101 lines
4.3 KiB
Plaintext
101 lines
4.3 KiB
Plaintext
|
|
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
===========================================================================
|
|
CA-93:11 CERT Advisory
|
|
August 9, 1993
|
|
UMN UNIX gopher and gopher+ Vulnerabilities
|
|
|
|
- ---------------------------------------------------------------------------
|
|
The CERT Coordination Center has received information concerning
|
|
vulnerabilities in versions of the UMN UNIX gopher and gopher+ server and
|
|
client available before August 6, 1993. Vulnerable versions were available on
|
|
boombox.micro.umn.edu:/pub/gopher/Unix/gopher1.12s.tar.Z,
|
|
boombox.micro.umn.edu:/pub/gopher/Unix/gopher2.03.tar.Z, and many other
|
|
anonymous FTP sites mirroring these software versions.
|
|
|
|
We strongly recommend that any site using versions of UMN UNIX gopher
|
|
and gopher+ dated prior to August 6, 1993 (including version 1.12, 1.12s,
|
|
2.0+, 2.03, and all earlier versions) immediately take corrective action.
|
|
|
|
If you have further questions regarding UMN UNIX gopher or gopher+ software,
|
|
send e-mail to: gopher@boombox.micro.umn.edu
|
|
- ---------------------------------------------------------------------------
|
|
|
|
I. Description
|
|
|
|
Several vulnerabilities have been identified in UMN UNIX gopher and
|
|
gopher+ when configured as a server or public access client.
|
|
|
|
Intruders are known to have exploited these vulnerabilities to obtain
|
|
password files. Other actions may also have been taken by intruders
|
|
exploiting these vulnerabilities. CERT has already contacted those
|
|
sites currently known to have been victims of these activities. However,
|
|
sites may want to check for weak passwords, or consider changing
|
|
passwords, after installing the new gopher software.
|
|
|
|
II. Impact
|
|
|
|
Anyone (remote or local) can potentially gain unrestricted access
|
|
to the account running the public access client, thereby permitting
|
|
them to read any files accessible to this account (possibly including
|
|
/etc/passwd or other sensitive files).
|
|
|
|
In certain configurations, anyone (remote or local) can potentially
|
|
gain access to any account, including root, on a host configured as a
|
|
server running gopherd.
|
|
|
|
III. Solution
|
|
|
|
Affected sites should consider disabling gopherd service and public gopher
|
|
logins until they have installed the new software.
|
|
|
|
New versions of the UMN UNIX gopher and gopher+ software have been
|
|
released that provide bug fixes and correct these security problems.
|
|
Sites can obtain these new versions via anonymous FTP from
|
|
boombox.micro.umn.edu (134.84.132.2). The files are located in:
|
|
|
|
Filename Size Checksum
|
|
-------- ------ -----------
|
|
Gopher:
|
|
/pub/gopher/Unix/gopher1.12S.tar.Z 306872 46311 300
|
|
Gopher+:
|
|
/pub/gopher/Unix/gopher2.04.tar.Z 294872 29411 288
|
|
|
|
- ---------------------------------------------------------------------------
|
|
The CERT Coordination Center wishes to thank Matt Schroth, Williams College,
|
|
and others for informing us of these vulnerabilities. We would also like to
|
|
thank Paul Lindner, University of Minnesota, for his quick response to these
|
|
problems.
|
|
- ---------------------------------------------------------------------------
|
|
|
|
If you believe that your system has been compromised, contact the CERT
|
|
Coordination Center or your representative in FIRST (Forum of Incident
|
|
Response and Security Teams).
|
|
|
|
Internet E-mail: cert@cert.org
|
|
Telephone: 412-268-7090 (24-hour hotline)
|
|
CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
|
|
and are on call for emergencies during other hours.
|
|
|
|
CERT Coordination Center
|
|
Software Engineering Institute
|
|
Carnegie Mellon University
|
|
Pittsburgh, PA 15213-3890
|
|
|
|
Past advisories, information about FIRST representatives, and other information
|
|
related to computer security are available for anonymous FTP from cert.org
|
|
(192.88.209.5).
|
|
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.2
|
|
|
|
iQCVAwUBMaMxPHVP+x0t4w7BAQEZNAP+JcOnkiuQbykZPPPvbSfsloezpGgmEVFL
|
|
kxEuo13HHCfwoHotvctsvU+UmEB9QAmrMRYdLpa995zvJ5++hMR7tCcIpmdNtWw1
|
|
y8kq+6E+pNnDDb2N1Y2Smdhdcj18/nzd6NWpjJTZVtKPMSWDmM8ximxRysO0351i
|
|
L/Qg89cABcQ=
|
|
=bN5u
|
|
-----END PGP SIGNATURE-----
|
|
|