************************************************************************** Security Bulletin 9317 DISA Defense Communications System September 20, 1993 Published by: DDN Security Coordination Center (SCC@NIC.DDN.MIL) 1-(800) 365-3642 DEFENSE DATA NETWORK SECURITY BULLETIN The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using login="anonymous" and password="guest". The bulletin pathname is scc/ddn-security-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/ddn-security-9302). ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Computer ! ! Emergency Response Team (CERT) and is being relayed unedited ! ! via the Defense Information Systems Agency's Security ! ! Coordination Center distribution system as a means of ! ! providing DDN subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + DISTRIBUTION RESTRICTIONS: PUBLIC RELEASE Enclosed is the final draft of a CERT Advisory. If reprinted, in part or whole, please credit the CERT Coordination Center. ============================================================================= CA-93:13 CERT Advisory September 17, 1993 SCO Home Directory Vulnerability ----------------------------------------------------------------------------- The CERT Coordination Center has received information indicating that SCO Operating Systems may be vulnerable to a potential compromise of system security. This vulnerability allows unauthorized access to the "dos" and "asg" accounts, and, as a result of this access, unauthorized access to the "root" account may also occur. The following releases of SCO products are affected by this vulnerability: SCO UNIX System V/386 Release 3.2 Operating System SCO UNIX System V/386 Release 3.2 Operating System Version 2.0 SCO UNIX System V/386 Release 3.2 Operating System version 4.x SCO UNIX System V/386 Release 3.2 Operating System Version 4.0 with Maintenance Supplement Version 4.1 and/or Version 4.2 SCO Network Bundle Release 4.x SCO Open Desktop Release 1.x SCO Open Desktop Release 2.0 SCO Open Desktop Lite Release 3.0 SCO Open Desktop Release 3.0 SCO Open Server Network System Release 3.0 SCO Open Server Enterprise System Release 3.0 CERT and The Santa Cruz Operation recommend that all sites using these SCO products take action to eliminate the source of vulnerability from their systems. This problem will be corrected in upcoming releases of SCO operating systems. ----------------------------------------------------------------------------- I. Description The home directories of the users "dos" and "asg" are /tmp and /usr/tmp respectively. These directories are designed to have global write permission. II. Impact This vulnerability may allow unauthorized users to gain access to these accounts. This vulnerability may also corrupt certain binaries in the system and thus prevent regular users from running them, as well as introduce a potential for unauthorized root access. III. Solution All affected sites should follow these instructions: 1. Log onto the system as "root" 2. Choose the following sequence of menu selections from the System Administration Shell, which is invoked by typing "sysadmsh" a. Accounts-->User-->Examine--> [select the "dos" account] -->Identity -->Home directory-->Create-->Path--> [change it to /usr/dos instead of /tmp]--> confirm b. Accounts-->User-->Examine--> [select the "asg" account] -->Identity -->Home directory-->Create-->Path--> [change it to /usr/asg instead of /usr/tmp]--> confirm 3. If DOS binaries have been modified, or sites are unable to determine if modification has occurred, we strongly recommend removing and reinstalling the DOS package of the Operating System Extended Utilities. This can be done using custom(ADM). Sites may also want to check their systems for signs of further compromise. This can be facilitated through the use of programs such as COPS. Other security advice and suggestions can be found in CERT's security checklist. This checklist may be obtained through anonymous FTP from cert.org in pub/tech_tips/security_info. Note: COPS may be obtained from many sites, including via anonymous FTP from cert.org in the pub/tools directory. If you have further questions about this issue, please contact SCO Support and ask for more information concerning this CERT advisory, CA-93:13, "SCO Home Directory Vulnerability." Electronic mail: support@sco.COM USA/Canada: 6am-5pm Pacific Daylight Time (PDT) ----------- 1-800-347-4381 (voice) 1-408-427-5443 (fax) Pacific Rim, Asia, and Latin American customers: 6am-5pm Pacific ------------------------------------------------ Daylight Time (PDT) 1-408-425-4726 (voice) 1-408-427-5443 (fax) Europe, Middle East, Africa: 9am-5:30pm British Standard Time (BST) ---------------------------- +44 (0)923 816344 (voice) +44 (0)923 817781 (fax) --------------------------------------------------------------------------- The CERT Coordination Center wishes to thank Christopher Durham of the Santa Cruz Operation for reporting this problem and his assistance in responding to this problem. --------------------------------------------------------------------------- If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in Forum of Incident Response and Security Teams (FIRST). Internet E-mail: cert@cert.org Telephone: 412-268-7090 (24-hour hotline) CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Past advisories, information about FIRST representatives, and other information related to computer security are available for anonymous FTP from cert.org (192.88.209.5). **************************************************************************** * * * The point of contact for MILNET security-related incidents is the * * Security Coordination Center (SCC). * * * * E-mail address: SCC@NIC.DDN.MIL * * * * Telephone: 1-(800)-365-3642 * * * * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, * * Monday through Friday except on federal holidays. * * * ****************************************************************************