1995-01-27 - CIAC Bulletin F-09: Unix /bin/mail Vulnerability (fwd)
Header Data
From: Mike Acklin <hroller@metronet.com>
To: cypherpunks@toad.com
Message Hash: eaaf4fe68b6eb4ce02c163ca3444b3fefdc230dd39d8b1ee3965702adf4b06ad
Message ID: <Pine.HPP.3.90.950127160855.15913A-100000@fohnix.metronet.com>
Reply To: N/A
UTC Datetime: 1995-01-27 22:09:24 UTC
Raw Date: Fri, 27 Jan 95 14:09:24 PST
Raw message
From: Mike Acklin <hroller@metronet.com>
Date: Fri, 27 Jan 95 14:09:24 PST
To: cypherpunks@toad.com
Subject: CIAC Bulletin F-09: Unix /bin/mail Vulnerability (fwd)
Message-ID: <Pine.HPP.3.90.950127160855.15913A-100000@fohnix.metronet.com>
MIME-Version: 1.0
Content-Type: text/plain
Just got this in the mail and thought I would share it with all of you...
---------- Forwarded message ----------
Date: Fri, 27 Jan 1995 11:16:55 -0800
From: Steve Weeber <weeber@eek.llnl.gov>
To: hroller@metronet.com
Subject: CIAC Bulletin F-09: Unix /bin/mail Vulnerability
_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
_____________________________________________________
INFORMATION BULLETIN
Unix /bin/mail Vulnerabilities
January 27, 1995 1030 PST Number F-09
_____________________________________________________________________________
PROBLEM: The Unix /bin/mail utility contains security vulnerabilities.
PLATFORMS: DEC OSF/1 1.2, 1.3, and 2.0
DEC Ultrix 4.3, 4.3A, and 4.4
SCO Unix System V/386 Release 3.2 OS Version 4.2
SCO Open Desktop Lite Release 3.0
SCO Open Desktop Release 3.0
SCO Open Server Enterprise System Release 3.0
SCO Open Server Network System Release 3.0
Solbourne OS4.1x
SunOS 4.x
DAMAGE: Local users may gain privileged (root) access.
SOLUTION: Apply appropriate vendor patch as described below.
_____________________________________________________________________________
VULNERABILITY The vulnerabilities in the /bin/mail program have been openly
ASSESSMENT: discussed in several Internet forums, and automated scripts
exploiting the vulnerabilities have been widely distributed.
These tools have been used in many recent attacks. CIAC
recommends sites install these patches as soon as possible.
_____________________________________________________________________________
Critical Information about Unix /bin/mail Vulnerabilities
The /bin/mail utility on several Unix versions based on BSD 4.3 Unix contain
a security vulnerability. The vulnerability is the result of race conditions
that exist during the delivery of messages to local users. These race
conditions will allow intruders to create or modify files on the system,
resulting in privileged access to the system.
Below is a summary of systems known to be either vulnerable or not
vulnerable. If your vendor's name is not listed, please contact the vendor
or CIAC for more information.
Vendor or Source Status
---------------- ------------
Apple Computer, Inc. Not vulnerable
Berkeley SW Design, Inc. (BSDI) Not vulnerable
Cray Research, Inc. Not vulnerable
Data General Corp. Not vulnerable
Digital Equipment Corp. Vulnerable
FreeBSD Not vulnerable
Harris Not vulnerable
IBM Not vulnerable
NetBSD Not vulnerable
NeXT, Inc. Not vulnerable
Pyramid Not vulnerable
The Santa Cruz Operation (SCO) Vulnerable
Solbourne (Grumman) Vulnerable
Sun Microsystems, Inc. SunOS 4.x vulnerable
Solaris 2.x not vulnerable
Patch Information
-----------------
DEC The /bin/mail patch is a part of a comprehensive Security
Enhanced Kit that addresses other security problems as well.
This kit was released on May 17, 1994 and was described in
DEC Security Advisory #0505 and CIAC Notes 94-03.
OSF/1 users should upgrade to a minimum of version 2.0 and
install Security Enhanced Kit CSCPAT_4061 v1.0. Ultrix users
should upgrade to at least version 4.4 and install Security
Enhanced Kit CSCPAT_4060 v1.0.
Both kits are available from your Digital support channel or
electronically by request via DSNlink.
SCO Vulnerabilities in SCO's /bin/mail utility are removed by
applying SCO's Support Level Supplement (SLS) uod392a. It is
available via anonymous FTP from ftp.sco.com in the /SLS
directory:
Description Filename MD5 Checksum
------------ ------------- --------------------------------
Disk image uod392a.Z 2c26669d89f61174f751774115f367a5
Cover letter uod392a.ltr.Z 52db39424d5d23576e065af2b80aee49
Solbourne Grumman System Support Corporation now performs all Solbourne
software and hardware support. Please contact them for
further information:
E-mail: support@nts.gssc.com
Phone: 1-800-447-2861
FTP: ftp.nts.gssc.com
Sun Sun has made patches available to remove vulnerabilities in
/bin/mail. These patches address all vulnerabilities CIAC has
seen exploited to date, and CIAC recommends they be installed.
However, the patches will be updated again in the near future
to remove additional vulnerabilities that have recently come
to light. CIAC will announce the availability of the new
patches when they are released.
The patches may be obtained from your local Sun Answer Center
or through anonymous FTP from sunsolve1.sun.com in the
/pub/patches directory:
SunOS Filename MD5 Checksum
------- --------------- --------------------------------
4.1.x 100224-13.tar.Z 90a507017a1a40c4622b3f1f00ce5d2d
4.1.3U1 101436-08.tar.Z 0e64560edc61eb4b3da81a932e8b11e1
Alternative Solution
--------------------
For those sites unable to obtain a vendor patch for a vulnerable version of
/bin/mail, a replacement package called mail.local has been developed and
made freely available on the Internet. The /bin/mail program is relatively
complex software, serving both as a mail delivery agent and a user interface,
allowing users to send and read E-mail messages. Complex system software,
like /bin/mail, is more likely to exhibit security vulnerabilities.
The mail.local package was written to perform only one task: the delivery
of mail to local users. It is comparatively small, and the code has been
examined carefully by experts in the security community. While it has not
been formally evaluated, it is probable that mail.local addresses all
vulnerabilities currently being exploited in /bin/mail.
For more information, see the file README in the directory
ftp://coast.cs.purdue.edu/pub/tools/unix/mail.local/.
_____________________________________________________________________________
CIAC wishes to acknowledge the contributions of the CERT Coordination
Center in the construction of this bulletin.
_____________________________________________________________________________
For emergencies and off-hour assistance, DOE and DOE contractor sites can
contact CIAC 24-hours a day via an integrated voicemail and SKYPAGE number.
To use this service, dial 1-510-422-8193 or 1-800-759-7243 (SKYPAGE). The
primary SKYPAGE PIN number, 8550070 is for the CIAC duty person. A second
PIN, 8550074 is for the CIAC Project Leader. CIAC's FAX number is
510-423-8002, and the STU-III number is 510-423-2604. Send E-mail to
ciac@llnl.gov.
Previous CIAC notices, anti-virus software, and other information are
available on the Internet via anonymous FTP from ciac.llnl.gov (IP address
128.115.19.53).
CIAC has several self-subscribing mailing lists for electronic publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
information, and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
software updates, new features, distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the use of
SPI products.
Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send requests of the following form:
subscribe list-name LastName, FirstName PhoneNumber
as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES,
SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for
"LastName" "FirstName" and "PhoneNumber." Send to: ciac-listproc@llnl.gov
not to: ciac@llnl.gov
e.g.,
subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36
subscribe ciac-bulletin O'Hara, Scarlett 404-555-1212 x36
You will receive an acknowledgment containing address and initial PIN, and
information on how to change either of them, cancel your subscription, or get
help.
_____________________________________________________________________________
PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations
and their constituencies can be obtained by sending E-mail to
first-request@first.org with an empty subject line and a message body
containing the line: send first-contacts.
This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.
Thread
Return to January 1995
Return to “Mike Acklin <hroller@metronet.com>”
1995-01-27 (Fri, 27 Jan 95 14:09:24 PST) - CIAC Bulletin F-09: Unix /bin/mail Vulnerability (fwd) - Mike Acklin <hroller@metronet.com>