________________________________________________________________

THE COMPUTER INCIDENT ADVISORY CAPABILITY

CIAC

ADVISORY NOTICE
________________________________________________________________

NOTICE OF VULNERABILITY AFFECTING MACINTOSH AND IBM PC'S RUNNING NCSA TELNET

The DOE Computer Incident Advisory Capability (CIAC) has learned of a serious vulnerability in Telnet software made by NCSA that runs on both Macintosh and IBM PCs. This vulnerability enables anyone on a system that has network access to a Macintosh or IBM PC running NCSA Telnet to access that particular type of computer without a password, and copy, change, or delete files on it. Please note that the potential exists for any node on the network (i.e. the world) to have this accessibility.

Access to the Macintosh or IBM PC is via FTP on the host. The Macintosh or IBM PC will then execute FTP commands if NCSA Telnet is running on it, even if NCSA Telnet is running in the background (e.g., under MultiFinder on the Macintosh). Once access is gained, files can be copied to or from the Macintosh or IBM PC.

Whether Macintosh or IBM PCs at your site have this vulnerability depends on how NCSA Telnet was installed. Your systems are vulnerable if you are missing the line:

    passfile="filename"

in your config.tel file. The line "ftp=no" can be used to disable ftp. Even if this line is included, however, your system could still be vulnerable, since this command is easily overridden while NCSA Telnet is running by selecting "FTP Enable" in the File menu.

NCSA Telnet is delivered with the 'passfile="filename"' line commented out of the config.tel file using the # sign as:

    #passfile="filename"

When the passfile line is omitted or commented out, FTP transfers are enabled without requiring the use of passwords.
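One way to check a config.tel file for the condition described above. This is an added example, not part of the CIAC notice or of NCSA Telnet; the function name audit_config_tel and the sample inputs are constructed here, and the parser assumes one setting per line with '#' starting a comment.

```python
import re

# An active setting line as shown in the advisory: passfile="filename" or ftp=no
SETTING = re.compile(r'^\s*(\w+)=("[^"]*"|\S+)')

# Constructed sample inputs (not taken from a real installation).
AS_DELIVERED = '#passfile="filename"\n'
FTP_NO_ONLY = 'ftp=no\n#passfile="filename"\n'
HARDENED = 'passfile="\\etc\\passwd"\n'


def audit_config_tel(text):
    """Return (vulnerable, findings) for the text of a config.tel file.

    Assumptions of this example: one setting per line, and '#' starts a
    comment that runs to the end of the line.
    """
    settings, commented_out = {}, False
    for line in text.splitlines():
        active, _, comment = line.partition("#")
        if comment.strip().startswith("passfile="):
            commented_out = True
        match = SETTING.match(active)
        if match:
            settings[match.group(1)] = match.group(2)

    findings = []
    value = settings.get("passfile")
    # The advisory says the quotes are required; this example conservatively
    # treats an unquoted or empty value as if passfile were not set.
    protected = value is not None and re.fullmatch(r'"[^"]+"', value) is not None
    if value is None:
        state = "commented out" if commented_out else "missing"
        findings.append(f"passfile line is {state}: FTP needs no password")
    elif not protected:
        findings.append(f"passfile value {value} is not a quoted file name")
    if not protected and settings.get("ftp") == "no":
        findings.append("ftp=no alone can be overridden via File > FTP Enable")
    return (not protected, findings)


if __name__ == "__main__":
    for name in ("AS_DELIVERED", "FTP_NO_ONLY", "HARDENED"):
        print(name, audit_config_tel(globals()[name]))
```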
If the Macintosh or IBM PCs at your site are subject to this vulnerability, CIAC recommends that you ensure the passfile="filename" line is included in the configuration file, where "filename" (quotes required) can either specify a dummy file name or a valid password file. You should use a dummy file name when NCSA Telnet is not being used to assure that users do not enable NCSA Telnet without first making a password file. Using a dummy file name will turn on password checking which effectively disables FTP. However, if you plan to use NCSA Telnet, you should:

    1) make an encrypted password file using Telpass, and
    2) use a complete pathname specification for the file name (e.g., \etc\passwd).

By including the passfile line in config.tel, someone who wants to use FTP must either delete the passfile line in the config.tel file or create a password file.

For further information, please contact Gene Schultz, CIAC Manager, at (415) 422-8193 or (FTS) 532-8193, or send e-mail to:

    gschultz%nsspa@icdc.llnl.gov