NO RESTRICTIONS _____________________________________________________ The Computer Incident Advisory Capability ___ __ __ _ ___ / | / \ / \___ __|__ /___\ \___ _____________________________________________________ INFORMATION BULLETIN Vulnerability In AT&T /usr/etc/rexecd February 25, 1992, 1100 PDT Number C-18 ________________________________________________________________________ PROBLEM: A vulnerability exists in AT&T /usr/etc/rexecd PLATFORM: AT&T TCP/IP Release 4.0 running on SVR4 systems for both the 386/486 and 3B2 RISC platforms. DAMAGE: misuse of /usr/etc/rexecd may allow a user on a remote machine to run commands as root on the target host (the host running the affected /usr/etc/rexecd). SOLUTIONS: Disable the vulnerable program until a replacement or patch is obtained. ________________________________________________________________________ Critical Information About ATT /usr/etc/rexecd CIAC has learned of a new vulnerability in AT&T TCP/IP Release 4.0 running on SVR4 systems for both the 386/486 and 3B2 RISC platforms. The existing error, in the remote execution server /usr/etc/rexecd, has been corrected, and a new executable for rexecd is available from AT&T by calling 800-543-9935. Patches may be obtained outside the U.S. by calling your local technical support. The numbers associated with the fix are 5127 (3.5" media) and 5128 (5.25" media). Administrators of affected systems should execute, as root, the following command to immediately turn off access to rexecd until the new binary can be obtained. # chmod 400 /usr/etc/rexecd You may then obtain and install the new patch. The fix will be supplied as one diskette, and it comes with one page of instructions documenting the procedure for replacing the existing /usr/etc/rexecd binary. The problem does not exist in TCP/IP release 3.2 for SVR3, or any earlier versions of the TCP/IP product running on either the 3B2 or 386 platforms. In addition, the version of TCP/IP distributed with SVR4 by UNIX(r) System Laboratories, Inc. (a subsidiary of AT&T) does not contain this vulnerability. UNIX(r) is a registered trademark of UNIX System Laboratories, Inc. For additional information or assistance, please contact CIAC: David Brown (510) 423-9878/(FTS) 543-9878 dsbrown@llnl.gov Call CIAC at (510) 422-8193/(FTS) 532-8193 or send e-mail to ciac@llnl.gov. FAX messages to: (510) 423-8002/(FTS) 543-8002. Previous CIAC bulletins and other information is available via anonymous ftp from irbis.llnl.gov (ip address 128.115.19.60). CIAC would like to thank Bradley E. Smith, Network & Technical Services, Bradley University, AT&T, and the CERT/CC for assistance with this bulletin. PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Some of the other teams include the NASA NSI response team, DARPA's CERT/CC, NAVCIRT, and the Air Force response team. Your agency's team will coordinate with CIAC. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.