**************************************************************************
Security Bulletin 9544                  DISA Defense Communications System
November 21, 1995           Published by: DISN Security Coordination Center
                                      (SCC@NIC.DDN.MIL)   1-(800) 365-3642

                    DEFENSE INFORMATION SYSTEM NETWORK
                             SECURITY BULLETIN

The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, and concerns
to security and management personnel at DISN facilities.  Back issues may
be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5]
using login="anonymous" and password="guest".  The bulletin pathname is
scc/sec-yynn.txt (where "yy" is the year the bulletin is issued and "nn"
is a bulletin number, e.g. scc/sec-9544.txt).  You may also obtain them
from our WWW site: http://nic.ddn.mil
**************************************************************************

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
!                                                                       !
!     The following important advisory was issued by the Automated      !
!     Systems Security Incident Support Team (ASSIST) and is being      !
!     relayed unedited via the Defense Information Systems Agency's     !
!     Security Coordination Center distribution system as a means       !
!     of providing DISN subscribers with useful security information.   !
!                                                                       !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
         Automated Systems Security Incident Support Team
                     Integritas et Celeritas
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Bulletin 95-42

Release date: 20 November, 1995, 8:45 AM EDT (GMT -4)

SUBJECT: Telnetd Environment Vulnerability.

SUMMARY: A vulnerability exists in some versions of the telnet daemon
that support RFC 1408 or 1572, both titled the ``Telnet Environment
Option,'' running on systems that also support shared object libraries.

BACKGROUND: Some telnet daemons support RFC 1572 entitled "Telnet
Environment Option." This extension to telnet provides the capability
of transferring environment variables from one system to another. If
the remote (targeted) system, the one to which the telnet is
connecting, is running an RFC 1408/1572 compliant telnet daemon AND the
targeted system also supports shared object libraries, then it may be
possible to transfer environment variables that influence the login
program called by the telnet daemon. By influencing that targeted
system, a user may be able to bypass the normal login and
authentication scheme and in fact may become root on that system.

Not all systems that run an RFC 1572 compliant telnet daemon and
support shared object libraries are vulnerable. Some vendors have
changed the trust model such that environment variables provided by
the telnet daemon are not trusted and therefore are not used by the
login program.

To determine if your system is potentially vulnerable, refer to the
vendor information in the "RECOMMENDED SOLUTIONS" section below. If
your vendor is not listed, you will need to determine if your system
may be vulnerable. First, consult the telnet(1) manual page; if your
telnet(1) program supports the ``environ'' command, then your telnet
daemon is probably RFC 1572 compliant. Second, consult the ld(1) manual
page; if it describes dynamic or shared objects, your system probably
supports shared object libraries.

IMPACT: Local and remote users with and without local accounts can
obtain root access on the targeted system. Users with accounts on the
targeted system can exploit this vulnerability. Users without accounts
on that system can also exploit this vulnerability if they are first
able to deposit an altered shared object library onto the targeted
system. Therefore, a system may be vulnerable to users with and without
local accounts.

RECOMMENDED SOLUTIONS: Replace the telnet daemon with one that changes
the environment given to the login program. This should be
accomplished by installing a patch from the vendor if one is
available. If a patch is not available, use the workaround in (2)
below until a patch is available. If you are using Mr. Borman's Telnet
package, see (3) below for information about obtaining a new version
that fixes the vulnerability.

(1) Vendor patches.

The following is a list of vendors and patch status. See the appendix
at the end of this bulletin for a more detailed listing of vendor
patch information. If your vendor's name is not on this list, please
contact the vendor directly.

    Vendor or Source              Status
    ----------------              ------------
    Apple Computer                not vulnerable
    Berkeley Software Design      not vulnerable
    Cray Research                 not vulnerable
    CYGNUS                        cns-95q1 - vulnerable
                                  cns-95q4 - not vulnerable
    Data General                  not vulnerable
    Digital Equipment             Ultrix - not vulnerable
                                  OSF/1 - vulnerable
    FreeBSD                       vulnerable
    Harris                        not vulnerable
    Hewlett-Packard               not vulnerable
    Linux                         Debian - vulnerable
                                  Red Hat - vulnerable
                                  Slackware - appears vulnerable
    MIT-distributed for Athena    vulnerable
    NetBSD                        1.0 - vulnerable
                                  current - not vulnerable
    NEC                           vulnerable
    Open Software Foundation      OSF/1 version 1.3 not vulnerable
    OpenVision                    OpenV*Secure 1.2 - vulnerable
    SCO                           not vulnerable
    SGI                           5.2, 5.3, 6.0.1, 6.1 - vulnerable
    Sony Corp.                    NEWS-OS 6.x - not vulnerable

(2) Workaround.

Until you can install a patch, you can use the workaround provided
below. This wrapper program is meant to be inserted between the
execution of the telnet daemon and the login program. The wrapper
cleans specific variables from the environment before invoking the
real login program.

------------------------cut here--8<------------------------
/*
 * This is a login wrapper that removes all instances of
 * various variables from the environment.
 *
 * Note: this program must be compiled statically to be
 * effective against exploitation.
 *
 * Author:      Lawrence R. Rogers
 *
 * 10/25/95     version 1.1     Original version
 * 10/26/95     version 1.2     ELF_ variables removed (Linux)
 * 10/27/95     version 1.3     ELF_ changed to ELF_LD_
 *                              Added AOUT_LD_ (Linux)
 *
 */
#include <stdio.h>      /* perror */
#include <stdlib.h>     /* exit */
#include <string.h>     /* strncmp */
#include <unistd.h>     /* execve */

#if !defined(_PATH_LOGIN)
# define _PATH_LOGIN    "/bin/login.real"
#endif

int
main (int argc, char **argv, char **envp)
{
    register char **p1, **p2;

    /* Compact envp in place, dropping entries that match a listed prefix. */
    for (p1 = p2 = envp; *p1; p1++) {
        if (strncmp(*p1, "LD_", 3) != 0 &&
            strncmp(*p1, "_RLD", 4) != 0 &&
            strncmp(*p1, "LIBPATH=", 8) != 0 &&
            strncmp(*p1, "ELF_LD_", 7) != 0 &&
            strncmp(*p1, "AOUT_LD_", 8) != 0 &&
            strncmp(*p1, "IFS=", 4) != 0 ) {
            *p2++ = *p1;
        }
    }
    *p2 = 0;
    /* Run the real login program with the cleaned environment. */
    execve(_PATH_LOGIN, argv, envp);
    /* Reached only if execve fails. */
    perror(_PATH_LOGIN);
    exit(1);
}
------------------------cut here--8<------------------------

The following two examples show how to compile the login-wrapper for
SGI's IRIX 5.3 and FreeBSD 2.x systems. The examples move the
distributed login program to a new location and install the wrapper in
the standard location. When executed, the wrapper first cleanses the
environment and then calls the relocated, distributed login program.

Note 1: The wrapper must be compiled statically. On SGI's IRIX system,
        compiling statically requires that the non-shared versions of
        libraries be installed. Consult your system documentation to
        determine how to do this.

Note 2: You may need to change the _PATH_LOGIN variable to define
        where the real login program resides on your system. On some
        systems, login resides in /usr/bin/login.

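Added example (not part of the bulletin and not any vendor's code): the
wrapper above is a deny-list of known loader prefixes, while the
BACKGROUND section describes vendors that stopped trusting the
daemon-supplied environment altogether. The code below runs both policies
over one environment; the allow-list contents, the sample values and the
name XYZ_LOADER_PATH are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Prefixes removed by the bulletin's wrapper, version 1.3. */
static const char *const deny_prefixes[] = {
    "LD_", "_RLD", "LIBPATH=", "ELF_LD_", "AOUT_LD_", "IFS=", NULL
};

/* Assumed allow-list, chosen for illustration only. */
static const char *const allow_names[] = { "TERM", "DISPLAY", "TZ", NULL };

/* Deny-list policy: keep the entry unless it starts with a listed prefix. */
static int keep_denylist(const char *entry)
{
    size_t i;
    for (i = 0; deny_prefixes[i] != NULL; i++)
        if (strncmp(entry, deny_prefixes[i], strlen(deny_prefixes[i])) == 0)
            return 0;
    return 1;
}

/* Allow-list policy: keep only a well-formed NAME=value whose NAME is listed. */
static int keep_allowlist(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t i, n;
    if (eq == NULL || eq == entry)
        return 0;                       /* no '=' or empty name */
    n = (size_t)(eq - entry);
    for (i = 0; allow_names[i] != NULL; i++)
        if (strlen(allow_names[i]) == n &&
            strncmp(entry, allow_names[i], n) == 0)
            return 1;                   /* exact name match, not a prefix */
    return 0;
}

/* Compact envp in place, as the wrapper does; returns the entries kept. */
size_t scrub_env(char **envp, int (*keep)(const char *))
{
    char **in, **out;
    for (in = out = envp; *in != NULL; in++)
        if (keep(*in))
            *out++ = *in;
    *out = NULL;
    return (size_t)(out - envp);
}

/* Constructed sample environment. XYZ_LOADER_PATH is a made-up name that
 * stands in for a loader variable the deny-list does not know about;
 * TERMCAP shares a prefix with TERM but is not on the allow-list. */
static char *const sample[] = {
    "TERM=vt100", "LD_LIBRARY_PATH=/tmp", "_RLD_LIST=/tmp/x.so",
    "IFS=/", "LIBPATH=/tmp", "ELF_LD_LIBRARY_PATH=/tmp",
    "XYZ_LOADER_PATH=/tmp", "TERMCAP=/tmp/cap", "NOEQUALS", NULL
};
#define SAMPLE_LEN (sizeof sample / sizeof sample[0])

/* Scrub a fresh copy of the sample; env must hold SAMPLE_LEN pointers. */
size_t scrub_sample(int use_allowlist, char **env)
{
    memcpy(env, sample, sizeof sample);
    return scrub_env(env, use_allowlist ? keep_allowlist : keep_denylist);
}

int main(void)
{
    char *env[SAMPLE_LEN];
    size_t kept_deny = scrub_sample(0, env);
    size_t kept_allow = scrub_sample(1, env);
    printf("deny-list kept %lu entries, allow-list kept %lu\n",
           (unsigned long)kept_deny, (unsigned long)kept_allow);
    return 0;
}
```

As with the wrapper itself, either filter protects login only when the
filtering program is compiled statically, as Note 1 requires.
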
Compiling for IRIX 5.3
----------------------

# uname -a
IRIX test 5.3 11091812 IP22 mips
# /bin/ls -lL /bin/login
-rwsr-xr-x    1 root     sys        65832 Sep  9 14:24 /bin/login
# /bin/cc -non_shared -O login-wrapper.c -o login-wrapper
# /bin/mv /bin/login /bin/login.real
# /bin/chmod 755 /bin/login.real
# /bin/mv login-wrapper /bin/login
# /bin/chmod 4755 /bin/login
# /bin/chown root /bin/login
# /bin/chgrp sys /bin/login
# /bin/ls -lL /bin/login /bin/login.real
-rwxr-xr-x    1 root     sys        65832 Sep  9 14:24 /bin/login.real
-rwsr-xr-x    1 root     sys       213568 Oct 30 08:42 /bin/login

Compiling for FreeBSD 2.x
-------------------------

# /bin/ls -lg /usr/bin/login
-r-sr-xr-x  1 root  bin  20480 Jun 10 20:00 /usr/bin/login
# /usr/bin/cc -D_PATH_LOGIN=\"/usr/bin/login.real\" -static \
        -O login-wrapper.c -o login-wrapper
# /bin/mv /usr/bin/login /usr/bin/login.real
# /bin/chmod 555 /usr/bin/login.real
# /bin/mv login-wrapper /usr/bin/login
# /bin/chmod 4555 /usr/bin/login
# /usr/sbin/chown root.bin /usr/bin/login
# /bin/ls -lg /usr/bin/login /usr/bin/login.real
-r-sr-xr-x  1 root  bin  24885 Oct 25 22:14 /usr/bin/login
-r-xr-xr-x  1 root  bin  20480 Jun 10 20:00 /usr/bin/login.real

Note that you may need to change the _PATH_LOGIN variable to define
where the real login program resides on your system.

The following example shows how this wrapper is installed on a
SunOS 4.1.X system. Notice especially that the wrapper must be
compiled statically.

# /bin/ls -lg /bin/login
-rwsr-xr-x  1 root     wheel       24576 Oct 23  1991 /bin/login
# /usr/ucb/cc -Bstatic -O login-wrap.c -o login-wrap
# /bin/mv /bin/login /bin/login.real
# /bin/chmod 755 /bin/login.real
# /bin/mv login-wrap /bin/login
# /bin/chmod 4755 /bin/login
# /bin/chown root.wheel /bin/login
# /bin/ls -lg /bin/login /bin/login.real
-rwxr-xr-x  1 root     wheel       24576 Oct 23  1991 /bin/login.real
-rwsr-xr-x  1 root     wheel       32768 Oct 25  1995 /bin/login

(3) If you have installed a previous version of Mr. Borman's Telnet
package, note that he has fixed this problem in the version available
at the following location:

    ftp://ftp.cray.com/src/telnet/telnet.95.10.19.NE.tar.Z

    MD5 checksum 2e14879a5b0aa6dd855a17fa8a3086cf

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ASSIST would like to thank the CERT Coordination Center for
information contained in this bulletin.
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

ASSIST is an element of the Defense Information Systems Agency (DISA),
Center for Information Systems Security (CISS), that provides service
to the entire DoD community. Constituents of the DoD with questions
about ASSIST or computer security issues can contact ASSIST using one
of the methods listed below. Non-DoD organizations/institutions,
contact the Forum of Incident Response and Security Teams (FIRST)
representative. To obtain a list of FIRST member organizations and
their constituencies, send an email to docserver@first.org with an
empty "subject" line and a message body containing the line
"send first-contacts".

ASSIST Information Resources: To be included in the distribution list
for the ASSIST bulletins, send your Milnet (Internet) e-mail address
to assist-request@assist.mil. Back issues of ASSIST bulletins, and
other security related information, are available from the ASSIST BBS
at 703-607-4710, 327-4710, and through anonymous FTP from assist.mil
(IP address 199.211.123.11). Note: assist.mil will only accept
anonymous FTP connections from Milnet addresses that are registered
with the NIC or DNS. If your system is not registered, you must
provide your MILNET IP address to ASSIST before access can be
provided.

ASSIST Contact Information:
PHONE: 800-357-4231, COMM 703-607-4700, DSN 327-4700.
ELECTRONIC MAIL: assist@assist.mil.
ASSIST BBS: COMM 703-607-4710, DSN 327-4710, leave a message for the
"sysop".
FAX: COMM 703-607-4735, DSN 607-4735

ASSIST uses Pretty Good Privacy (PGP) 2.6.2 as the digital signature
mechanism for bulletins. PGP 2.6.2 incorporates the RSAREF(tm)
Cryptographic Toolkit under license from RSA Data Security, Inc. A
copy of that license is available via anonymous FTP from
net-dist.mit.edu (IP 18.72.0.3) in the file /pub/PGP/rsalicen.txt, and
through the world wide web from http://net-dist.mit.edu/pgp.html. In
accordance with the terms of that license, PGP 2.6.2 may be used for
non-commercial purposes only. Instructions for downloading the PGP
2.6.2 software can also be obtained from net-dist.mit.edu in the
pub/PGP/README file. PGP 2.6.2 and RSAREF may be subject to the export
control laws of the United States of America as implemented by the
United States Department of State Office of Defense Trade Controls.
The PGP signature information will be attached to the end of ASSIST
bulletins.

Reference herein to any specific commercial product, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
constitute or imply its endorsement, recommendation, or favoring by
ASSIST. The views and opinions of authors expressed herein shall not
be used for advertising or product endorsement purposes.

APPENDIX.  Vendor Information

Current as of November 1, 1995

Apple Computer, Inc.
--------------------
Apple's A/UX is not vulnerable.

Berkeley Software Design, Inc.
------------------------------
BSDI's BSD/OS is not vulnerable.

Cray Research, Inc.
-------------------
Cray's UNICOS is not vulnerable.

CYGNUS Network Security V4 Free Network Release
-----------------------------------------------
cns-95q1 is vulnerable. cns-95q4 is not vulnerable.

Customers can use the following URL to obtain the patch:

    http://www.cygnus.com/data/cns/telnetdpatch.html

If customers are unable to obtain the patch in this manner or have any
questions, send e-mail to kerbask@cygnus.com.

Note that while the URL and patch are already available, there is no
link to the page yet. We will add a link once the announcement has
been made.

Data General Corporation
------------------------
Data General believes the DG/UX operating system to be NOT vulnerable
to this problem. This includes all supported releases, DG/UX 5.4
Release 3.00, DG/UX 5.4 Release 3.10, DG/UX Release 4.10 and all
related Trusted DG/UX releases.

Specifically, telnetd shipped in DG/UX does not support environment
options and does not support RFC 1572.

Digital Equipment Corporation
-----------------------------
Digital's OSF/1:  vulnerable
Digital's ULTRIX: not vulnerable

Digital has corrected this potential vulnerability. Patches containing
new images for Digital's OSF/1 platforms are being provided to your
normal Digital Support channels beginning October 31 (U.S. time).
The kits may be identified as ECO SSRT0367 (telnetd) for DEC OSF/1
V2.0 thru V3.2c

This potential vulnerability is not present on Digital's ULTRIX
systems.

Digital distribution of this announcement will be via AES services
(DIA, DSNlink FLASH etc.). Digital Equipment Corporation strongly
urges Customers to upgrade to a minimum of DEC OSF/1 V3.0, then apply
this patch.

FreeBSD
-------
Vulnerable. A patch has been applied to the current development
FreeBSD source tree which is not yet released. This patch is slightly
modified compared to the posted one, i.e. only variables which affect
FreeBSD are disabled. It is a telnetd patch, not a login wrapper.

For the official patch location, please contact:

    Jordan Hubbard

Harris
------
Harris Computer Systems Corporation's Night Hawk is not vulnerable.

Hewlett-Packard Company
-----------------------
HP/UX is not vulnerable.

Linux (freely available software; not a vendor)
-----
Debian GNU/Linux (From "Peter Tobias"):

The current version of the Debian GNU/Linux distribution (released
10/27/95) is not vulnerable anymore. All Debian Installations that use
a netstd package version prior to v1.21-1 are vulnerable (telnetd is
part of the netstd package). netstd-1.21-1 and above are ok.

Patches are available. Peter fixed the bug last week and uploaded the
fixed version to our ftp site (ftp.debian.org). Binaries, sources and
the diffs against the bsd telnetd can be found there. The URL for the
new binary package is:

    ftp://ftp.debian.org/debian/debian-0.93/binary/net/netstd-1.21-1.deb

and the sources and the diff against the bsd telnetd can be found at:

    ftp://ftp.debian.org/debian/debian-0.93/source/net/netstd-1.21-1/telnetd.tar.gz
    ftp://ftp.debian.org/debian/debian-0.93/source/net/netstd-1.21-1/telnetd.diff.gz

Red Hat Linux (From Erik Troan):

Vulnerable.
A fix is now available at:

    ftp://ftp.redhat.com/pub/redhat-2.0/updates/NetKit-B-0.06-4.i386.rpm
    ftp://ftp.pht.com/pub/linux/redhat/redhat-2.0/updates/NetKit-B-0.06-4.i386.rpm

It will also be fixed in the upcoming Red Hat 2.1 release.

Slackware Linux (Alan Cox):

The telnetd distributed with Slackware Linux appears to be vulnerable,
although it has not been verified.

MIT-distributed Athena telnet/telnet95
--------------------------------------
Vulnerable. Patches available in:

    ftp://aeneas.mit.edu/pub/kerberos/telnet-patch/

beta4-3.patch is the patch versus the Beta 4 patchlevel 3 distribution
of Kerberos v5.

beta5.patch is the patch versus the Beta 5 distribution of Kerberos V5.

Both patches have been PGP signed by Ted Ts'o using detached
signatures (beta4-3.patch.sig and beta5.patch.sig).

NetBSD
------
NetBSD 1.0 (the last official release) is vulnerable; NetBSD 1.1 (due
out in mid-November) will not be. NetBSD-current is not vulnerable, as
of a week or so ago.

Patches: A source form patch has been developed. A core team member
will have to make source and binary patches available and provide a
location for it.

The login-wrapper given in the advisory can be compiled with NetBSD
with:

    cc -o login-wrapper login-wrapper.c

NEC Corporation
---------------
Some NEC systems are vulnerable.
Here is their vulnerability matrix:

OS                  Version       Status
------------------  ------------  -------------------------------------
EWS-UX/V(Rel4.0)    R1.x - R6.x   not vulnerable
EWS-UX/V(Rel4.2)    R7.x - R10.x  not vulnerable
EWS-UX/V(Rel4.2MP)  R10.x         vulnerable
                                  patch available by the end of Nov, 1995
UP-UX/V             R2.x - R4.x   not vulnerable
UP-UX/V(Rel4.2MP)   R5.x - R7.x   vulnerable
                                  patch available by the end of Nov, 1995
UX/4800             R11.x         vulnerable
                                  patch available by the end of Nov, 1995
--------------------------------------------------------------------------
Contacts for further information:
E-mail:UX48-security-support@nec.co.jp

Open Software Foundation
------------------------
OSF/1 version 1.3 is not vulnerable.

OpenVision
----------
This is from: Barry Jaspan:

OpenVision has a patch for the telnetd in OpenV*Secure 1.2 and will
contact its customers directly.

SCO
---
Not believed to be vulnerable.

Silicon Graphics
----------------
IRIX 5.2, 5.3, 6.0.1, and 6.1 are vulnerable.

SGI acknowledges the telnetd vulnerability reported by MIT and is
currently investigating. No further information is available at this
time.

As further information becomes available, additional advisories will
be issued.

SGI Security Information/Contacts:

For obtaining security information, patches or assistance, please
contact your SGI support provider.

If there are questions about this document, email can be sent to
cse-security-alert@csd.sgi.com.

For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com.

Sony Corporation
----------------
Sony's NEWS-OS 6.x is not vulnerable.

****************************************************************************
*                                                                          *
*    The point of contact for NIPRNET security-related incidents is the    *
*    Security Coordination Center (SCC).                                   *
*                                                                          *
*               E-mail address: SCC@NIC.DDN.MIL                            *
*                                                                          *
*               Telephone: 1-(800)-365-3642                                *
*                                                                          *
*    NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,   *
*    Monday through Friday except on federal holidays.                     *
*                                                                          *
****************************************************************************

PLEASE NOTE: Some users outside of the DOD computing communities may
receive DISN Security Bulletins. If you are not part of the DOD
community, please contact your agency's incident response team to
report incidents. Your agency's team will coordinate with DOD. The
Forum of Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained by sending email to docserver@first.org
with an empty subject line and a message body containing the line:
send first-contacts.

This document was prepared as a service to the DOD community. Neither
the United States Government nor any of their employees, makes any
warranty, expressed or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, product, or process disclosed, or represents that its use
would not infringe privately owned rights. Reference herein to any
specific commercial products, process, or service by trade name,
trademark, manufacturer, or otherwise, does not necessarily constitute
or imply its endorsement, recommendation, or favoring by the United
States Government. The opinions of the authors expressed herein do not
necessarily state or reflect those of the United States Government,
and shall not be used for advertising or product endorsement purposes.