*********************************************************************** DDN Security Bulletin 9117 DCA DDN Defense Communications System 18 Sep 91 Published by: DDN Security Coordination Center (SCC@NIC.DDN.MIL) (800) 235-3155 DEFENSE DATA NETWORK SECURITY BULLETIN The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security Coordination Center) under DCA contract as a means of communicating information on network and host security exposures, fixes, & concerns to security & management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.67.67.20] using login="anonymous" and password="guest". The bulletin pathname is SCC:DDN-SECURITY-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. SCC:DDN-SECURITY-9001). ********************************************************************** SunOS SPARC Integer Division Vulnerability + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Computer ! ! Emergency Response Team (CERT) and is being relayed unedited ! ! via the Defense Communications Agency's Security Coordination ! ! Center distribution system as a means of providing DDN ! ! subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + CA-91:16 CERT Advisory September 18, 1991 SunOS SPARC Integer Division Vulnerability --------------------------------------------------------------------------- The Computer Emergency Response Team/Coordination Center (CERT/CC) has received information concerning a vulnerability in Sun Microsystems, Inc. (Sun) integer division on their SPARC architecture. This vulner- ability exists on all SPARC platforms (including sun4 and sun4c) for SunOS versions 4.1 and 4.1.1. Sun has provided patches for this vulnerability. They are available through your local Sun Answer Centers worldwide as well as through anonymous ftp from the ftp.uu.net system (in the sun-dist directory). Fix Patch ID Filename Checksum /sys/sun{4,4c}/OBJ/crt.o 100376-01 100376-01.tar.Z 09989 11 Please note that Sun Microsystems sometimes updates patch files. If you find that the checksum is different please contact Sun Microsystems or us for verification. --------------------------------------------------------------------------- I. Description A security vulnerability exists in the integer division on the SPARC architecture that can be used to gain root privileges. II. Impact Any user logged into the system can gain root access. III. Solution Replace /sys/sun{4,4c}/OBJ/crt.o and rebuild the kernel(s) necessary for your host configuration(s). Reboot each host using the appropriate kernel. Please refer to the System and Network Administration Manual for instructions on building and configuring a new custom kernel. --------------------------------------------------------------------------- The CERT/CC wishes to thank Gordon Irlam of the Department of Computer, University of Adelaide, Australia, for bringing this vulnerability to our attention and for his further assistance with the solution. We also wish to thank Sun Microsystems for their prompt response to this vulnerability. --------------------------------------------------------------------------- If you believe that your system has been compromised, contact CERT/CC via telephone or e-mail. Computer Emergency Response Team/Coordination Center (CERT/CC) Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Internet E-mail: cert@cert.sei.cmu.edu Telephone: 412-268-7090 24-hour hotline: CERT/CC personnel answer 7:30a.m.-6:00p.m. EDT, on call for emergencies during other hours. Past advisories and other computer security related information are available for anonymous ftp from the cert.sei.cmu.edu (192.88.209.5) system.