__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                      INFORMATION BULLETIN

   HP Tru64 UNIX Software Installation and Update Utilities Vulnerability
              [Hewlett-Packard Security Bulletin SSRT3471]

April 30, 2003 16:00 GMT                                          Number N-086
______________________________________________________________________________
PROBLEM:       HP Tru64 UNIX uses the dupatch and setld utilities to install
               operating system updates and patches, and to add new software
               kits to the system. When these scripts are run as root they
               are potentially vulnerable to symlink attacks.

SOFTWARE:      HP Tru64 UNIX:
                 V5.1B PK1 and earlier
                 V5.1A PK4 and earlier
                 V5.1  PK6 and earlier
                 V5.0A PK3 and earlier
                 V4.0G PK3 and earlier
                 V4.0F PK7 and earlier

DAMAGE:        A symlink attack typically results in a denial of service, but
               could potentially allow root penetration by a local user.

SOLUTION:      Apply the workaround as listed in the HP bulletin.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. It is normal to be running as root when the
ASSESSMENT:    above-mentioned utilities are run.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-086.shtml
 ORIGINAL BULLETIN:  http://thenew.hp.com/country/us/eng/support.html
______________________________________________________________________________

[***** Start Hewlett-Packard Security Bulletin SSRT3471 *****]

HP SECURITY BULLETIN

TITLE:     SSRT3471 - HP Tru64 UNIX Potential Security Vulnerability in
           Software Installation and Update Utilities
REVISION:  0
NOTICE:    There are no restrictions for distribution of this Bulletin
           provided that it remains complete and intact.
RELEASE DATE:  April 2003
SEVERITY:      High
SOURCE:        HEWLETT-PACKARD COMPANY
               Software Security Response Team
REFERENCE:     SSRT3471

PROBLEM SUMMARY

This bulletin will be posted to the support website within 24 hours of
release to:

    http://thenew.hp.com/country/us/eng/support.html

Use the SEARCH IN feature box and enter SSRT3471 in the search window.

SSRT3471 dupatch and setld utilities (Severity High)

HP Tru64 UNIX uses the dupatch and setld utilities to install operating
system updates and patches, and to add new software kits to the system.
When these scripts are run as root, the normal case, they are potentially
vulnerable to symlink attacks. A symlink attack typically results in a
denial of service, but could potentially allow root penetration by a local
user.

VERSIONS IMPACTED

HP Tru64 UNIX:
    V5.1B PK1 and earlier
    V5.1A PK4 and earlier
    V5.1  PK6 and earlier
    V5.0A PK3 and earlier
    V4.0G PK3 and earlier
    V4.0F PK7 and earlier

NOT IMPACTED

    HP-UX
    HP-MPE/ix
    HP NonStop Servers
    HP OpenVMS

RESOLUTION

HP Tru64 UNIX Recommended Workaround

HP recommends that before applying patches, installing new software, or
upgrading the operating system, the system should be shut down to
single-user mode as outlined in the Tru64 UNIX Installation Guide or Patch
Kit Installation Instructions. Once user processes are no longer active on
the system, remove suspicious files from the temporary directories using
the /usr/sbin/dirclean utility as shown in the example below. It is then
safe to proceed with dupatch or setld.

If the /usr/sbin/dirclean utility is not present on your system, follow the
instructions at http://h30097.www3.hp.com/unix/security-download.html to
download a version to your system.

To apply patches or install new software on a TruCluster member, first shut
the member down to single-user mode and change the protection on the
temporary directories to allow write access only by root.
This prevents malicious access from processes executing on other TruCluster
members (any normal process uses the temporary directories of the member on
which it executes). Then use the dirclean utility as in the example. After
installing updates, patches or new software, restore world-write access to
the temporary directories before continuing the system.

Example:

1. Shut the system to single-user mode as described in the Tru64 UNIX
   Installation Guide or Patch Kit Installation Instructions.

2. Examine the existing protection on the temporary directories:

       $ ls -dl /var/cluster/members/{memb}/tmp/
       drwxrwxrwt 3 root system 8192 Feb 20 17:09 /var/cluster/members/{memb}/tmp//

3. If you have a clustered system, change the directory permissions to
   allow write access to root only:

       $ chmod 700 /var/cluster/members/{memb}/tmp/
       $ ls -dl /var/cluster/members/{memb}/tmp/
       drwx------ 3 root system 8192 Feb 20 17:09 /var/cluster/members/{memb}/tmp//

4. Verify the files to be removed by dirclean (the -n option lists them
   without removing anything):

       $ /usr/sbin/dirclean -k bcf -n /var/tmp/

5. Remove the files:

       $ /usr/sbin/dirclean -k bcf /var/tmp/

   At this point, it is safe to use dupatch or setld.

6. When you are finished, restore normal protection to the temporary
   directories:

       $ chmod 1777 /var/cluster/members/{memb}/tmp/
       $ ls -dl /var/cluster/members/{memb}/tmp/
       drwxrwxrwt 3 root system 8192 Feb 20 17:09 /var/cluster/members/{memb}/tmp//

SUPPORT:    For further information, contact HP Services.

SUBSCRIBE:  To subscribe to automatically receive future Security Advisories
            from the Software Security Response Team via electronic mail:
            http://www.support.compaq.com/patches/mail-list.shtml

REPORT:     To report a potential security vulnerability with any HP
            supported product, send email to: security-alert@hp.com

As always, HP urges you to periodically review your system management and
security procedures. HP will continue to review and enhance the security
features of its products and work with our customers to maintain and
improve the security and integrity of their systems.
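As an added example (not part of the CIAC or HP bulletins, and not a substitute for dirclean): a POSIX sh pre-flight audit that mirrors the workaround above. It lists any symbolic links already sitting in a temporary directory, which is the object a symlink attack relies on, and wraps the chmod 700 / chmod 1777 steps with a check of the mode string as shown by ls -dl. It assumes only find, readlink, ls and cut; the directory path is a parameter.

```shell
#!/bin/sh
# Pre-flight audit for a temporary directory before running an installer
# as root. Added illustration, not HP code; dirclean semantics are not
# reproduced here.

# Print every symbolic link under the directory as "link -> target".
audit_tmp_symlinks() {
    find "$1" -type l -exec sh -c '
        for l; do printf "%s -> %s\n" "$l" "$(readlink "$l")"; done' sh {} +
}

# Number of symbolic links under the directory (as a bare integer).
count_tmp_symlinks() {
    find "$1" -type l | wc -l | tr -d ' '
}

# Ten-character mode string, e.g. drwxrwxrwt, as ls -dl prints it.
dir_mode_string() {
    ls -dl "$1" | cut -c1-10
}

# Step 3 of the workaround: write access for root only during the install.
restrict_tmpdir() {
    chmod 700 "$1" && [ "$(dir_mode_string "$1")" = "drwx------" ]
}

# Step 6 of the workaround: world-writable with the sticky bit again.
restore_tmpdir() {
    chmod 1777 "$1" && [ "$(dir_mode_string "$1")" = "drwxrwxrwt" ]
}

# Returns 0 when the directory holds no symlinks, 1 otherwise (after
# printing them to stderr so the operator can review before proceeding).
preflight_tmpdir() {
    n=$(count_tmp_symlinks "$1")
    if [ "$n" -ne 0 ]; then
        echo "preflight: $n symbolic link(s) under $1, review before install:" >&2
        audit_tmp_symlinks "$1" >&2
        return 1
    fi
    return 0
}
```

Run `preflight_tmpdir /var/tmp` (and the cluster member tmp path) from single-user mode; a non-zero exit means something was left behind that the bulletin's dirclean step should handle before dupatch or setld starts.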
"HP is broadly distributing this Security Bulletin in order to bring to the
attention of users of the affected HP products the important security
information contained in this Bulletin. HP recommends that all users
determine the applicability of this information to their individual
situations and take appropriate action. HP does not warrant that this
information is necessarily accurate or complete for all user situations and,
consequently, HP will not be responsible for any damages resulting from
user's use or disregard of the information provided in this Bulletin."

(c)Copyright 2001, 2003 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial
errors or omissions contained herein. The information in this document is
subject to change without notice. Hewlett-Packard Company and the names of
Hewlett-Packard products referenced herein are trademarks of
Hewlett-Packard Company in the United States and other countries. Other
product and company names mentioned herein may be trademarks of their
respective owners.

[***** End Hewlett-Packard Security Bulletin SSRT3471 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Hewlett-Packard for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-076: SGI: Multiple Vulnerabilities in BSD LPR Subsystem
N-077: Microsoft Buffer Overrun in Kernel Message Handling Vulnerability
N-078: Snort Integer Overflow in Stream4 (TCP) Vulnerability
N-079: Cisco Secure Access Control Server (ACS) for Windows Admin Buffer
       Overflow Vulnerability
N-080: Red Hat Updated tcpdump Packages Fix Various Vulnerabilities
N-081: Microsoft Cumulative Patch for Outlook Express
N-082: Microsoft Cumulative Patch for Internet Explorer (IE)
N-083: Cisco Catalyst Enable Password Bypass Vulnerability
N-084: SGI nsd LDAP Implementation Vulnerability
N-085: Oracle Buffer Overflow in Net Services for Oracle Database Server