__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN HP Tru64 Unix Multiple Vulnerabilities [Compaq Information Technologies Group #SSRT2275] September 3, 2002 18:00 GMT Number M-118 ______________________________________________________________________________ PROBLEM: Multiple local and remote buffer overflow vulnerabilities in various system utilities and core operating system components that ship with Tru64 Unix have been identified. PLATFORM: HP Tru64 Unix v4.0f, 4.0g, 5.0a, 5.1, and 5.1a. DAMAGE: Local and remote attacks could envoke a potential denial of service, could allow the execution of arbitrary code, and could allow gaining elevated privileges. SOLUTION: Apply the appropriate patches. ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM. With remote buffer overflows, successful ASSESSMENT: exploitation may allow an attacker to execute arbitrary code with the possibility of gaining elevated privileges. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-118.shtml ORIGINAL BULLETIN: http://wwss1pro.compaq.com/support/reference_library/viewdocument.asp?source=SRB0039W.xml&dt=11 PATCHES: ftp://ftp1.support.compaq.com/public/unix/v5.1a/ ftp://ftp1.support.compaq.com/public/unix/v5.1/ ftp://ftp1.support.compaq.com/public/unix/v5.0a/ ftp://ftp1.support.compaq.com/public/unix/v4.0g/ ftp://ftp1.support.compaq.com/public/unix/v4.0f/ ______________________________________________________________________________ [***** Start Compaq Information Technologies Group #SSRT2275 *****] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SECURITY BULLETIN SSRT2275 HP Tru64 UNIX - Potential Buffer Overflows & SSRT2229 Potential Denial of Service NOTICE: There are no restrictions for distribution of this Bulletin provided that it remains complete and intact. RELEASE DATE: 30 August 2002 REVISION: 0 SEVERITY: HIGH SOURCE: Compaq Computer Corporation, a wholly owned subsidiary of Hewlett-Packard Company and Hewlett-Packard Company HP Services Software Security Response Team REFERENCE: SSRT2257, SSRT-541, CERT (CA-2002-19, CA-2002-20, CA-2002-23, CA-2002-25) PROBLEM SUMMARY This bulletin will be posted to the support website within 24 hours of release to - http://thenew.hp.com/country/us/eng/support.html Use the SEARCH IN feature box, enter SSRT2275 in the search window. SSRT2229 /usr/sbin/ping (Severity - Medium) A potential security vulnerability has been reported within HP Tru64 UNIX /ur/sbin/ping, which could potentially result in denial of service (DoS). This may be in the form of local security domain risks. SSRT2275 HP Tru64 UNIX Buffer Overflows (Severity - see specific list below) Potential buffer overflows have been reported for HP Tru64 UNIX where, under certain circumstances, a non-privileged user may gain unauthorized privileged access. This may be in the form of local and remote security domain risks. Basic Commands and Utilities (Severity - High) SSRT2277 /usr/bin/ypmatch SSRT2261 /usr/sbin/traceroute SSRT2260 /usr/sbin/lpc /usr/bin/lprm /usr/bin/lpq /usr/bin/lpr /usr/lbin/lpd SSRT0796U /usr/bin/binmail SSRT0794U /usr/bin/ipcs SSRT2191 /usr/sbin/quot SSRT2189 /usb/bin/at SSRT2256 /usr/bin/ps SSRT2275 /usr/bin/uux /usr/bin/uucp /usr/bin/csh /usr/bin/rdist /usr/bin/mh/inc /usr/bin/mh/msgchk /usr/sbin/imapd /usr/bin/deliver /sbin/.upd..loader CDE (Severity - High) SSRT2193 /usr/dt/bin/mailcv SSRT2280 /usr/dt/bin/dtterm SSRT2282 /usr/dt/bin/dtsession SSRT2274 /usr/dt/bin/rpc.ttdbserverd SSRT2251 X11 (Severity - High) SSRT2279 /usr/bin/X11/dxterm SSRT2275 /usr/bin/X11/dxconsole /usr/bin/X11/dxpause /usr/bin/X11/dxsysinfo Networking (Severity - High) SSRT2340 /usr/sbin/telnetd SSRT2270 BIND resolver glibc SSRT2309 rpc XDR_ARRAY VERSIONS IMPACTED HP Tru64 UNIX V5.1a HP Tru64 UNIX V5.1 HP Tru64 UNIX V5.0a HP Tru64 UNIX V4.0g HP Tru64 UNIX V4.0f NOT IMPACTED HP-UX HP-MPE/ix HP NonStop Servers HP OpenVMS RESOLUTION Early Release Patches (ERPs) are now available for all supported versions of HP Tru64 UNIX. The ERP kits use dupatch to install and will not install over any Customer-Specific-Patches (CSPs) which have file intersections with the ERPs. Contact your normal support channel and request HP Tru64 services elevate a case to Support Engineering if a CSP must be merged with one of the ERPs. Please review the README file for each patch prior to installation. NOTE: These ERPs supercede ERPs delivered with the release of SSRT2257 HP Tru64 UNIX /usr/bin/su buffer overflow potential exploit August 1, 2002. cross reference CERT VU#193347 HP Tru64 UNIX/TruCluster V5.1A: Prerequisite: V5.1A with PK2 (BL2) installed ERP Kit Name: T64V51AB2-C0041402-15271-ES-20020827 .tar Kit Location: ftp://ftp1.support.compaq.com/public/unix/v5.1a/ HP Tru64 UNIX V5.1A with PK1 (BL1) installed: update to a minimum of PK2 (BL2) then install ERP T64V51AB2-C0041402-15271-ES-20020827 .tar HP Tru64 UNIX/TruCluster V5.1: Prerequisite: V5.1 with PK5 (BL19) installed ERP Kit Name: T64V51B19-C0136901-15143-ES-20020817 .tar Kit Location: ftp://ftp1.support.compaq.com/public/unix/v5.1/ HP Tru64 UNIX V5.1 with PK4 (BL18) installed: Update to a minimum of PK5 (BL19) then install ERP T64V51B19-C0136901-15143-ES-20020817.tar HP Tru64 UNIX/TruCluster V5.0A: Prerequisite: V5.0A with PK3 (BL17) installed ERP Kit Name: T64V50AB17-C0018406-15268-ES-20020827 .tar Kit Location: ftp://ftp1.support.compaq.com/public/unix/v5.0a/ HP Tru64 UNIX/TruCluster V4.0G: Prerequisite: V4.0G with PK3 (BL17) installed ERP Kit Name: T64V40GB17-C0010410-15273-ES-20020827 .tar Kit Location: ftp://ftp1.support.compaq.com/public/unix/v4.0g/ HP Tru64 UNIX/TruCluster V4.0F: Prerequisite: V4.0F with PK7 (BL18) installed ERP Kit Name: DUV40FB18-C0067405-15263-ES-20020827 .tar Kit Location: ftp://ftp1.support.compaq.com/public/unix/v4.0f/ HP Tru64 UNIX 4.0F PK6 (BL17) installed: Update to a minimum of PK7 (BL18) then install ERP DUV40FB18-C0067405-15263-ES-20020827.tar Information on how to verify MD5 and SHA1 checksums is available at: http://www.support.compaq.com/patches/whats-new.shtml After completing the update, HP and Compaq strongly recommend that you perform an immediate backup of the system disk so that any subsequent restore operations begin with updated software. Otherwise, the updates must be re-applied after a future restore operation. Also, if at some future time the system is upgraded to a later patch release or version release, reinstall the appropriate ERP. SUPPORT: For further information, contact HP Services. SUBSCRIBE: To subscribe to automatically receive future Security Advisories from the Software Security Response Team (SSRT) via electronic mail: http://www.support.compaq.com/patches/mailing-list.shtml REPORT: To report a potential security vulnerability with any HP or Compaq supported product, send email to: security-alert@hp.com HP and Compaq appreciate your cooperation and patience. As always, HP and Compaq urge you to periodically review your system management and security procedures. HP and Compaq will continue to review and enhance the security features of its products and work with our customers to maintain and improve the security and integrity of their systems. "HP and Compaq are broadly distributing this Security Bulletin in order to bring to the attention of users of the affected Compaq products the important security information contained in this Bulletin. HP and Compaq recommend that all users determine the applicability of this information to their individual situations and take appropriate action. Neither HP nor Compaq warrant that this information is necessarily accurate or complete for all user situations and, consequently, neither HP nor Compaq will be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin." Copyright 2002 Compaq Information Technologies Group, L.P. Compaq shall not be liable for technical or editorial errors or omissions contained herein. The information in this document is subject to change without notice. Compaq and the names of Compaq products referenced herein are trademarks of Compaq Information Technologies Group, L.P. in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQA/AwUBPXS17DnTu2ckvbFuEQJ2nACg3zWkJd3upeAHElfAn6T+bG4nFKsAnj80 7wJy9FGw3WT+xeFSjpY+5ttj =GPuh -----END PGP SIGNATURE----- [***** End Compaq Information Technologies Group #SSRT2275 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Compaq Information Technologies Group, SecurityFocus for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) M-108: Vulnerability in HP Apache Server PHP M-109: Common Desktop Environment (CDE) ToolTalk Buffer Overflow M-110: Buffer Overflow in Multiple Domain Name System (DNS) Libraries M-111: Integer Overflow in External Data Representation (XDR) Library M-112: Microsoft Cumulative Patch for SQL Server M-113: Microsoft Network Connection Manager (NCM) Flaw Could Enable Privilege Elevation M-114: Apache 2.0 Path Disclosure Vulnerability M-115: Novell NetWare 6.0 RConsoleJ Authentication Bypass Vulnerability M-116: Microsoft Cumulative Patch for Internet Explorer M-117: Microsoft Office Web Components Vulnerabilities