-----BEGIN PGP SIGNED MESSAGE----- <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Automated Systems Security Incident Support Team _____ ___ ___ _____ ___ _____ | / /\ / \ / \ | / \ | | / Integritas / \ \___ \___ | \___ | | < et /____\ \ \ | \ | | \ Celeritas / \ \___/ \___/ __|__ \___/ | |_____\ <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Bulletin 95-14 Release date: 21 Apr, 1995, 4:30PM EDT (GMT -4) SUBJECT: Vulnerability in HP /usr/lib/sendmail. SUMMARY: The following is information about the problem released by Hewlett Packard. ASSIST recommends prompt action be taken to remedy the problem on any affected HP systems within DoD. - ------------------------------------------------------------------------- HEWLETT-PACKARD SECURITY BULLETIN: #00025, 2 April 95 - ------------------------------------------------------------------------- The information in the following Security Bulletin should be acted upon assoon as possible. Hewlett- Packard will not be liable for any consequencesto any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible. PROBLEM: Sendmail permits unauthorized remote program execution. PLATFORM: HP 9000 series 300/400s and 700/800s 8.x and 9.x DAMAGE: Remote users can cause sendmail to execute any program. SOLUTION: Apply patch PHNE_5402 (series 700/800, HP-UX 9.x), or PHNE_5401 (series 700/800, HP-UX 8.x), or PHNE_5384 (series 300/400, HP-UX 9.x), or PHNE_5383 (series 300/400, HP-UX 8.x), or PHNE_5387 (series 700, HP-UX 9.09), or PHNE_5388 (series 700, HP-UX 9.09+), or PHNE_5389 (series 800, HP-UX 9.08) AVAILABILITY: All patches are available now. I. Vulnerability in /usr/lib/sendmail. A. A vulnerability in sendmail. A vulnerability in sendmail has been discovered that permits remote users to cause sendmail to execute any program that is allowed with the permissions: uid=1(daemon) gid=1(other) Files and programs that are not world-writeable or world-executable and are not in the 'other' group or owned by 'daemon' are safe from modification. This means that /etc/passwd cannot be modified, for example. B. Fixing the problems The two vulnerabilities can be eliminated from releases 8.x and 9.x of HP-UX by applying a patch. Hewlett-Packard recommends that all customers concerned with the security of their HP-UX systems apply the appropriate patch as soon as possible. It is further advised that system administrators closely scan their mail syslogs for evidence of any unusual activity, using: grep "|" /usr/spool/mqueue/syslog* [Editor's note: If your site links grep to egrep or the Gnu grep, the above command matches every line in the file. An alternative is to use fgrep where you are looking for the "|" character. ] If there is any evidence of an intrusion, system administrators are strongly urged to require password changes for all accounts. C. How to Install the Patch (for HP-UX 8.x and 9.x) 1. Determine which patch is appropriate for your hardware platform and operating system: PHNE_5402 (series 700/800, HP-UX 9.x), PHNE_5401 (series 700/800, HP-UX 8.x), PHNE_5384 (series 300/400, HP-UX 9.x), PHNE_5383 (series 300/400, HP-UX 8.x), PHNE_5387 (series 700, HP-UX 9.09), PHNE_5388 (series 700, HP-UX 9.09+), PHNE_5389 (series 800, HP-UX 9.08) 2. Hewlett Packard's HP-UX patches are available via email and the World Wide Web. To obtain a copy of the HP SupportLine email service user's guide, send the following in the TEXT PORTION OF THE MESSAGE to support@support.mayfield.hp.com (no Subject is required): send guide The users guide explains the process for downloading HP-UX patches via email and other services available. World Wide Web service for downloading of patches is available via our URL: http://support.mayfield.hp.com Choose "Support news", then under Support news, choose "Security Bulletins" F. To report new security vulnerabilities, send email to security-alert@hp.com ASSIST would like to thank the CERT Coordiantion Center for information contained in this bulletin. <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ASSIST is an element of the Defense Information Systems Agency (DISA), Center for Information Systems Security (CISS), that provides service to the entire DoD community. Constituents of the DoD with questions about ASSIST or computer security security issues, can contact ASSIST using one of the methods listed below. Non-DoD organizations/institutions, contact the Forum of Incident Response and Security Teams (FIRST) (FIRST) representative. To obtain a list of FIRST member organizations and their constituencies send an email to docserver@first.org with an empty "subject" line and a message body containing the line "send first-contacts". ASSIST Information Resources: To be included in the distribution list for the ASSIST bulletins, send your Milnet (Internet) e-mail address to assist-request@assist.mil. Back issues of ASSIST bulletins, and other security related information, are available from the ASSIST BBS at 703-756-7993/1154 DSN 289-7993/1154, and through anonymous FTP from assist.mil (IP address 199.211.123.11). Note: assist.mil will only accept anonymous FTP connections from Milnet addresses that are registered with the NIC or DNS. ASSIST Contact Information: PHONE: 800-357-4231 (or 703-756-7974 DSN 289), duty hours are 06:00 to 22:30 EDT (GMT -4) Monday through Friday. During off duty hours, weekends and holidays, ASSIST can be reached via pager at 800-791- 4857. The page will be answered within 30 minutes, however if a quicker response is required, prefix the phone number with "999". ELECTRONIC MAIL: Send to assist@assist.mil. ASSIST BBS: Leave a message for the "sysop". ASSIST uses Pretty Good Privacy (PGP) 2.6.2 as the digital signature mechanism for bulletins. PGP 2.6.2 incorporates the RSAREF(tm) Cryptographic Toolkit under license from RSA Data Security, Inc. A copy of that license is available via anonymous FTP from net-dist.mit.edu (IP 18.72.0.3) in the file /pub/PGP/rsalicen.txt. In accordance with the terms of that license, PGP 2.6.2 may be used for non-commercial purposes only. Instructions for downloading the PGP 2.6.2 software can also be obtained from net-dist.mit.edu in the pub/PGP/README file. PGP 2.6.2 and RSAREF may be subject to the export control laws of the United States of America as implemented by the United States Department of State Office of Defense Trade Controls. The PGP signature information will be attached to the end of ASSIST bulletins. Reference herein to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by ASSIST. The views and opinions of authors expressed herein shall not be used for advertising or product endorsement purposes. - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6 mQCNAi4uZ40AAAEEAM1uraimCNeh5PtzX7KoGxC2u8uMTdl8V5sujk3MHbWvCuOM W0FqDy5s9iwfQLZWzJ7cbM6L0mNOj8eJGoz7TqGKZDDRFlKAwg0x8joleZLC2gXw FVdF/g6Mdv7ok7heoa+Y//YMeADnsSrmzqLCnhFbKYffww3EbdH6sbnW3Io9AAUR tB9BU1NJU1QgVGVhbSA8YXNzaXN0QGFzc2lzdC5taWw+iQCVAwUQL1xx7tH6sbnW 3Io9AQEBYwP9FvIJbnKjtMLUj8ghd6hophSx8WZnfQsOmZX/BbX8vKz1a5BkBn4q ANvW+uKGdUlE8LLMEm1PD59Cihcb3OoWDOU8zIOIErvry4eqa+LzEXV8nnBdes+A a1MCMGSz+K3OaP78lQ7JCGoY9TXTWIelfAdBVBG4VQcSQRn8tjRdG2e0KEFTU0lT VCBUZWFtIDxhc3Npc3RAYXNzaXN0Lmltcy5kaXNhLm1pbD6JAJUCBRAuLnHoh0Y9 0jC+b6kBAU0TA/4yXSL7K6tcfVm9ACnP4crCoutFM2w10e7YKxD850ajhWrh6rI9 O+sjU5WObqiPJ7sZHdEw/KARzPSijH/5h8HlyYa6ClksWxYuymzCsUYYJctdjcGr uakfXgYQ1TkkyUfNrN5G90NuRK/vTRe7bkmyGNYjN9Njac1Q18WVF59Chg== =d5rP - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBL5gVt9H6sbnW3Io9AQEqAAP9Gnf6ktlWiqeRm76Um+1crvciqcGAadS6 RWlXEThZdObiXI7T4EVnrXcivp4KFpZ904VLpQ99nr5hsqooumaV2xxh0oHz+axc 3Ma7SKKQrhQHPqTMb0PWq4orVPNYK4uA9VNMmE/foCgHXCTYHv54/qBYw7ZJA8zB eSIdGI2DAzc= =K1FV -----END PGP SIGNATURE-----