************************************************************************** Security Bulletin 9118 DISA Defense Communications System 1 October 1991 Published by: DDN Security Coordination Center (SCC@NIC.DDN.MIL) 1-(800) 365-3642 DEFENSE DATA NETWORK SECURITY BULLETIN The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, & concerns to security & management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using login="anonymous" and password="guest". The bulletin pathname is SCC:DDN-SECURITY-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. SCC:DDN-SECURITY-9118). ************************************************************************** Vulnerability of DECnet-Internet gateway software in (DEC) ULTRIX versions 4.0, 4.1, and 4.2. + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Computer ! ! Emergency Response Team (CERT) and is being relayed unedited ! ! via the Defense Communications Agency's Security Coordination ! ! Center distribution system as a means of providing DDN ! ! subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + CA-91:17 CERT Advisory September 26, 1991 DECnet-Internet Gateway Vulnerability --------------------------------------------------------------------------- The Computer Emergency Response Team/Coordination Center (CERT/CC) has received information concerning a vulnerability in the configuration of the DECnet-Internet gateway software for Digital Equipment Corporation's (DEC) ULTRIX versions 4.0, 4.1, and 4.2 on all Digital architectures. Digital Equipment Corporation is aware of this problem and a resolution for this vulnerability will be included in a future release. Digital and the CERT/CC strongly recommend that sites exposed to this vulnerability immediately institute the workaround detailed in this advisory. --------------------------------------------------------------------------- I. Description When installing the DECnet-Internet gateway software it is necessary to create a guest account on the ULTRIX gateway host. By default, this account has /bin/csh as its shell. By virtue of the guest account having a valid shell, the DECnet-Internet gateway software can be exploited to allow unauthorized root access. II. Impact Anyone using the DECnet-Internet gateway can gain unauthorized root privileges on the ULTRIX gateway host. III. Solution This section describes a workaround for this vulnerability. Disable the guest account by editing the /etc/passwd file and setting the shell field for the guest account to /bin/false. Also, ensure the guest account has the string "NoLogin" in the password field as detailed in the DECnet-Internet installation manual. Even if you have not installed or are not running the DECnet- Internet gateway software, Digital recommends that you implement the workaround solution stated above. --------------------------------------------------------------------------- The CERT/CC wishes to thank R. Scott Butler of the Du Pont Company for bringing this vulnerability to our attention and for his further assistance with the temporary workaround. --------------------------------------------------------------------------- If you believe that your system has been compromised, contact CERT/CC via telephone or e-mail. Computer Emergency Response Team/Coordination Center (CERT/CC) Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Internet E-mail: cert@cert.sei.cmu.edu Telephone: 412-268-7090 24-hour hotline: CERT/CC personnel answer 7:30a.m.-6:00p.m. EST/EDT, on call for emergencies during other hours. Past advisories and other computer security related information are available for anonymous ftp from the cert.sei.cmu.edu (192.88.209.5) system.