to open: ftp://www.sco.com
These problems, except for pt_chmod, were reported to the Santa Cruz
Operation by the "[8LGM] Security Team", 8lgm@bagpuss.demon.co.uk.
_____________________________________________________________________________
If you require additional assistance or wish to report a vulnerability,
contact CIAC at:
Voice: 510-422-8193
FAX: 510-423-8002
STU-III: 510-423-2604
E-mail: ciac@llnl.gov
Previous CIAC notices, anti-virus software, and other information are
available on the Internet via anonymous FTP from ciac.llnl.gov (IP address
128.115.19.53).
CIAC has several self-subscribing mailing lists for electronic publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
information, and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of
SPI products.
Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send requests of the following form:
subscribe list-name LastName, FirstName PhoneNumber
as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES,
SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for
"LastName" "FirstName" and "PhoneNumber." Send to: ciac-listproc@llnl.gov
not to: ciac@llnl.gov
e.g.,
subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36
subscribe ciac-bulletin O'Hara, Scarlett 404-555-1212 x36
You will receive an acknowledgment containing address and initial PIN, and
information on how to change either of them, cancel your subscription, or get
help.
_____________________________________________________________________________
PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations
and their constituencies can be obtained by sending E-mail to
first-request@first.org with an empty subject line and a message body
containing the line: send first-contacts.
This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.