*********************************************************************** DDN Security Bulletin 9114 DCA DDN Defense Communications System 27 Aug 91 Published by: DDN Security Coordination Center (SCC@NIC.DDN.MIL) (800) 235-3155 DEFENSE DATA NETWORK SECURITY BULLETIN The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security Coordination Center) under DCA contract as a means of communicating information on network and host security exposures, fixes, & concerns to security & management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.67.67.20] using login="anonymous" and password="guest". The bulletin pathname is SCC:DDN-SECURITY-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. SCC:DDN-SECURITY-9001). ********************************************************************** SGI "IRIX" /usr/sbin/fmt Vulnerability + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Computer ! ! Emergency Response Team (CERT) and is being relayed unedited ! ! via the Defense Communications Agency's Security Coordination ! ! Center distribution system as a means of providing DDN ! ! subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + CA-91:14 CERT Advisory August 26, 1991 SGI "IRIX" /usr/sbin/fmt Vulnerability --------------------------------------------------------------------------- The Computer Emergency Response Team/Coordination Center (CERT/CC) has received information concerning a vulnerability of mail messages in Silicon Graphics Computer Systems' IRIX versions prior to 4.0 (this includes all 3.2 and 3.3.* versions). This problem has been fixed in version 4.0. Information regarding the exploitation of this vulnerability is inherently disclosed by any discussion of the problem (including this Advisory) so we recommend taking immediate action. Until you are able to apply the patch, mail at your site is vulnerable to being read by any ordinary user logged in at that site. Silicon Graphics has provided the enclosed patch instructions. --------------------------------------------------------------------------- I. DESCRIPTION: A vulnerability exists such that IRIX pre-4.0 (e.g., 3.3.3) systems with the basic system software ("eoe1.sw.unix") installed can allow unauthorized read access to users' mail messages, by exploiting a configuration error in a standard system utility. Due to the ease of exploiting this vulnerability and the simplicity of the corrective action, the CERT/CC urges all sites to install the patch given below. II. IMPACT: Anyone who can log in on a given IRIX pre-4.0 (3.2, 3.3, 3.3.*) system can read mail messages which have been delivered to any other user on that same system. III. SOLUTION: As "root", execute the following commands: chmod 755 /usr/sbin/fmt chown root.sys /usr/sbin/fmt If system software should ever be reloaded from a 3.2 or 3.3.* installation tape or from a backup tape created before the patch was applied, repeat the above procedure immediately after the software has been reloaded, before enabling logins by normal users. [Fixed in IRIX 4.0.] --------------------------------------------------------------------------- The CERT/CC would like to thank Silicon Graphics for bringing this vulnerability and solution to our attention. --------------------------------------------------------------------------- If you believe that your system has been compromised, contact CERT/CC via telephone or e-mail. Computer Emergency Response Team/Coordination Center (CERT/CC) Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Internet E-mail: cert@cert.sei.cmu.edu Telephone: 412-268-7090 24-hour hotline: CERT/CC personnel answer 7:30a.m.-6:00p.m. EST, on call for emergencies during other hours. Past advisories and other computer security related information are available for anonymous ftp from the cert.sei.cmu.edu (192.88.209.5) system.