NASIRC BULLETIN #93-01
September 17, 1993

SECURITY VULNERABILITY IN NOVELL NETWARE LOGIN.EXE
===========================================================================
NASA Automated Systems Incident Response Capability
===========================================================================

NASIRC has received information concerning a vulnerability that exists in
the LOGIN.EXE program for Novell NetWare V4.x which can compromise user
accounts. The vulnerability is not present in NetWare 2.x, 3.x, or NetWare
for Unix. Use of NetWare 4.x with the vulnerable LOGIN.EXE could cause the
inadvertent compromise of a user's name and password.

Novell has produced a patch which is available via FTP over the Internet.
NASIRC can also distribute the patch to sites which are not connected to
the Internet. The patch file is in the form of a self-extracting archive
file for DOS, called SECLOG.EXE.

NASIRC recommends that all NASA sites running Novell NetWare V4.x obtain
and install the revised LOGIN.EXE program (v4.02) as soon as possible to
close this vulnerability.

The patch (SECLOG.EXE) is available from the machine FIRST.ORG in the
~pub/software directory. This file is also available at no charge through
NetWare resellers, on NetWire in Library 14 of the NOVLIB forum, or by
calling 1-800-NETWARE. NetWare customers outside the U.S. may call Novell
at 303-339-7027 or 31-55-384279, or fax a request for SECLOG.EXE v4.02 to
Novell at 303-330-7655 or 31-55-434455. Include company name, contact name,
mailing address and phone number in the fax request.

The patch (LOGIN.EXE) and text file (SECLOG.TXT) are created by executing
the distribution file SECLOG.EXE, a self-extracting archive. After
extracting the files, the dir command should produce the following output:

    SECLOG   EXE    166276 xx-xx-xx  xx:xxx
    LOGIN    EXE    354859 08-25-93  11:43a
    SECLOG   TXT      5299 09-02-93  11:16a

To install the patch, follow the directions contained in the text file
SECLOG.TXT, and then instruct all your users to change their passwords.

NASIRC ACKNOWLEDGES: Karyn Pichnarczyk of the DOE CIAC team for her work
in coordinating and distributing the information relating to this
vulnerability and patch; Richard Colby of Chem Nuclear Geotech, Inc. for
discovering and reporting the vulnerability; and Novell, Inc. for their
resolution of this issue.

PLEASE NOTE: Users outside of the NASA community may receive NASIRC
bulletins. If you are not part of the NASA community, please contact your
agency's response team to report incidents. Your agency's team will
coordinate with NASIRC, who will ensure the proper internal NASA team(s)
are notified.

NASIRC is a member of the Forum of Incident Response and Security Teams
(FIRST), a world-wide organization which provides for coordination between
incident response teams in handling computer-security-related issues. A
list of FIRST member organizations and their constituencies can be
obtained by sending email to docserver@first.org with an empty subject
line and a message body containing the line: send first-contacts.

==================================================================
For further assistance, please contact the NASIRC helpdesk at
1-800-7-NASIRC. Fax messages may be sent to (301)306-1010.
24 Hour/Emergency Pager: 1-800-759-7243/Pin:5460866
==================================================================
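The bulletin's only integrity information for the patch is the dir listing (file names and byte sizes); it publishes no checksums. The script below is an added example, not part of the bulletin or of Novell's distribution, that checks an extraction directory against those listed sizes so a truncated download or a wrong-version LOGIN.EXE is caught before it is installed. It assumes the extracted files have been copied somewhere a Python interpreter can read; the expected sizes are the values printed in the bulletin, and a size match is a weak check that rules out truncation or the wrong file, not tampering.

```python
"""Verify files extracted from SECLOG.EXE against the dir listing in
NASIRC bulletin #93-01 (names and byte sizes only).

Added example; not code from the bulletin or from Novell. The directory
to check is assumed to contain the three files the bulletin lists."""
import os
import sys

# Expected files and sizes, taken from the bulletin's dir listing.
# SECLOG.EXE's own date and time are unspecified there ("xx-xx-xx"),
# so only the size is checked for every file.
EXPECTED_SIZES = {
    "SECLOG.EXE": 166276,
    "LOGIN.EXE": 354859,
    "SECLOG.TXT": 5299,
}


def check_extracted_files(directory):
    """Return a list of problem strings; an empty list means every
    expected file is present with the expected size.

    Names are compared case-insensitively because DOS filenames are
    not case-sensitive, so LOGIN.EXE copied as login.exe still matches."""
    problems = []
    present = {name.upper(): name for name in os.listdir(directory)}
    for name, expected in EXPECTED_SIZES.items():
        actual_name = present.get(name)
        if actual_name is None:
            problems.append("missing: %s" % name)
            continue
        size = os.path.getsize(os.path.join(directory, actual_name))
        if size != expected:
            problems.append("size mismatch: %s is %d bytes, expected %d"
                            % (name, size, expected))
    return problems


if __name__ == "__main__":
    # Usage: python check_seclog.py <extraction directory>  (defaults to ".")
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    issues = check_extracted_files(target)
    print("OK: extracted files match the bulletin's listing"
          if not issues else "\n".join(issues))
    sys.exit(1 if issues else 0)
```

Run it from the directory where SECLOG.EXE was executed; a non-zero exit status means at least one listed file is missing or has an unexpected size, and the patch should be re-obtained from one of the sources named in the bulletin rather than installed.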