-----BEGIN PGP SIGNED MESSAGE-----

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

                  =======  ============    ======       ======
                  =======  ==============  =======     =======
                    ===      ===     ====    ======   ======
                    ===      ===========     ======= =======
                    ===      ===========     === ======= ===
                    ===      ===     ====    ===  =====  ===
                  =======  ==============  =====   ===   =====
                  =======  ============    =====    =    =====

                           EMERGENCY RESPONSE SERVICE
      OUTSIDE ADVISORY REDISTRIBUTION

25 July 1996 12:00 GMT                           Number: ERS-OAR-E01-1996:008.1
===============================================================================

The IBM-ERS Outside Advisory Redistribution is designed to provide customers
of the IBM Emergency Response Service with access to the security advisories
sent out by other computer security incident response teams, vendors, and
other groups concerned about security.

IBM makes no representations and assumes no responsibility for the contents or
accuracy of the advisories themselves.

IBM-ERS is forwarding the following information from Hewlett-Packard.  Contact
information for Hewlett-Packard is included in the forwarded text below; please
contact them if you have any questions or need further information.

===============================================================================

********************** FORWARDED INFORMATION STARTS HERE **********************

===============================================================================
                    ***HP SupportLine Mail Service Notice***

This digest contains a summary of all newly received Security Bulletins.

You do not have to have any form of support from Hewlett-Packard to subscribe
to this digest or to procure the recommended patches via the HP SupportLine
mail service.

- -------------------------------------------------------------------------------

To obtain a copy of the HP SupportLine mail service user's guide, send the
following (in the TEXT PORTION OF THE MESSAGE to) to the HP SupportLine mail
service.

To: support@us.external.hp.com

Message Text:

 send guide

- -------------------------------------------------------------------------------

To obtain a patch identified within this Security Bulletin, send the following
(in the TEXT PORTION OF THE MESSAGE) to the HP SupportLine mail service.

To: support@us.external.hp.com

Message Text:

 send xxxxxxxxxxxx

(where xxxxxxxxxxxx represents the specified patch name).

- -------------------------------------------------------------------------------

If you have concerns about security issues, please forward them to:

                   security-alert@hp.com

The security-alert node is monitored during working hours Pacific Daylight Time
by multiple HP Security Response Team personnel. We reply to your message only
if necessary to obtain additional information.

- -------------------------------------------------------------------------------

If you would like to be REMOVED from this mailing lists, send the following (in
the TEXT PORTION OF THE MESSAGE) to the HP SupportLine mail service.

To: support@us.external.hp.com

Message Text:

 unsubscribe security_info

===============================================================================

Digest Name: security_info
Description: Daily Security Bulletins Digest
Created:     Wed Jul 24 03:00:01 1996 PDT

- -------------------------------------------------------------------------------
Summary of 'Daily Security Bulletins Digest' documents
- -------------------------------------------------------------------------------
Document Id    Description            Page 1
- -------------------------------------------------------------------------------
HPSBUX9607-035 Security Vulnerability in nettune executable
HPSBUX9607-034 Security Vulnerability in SAM remote admin
===============================================================================
Detailed list of 'Daily Security Bulletins Digest' documents
===============================================================================
Document Id: [HPSBUX9607-035]
Date Loaded: [07-24-96]

Description: Security Vulnerability in nettune executable
===============================================================================

- -------------------------------------------------------------------------
HEWLETT-PACKARD SECURITY ADVISORY: HPSBU0796-035, 22 July 1996
- -------------------------------------------------------------------------

The information in the following Security Advisory should be acted upon
as soon as possible.  Hewlett Packard will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Advisory as soon as possible.

- -------------------------------------------------------------------------
PROBLEM:  Incorrect permissions on nettune executable

PLATFORM: HP 9000/700 and 9000/800 systems running operating system
          version 10.0 or 10.01 of HP-UX.

DAMAGE:   The configuration of various networking parameters could be
          modified by non-root users.

SOLUTION: Login as root user and issue the following commands:

          chmod 555 /usr/contrib/bin/nettune
          chown bin /usr/contrib/bin/nettune

AVAILABILITY: Not applicable

- -------------------------------------------------------------------------

I.    Nettune

   A. Background

      The nettune program is a utility program that allows non-root
      users to examine and root users to modify several items that
      affect networking.  The nettune binary that ships with HP-UX
      10.0 and 10.01 has incorrect permission attributes that allow
      non-root users to modify networking parameters which only root
      users should be able to modify.  Operating systems released
      after 10.01, such as HP-UX 10.10, correctly set the permissions
      on this program file and are therefore not vulnerable.


   B. Fixing the problem

      The fix for this problem is to modify the owner and execution
      permissions of the nettune binary itself.  This can easily be
      accomplished using the chown and chmod commands listed below.


   C. Recommended solution

      Login as root user and issue the following commands:

          chmod 555 /usr/contrib/bin/nettune
          chown bin /usr/contrib/bin/nettune


   D. To subscribe to automatically receive future NEW HP Security
      Bulletins from the HP SupportLine mail service via electronic
      mail, send an email message to:

      support@us.external.hp.com   (no Subject is required)

      Multiple instructions are allowed in the TEXT PORTION OF THE
      MESSAGE, here are some basic instructions you may want to use:

      To add your name to the subscription list for new security
      bulletins, send the following in the TEXT PORTION OF THE MESSAGE:

                  subscribe security_info

      To retrieve the index of all HP Security Bulletins issued to
      date, send the following in the TEXT PORTION OF THE MESSAGE:

                  send security_info_list

      To get a patch matrix of current HP-UX and BLS security
      patches referenced by either Security Bulletin or Platform/OS,
      put the following in the text portion of your message:

                  send hp-ux_patch_matrix

       World Wide Web service for browsing of bulletins
       is available via our URL:
       (http://us.external.hp.com)

       Choose "Support news", then under Support news,
       choose "Security Bulletins"


   E. To report new security vulnerabilities, send email to

          security-alert@hp.com

      Please encrypt exploit information using the security-alert PGP
      key, available from your local key server, or by sending a
      message with a -subject- (not body) of 'get key' (no quotes) to
      security-alert@hp.com.


     Permission is granted for copying and circulating this Bulletin to
     Hewlett-Packard (HP) customers (or the Internet community) for the
     purpose of alerting them to problems, if and only if, the Bulletin
     is not edited or changed in any way, is attributed to HP, and
     provided such reproduction and/or distribution is performed for
     non-commercial purposes.

     Any other use of this information is prohibited. HP is not liable
     for any misuse of this information by any third party.

===============================================================================
Document Id: [HPSBUX9607-034]
Date Loaded: [07-24-96]

Description: Security Vulnerability in SAM remote admin
===============================================================================

- -----------------------------------------------------------------------
HEWLETT-PACKARD SECURITY BULLETIN: #HPSBUX9607-034, 22 July 1996
- -----------------------------------------------------------------------

The information in the following Security Bulletin should be acted upon
as soon as possible.  Hewlett Packard will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.

- -----------------------------------------------------------------------
PROBLEM:  Vulnerabilities in SAM remote administration.
PLATFORM: HP 9000/300/400/700 and 800 systems running any currently
          supported version of HP-UX 9.X and 10.X.
DAMAGE:   The security of the enterprise and its applications could
          be compromised.
SOLUTION: Follow the procedure below.

AVAILABILITY: Not applicable

- -----------------------------------------------------------------------
I. Mailing list discussions

   A. Background

      It has recently come to the attention of Hewlett-Packard that
      remote administration of cluster nodes via SAM (System
      Administration Manager) is done with a now widely known
      password.  There is a default account password used in the
      currently shipping SAM binary.  That user gets created via rsh
      on the remote machine.

   B. Recommended workaround

      Hewlett-Packard strongly recommends that administrators concerned
      with the security of their enterprise either:
        a) do not configure remote administration, or
        b) replace that existing password field in /etc/passwd with an
           asterisk (*)

      Hewlett-Packard is working to deliver new scheme in a future
      release of the SAM product.

   C. To subscribe to automatically receive future NEW HP Security
      Bulletins from the HP SupportLine mail service via electronic
      mail, send an email message to:

      support@us.external.hp.com   (no Subject is required)

      Multiple instructions are allowed in the TEXT PORTION OF THE
      MESSAGE, here are some basic instructions you may want to use:

      To add your name to the subscription list for new security
      bulletins, send the following in the TEXT PORTION OF THE MESSAGE:

                  subscribe security_info

      To retrieve the index of all HP Security Bulletins issued to
      date, send the following in the TEXT PORTION OF THE MESSAGE:

                  send security_info_list

      To get a patch matrix of current HP-UX and BLS security
      patches referenced by either Security Bulletin or Platform/OS,
      put the following in the text portion of your message:

                  send hp-ux_patch_matrix

       World Wide Web service for browsing of bulletins
       is available via our URL:
       (http://us.external.hp.com)

       Choose "Support news", then under Support news,
       choose "Security Bulletins"


   D. To report new security vulnerabilities, send email to

          security-alert@hp.com

      Please encrypt exploit information using the security-alert PGP
      key, available from your local key server, or by sending a
      message with a -subject- (not body) of 'get key' (no quotes) to
      security-alert@hp.com.


     Permission is granted for copying and circulating this Bulletin to
     Hewlett-Packard (HP) customers (or the Internet community) for the
     purpose of alerting them to problems, if and only if, the Bulletin
     is not edited or changed in any way, is attributed to HP, and
     provided such reproduction and/or distribution is performed for
     non-commercial purposes.

     Any other use of this information is prohibited. HP is not liable
     for any misuse of this information by any third party.

*********************** FORWARDED INFORMATION ENDS HERE ***********************

===============================================================================

IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment.  By acting as an extension
of your own internal security staff, IBM-ERS's team of Internet security
experts helps you quickly detect and respond to attacks and exposures across
your Internet connection(s).

As a part of IBM's Business Recovery Services organization, the IBM Internet
Emergency Response Service is a component of IBM's SecureWay(tm) line of
security products and services.  From hardware to software to consulting,
SecureWay solutions can give you the assurance and expertise you need to
protect your valuable business resources.  To find out more about the IBM
Internet Emergency Response Service, send an electronic mail message to
ers-sales@vnet.ibm.com, or call 1-800-742-2493 (Prompt 4).

IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security alerts,
team contact information, and other items.

IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for
security vulnerability alerts and other distributed information.  The IBM-ERS
PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html.
"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmerman.

IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams
(FIRST), a global organization established to foster cooperation and response
coordination among computer security teams worldwide.

The information in this document is provided as a service to customers of
the IBM Emergency Response Service.  Neither International Business Machines
Corporation, Integrated Systems Solutions Corporation, nor any of their
employees, makes any warranty, express or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or usefulness of
any information, apparatus, product, or process contained herein, or
represents that its use would not infringe any privately owned rights.
Reference herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by IBM or
its subsidiaries.  The views and opinions of authors expressed herein do not
necessarily state or reflect those of IBM or its subsidiaries, and may not be
used for advertising or product endorsement purposes.

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

-----BEGIN PGP SIGNATURE-----
Version: 2.7.1

iQCVAwUBMfdf7/WDLGpfj4rlAQFiCgQAy2nJUqK2nQdQl+lAzZFSYtk9twkspyZj
ftUAfl3nWXsD1f8xnz87qe97/c2cVS7JCE0W7iWh3k9O5w9nalXqe/7lSGPXb72S
QWHMoWdgJKY2aNOOXL0OPRTQHCIsoz2RBEnkNGX7T4FUsieAYlA/anTxV6qtiV2E
SVSQQk3FtNE=
=kvv3
-----END PGP SIGNATURE-----