88 lines
3.0 KiB
Plaintext
88 lines
3.0 KiB
Plaintext
|
|
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
- ---------------------------------------------------------------------------
|
|
CA-91:08 CERT Advisory
|
|
May 23, 1991
|
|
AT&T System V Release 4 /bin/login Vulnerability
|
|
|
|
- ---------------------------------------------------------------------------
|
|
|
|
The Computer Emergency Response Team/Coordination Center (CERT/CC) has
|
|
received information concerning a security vulnerability in AT&T's UNIX(r)
|
|
System V Release 4 operating system. AT&T is providing a software upgrade
|
|
for Release 4 operating system vendors and a patch for AT&T Computer Systems
|
|
customers. AT&T has also provided a suggested fix for all Release 4
|
|
based systems.
|
|
|
|
- ---------------------------------------------------------------------------
|
|
I. DESCRIPTION:
|
|
|
|
A security vulnerability exists in /bin/login in AT&T's System V
|
|
Release 4 operating system.
|
|
|
|
|
|
II. IMPACT:
|
|
|
|
System users can gain unauthorized privileges.
|
|
|
|
|
|
III. SOLUTION:
|
|
|
|
A. AT&T Computer Systems customers
|
|
|
|
Log into the root account. Change the execution permission on
|
|
the file /bin/login.
|
|
|
|
chmod 500 /bin/login
|
|
|
|
Contact AT&T Computer Systems at 800-922-0354 to obtain a fix.
|
|
The numbers associated with the fix are 156 (3.5" media) and
|
|
157 (5.25" media).
|
|
|
|
International customers should contact their local AT&T
|
|
Computer Systems representative.
|
|
|
|
B. All other System V Release 4 based systems
|
|
|
|
Log into the root account. Change the execution permission on
|
|
the file /bin/login.
|
|
|
|
chmod 500 /bin/login
|
|
|
|
Release 4 customers should contact their operating system
|
|
supplier for details on the availability of the software
|
|
update.
|
|
|
|
- ---------------------------------------------------------------------------
|
|
The CERT/CC would like to thank AT&T for their timely response to our
|
|
report of this vulnerability.
|
|
- ---------------------------------------------------------------------------
|
|
|
|
If you believe that your system has been compromised, contact CERT/CC via
|
|
telephone or e-mail.
|
|
|
|
Computer Emergency Response Team/Coordination Center (CERT/CC)
|
|
Software Engineering Institute
|
|
Carnegie Mellon University
|
|
Pittsburgh, PA 15213-3890
|
|
|
|
Internet E-mail: cert@cert.org
|
|
Telephone: 412-268-7090 24-hour hotline:
|
|
CERT/CC personnel answer 7:30a.m.-6:00p.m. EST,
|
|
on call for emergencies during other hours.
|
|
|
|
Past advisories and other computer security related information are available
|
|
for anonymous ftp from the cert.org (192.88.209.5) system.
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.2
|
|
|
|
iQCVAwUBMaMwrXVP+x0t4w7BAQGYzAP9F7+RPH7v/dQ0axiGySLPMcROsu+EZadS
|
|
3dGxIqVDEs0CzgLPw/seuTXfDhqhY8JwUX+dfga3DMS933RBIgbQ4Ebb0IQcxHF3
|
|
v1k5acQNNLZbFsSUIcMOI4f4wlfwQWftXt8jdsuY3m5+VQqDTdwWKYwU4501mUWP
|
|
YjlqM2msamM=
|
|
=0QmH
|
|
-----END PGP SIGNATURE-----
|
|
|