************************************************************************** Security Bulletin 9422 DISA Defense Communications System August 23, 1994 Published by: DDN Security Coordination Center (SCC@NIC.DDN.MIL) 1-(800) 365-3642 DEFENSE DATA NETWORK SECURITY BULLETIN The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using login="anonymous" and password="guest". The bulletin pathname is scc/ddn-security-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/ddn-security-9302). ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Computer ! ! Emergency Response Team (CERT) and is being relayed unedited ! ! via the Defense Information Systems Agency's Security ! ! Coordination Center distribution system as a means of ! ! providing DDN subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ============================================================================= CA-94:11 CERT Advisory June 9, 1994 Majordomo Vulnerabilities ----------------------------------------------------------------------------- The CERT Coordination Center has received reports of vulnerabilities in all versions of Majordomo up to and including version 1.91. These vulnerabilities enable intruders to gain access to the account that runs the Majordomo software, even if the site has firewalls and TCP wrappers. CERT recommends that all sites running Majordomo replace their current version with version 1.92 (see Section III for instructions). It is possible to apply a quick fix to versions prior to 1.92, but we strongly recommend obtaining 1.92 instead. As we receive additional information relating to this advisory, we will place it, along with any clarifications, in a CA-94:11 README file. CERT advisories and their associated README files are available by anonymous FTP from info.cert.org. We encourage you to check the README files regularly for updates on advisories that relate to your site. ----------------------------------------------------------------------------- I. Description Two vulnerabilities have recently been found in Majordomo. These vulnerabilities enable intruders to gain access to the account that runs the Majordomo software, thus gaining the ability to execute arbitrary commands. The vulnerabilities can be exploited without a valid user name and password on the local machine, and firewalls and TCP wrapper protection can be bypassed. CERT has received reports that the vulnerabilities are currently being exploited. II. Impact Intruders can install and execute programs as the user running the Majordomo software. III. Solution A. Recommended solution for all versions through 1.91 Obtain and install Majordomo version 1.92, following the instructions in the README file included with 1.92. This new version is available by anonymous FTP from FTP.GreatCircle.COM and is located in the directory /pub/majordomo as a compressed tar file, majordomo-1.92.tar.Z. This file is also available from ftp.cs.umb.edu in the directory /pub/rouilj and from ftp.pgh.net in the directory /pub/majordomo. BSD SVR4 File Checksum Checksum MD5 Digital Signature ----------------- -------- --------- -------------------------------- majordomo-1.92.tar.Z 55701 223 23408 446 17d9bb9fd4872ab09d01bfeb643b5ebb B. Quick fix for versions 1.91 and earlier Until you are able to install the new version of Majordomo, you should install the following quick fix, which has two steps. If you are running Majordomo 1.90 and earlier, you must take both steps. If you are running version 1.91, you need only take the first step. Step 1 - Disable new-list by either renaming the new-list program or removing it from the aliases file. If you have version 1.90 and earlier, go on to Step 2. Step 2 - In every place in the Majordomo code where there is a string of any of these forms, "|/usr/lib/sendmail -f $to" #majordmo.pl "|/usr/lib/sendmail -f $reply_to" #request-answer "|/usr/lib/sendmail -f \$to" #majordomo.cf Change that string to "|/usr/lib/sendmail -f -t" Generally, you will find the strings in the request-answer file, the majordomo.pl file, and your local majordomo.cf file. Note: If you are running a mailer other than sendmail, this step may not fix the vulnerability. You should obtain and install version 1.92 as described in Section A above. --------------------------------------------------------------------------- The CERT Coordination Center thanks Brent Chapman of Great Circle Associates and John Rouillard of the University of Massachusetts at Boston for their support in responding to the problem. --------------------------------------------------------------------------- If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in Forum of Incident Response and Security Teams (FIRST). If you wish to send sensitive incident or vulnerability information to CERT via electronic mail, CERT strongly advises that the e-mail be encrypted. CERT can support a shared DES key, PGP (public key available via anonymous FTP on info.cert.org), or PEM (contact CERT for details). Internet E-mail: cert@cert.org Telephone: 412-268-7090 (24-hour hotline) CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 USA Past advisories, information about FIRST representatives, and other information related to computer security are available for anonymous FTP from info.cert.org. **************************************************************************** * * * The point of contact for MILNET security-related incidents is the * * Security Coordination Center (SCC). * * * * E-mail address: SCC@NIC.DDN.MIL * * * * Telephone: 1-(800)-365-3642 * * * * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, * * Monday through Friday except on federal holidays. * * * **************************************************************************** PLEASE NOTE: Many users outside of the DOD computing communities receive DDN Security bulletins. If you are not part of DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an service to the DOD community. Neither the United States Government nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.