__________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                          IBM AIX rmail Vulnerability

April 16, 1996 20:00 GMT                                           Number G-19
______________________________________________________________________________
PROBLEM:       A problem in the IBM AIX "rmail" program. 
PLATFORM:      AIX Version 3 (Version 4 does not contain this vulnerability). 
DAMAGE:        A user can gain unauthorized access to another user's mail. 
SOLUTION:      Implement the recommended solutions described below. 
______________________________________________________________________________
VULNERABILITY  Knowledge of how to exploit this vulnerability is becoming 
ASSESSMENT:    widely known. 
______________________________________________________________________________

CIAC has obtained information from IBM-ERS pertaining to an IBM AIX rmail 
vulnerability. CIAC recommends that you apply the two solutions mention in 
the IBM Bulletin.
 
[ Start of IBM Bulletin ]

                  =======  ============    ======       ======
                  =======  ==============  =======     =======
                    ===      ===     ====    ======   ======
                    ===      ===========     ======= =======
                    ===      ===========     === ======= ===
                    ===      ===     ====    ===  =====  ===
                  =======  ==============  =====   ===   =====
                  =======  ============    =====    =    =====

                           EMERGENCY RESPONSE SERVICE
        SECURITY VULNERABILITY ALERT

16 April 1996 16:00 GMT                          Number: ERS-SVA-E01-1996:003.1
===============================================================================
                             VULNERABILITY  SUMMARY

VULNERABILITY:  Vulnerability in the IBM AIX "rmail" program.

PLATFORMS:  AIX Version 3 (Version 4 does not contain this vulnerability).

SOLUTION:  Take one of the actions described below.

THREAT:    A user can gain unauthorized access to another user's mail.

===============================================================================
                              DETAILED INFORMATION

I. Description

There is a potential security exposure in the "rmail" program on Version 3
of the IBM AIX operating system.

Version 4 of AIX does not contain this vulnerability.

II. Impact

A user with knowledge of this vulnerability can exercise it to obtain
unauthorized access to another user's electronic mail.

III. Solutions

The IBM AIX Response Team recommends two solutions to this problem:

1. Log in to the workstation as "root" and issue the command:

  # /usr/bin/chmod 555 /usr/bin/rmail /bin/rmail

2. Apply the following APAR to your system once the APAR is available:

  APAR - IX57680

The first solution should be applied immediately to remove the vulnerability
to your system.  Once the APAR is available, you should also apply the second
solution.

IV. Acknowledgements

IBM-ERS would like to thank the IBM AIX Response Team for providing the
information contained in this alert.

===============================================================================

Copyright 1996 International Business Machines Corporation.

[ End of IBM Bulletin ]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of IBM Emergency Response Service
(IBM-ERS) for the information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy (DOE) and the
National Institute of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding member of
FIRST, the Forum of Incident Response and Security Teams, a global organization
established to foster cooperation and coordination among computer security 
teams worldwide.
 
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov
 
For emergencies and off-hour assistance, DOE, DOE contractor sites, and the NIH
may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call the
CIAC voice number 510-422-8193 and leave a message, or call 800-759-7243
(800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers, the
primary PIN number, 8550070, is for the CIAC duty person, and the secondary
PIN number, 8550074 is for the CIAC Project Leader.
 
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
 
   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (128.115.19.53)
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)
 
CIAC has several self-subscribing mailing lists for electronic publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical information
   and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of
   SPI products.
 
Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send the following request as the
E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or
SPI-NOTES for list-name and valid information for LastName FirstName and
PhoneNumber when sending
 
E-mail to       ciac-listproc@llnl.gov:
        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36
 
You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or
get help.
 
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security 
Teams (FIRST) is a world-wide organization. A list of FIRST member 
organizations and their constituencies can be obtained by sending email to 
docserver@first.org with an empty subject line and a message body containingt
the line: send first-contacts.
 
This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.
 
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
 
(G-9b)  Unix sendmail Vulnerability
(G-10a) Winword Macro Viruses
(G-11)  HP Syslog Vulnerability
(G-12)  SGI ATT Packaging Utility Security Vulnerability
(G-13)  Kerberos Version 4 Key Server Vulnerability
(G-14)  Domain Name Service Vulnerabilities
(G-15)  Sunsoft Demo CD Vulnerability
(G-16)  SGI rpc.statd Program Security Vulnerabilities
(G-17)  Vulnerabilities in Sample HTTPD CGIs
(G-18)  Digital OSF/1 dxconsole Security Vulnerability
 
RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)

Notes 07 - 3/29/95     A comprehensive review of SATAN

Notes 08 - 4/4/95      A Courtney update

Notes 09 - 4/24/95     More on the "Good Times" virus urban legend

Notes 10 - 6/16/95     PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
                       in S/Key, EBOLA Virus Hoax, and Caibua Virus

Notes 11 - 7/31/95     Virus Update, Hats Off to Administrators,
                       America On-Line Virus Scare, SPI 3.2.2 Released, 
                       The Die_Hard Virus

Notes 12 - 9/12/95     Securely configuring Public Telnet Services, X
                       Windows, beta release of Merlin, Microsoft Word
                       Macro Viruses, Allegations of Inappropriate Data
                       Collection in Win95

Notes 96-01 - 3/18/96  Java and JavaScript Vulnerabilities, FIRST
                       Conference Announcement, Security and Web Search
                       Engines, Microsoft Word Macro Virus Update