_______________________________________________________

             The Computer Incident Advisory Capability

                       ___  __ __    _     ___
                      /       |     / \   /
                      \___  __|__  /___\  \___
_____________________________________________________

                       Information Bulletin

              Novell NetWare LOGIN.EXE Security Patch

September 7, 1993 1140 PDT                                  Number D-21
________________________________________________________________________

PROBLEM:   A security vulnerability has been discovered in the login
           procedure of NetWare 4.x.
PLATFORM:  PC/MS-DOS with Novell NetWare 4.x
DAMAGE:    User accounts may be readily compromised.
SOLUTION:  Obtain and install replacement LOGIN.EXE v4.02.
________________________________________________________________________

            Critical Facts about the LOGIN.EXE vulnerability

CIAC has learned of a vulnerability within Novell's LOGIN.EXE program
which can allow compromise of user accounts. This vulnerability affects
NetWare 4.x only, and does not affect NetWare 2.x, 3.x, or NetWare for
Unix. Operation of the vulnerable LOGIN.EXE may cause the inadvertent
compromise of a user's name and password. Further details of this
vulnerability are contained in the text file included with the patch.

The patch (LOGIN.EXE) and text file (SECLOG.TXT) are created by
executing the distribution file SECLOG.EXE, a self-extracting archive.
After extracting the files, the dir command should produce the
following output:

          SECLOG   EXE    166276 xx-xx-xx  xx:xxx
          LOGIN    EXE    354859 08-25-93  11:43a
          SECLOG   TXT      5299 09-02-93  11:16a

To install the patch, follow the directions contained in the text file
SECLOG.TXT, and then instruct all your users to change their passwords.
CIAC recommends that you replace your current LOGIN.EXE with the
security enhanced version as soon as possible.

This patch is available via anonymous FTP as SECLOG.EXE on
irbis.llnl.gov in the ~pub/ciac/pcvirus directory, and on CIAC's
bulletin board Felicia. It can also be retrieved via anonymous FTP from
first.org in the ~pub/software directory.
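The bulletin asks administrators to compare the extracted files against the dir listing above before installing. The following Python script, added here as an example and not part of the CIAC bulletin or Novell's distribution, parses a DOS-style dir listing and reports any expected file that is missing or whose size differs from the sizes the bulletin gives; the sample listing it checks is constructed, not captured from a real system.

```python
import re
from typing import Dict, List, Tuple

# File sizes taken from the bulletin's expected 'dir' output.
EXPECTED_SIZES: Dict[str, int] = {
    "SECLOG.EXE": 166276,
    "LOGIN.EXE": 354859,
    "SECLOG.TXT": 5299,
}

# One DOS 'dir' file entry: NAME EXT SIZE DATE TIME. Volume/header,
# <DIR> and "n file(s)" total lines do not fit this shape and are skipped.
_DIR_ENTRY = re.compile(
    r"^\s*(?P<name>[A-Z0-9_$~!#%&-]{1,8})\s+(?P<ext>[A-Z0-9_$~!#%&-]{1,3})"
    r"\s+(?P<size>\d+)\s+\S+\s+\S+",
    re.IGNORECASE,
)

def parse_dir_listing(text: str) -> Dict[str, int]:
    """Map NAME.EXT (upper-cased) to its size in bytes for each file entry."""
    files: Dict[str, int] = {}
    for line in text.splitlines():
        m = _DIR_ENTRY.match(line)
        if m:
            files[f"{m['name']}.{m['ext']}".upper()] = int(m["size"])
    return files

def check_patch_files(listing: str, expected=EXPECTED_SIZES) -> List[Tuple[str, str]]:
    """Return (filename, problem) pairs; an empty list means every expected
    file is present with the size the bulletin advertises."""
    found = parse_dir_listing(listing)
    problems: List[Tuple[str, str]] = []
    for name, size in expected.items():
        if name not in found:
            problems.append((name, "missing"))
        elif found[name] != size:
            problems.append((name, f"size {found[name]} != expected {size}"))
    return problems

# Constructed sample listing (not captured from a real system).
LISTING_OK = """\
 Volume in drive C has no label
 Directory of C:\\PATCH
SECLOG   EXE    166276 09-02-93  11:20a
LOGIN    EXE    354859 08-25-93  11:43a
SECLOG   TXT      5299 09-02-93  11:16a
        3 file(s)     526434 bytes
"""
```

A listing in which LOGIN.EXE has a different size, or in which one of the three files is absent, yields a non-empty problem list and the patch should not be installed from that copy.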
This file is also available at no charge through NetWare resellers, on
NetWire in Library 14 of the NOVLIB forum, or by calling 1-800-NETWARE.
NetWare customers outside the U.S. may call Novell at 303-339-7027 or
31-55-384279, or fax a request for LOGIN.EXE v4.02 to Novell at
303-330-7655 or 31-55-434455. Include company name, contact name,
mailing address and phone number in the fax request.

CIAC would like to acknowledge the efforts of Richard Colby of Chem
Nuclear Geotech, Inc. for discovering this vulnerability, and the
efforts of Novell in the resolution of this issue.

For additional information or assistance, please contact CIAC at
(510) 422-8193 or send e-mail to ciac@llnl.gov. FAX messages to:
(510) 423-8002.

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained by sending email to docserver@first.org
with an empty subject line and a message body containing the line:
send first-contacts.

This document was prepared as an account of work sponsored by an agency
of the United States Government. Neither the United States Government
nor the University of California nor any of their employees, makes any
warranty, expressed or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, product, or process disclosed, or represents that its use
would not infringe privately owned rights.
Reference herein to any specific commercial products, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or
favoring by the United States Government or the University of
California. The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government or
the University of California, and shall not be used for advertising or
product endorsement purposes.