002
1d9f7c111e19745fdd8f6baa49780cfb34f9d055c4e137973d8947fd2fbb4073
From support@us.external.hp.com Wed Mar 13 01:01:40 1996
Date: Wed, 13 Mar 1996 01:09:35 -0800
From: HPSL Mail Service <support@us.external.hp.com>
Reply to: support-feedback@us.external.hp.com
To: Damien Sorder <jericho@netcom.com>
Subject: RE: send doc HPSBUX9312-002
--------
## Regarding your request:
Send Doc HPSBUX9312-002
The following are the results of your request from the HP SupportLine mail
service.
===============================================================================
Document Id: [HPSBUX9312-002]
Date Loaded: [02-05-94]
Description: Security Vulnerability in Xterm
===============================================================================
-------------------------------------------------------------------------
HEWLETT-PACKARD SECURITY BULLETIN: #00002, 30 November 93
REVISED 01 December 93
-------------------------------------------------------------------------
_______________________________________________________________________
PROBLEM: Security vulnerability in xterm in all releases of HP-UX
PLATFORM: HP 9000 series 300/400s and 700/800s
DAMAGE: A vulnerability in the logging function of xterm exists
if the xterm operates as a setuid or setgid process.
The vulnerability allows local users to create files or
modify any existing files.
SOLUTION: Apply patch PHSS_3399 (series 700/800, HP-UX 9.x), or
PHNE_3408 (series 700 , HP-UX 8.x), or
PHNE_3409 (series 800 , HP-UX 8.x), or
PHSS_3410 (series 300/400, HP-UX 9.x), or
PHSS_3411 (series 300/400, HP-UX 8.x), or
remove the setuid permissions from xterm (releases of HP-UX
prior to 8.0)
Note: Removing the setuid permissions may create another
vulnerability. The only solution without known
or suspected vulnerabilities is to install the patch.
AVAILABILITY: PHSS_3399 and PHSS_3410 are available now. The other
patches are estimated to be available by 07 December.
_______________________________________________________________________
I. Xterm Update
A. Recent CERT advisory on Xterm
A recent CERT advisory (CERT CA-93:17) described a vulnerability
in the logging function of xterm for X Version 11, Release 5 (X11R5)
and earlier versions of X11. The vulnerability allows local users
to create files or modify any existing files. If the setuid or setgid
privilege bit is not set on the xterm program, the vulnerability cannot
be exploited.
It has been found that all HP-UX systems have this xterm
vulnerability.
B. Fixing the problem
The vulnerability can be eliminated from releases 8.x and 9.x of
HP-UX by applying a patch. Releases of HP-UX prior to 8.0 must
modify the xterm permissions (chmod 555 /usr/bin/X11/xterm).
Hewlett-Packard recommends that all customers concerned with the
security of their HP-UX systems either apply the appropriate
patch or change the xterm permissions as soon as possible.
Removing the setuid permission from xterm prevent it from
making entries in utmp. This means that commands that depend
on utmp, such as who(1), may not function as expected.
C. How to Install the Patch (for HP-UX 8.x and 9.x)
(NOTE: Since some patches will not be available until about
December 07, HP-UX 8.x and 9.x systems can be protected until
that time by removing the setuid permissions from xterm.)
1. Determine which patch is appropriate for your hardware platform
and operating system:
PHSS_3399 (series 700/800, HP-UX 9.x)
PHNE_3408 (series 700 , HP-UX 8.x)
PHNE_3409 (series 800 , HP-UX 8.x)
PHSS_3410 (series 300/400, HP-UX 9.x)
PHSS_3411 (series 300/400, HP-UX 8.x)
2. Get a copy of the patch from one of the following locations:
a. Auto-Patch Email
If you know the name of the patch needed, Email to
hprc_patch@hprc.atl.hp.com with the subject of the message
stated as "patch phkl_9999 rchandle" where phkl_9999 is the patch
name, rchandle is your Response Center system identifier or
company name if you are not currently under Response
Center support. It will automatically be emailed back to you.
b. HP SupportLine
Effective early 1993, all new patches are loaded on HPSL. If
you don't have HPSL access or need to know how to sign on, in
the U.S. you can call the following numbers:
Response Center Customers: 1-800-633-3600
BasicLine Customers: 1-415-691-3888
Outside the U.S., contact your local Response Center.
Note that a list of patches can be obtained at any time by
emailing to hprc_patch@hprc.atl.hp.com with the subject of
the message stated as "p-list rchandle", where rchandle is
your Response Center system identifier or your company name
if you are not currently under Response Center support.
The list will automatically be emailed back to you. The list
includes a short description of the patch. A more detailed
patch description is included in the patch itself.
3. Apply the patch to your HP-UX system.
4. Examine /tmp/update.log for any relevant WARNINGs or ERRORs. This
can be done as follows:
a. At the shell prompt, type "tail -60 /tmp/update.log | more"
b. Page through the next three screens via the space bar, looking
for WARNING or ERROR messages.
D. Impact of the patch and workaround
The patch for HP-UX releases 8.x and 9.x provides a new version of
/usr/lib/X11/xterm which fixes the vulnerability. No patches will be
available for versions of HP-UX prior to 8.0.