From: John Young <jya@pipeline.com>
To: cypherpunks@toad.com
Message Hash: 91efeb829f79092ff6e27f09295fd4c829c51694708521c51a8759d9933fae4f
Message ID: <199502071758.MAA14611@pipe3.pipeline.com>
Reply To: N/A
UTC Datetime: 1995-02-07 17:58:40 UTC
Raw Date: Tue, 7 Feb 95 09:58:40 PST
From: John Young <jya@pipeline.com>
Date: Tue, 7 Feb 95 09:58:40 PST
To: cypherpunks@toad.com
Subject: CIAC Bulletin F-10: HP-UX Remote Watch
Message-ID: <199502071758.MAA14611@pipe3.pipeline.com>
MIME-Version: 1.0
Content-Type: text/plain
[Reformated for mailing by <jya@pipeline.com>.]
Sender: ciac-bulletin@cheetah.llnl.gov
Subject: CIAC Bulletin F-10: HP-UX Remote Watch
_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
_____________________________________________________
INFORMATION BULLETIN
HP-UX Remote Watch
February 6, 1995 1200 PST Number F-10
_________________________________________________________
PROBLEM: Security vulnerabilities in HP-UX Remote
Watch can be used to increase access
privileges of users.
PLATFORMS: HP 9000 series 300/400s and 700/800s, for
HP-UX versions 8.x and 9.x
DAMAGE: User can increase their access privileges.
SOLUTION: Apply appropriate vendor patch as described
below.
_________________________________________________________
VULNERABILITY
ASSESSMENT: The security vulnerability in HP-UX Remote
Watch can be used to increase a user's
access privileges which may result in
system compromise. CIAC urges affected
sites to install install the appropriate
secuirty patch as soon as possible.
_________________________________________________________
Critical Information about HP-UX Remote Watch
CIAC has obtained information from Hewlett Packard
regarding a new security vulnerability in Remote Watch
contained in the WATCH-RUN fileset for releases of HP-UX.
Appendix I provides detailed patch information for the HP
Remote Watch vulnerability.
The document /pub/ciac/bulletin/f-fy95/hppatchs.txt has
been updated to reflect this bulletin. The hppatchs.txt
document contains the entire list of all HP Bulletins and
patches and is available on our FTP server ciac.llnl.gov.
HP has an automatic server to allow patches and other
security information to be retrieved over the Internet. To
utilize this server, send an e-mail message to
support@support.mayfield.hp.com. The subject line of the
message is ignored and the body (text) of the message
should contain the words
send XXXX
where XXXX is the identifier for the information you want
retrieved. For example, to retrieve the patch PHSS_4834,
the message would be "send PHSS_4834".
Other information that can be retrieved include the HP
SupportLine mail service user's guide (send guide.txt), the
readme file for a patch and the original HP bulletin (send
doc HPSBUX9501-020).
HP also has a World Wide Web server to browse and retrieve
bulletins and patches. To utilize this server, use a WWW
client and connect to http://support.mayfield.hp.com.
IMPORTANT NOTE: Hewlett Packard updates patches
periodically. These updates are not reflected in the text
of each HP bulletin. The overview presented here contains
current information on the patches available at the time of
the release of this CIAC bulletin. If you request an
updated patch, when you try to retrieve the patch you will
receive a message stating that the patch is obsolete and
the name of the patch which supersedes it.
Hewlett Packard has made sum and MD5 checksums available
for their patches and for their security bulletins. See
the detailed explanation for HPSBUX9408-016 in CIAC
bulletin F-02 for information on how to access and utilize
these checksums.
_________________________________________________________
CIAC wishes to thank Hewlett Packard for the information
contained in this bulletin.
_________________________________________________________
CIAC is the computer security incident response team for
the U.S. Department of Energy. Services are available free
of charge to DOE and DOE contractors.
DOE and DOE contractor sites can contact CIAC at:
Voice: 510-422-8193
FAX: 510-423-8002
STU-III: 510-423-2604
E-mail: ciac@llnl.gov
Previous CIAC notices, anti-virus software, and other
information are available on the Internet via anonymous FTP
from ciac.llnl.gov (IP address 128.115.19.53).
CIAC has several self-subscribing mailing lists for
electronic publications:
1. CIAC-BULLETIN for Advisories, highest priority - time
critical information, and Bulletins, important
computer security information;
2. CIAC-NOTES for Notes, a collection of computer
security articles;
3. SPI-ANNOUNCE for official news about Security Profile
Inspector (SPI) software updates, new features,
distribution and availability;
4. SPI-NOTES, for discussion of problems and solutions
regarding the use of SPI products.
Our mailing lists are managed by a public domain software
package called ListProcessor, which ignores E-mail header
subject lines. To subscribe (add yourself) to one of our
mailing lists, send requests of the following form:
subscribe list-name LastName, FirstName PhoneNumber
as the E-mail message body, substituting CIAC-BULLETIN,
CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for "list-name" and
valid information for "LastName" "FirstName" and
"PhoneNumber." Send to: ciac-listproc@llnl.gov not to:
ciac@llnl.gov
e.g.,
subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36
subscribe ciac-bulletin O'Hara, Scarlett 404-555-1212 x36
You will receive an acknowledgment containing address and
initial PIN, and information on how to change either of
them, cancel your subscription, or get help.
_________________________________________________________
PLEASE NOTE: Many users outside of the DOE and ESnet
computing communities receive CIAC bulletins. If you are
not part of these communities, please contact your agency's
response team to report incidents. Your agency's team will
coordinate with CIAC. The Forum of Incident Response and
Security Teams (FIRST) is a world-wide organization. A list
of FIRST member organizations and their constituencies can
be obtained by sending E-mail to first-request@first.org
with an empty subject line and a message body containing
the line: send first-contacts.
This document was prepared as an account of work sponsored
by an agency of the United States Government. Neither the
United States Government nor the University of California
nor any of their employees, makes any warranty, expressed
or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or
usefulness of any information, product, or process
disclosed, or represents that its use would not infringe
privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name,
trademark manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation, or
favoring by the United States Government or the University
of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the
United States Government nor the University of California,
and shall not be used for advertising or product
endorsement purposes.
_________________________________________________________
Appendix I: Details of HP-UX Remote Watch Bulletin
HPSBUX9510-020: HP-UX Remote Watch dated January 31, 1995
This vulnerability can allow users to increase their access
privileges which may result in system compromise. All HP
300/400 and 700/800 series machines running HP-UX 8.x or
9.x which have Remote Watch installed are affected.
The patch to install depends on which operating system
version and machine series you are currently using. Use
the following table to determine which patch to retrieve
and install:
Operating System Series Apply patch
HP-UX 8.x 800 PHSS_5185
HP-UX 9.x 800 PHSS_5136
HP-UX 8.x 700 PHSS_5180
HP-UX 9.x 700 PHSS_5107
HP-UX 8.x 300/400 PHSS_5168
HP-UX 9.x 300/400 PHSS_5120
Obtain necessary patches, and install per the installation
instructions included with the patches.
After the patch is installed, be sure to examine
/tmp/update.log for any relevant WARNINGs or ERRORs. This
can be done by typing "tail -60 /tmp/update.log | more",
then paging through the screens via the space bar, looking
for WARNING or ERROR messages.
[END]
Return to February 1995
Return to “John Young <jya@pipeline.com>”