80 lines
3.2 KiB
Plaintext
80 lines
3.2 KiB
Plaintext
|
|
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
|
|
CA-90:03 CERT Advisory
|
|
May 7, 1990
|
|
Unisys U5000 /etc/passwd problem
|
|
|
|
- -----------------------------------------------------------------------------
|
|
|
|
The CERT/CC has recently verified several reports of unauthorized access
|
|
to Internet connected Unisys systems. The intruder(s) gained access to
|
|
these systems by logging into vendor supplied default accounts; accounts
|
|
that had not been given passwords by the systems' owners.
|
|
|
|
Gary Garb, Corporate Computer Security Officer for Unisys Corporation,
|
|
states:
|
|
|
|
"The Unisys U5000 series UNIX systems are delivered with a number of
|
|
system logins. The logins are NOT password protected when the
|
|
customer receives the system. Unless the customer secures these logins,
|
|
the system is vulnerable to unauthorized access."
|
|
|
|
"A complete list of these logins can be found in the /etc/passwd file.
|
|
Each login is described by one record in /etc/passwd which contains a
|
|
number of fields separated by colons. The second field normally would
|
|
contain the encrypted password. The system logins will initially have
|
|
a null second field (indicated by two adjacent colons) in their descriptive
|
|
records in /etc/passwd."
|
|
|
|
"The U5000/80/85/90/95 System V Administration Guide, Volume 1 (UP13679)
|
|
begins with a chapter on "System Identification and Security". On page 1-2
|
|
it states, "All logins should have passwords ... Logins that are not needed
|
|
should be either removed (by deleting from /etc/passwd) or blocked (by
|
|
locking the login as described in the section "Locking Unused Logins" on
|
|
page 1-8). The Guide contains complete instructions on controlling logins
|
|
and passwords."
|
|
|
|
"It is the user's (system administrator's) responsibility to thoroughly
|
|
read the Guide and to ensure the security of the system. *Securing the
|
|
login entries should be of the highest priority and should be accomplished
|
|
before anyone else has access to the system.*"
|
|
|
|
The CERT/CC urges administrators of Unisys systems, as well as administrators
|
|
of systems provided by other vendors, to check their systems and insure all
|
|
accounts are protected by passwords; passwords that are different from the
|
|
default passwords provided by the vendor.
|
|
|
|
Questions regarding the security aspects of Unisys systems should be directed
|
|
to:
|
|
Gary Garb, Corporate Security Officer
|
|
Unisys Corporation
|
|
(215) 986-4038
|
|
- --------------------------------------------------------------
|
|
|
|
Computer Emergency Response Team (CERT)
|
|
Software Engineering Institute
|
|
Carnegie Mellon University
|
|
Pittsburgh, PA 15213-3890
|
|
|
|
Internet: cert@cert.org
|
|
Telephone: 412-268-7090 24-hour hotline: CERT personnel answer
|
|
7:30a.m.-6:00p.m. EST, on call for
|
|
emergencies other hours.
|
|
|
|
Past advisories and other information are available for anonymous ftp
|
|
from cert.org (192.88.209.5).
|
|
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.2
|
|
|
|
iQCVAwUBMaMwfHVP+x0t4w7BAQFkcwP+PzUFMYJZQiNDdFyqvuPSjNAFUOfvMbHW
|
|
47kbVP3bRgimxrtvkz0FCK0mJfLGDeN5VjIqiukaMX2+AbIK9dtRRSKtxWpwMMCq
|
|
OWt6fBhQlkPc8zmURepZ0nbZcNZ+cgLwLNG0EwhWtpnKW1dYJZSBPnnoRyb96NcL
|
|
YZbvlVIDpNo=
|
|
=1U7p
|
|
-----END PGP SIGNATURE-----
|
|
|