========================================================================
          ||  THE COMPUTER INCIDENT ADVISORY CAPABILITY  ||
          ||                                             ||
          ||                  C I A C                    ||
          ||                                             ||
          ||             INFORMATION NOTICE              ||
========================================================================

HP-UX Trusted Systems 6.5 or 7.0, Authorization Problem
-------------------------------------------------------

Oct 24, 1990 1600 PST                                        Number B-5

Summary: Critical HP-UX Trusted Systems Facts
----------------------------------------------------------------------------
PROBLEM:        May allow non-privileged users to gain root access.
PLATFORM:       Hewlett Packard, Trusted Systems 6.5/7.0
DAMAGE:         Allows unauthorized system modification.
WORKAROUND:     Ensure correct password files and use user names less than 8
                characters.
PATCH:          H.P. is aware of this problem and has released patch P025,
                available from the HP Response Center or your local HP
                representative.
SYSTEM IMPACT:  Inconvenience of temporarily changing some user names.
----------------------------------------------------------------------------

CIAC has learned of a serious security problem with Hewlett Packard
Trusted Systems 6.5/7.0, which may allow non-privileged users to gain
root access. Two problems exist within the user authentication
(login) system. Both problems only affect the secure C2 version of
HP-UX. If you are running Trusted Systems 6.5 or 7.0, then the
vulnerability exists on your system. The two related vulnerabilities
are:

Problem 1

If you are running Trusted Systems HP-UX you must be absolutely sure
that each entry in your /.secure/etc/passwd file matches an entry in
your /etc/passwd file. If you have an entry in /.secure/etc/passwd,
and not in /etc/passwd, the user will be authorized and given root
privileges.

Problem 2

A related vulnerability has to do with users that have 8 character
user names. If any users have user names of 8 characters, you should
change them to 7 or fewer characters until you install the patch
described below.

Solution

The above modifications should be considered a temporary workaround.
A permanent solution to both is to obtain patch P025 from the HP
Response Center, or your local HP Representative.
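
A check for the two workaround conditions in Problem 1 and Problem 2,
added here as an example; it is not part of the CIAC notice or of any HP
tooling. It assumes both files are colon-separated with the user name in
the first field, follows the summary's "less than 8 characters" by
flagging names of 8 or more characters, and uses hypothetical function
names.

```sh
#!/bin/sh
# Added example, not part of the CIAC notice or any HP tooling.
# Assumption: both files are colon-separated with the user name in field 1.

# Problem 1: print names listed in the secure file but missing from the
# public passwd file. "pass" marks which file awk is reading, so an empty
# public file still makes every secure entry an orphan.
orphan_secure_entries() {    # usage: orphan_secure_entries SECURE PUBLIC
    awk -F: '
        $1 == "" || $1 ~ /^#/ { next }             # skip blanks and comments
        pass == 1 { known[$1] = 1; next }          # public file: remember name
        !($1 in known) && !seen[$1]++ { print $1 } # secure file: report once
    ' pass=1 "$2" pass=2 "$1"
}

# Problem 2: print each user name of 8 or more characters, once.
long_user_names() {          # usage: long_user_names FILE...
    awk -F: '$1 != "" && $1 !~ /^#/ && length($1) >= 8 && !seen[$1]++ { print $1 }' "$@"
}

# Run both checks. Returns 0 if clean, 1 on findings, 2 if a file is unreadable.
audit_trusted_passwd() {     # usage: audit_trusted_passwd SECURE PUBLIC
    for f in "$1" "$2"; do
        if [ ! -r "$f" ]; then
            echo "cannot read $f" >&2
            return 2
        fi
    done
    found=0
    for name in $(orphan_secure_entries "$1" "$2"); do
        echo "ORPHAN: $name is in $1 but not in $2"
        found=1
    done
    for name in $(long_user_names "$1" "$2"); do
        echo "LONGNAME: $name has 8 or more characters"
        found=1
    done
    return $found
}

# On a Trusted Systems host (as a user who can read both files):
#   audit_trusted_passwd /.secure/etc/passwd /etc/passwd
```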

For additional information or assistance, please contact CIAC, or your
local HP Representative.

        David Brown
        (415) 423-9878 or (FTS) 543-9878

        FAX: (415) 423-0913 or (FTS) 543-0913

or send e-mail to:

        ciac@tiger.llnl.gov

Neither the United States Government nor the University of California
nor any of their employees, makes any warranty, expressed or implied,
or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government nor the University of California, and shall not be used for
advertising or product endorsement purposes.