************************************************************************** Security Bulletin 9409 DISA Defense Communications System March 14, 1994 Published by: DDN Security Coordination Center (SCC@NIC.DDN.MIL) 1-(800) 365-3642 DEFENSE DATA NETWORK SECURITY BULLETIN The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using login="anonymous" and password="guest". The bulletin pathname is scc/ddn-security-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/ddn-security-9302). ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Automated ! ! Systems Security Incident Support Team (ASSIST) and is being ! ! relayed unedited via the Defense Information Systems Agency's ! ! Security Coordination Center distribution system as a means ! ! of providing DDN subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Automated Systems Security Incident Support Team _____ ___ ___ _____ ___ _____ | / /\ / \ / \ | / \ | | / Integritas / \ \___ \___ | \___ | | < et /____\ \ \ | \ | | \ Celeritas / \ \___/ \___/ __|__ \___/ | |_____\ <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Bulletin 94-06 Release date: 14 March 1994, 09:00 AM EDT Subject: Vulnerability in cc:Mail 2.0 and 2.1 for Windows. SUMMARY: This bulletin contains information concerning a vulnerability that exists in cc:Mail 2.0 and 2.1 for Windows. To correct the problem, Lotus has made the software upgrade cc:Mail 2.02 for Windows available. This upgrade is contained in the file winfix.zip, which can be obtained from ASSIST, Lotus, or Compuserve. BACKGROUND: Passwords are vulnerable on local hard drives of systems running Lotus cc:Mail 2.0 and 2.1 for Windows. IMPACT: Accounts could be compromised if another person is allowed access to a cc:Mail user's personal computer. RECOMMENDED SOLUTION: Obtain and install winfix.zip on all affected systems as soon as possible, then have all users change passwords. winfix.zip can be acquired from any of the resources listed below. * ASSIST - Available from the ASSIST anonymous FTP system in the /pub/tools directory, and the ASSIST BBS in the Security Tools file area (See ASSIST INFORMATION RESOURCES below). * Lotus - Available through anonymous ftp from ftp.ccmail.com (IP 192.216.79.99) in the /pub/windows directory (file date Feb 19 00:53, length 279803). The upgrade can also be obtained from the Lotus cc:Mail bbs by connecting to the system with a modem at 415-691-0401, and downloading winfix.zip (file date 2/18/94 2:02a, length 279803). * Compuserve - After connecting to Compuserve, execute the following commands: a. Enter the Lotus forum by typing GO LOTUSC from any CompuServe prompt. b. Enter Section 10 when prompted for which section. c. From within Section 10, select "Download" and download the file winfix.zip. After unzipping winfix.zip the following files are available: ccmail.exe 628656 bytes readme.now 1062 bytes To install, change to the directory that contains the old version of ccmail.exe (probably m:\ccmailm:\ccmail), re-name ccmail.exe to ccmail.old, then copy the upgrade version of ccmail.exe into the directory. If cc:Mail for Windows has been installed on a network, the system administrator only needs to change the network copy of ccmail.exe. If cc:Mail for Windows has been installed locally, the upgrade must be installed in the proper directory of every workstation. After installation of the upgraded ccmail.exe, ASSIST STRONGLY RECOMMENDS THAT ALL USERS CHANGE PASSWORDS IMMEDIATELY. ASSIST would like to thank the Department of Energy CIAC for information contained in this bulletin. ASSIST is an element of the Defense Information Systems Agency (DISA), Center for Information Systems Security (CISS), that provides service to the entire DoD community. If you are a constituent of the DoD and have any questions about ASSIST or computer security issues, contact ASSIST using one of the methods listed below. If your organization/institution is non-DoD, contact your Forum of Incident Response and Security Teams (FIRST) representative. You can obtain a list of FIRST member organizations and their constituencies by sending email to docserver@first.org with an empty "subject" line and a message body containing the line "send first-contacts". ASSIST INFORMATION RESOURCES: If you would like to be included in the distribution list for these bulletins, send your Milnet (Internet) e-mail address to assist-request@assist.ims.disa.mil. Back issues of ASSIST bulletins, and other security related information, are available from the ASSIST BBS at 703-756-7993/ 1154 DSN 289, and through anonymous FTP from assist.ims.disa.mil (IP address 137.130.234.30). Note: assist.ims.disa.mil will only accept anonymous FTP connections from Milnet addresses that are registered with the NIC or DNS. ASSIST contact information: PHONE: 703-756-7974, DSN 289, duty hours are 06:00 to 22:30 EST Monday through Friday. During off duty hours, weekends, and holidays, ASSIST can be reached via pager at 800-SKY-PAGE (800-759-7243) PIN 2133937. Your page will be answered within 30 minutes, however if a quicker response is required, prefix your phone number with "999". ELECTRONIC MAIL: assist@assist.ims.disa.mil. ASSIST BBS: Leave a message for the "sysop". Privacy Enhanced Mail (PEM): ASSIST uses PEM, a public key encryption tool, to digitally sign all bulletins that are distributed through e-mail. The section of seemingly random characters between the "BEGIN PRIVACY-ENHANCED MESSAGE" and "BEGIN ASSIST BULLETIN" contains machine-readable digital signature information generated by PEM, not corrupted data. PEM software for UNIX systems is available from Trusted Information Systems (TIS) at no cost, and can be obtained via anonymous FTP from ftp.tis.com (IP 192.94.214.100). Note: The TIS software is just one of several implementations of PEM currently available and additional versions are likely to be offered from other sources in the near future. **************************************************************************** * * * The point of contact for MILNET security-related incidents is the * * Security Coordination Center (SCC). * * * * E-mail address: SCC@NIC.DDN.MIL * * * * Telephone: 1-(800)-365-3642 * * * * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, * * Monday through Friday except on federal holidays. * * * ****************************************************************************