
CIAC Bulletin F-09: Unix /bin/mail Vulnerability (fwd)



Just got this in the mail and thought I would share it with all of you...

---------- Forwarded message ----------
Date: Fri, 27 Jan 1995 11:16:55 -0800
From: Steve Weeber <[email protected]>
To: [email protected]
Subject: CIAC Bulletin F-09: Unix /bin/mail Vulnerability

            _____________________________________________________
                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
            _____________________________________________________

                            INFORMATION BULLETIN

                       Unix /bin/mail Vulnerabilities

January 27, 1995 1030 PST                                        Number F-09
_____________________________________________________________________________

PROBLEM:       The Unix /bin/mail utility contains security vulnerabilities.
PLATFORMS:     DEC OSF/1 1.2, 1.3, and 2.0
               DEC Ultrix 4.3, 4.3A, and 4.4
               SCO Unix System V/386 Release 3.2 OS Version 4.2
               SCO Open Desktop Lite Release 3.0
               SCO Open Desktop Release 3.0
               SCO Open Server Enterprise System Release 3.0
               SCO Open Server Network System Release 3.0
               Solbourne OS4.1x
               SunOS 4.x
DAMAGE:        Local users may gain privileged (root) access.
SOLUTION:      Apply appropriate vendor patch as described below.
_____________________________________________________________________________

VULNERABILITY  The vulnerabilities in the /bin/mail program have been openly
ASSESSMENT:    discussed in several Internet forums, and automated scripts
               exploiting the vulnerabilities have been widely distributed.
               These tools have been used in many recent attacks.  CIAC
               recommends sites install these patches as soon as possible.
_____________________________________________________________________________

          Critical Information about Unix /bin/mail Vulnerabilities

The /bin/mail utility on several Unix versions based on BSD 4.3 Unix contains
a security vulnerability.  The vulnerability is the result of race conditions
that exist during the delivery of messages to local users.  These race
conditions will allow intruders to create or modify files on the system,
resulting in privileged access to the system.

Below is a summary of systems known to be either vulnerable or not
vulnerable.  If your vendor's name is not listed, please contact the vendor
or CIAC for more information.

   Vendor or Source                   Status
   ----------------                   ------------
   Apple Computer, Inc.               Not vulnerable
   Berkeley SW Design, Inc. (BSDI)    Not vulnerable
   Cray Research, Inc.                Not vulnerable
   Data General Corp.                 Not vulnerable      
   Digital Equipment Corp.            Vulnerable
   FreeBSD                            Not vulnerable
   Harris                             Not vulnerable
   IBM                                Not vulnerable 
   NetBSD                             Not vulnerable
   NeXT, Inc.                         Not vulnerable 
   Pyramid                            Not vulnerable
   The Santa Cruz Operation (SCO)     Vulnerable
   Solbourne (Grumman)                Vulnerable
   Sun Microsystems, Inc.             SunOS 4.x vulnerable
                                      Solaris 2.x not vulnerable

Patch Information
-----------------

DEC          The /bin/mail patch is a part of a comprehensive Security
             Enhanced Kit that addresses other security problems as well.
             This kit was released on May 17, 1994 and was described in
             DEC Security Advisory #0505 and CIAC Notes 94-03.

             OSF/1 users should upgrade to a minimum of version 2.0 and
             install Security Enhanced Kit CSCPAT_4061 v1.0.  Ultrix users
             should upgrade to at least version 4.4 and install Security
             Enhanced Kit CSCPAT_4060 v1.0.

             Both kits are available from your Digital support channel or
             electronically by request via DSNlink.


SCO          Vulnerabilities in SCO's /bin/mail utility are removed by
             applying SCO's Support Level Supplement (SLS) uod392a. It is
             available via anonymous FTP from ftp.sco.com in the /SLS
             directory:

             Description   Filename       MD5 Checksum
             ------------  -------------  --------------------------------
             Disk image    uod392a.Z      2c26669d89f61174f751774115f367a5
             Cover letter  uod392a.ltr.Z  52db39424d5d23576e065af2b80aee49


Solbourne    Grumman System Support Corporation now performs all Solbourne
             software and hardware support.  Please contact them for
             further information:

                E-mail: [email protected]
                Phone:  1-800-447-2861
                FTP:    ftp.nts.gssc.com


Sun          Sun has made patches available to remove vulnerabilities in
             /bin/mail.  These patches address all vulnerabilities CIAC has
             seen exploited to date, and CIAC recommends they be installed.
             However, the patches will be updated again in the near future
             to remove additional vulnerabilities that have recently come
             to light.  CIAC will announce the availability of the new
             patches when they are released.

             The patches may be obtained from your local Sun Answer Center
             or through anonymous FTP from sunsolve1.sun.com in the
             /pub/patches directory:

             SunOS    Filename         MD5 Checksum
             -------  ---------------  --------------------------------
             4.1.x    100224-13.tar.Z  90a507017a1a40c4622b3f1f00ce5d2d
             4.1.3U1  101436-08.tar.Z  0e64560edc61eb4b3da81a932e8b11e1
                 

Alternative Solution
--------------------

For those sites unable to obtain a vendor patch for a vulnerable version of
/bin/mail, a replacement package called mail.local has been developed and
made freely available on the Internet.  The /bin/mail program is relatively
complex software, serving both as a mail delivery agent and a user interface,
allowing users to send and read E-mail messages.  Complex system software,
like /bin/mail, is more likely to exhibit security vulnerabilities.

The mail.local package was written to perform only one task: the delivery
of mail to local users.  It is comparatively small, and the code has been
examined carefully by experts in the security community.  While it has not
been formally evaluated, it is probable that mail.local addresses all
vulnerabilities currently being exploited in /bin/mail.

For more information, see the file README in the directory
ftp://coast.cs.purdue.edu/pub/tools/unix/mail.local/.
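As an added illustration, not code from the bulletin nor from the mail.local package itself, here is the kind of check a single-purpose local delivery agent performs so that a delivery-time race of the sort described above cannot turn a privileged mailbox write into a write to some other file. It assumes a POSIX system whose open(2) supports O_NOFOLLOW; the /tmp scratch mailbox and the function names are constructed for the demo.

```c
#define _GNU_SOURCE                      /* O_NOFOLLOW on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Append msg to the mailbox at path, which must already exist as a plain file
 * with one link owned by `owner` (the recipient); 0 on success, -1 otherwise.
 * Every trust decision uses the opened descriptor (fstat), never a separate
 * name lookup, so nothing swapped into the spool between lookup and open can
 * redirect the privileged write. */
int safe_mailbox_append(const char *path, uid_t owner, const char *msg)
{
    struct stat st;
    /* O_NOFOLLOW refuses a symlink at the last component; no O_CREAT either. */
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    size_t len = strlen(msg);
    ssize_t n = write(fd, msg, len);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}
/* Demo on a constructed scratch mailbox owned by the caller.  With via_symlink
 * the delivery path is a symlink to it, which the agent must refuse (-1);
 * otherwise delivery succeeds (0).  -2: scratch setup failed, not a verdict. */
int demo_delivery(int via_symlink)
{
    char mbox[] = "/tmp/mbox.XXXXXX", lnk[64];
    int fd = mkstemp(mbox);
    if (fd < 0) return -2;
    close(fd);
    snprintf(lnk, sizeof lnk, "%s.lnk", mbox);
    if (via_symlink && symlink(mbox, lnk) < 0) { unlink(mbox); return -2; }
    int rc = safe_mailbox_append(via_symlink ? lnk : mbox, getuid(),
                                 "From a@b\nhello\n\n");
    if (via_symlink) unlink(lnk);
    unlink(mbox);
    return rc;
}
```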

_____________________________________________________________________________

CIAC wishes to acknowledge the contributions of the CERT Coordination
Center in the construction of this bulletin.
_____________________________________________________________________________

For emergencies and off-hour assistance, DOE and DOE contractor sites can
contact CIAC 24 hours a day via an integrated voicemail and SKYPAGE number.
To use this service, dial 1-510-422-8193 or 1-800-759-7243 (SKYPAGE). The
primary SKYPAGE PIN, 8550070, is for the CIAC duty person. A second
PIN, 8550074, is for the CIAC Project Leader.  CIAC's FAX number is
510-423-8002, and the STU-III number is 510-423-2604.  Send E-mail to
[email protected].

Previous CIAC notices, anti-virus software, and other information are
available on the Internet via anonymous FTP from ciac.llnl.gov (IP address
128.115.19.53).

CIAC has several self-subscribing mailing lists for electronic publications:
1.  CIAC-BULLETIN for Advisories, highest priority - time critical
    information, and Bulletins, important computer security information;
2.  CIAC-NOTES for Notes, a collection of computer security articles;
3.  SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
    software updates, new features, distribution and availability;
4.  SPI-NOTES, for discussion of problems and solutions regarding the use of
    SPI products.

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send requests of the following form:

subscribe list-name LastName, FirstName PhoneNumber

as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES,
SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for
"LastName", "FirstName" and "PhoneNumber".  Send to: [email protected],
not to: [email protected]

e.g.,
subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36
subscribe ciac-bulletin O'Hara, Scarlett 404-555-1212 x36

You will receive an acknowledgment containing address and initial PIN, and
information on how to change either of them, cancel your subscription, or get
help.
_____________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations
and their constituencies can be obtained by sending E-mail to
[email protected] with an empty subject line and a message body
containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.