001
beb566a4cd03b74e72952c536625603f2dc61ad6b631543bcdff7bbd65f1727cFrom support@us.external.hp.com Wed Mar 13 01:01:45 1996
Date: Wed, 13 Mar 1996 01:09:41 -0800
From: HPSL Mail Service <support@us.external.hp.com>
Reply to: support-feedback@us.external.hp.com
To: Damien Sorder <jericho@netcom.com>
Subject: RE: send doc HPSBUX9311-001
--------
## Regarding your request:
Send Doc HPSBUX9311-001
The following are the results of your request from the HP SupportLine mail
service.
===============================================================================
Document Id: [HPSBUX9311-001]
Date Loaded: [02-05-94]
Description: Security Vulnerability in Sendmail
===============================================================================
-----------------------------------------------------------------------
HEWLETT-PACKARD SECURITY BULLETIN: #00001, 12 November 93
-----------------------------------------------------------------------
_______________________________________________________________________
PROBLEM: Security vulnerability in sendmail in all releases of HP-UX
PLATFORM: HP 9000 series 300/400s and 700/800s
DAMAGE: A mail message can trigger arbitrary commands to be executed
as any user except root.
SOLUTION: Apply patch PHNE_3369 (series 300/400, HP-UX 8.x), or
PHNE_3370 (series 300/400, HP-UX 9.x), or
PHNE_3371 (series 700/800, HP-UX 8.x), or
PHNE_3372 (series 700/800, HP-UX 9.x), or
modify the sendmail configuration file (releases of HP-UX
prior to 8.0)
AVAILABILITY: Wednesday 17 November
_______________________________________________________________________
I. Sendmail Update
A. Recent CERT advisory on Sendmail
A recent CERT advisory (CERT CA-93:16) described a vulnerability
in most versions of sendmail that allowed "unauthorized remote or
local users to execute programs as any system user other than
root."
"This vulnerability affects the final destination sendmail host
and can be exploited through an intermediate mail machine.
Therefore, all sendmail recipient machines within a domain are
potentially vulnerable."
It has been found that all HP-UX systems have this sendmail
vulnerability. This serious security vulnerability allows a
malicious user to cause arbitrary commands to be executed on a
vulnerable system. These commands can be run as any user except
root. The commands are sent to the user in a specially-formatted
electronic mail message which exploits the vulnerability.
B. Fixing the problem
The vulnerability can be eliminated from releases 8.x and 9.x of
HP-UX by applying a patch. Releases of HP-UX prior to 8.0 must
modify the sendmail configuration file (/usr/lib/sendmail.cf) to
disable the ``prog'' mailer function; no patch will be available
for releases of HP-UX prior to 8.0.
THIS VULNERABILITY IS EXPLOITED WITH ELECTRONIC MAIL MESSAGES,
MEANING THAT EVERY HP-UX SYSTEM RUNNING SENDMAIL IS VULNERABLE.
Hewlett-Packard recommends that all customers concerned with the
security of their HP-UX systems either apply the appropriate
patch or edit the sendmail configuration file as soon as possible.
C. How to Install the Patch (for HP-UX 8.x and 9.x)
(NOTE: Since patches will not be available until Wednesday,
November 17, HP-UX 8.x and 9.x systems can be protected until
that time by disabling the sendmail ``prog'' mailer as mentioned
below in section D. for HP-UX 6.x and 7.x systems.)
1. Determine which patch is appropriate for your hardware platform
and operating system:
PHNE_3369 -- Series 300/400, HP-UX 8.x
PHNE_3370 -- Series 300/400, HP-UX 9.x
PHNE_3371 -- Series 700/800, HP-UX 8.x
PHNE_3372 -- Series 700/800, HP-UX 9.x
2. Get a copy of the patch from one of the following locations:
a. Auto-Patch Email
If you know the name of the patch needed, Email to
hprc_patch@hprc.atl.hp.com with the subject of the message
stated as "patch phkl_9999 rchandle" where phkl_9999 is the patch
name, rchandle is your Response Center system identifier or
company name if you are not currently under Response
Center support. It will automatically be emailed back to you.
b. HP SupportLine
Effective early 1993, all new patches are loaded on HPSL. If
you don't have HPSL access or need to know how to sign on, in
the U.S. you can call the following numbers:
Response Center Customers: 1-800-633-3600
BasicLine Customers: 1-415-691-3888
Outside the U.S., contact your local Response Center.
Note that a list of patches can be obtained at any time by
emailing to hprc_patch@hprc.atl.hp.com with the subject of
the message stated as "p-list rchandle", where rchandle is
your Response Center system identifier or your company name
if you are not currently under Response Center support.
The list will automatically be emailed back to you. The list
includes a short description of the patch. A more detailed
patch description is included in the patch itself.
3. Apply the patch to your HP-UX system.
a. Become superuser (or root).
b. At the shell prompt, type "cd /tmp"
c. At the shell prompt, type "sh /tmp/PHNE_33nn"
d. At the shell prompt, for 9.x systems type
"/etc/update -s /tmp/PHNE_33nn.updt \*"
and for 8.x systems (s700) type
"/etc/update -S700 -s /tmp/PHNE_33nn.updt \*"
or for 8.x systems (s800) type
"/etc/update -S800 -s /tmp/PHNE_33nn.updt \*"
or for 8.x systems (s300 or s400) type
"/etc/update -S300 -s /tmp/PHNE_33nn.updt \*"
Note: "nn" refers to the last two digits of the appropriate patch
from the list in step 1.
The update process kills the running sendmail, replaces the
/usr/lib/sendmail binary, and starts the new sendmail. If you
do not have a frozen configuration file (/usr/lib/sendmail.fc), skip
to step 4. If you do use a frozen configuration file, continue with
step 3e.
e. Kill the running sendmail. At the shell prompt, type:
"/usr/lib/sendmail -bk"
f. Freeze the configuration file. At the shell prompt, type:
"/etc/freeze"
g. Restart the sendmail daemon. At the shell prompt, type:
"/usr/lib/sendmail -bd -q30m"
4. Examine /tmp/update.log for any relevant WARNINGs or ERRORs. This
can be done as follows:
a. At the shell prompt, type "tail -60 /tmp/update.log | more"
b. Page through the next three screens via the space bar, looking
for WARNING or ERROR messages.
D. How to modify the sendmail.cf file (releases of HP-UX prior to 8.0)
(NOTE: This workaround only applies to versions of HP-UX
prior to 8.0. Later versions of HP-UX should follow the patch
installation instructions above; UNTIL THE ABOVE PATCH IS
INSTALLED, however, THIS APPROACH CAN BE USED to protect the system.)
The workaround for HP-UX 6.x and 7.x sendmail involves
modifying the sendmail configuration file (/usr/lib/sendmail.cf).
However, this approach disables the sendmail program mailer
facility. THIS MEANS THAT PROGRAMS THAT ARE DESIGNED TO
RECEIVE MAIL FROM SENDMAIL WILL NOT WORK! For example,
``vacation'' is a program that is frequently sent to in users'
.forward files. With this workaround, ``vacation'' will no
longer work!
So, all programs that are designed to receive mail from sendmail
should be moved to computers that have the patched version
of sendmail for HP-UX 8.x and 9.x.
1. Save a copy of the existing sendmail.cf file.
2. Use an editor to modify the sendmail.cf file:
change line:
Mprog, P=/bin/sh, F=DFMPlshu, S=10, R=20, A=sh -c $u
to:
Mprog, P=/bin/false, F=DFMPlshu, S=10, R=20, A=sh -c $u
3. Once this change has been made, you must kill the sendmail
daemon, freeze the sendmail configuration, and restart sendmail.
The commands are:
a. Kill sendmail daemon
/usr/lib/sendmail -bk
b. Freeze the sendmail configuration file
/etc/freeze
c. Restart the sendmail daemon:
/usr/lib/sendmail -bd -q30m
E. Impact of the patch and workaround
The patch for HP-UX releases 8.x and 9.x provides a new version of
/usr/lib/sendmail which fixes the vulnerability. No patches will be
available for versions of HP-UX prior to 8.0. Instead, the workaround
to disable the ``prog'' mailer by modifying the sendmail configuration
file is required.
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed