From: John Young <jya@pipeline.com>
Date: Tue, 7 Feb 95 09:58:40 PST
To: cypherpunks@toad.com
Subject: CIAC Bulletin F-10:  HP-UX Remote Watch
Message-ID: <199502071758.MAA14611@pipe3.pipeline.com>
MIME-Version: 1.0
Content-Type: text/plain


   [Reformated for mailing by <jya@pipeline.com>.]


   Sender: ciac-bulletin@cheetah.llnl.gov
   Subject: CIAC Bulletin F-10: HP-UX Remote Watch


       _____________________________________________________
                   The U.S. Department of Energy
               Computer Incident Advisory Capability
                     ___  __ __    _     ___
                    /       |     /_\   /
                    \___  __|__  /   \  \___
       _____________________________________________________

                       INFORMATION BULLETIN

                        HP-UX Remote Watch


   February 6, 1995 1200 PST                     Number F-10
   _________________________________________________________

   PROBLEM:       Security vulnerabilities in HP-UX Remote
                  Watch can be used to increase access
                  privileges of users.

   PLATFORMS:     HP 9000 series 300/400s and 700/800s, for
                  HP-UX versions 8.x and 9.x

   DAMAGE:        User can increase their access privileges.

   SOLUTION:      Apply appropriate vendor patch as described
                  below.
   _________________________________________________________

   VULNERABILITY
   ASSESSMENT:    The security vulnerability in HP-UX Remote
                  Watch can be used to increase a user's
                  access privileges which may result in
                  system compromise.  CIAC urges affected
                  sites to install install the appropriate
                  secuirty patch as soon as possible.
   _________________________________________________________

        Critical Information about HP-UX Remote Watch

   CIAC has obtained information from Hewlett Packard
   regarding a new security vulnerability in Remote Watch
   contained in the WATCH-RUN fileset for releases of HP-UX. 
   Appendix I provides detailed patch information for the HP
   Remote Watch vulnerability.


   The document /pub/ciac/bulletin/f-fy95/hppatchs.txt has
   been updated to reflect this bulletin.  The hppatchs.txt
   document contains the entire list of all HP Bulletins and
   patches and is available on our FTP server ciac.llnl.gov.


   HP has an automatic server to allow patches and other
   security information to be retrieved over the Internet.  To
   utilize this server, send an e-mail message to
   support@support.mayfield.hp.com.  The subject line of the
   message is ignored and the body (text) of the message
   should contain the words


   send XXXX


   where XXXX is the identifier for the information you want
   retrieved.  For example, to retrieve the patch PHSS_4834,
   the message would be "send PHSS_4834".


   Other information that can be retrieved include the HP
   SupportLine mail service user's guide (send guide.txt), the
   readme file for a patch and the original HP bulletin (send
   doc HPSBUX9501-020).


   HP also has a World Wide Web server to browse and retrieve
   bulletins and patches.  To utilize this server, use a WWW
   client and connect to http://support.mayfield.hp.com.


   IMPORTANT NOTE: Hewlett Packard updates patches
   periodically.  These updates are not reflected in the text
   of each HP bulletin.  The overview presented here contains
   current information on the patches available at the time of
   the release of this CIAC bulletin.  If you request an
   updated patch, when you try to retrieve the patch you will
   receive a message stating that the patch is obsolete and
   the name of the patch which supersedes it.


   Hewlett Packard has made sum and MD5 checksums available
   for their patches and for their security bulletins.  See
   the detailed explanation for HPSBUX9408-016 in CIAC
   bulletin F-02 for information on how to access and utilize
   these checksums.

   _________________________________________________________

   CIAC wishes to thank Hewlett Packard for the information
   contained in this bulletin.
   _________________________________________________________

   CIAC is the computer security incident response team for
   the U.S. Department of Energy.  Services are available free
   of charge to DOE and DOE contractors.


   DOE and DOE contractor sites can contact CIAC at:

        Voice:   510-422-8193
        FAX:     510-423-8002
        STU-III: 510-423-2604
        E-mail:  ciac@llnl.gov


   Previous CIAC notices, anti-virus software, and other
   information are available on the Internet via anonymous FTP
   from ciac.llnl.gov (IP address 128.115.19.53).


   CIAC has several self-subscribing mailing lists for
   electronic publications:

   1.   CIAC-BULLETIN for Advisories, highest priority - time
        critical information, and Bulletins, important
        computer security information;

   2.   CIAC-NOTES for Notes, a collection of computer
        security articles;

   3.   SPI-ANNOUNCE for official news about Security Profile
        Inspector (SPI) software updates, new features,
        distribution and availability;

   4.   SPI-NOTES, for discussion of problems and solutions
        regarding the use of SPI products.


   Our mailing lists are managed by a public domain software
   package called ListProcessor, which ignores E-mail header
   subject lines. To subscribe (add yourself) to one of our
   mailing lists, send requests of the following form:


   subscribe list-name LastName, FirstName PhoneNumber


   as the E-mail message body, substituting CIAC-BULLETIN,
   CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for "list-name" and
   valid information for "LastName" "FirstName" and
   "PhoneNumber."  Send to: ciac-listproc@llnl.gov not to:
   ciac@llnl.gov


   e.g.,

   subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36

   subscribe ciac-bulletin O'Hara, Scarlett 404-555-1212 x36


   You will receive an acknowledgment containing address and
   initial PIN, and information on how to change either of
   them, cancel your subscription, or get help.
   _________________________________________________________

   PLEASE NOTE: Many users outside of the DOE and ESnet
   computing communities receive CIAC bulletins. If you are
   not part of these communities, please contact your agency's
   response team to report incidents. Your agency's team will
   coordinate with CIAC. The Forum of Incident Response and
   Security Teams (FIRST) is a world-wide organization. A list
   of FIRST member organizations and their constituencies can
   be obtained by sending E-mail to first-request@first.org
   with an empty subject line and a message body containing
   the line: send first-contacts.


   This document was prepared as an account of work sponsored
   by an agency of the United States Government. Neither the
   United States Government nor the University of California
   nor any of their employees, makes any warranty, expressed
   or implied, or assumes any legal liability or
   responsibility for the accuracy, completeness, or
   usefulness of any information, product, or process
   disclosed, or represents that its use would not infringe
   privately owned rights. Reference herein to any specific
   commercial products, process, or service by trade name,
   trademark manufacturer, or otherwise, does not necessarily
   constitute or imply its endorsement, recommendation, or
   favoring by the United States Government or the University
   of California. The views and opinions of authors expressed
   herein do not necessarily state or reflect those of the
   United States Government nor the University of California,
   and shall not be used for advertising or product
   endorsement purposes.

   _________________________________________________________

        Appendix I:  Details of HP-UX Remote Watch Bulletin


   HPSBUX9510-020: HP-UX Remote Watch dated January 31, 1995


   This vulnerability can allow users to increase their access
   privileges which may result in system compromise.  All HP
   300/400 and 700/800 series machines running HP-UX 8.x or
   9.x which have Remote Watch installed are affected.


   The patch to install depends on which operating system
   version and machine series you are currently using.  Use
   the following table to determine which patch to retrieve
   and install:


   Operating System      Series    Apply patch

   HP-UX 8.x             800       PHSS_5185
   HP-UX 9.x             800       PHSS_5136
   HP-UX 8.x             700       PHSS_5180
   HP-UX 9.x             700       PHSS_5107
   HP-UX 8.x             300/400   PHSS_5168
   HP-UX 9.x             300/400   PHSS_5120


   Obtain necessary patches, and install per the installation
   instructions included with the patches.


   After the patch is installed, be sure to examine
   /tmp/update.log for any relevant WARNINGs or ERRORs.  This
   can be done by typing "tail -60 /tmp/update.log | more",
   then paging through the screens via the space bar, looking
   for WARNING or ERROR messages.


   [END]