fedcirc.98.05.txt
Posted Sep 23, 1999

SHA-256 | 78e923fc7eb1915388357d6fe58329484c9657ff1f054aedf96c0ab2dd203887

******************************************************************************
FedCIRC

A D V I S O R Y

FA-98.05
******************************************************************************
Topic: Vulnerabilities in CDE
Source: CERT/CC

Creation Date: January 21, 1998
Last Updated:


To aid in the wide distribution of essential security information, FedCIRC is
forwarding the following information from CERT/CC Advisory CA-98.02.
FedCIRC urges you to act on this information as soon as possible.

If you have any questions, please contact FedCIRC:

Telephone: +1 888 282 0870
Email: fedcirc@fedcirc.gov



=======================FORWARDED TEXT STARTS HERE============================

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT* Advisory CA-98.02
Original issue date: Jan. 21, 1998
Last revised: --

Topic: Vulnerabilities in CDE
- -----------------------------------------------------------------------------

The CERT Coordination Center has received reports of several vulnerabilities
in some implementations of the Common Desktop Environment (CDE). The root
cause of these vulnerabilities is that the dtappgather program does not
adequately check all information passed to it by users. As a result, it is
possible for a local user to gain unauthorized privileged access or cause a
denial of service on the system.

We recommend installing a vendor patch as soon as possible. Until you can do
so, we encourage you to disable vulnerable copies of the program. Section
III.A. of this advisory contains information on checking for potentially
vulnerable copies and disabling them. Section III.B and the appendix contain
vendor information.

We will update this advisory as we receive additional information. Please
check our advisory files regularly for updates that relate to your site.

- -----------------------------------------------------------------------------

I. Description

There are several vulnerabilities in some implementations of the Common
Desktop Environment (CDE). The root cause of these vulnerabilities is
that the setuid root program "dtappgather" does not adequately check all
information passed to it by users. By exploiting these vulnerabilities,
an attacker can gain either unauthorized privileged access or cause a
denial of service on the system.


II. Impact

Local users are able to gain write access to arbitrary files. This can be
leveraged to gain privileged access.

Local users may also be able to remove files from arbitrary directories,
thus causing a denial of service.


III. Solution

We recommend installing a vendor patch as soon as possible and disabling
the vulnerable program until you can do so. Instructions for determining
whether you have a potentially vulnerable version of this program are
given in Section A. Vendor patches are discussed in Section B.

A. How to check for and disable potentially vulnerable versions of
dtappgather

To find potentially vulnerable versions of dtappgather and to
disable those programs, use the following find(1) command or a
variant. Consult your local system documentation to determine how
to tailor the find(1) program on your system.

You will need to run the find(1) command on each system you
maintain because the command examines files on local disks only.
Substitute the names of your local file systems for
FILE_SYSTEM_NAMES in the example. Example local file system names
are /, /usr, and /var. You should do this as root.

Note that this is one long command, though we have separated
it onto three lines using backslashes.

find FILE_SYSTEM_NAMES -xdev -type f -user root \
-name 'dtappgather' -perm -04000 -exec ls -l '{}' \; \
-ok chmod u-s '{}' \;

This command will find all files on a system that
- are only in the file systems you name (FILE_SYSTEM_NAMES -xdev)
- are regular files (-type f)
- are owned by root (-user root)
- have the name "dtappgather" (-name 'dtappgather')
- are setuid (-perm -04000)

Once found, those files will
- have their names and details printed (-exec ls -l '{}')
- no longer be setuid root, but only if you type `y' in
response to the prompt (-ok chmod u-s '{}' \;)


Until you are able to install the appropriate patch, we recommend
that you remove the setuid bit from the dtappgather program. Note
that doing this will affect the functionality of the dtappgather
program for some users. For example, newly created users that have
not logged into the CDE desktop may not have any icons in the
Application Manager window; existing users may not notice any
change in functionality.
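
A non-interactive variant of the check in Section A, added here as an example and not part of the CERT advisory: it reports setuid copies of dtappgather, can strip the bit without prompting, and re-scans to confirm nothing was missed. The function names and the OWNER variable are assumptions introduced for this sketch; OWNER defaults to root, as in the advisory's command.

```shell
#!/bin/sh
# Added example; not from CA-98.02. Reports only unless the disable
# function is called explicitly.
# OWNER is an assumption of this sketch: it defaults to root (the case
# the advisory cares about) and exists so the logic can be exercised on
# scratch files without root privileges.
OWNER="${OWNER:-root}"

# Print every setuid regular file named dtappgather, owned by $OWNER,
# under the file systems given as arguments. -xdev keeps find on each
# named file system, as in the advisory's command.
find_setuid_dtappgather() {
    find "$@" -xdev -type f -user "$OWNER" \
        -name 'dtappgather' -perm -04000 -print 2>/dev/null
}

# Remove the setuid bit from each match (no y/n prompt), listing the
# file first so the original mode is on record. Returns 0 only if a
# second scan finds no setuid copy left, so the exit status can feed a
# per-host compliance report.
disable_setuid_dtappgather() {
    find_setuid_dtappgather "$@" | while IFS= read -r f; do
        ls -l "$f"
        chmod u-s "$f" || echo "FAILED: $f" >&2
    done
    [ -z "$(find_setuid_dtappgather "$@")" ]
}

# Stand-alone use: sh thisfile / /usr /var   (report only)
if [ "$#" -gt 0 ]; then
    find_setuid_dtappgather "$@"
fi
```

Run the report on each host first, as the advisory notes that find(1) examines local disks only; call disable_setuid_dtappgather with the same file system names once the list has been reviewed.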


B. Obtain and install a patch for this problem.

If your vendor has a patch for this problem, we encourage you to
apply the patch as soon as possible.

Appendix A contains a list of vendors who have provided information
about this problem. We will update the appendix as we receive more
information. If you do not see your vendor's name, the CERT/CC did
not hear from that vendor. Please contact your vendor directly.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional information.
If you do not see your vendor's name, the CERT/CC did not hear from that
vendor. Please contact the vendor directly.


Digital Equipment Corporation
- ------------------------------

At the time of writing this document, patches (binary kits) are in
progress. Distribution of the fix for this problem is expected to begin
soon. Digital will provide notice of the completion/availability of the
patches through AES services (DIA, DSNlink FLASH), and they will be
available from your normal Digital Support channel.


Hewlett-Packard Company
- -----------------------

This problem is addressed in HP Security Bulletin 075. This bulletin can be
found at one of these URLs:

http://us-support.external.hp.com
(for US, Canada, Asia-Pacific, & Latin-America)

http://europe-support.external.hp.com
(for Europe)

Security Bulletin 075: Security Vulnerability in CDE on HP-UX

PLATFORM: HP9000 Series 700/800s running CDE on:
HP-UX 10.10, HP-UX 10.20,
HP-UX 10.24 (VVOS),
HP-UX 11.00

SOLUTION: Apply one of:
PHSS_13723 HP-UX 10.10
PHSS_13724 HP-UX 10.20
PHSS_13725 HP-UX 10.30
PHSS_13772 HP-UX 10.24
PHSS_13406 HP-UX 11.00


IBM Corporation
- ---------------

The version of dtappgather shipped with AIX is vulnerable. The
following fixes are in progress:

AIX 3.2: not vulnerable; CDE not shipped in 3.2
AIX 4.1: IX73436
AIX 4.2: IX73437
AIX 4.3: IX73438

To Order
--------
APARs may be ordered using Electronic Fix Distribution (via FixDist)
or from the IBM Support Center. For more information on FixDist,
reference URL:

http://service.software.ibm.com/aixsupport/

or send e-mail to aixserv@austin.ibm.com with a subject of "FixDist".


IBM and AIX are registered trademarks of International Business Machines
Corporation.


The Open Group
- --------------

The Open Group is investigating this vulnerability, and if reproduced
will develop a solution and provide a patch for its CDE licensees.


Silicon Graphics, Inc.
- ----------------------

Silicon Graphics provides only the third party TriTeal CDE product.

TriTeal Corporation provides all support on the SGI offered CDE product.
Customers requiring support on the SGI CDE product should contact TriTeal
Corporation at 1-800-874-8325, or email support@triteal.com.

For other Silicon Graphics related security information, please see the
SGI Security Headquarters website located at:

http://www.sgi.com/Support/security/security.html


Sun Microsystems, Inc.
- ----------------------

105837-01 1.2
105837-01 1.2_x86
104498-02 1.02
104500-02 1.02_x86
104497-02 1.01
104499-02 1.01_x86


- -----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see http://www.first.org/team-info/).


CERT/CC Contact Information
- ----------------------------
Email cert@cert.org

Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
and are on call for emergencies during other hours.

Fax +1 412-268-6989

Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA

Using encryption
We strongly urge you to encrypt sensitive information sent by email. We can
support a shared DES key or PGP. Contact the CERT/CC for more information.
Location of CERT PGP key
ftp://ftp.cert.org/pub/CERT_PGP.key

Getting security information
CERT publications and other security information are available from
http://www.cert.org/
ftp://ftp.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce

To be added to our mailing list for advisories and bulletins, send
email to
cert-advisory-request@cert.org
In the subject line, type
SUBSCRIBE your-email-address

- ---------------------------------------------------------------------------

Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

*CERT is registered in the U.S. Patent and Trademark Office.

- ---------------------------------------------------------------------------

This file: ftp://ftp.cert.org/pub/cert_advisories/CA-98.02.CDE
http://www.cert.org/pub/alerts.html



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

-----END PGP SIGNATURE-----


========================FORWARDED TEXT ENDS HERE=============================

The National Institute of Standards and Technology (NIST) has
established a Federal Computer Incident Response Capability (FedCIRC)
to assist federal civilian agencies in their incident handling
efforts by providing proactive and reactive computer security related
services. FedCIRC is a partnership among NIST, the Computer Incident
Advisory Capability (CIAC), and the CERT* Coordination Center
(CERT/CC).

If you believe that your system has been compromised, please contact
FedCIRC:

Telephone: +1 888 282 0870
Email: fedcirc@fedcirc.gov
Web Server: http://www.fedcirc.gov/

* Registered in U.S. Patent and Trademark Office

The CERT Coordination Center is part of the Software Engineering
Institute. The Software Engineering Institute is sponsored by the
U.S. Department of Defense.

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
