[ SOURCE: http://www.secureroot.com/security/advisories/9640254807.html ] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== CA-91:17 Last Revised: September 18,1997 Attached copyright statement CERT Advisory September 26, 1991 DECnet-Internet Gateway Vulnerability - --------------------------------------------------------------------------- The Computer Emergency Response Team/Coordination Center (CERT/CC) has received information concerning a vulnerability in the configuration of the DECnet-Internet gateway software for Digital Equipment Corporation's (DEC) ULTRIX versions 4.0, 4.1, and 4.2 on all Digital architectures. Digital Equipment Corporation is aware of this problem and a resolution for this vulnerability will be included in a future release. Digital and the CERT/CC strongly recommend that sites exposed to this vulnerability immediately institute the workaround detailed in this advisory. - --------------------------------------------------------------------------- I. Description When installing the DECnet-Internet gateway software it is necessary to create a guest account on the ULTRIX gateway host. By default, this account has /bin/csh as its shell. By virtue of the guest account having a valid shell, the DECnet-Internet gateway software can be exploited to allow unauthorized root access. II. Impact Anyone using the DECnet-Internet gateway can gain unauthorized root privileges on the ULTRIX gateway host. III. Solution This section describes a workaround for this vulnerability. Disable the guest account by editing the /etc/passwd file and setting the shell field for the guest account to /bin/false. Also, ensure the guest account has the string "NoLogin" in the password field as detailed in the DECnet-Internet installation manual. Even if you have not installed or are not running the DECnet- Internet gateway software, Digital recommends that you implement the workaround solution stated above. - --------------------------------------------------------------------------- The CERT/CC wishes to thank R. Scott Butler of the Du Pont Company for bringing this vulnerability to our attention and for his further assistance with the temporary workaround. - --------------------------------------------------------------------------- If you believe that your system has been compromised, contact CERT/CC via telephone or e-mail. Computer Emergency Response Team/Coordination Center (CERT/CC) Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Internet E-mail: cert@cert.org Telephone: 412-268-7090 24-hour hotline: CERT/CC personnel answer 7:30a.m.-6:00p.m. EST/EDT, on call for emergencies during other hours. Past advisories and other computer security related information are available for anonymous ftp from the cert.org (192.88.209.5) system. - ------------------------------------------------------------------------- Copyright 1991 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff . If you do not have FTP or web access, send mail to cert@cert.org with "copyright" in the subject line. CERT is registered in the U.S. Patent and Trademark Office. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Revision History September 18,1997 Attached Copyright Statement -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQA/AwUBOBS9XFr9kb5qlZHQEQIrbQCfbiGRc8rYEIdP6FR+s2B0a+1mBIQAn1fq meEwwrGxNZEv4EiXytRVF2Gc =8/2b -----END PGP SIGNATURE-----