LISTSERV 16.0 - MICHAEL-L Archives

Subscriber's Corner

Email Lists

MICHAEL-L Archives

MICHAEL-L@C7LSERV-DEV.NS.UTORONTO.CA

View:

Message:

[

First

Last

]

By Topic:

[

First

Last

]

By Author:

[

First

Last

]

Font:

Proportional Font

		LISTSERV Archives
		MICHAEL-L Home
		MICHAEL-L August 1996

Subject:

HP-UX 10.x security vulnerability in 'nettune'

From:

Mike Peterson <[log in to unmask]>

Date:

Fri, 9 Aug 1996 22:04:33 -0400

Content-Type:

text/plain

Parts/Attachments:

text/plain (124 lines)

Xref: utgpu comp.security.misc:31789
Path: utgpu!utcsri!rutgers!news.sgi.com!sdd.hp.com!hp-pcd!hpbs2500.boi.hp.com!hpax!secure
From: [log in to unmask] (Security Alert)
Newsgroups: comp.security.misc
Subject: Security Vulnerability in nettune executable
Date: 8 Aug 1996 21:36:10 GMT
Organization: Hewlett Packard Cupertino Site
Lines: 111
Message-ID: <[log in to unmask]>
NNTP-Posting-Host: hpcugsya.cup.hp.com
X-Newsreader: TIN [version 1.2 PL0.9]

-------------------------------------------------------------------------
HEWLETT-PACKARD SECURITY BULLETIN: HPSBUX9607-035, 22 July 1996
-------------------------------------------------------------------------

The information in the following Security Bulletin should be acted upon
as soon as possible.  Hewlett Packard will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.

-------------------------------------------------------------------------
PROBLEM:  Incorrect permissions on nettune executable

PLATFORM: HP 9000/700 and 9000/800 systems running operating system
          version 10.0 or 10.01 of HP-UX.  

DAMAGE:   The configuration of various networking parameters could be 
          modified by non-root users.

SOLUTION: Login as root user and issue the following commands:

          chmod 555 /usr/contrib/bin/nettune
          chown bin /usr/contrib/bin/nettune

AVAILABILITY: Not applicable

-------------------------------------------------------------------------

I.    Nettune 

   A. Background

      The nettune program is a utility program that allows non-root 
      users to examine and root users to modify several items that 
      affect networking.  The nettune binary that ships with HP-UX 
      10.0 and 10.01 has incorrect permission attributes that allow 
      non-root users to modify networking parameters which only root 
      users should be able to modify.  Operating systems released 
      after 10.01, such as HP-UX 10.10, correctly set the permissions
      on this program file and are therefore not vulnerable. 

   B. Fixing the problem

      The fix for this problem is to modify the owner and execution 
      permissions of the nettune binary itself.  This can easily be
      accomplished using the chown and chmod commands listed below.

   C. Recommended solution

      Login as root user and issue the following commands:

          chmod 555 /usr/contrib/bin/nettune
          chown bin /usr/contrib/bin/nettune

   D. To subscribe to automatically receive future NEW HP Security
      Bulletins from the HP SupportLine mail service via electronic
      mail, send an email message to:

      [log in to unmask]   (no Subject is required)

      Multiple instructions are allowed in the TEXT PORTION OF THE
      MESSAGE, here are some basic instructions you may want to use:

      To add your name to the subscription list for new security
      bulletins, send the following in the TEXT PORTION OF THE MESSAGE:

                  subscribe security_info

      To retrieve the index of all HP Security Bulletins issued to
      date, send the following in the TEXT PORTION OF THE MESSAGE:

                  send security_info_list

      To get a patch matrix of current HP-UX and BLS security
      patches referenced by either Security Bulletin or Platform/OS,
      put the following in the text portion of your message:

                  send hp-ux_patch_matrix

       World Wide Web service for browsing of bulletins
       is available via our URL:
       (http://us.external.hp.com)

       Choose "Support news", then under Support news,
       choose "Security Bulletins"

   E. To report new security vulnerabilities, send email to

          [log in to unmask]

      Please encrypt exploit information using the security-alert PGP
      key, available from your local key server, or by sending a
      message with a -subject- (not body) of 'get key' (no quotes) to
      [log in to unmask]

     Permission is granted for copying and circulating this Bulletin to
     Hewlett-Packard (HP) customers (or the Internet community) for the
     purpose of alerting them to problems, if and only if, the Bulletin
     is not edited or changed in any way, is attributed to HP, and 
     provided such reproduction and/or distribution is performed for 
     non-commercial purposes.

     Any other use of this information is prohibited. HP is not liable
     for any misuse of this information by any third party.

________________________________________________________________________

Top of Message | Previous Page | Permalink

Search Archives

Advanced Options

Options

		Log In
		Get Password

		Search Archives

		Subscribe or Unsubscribe