|
|
Home : Advisories : Linux Security FAQ Update
| Title: |
Linux Security FAQ Update |
| Released by: |
|
| Date: |
24th October 1996 |
| Printable version: |
Click here |
- -----BEGIN PGP SIGNED MESSAGE-----
$Id: mount-umount,v 1.5 1996/10/24 21:17:29 alex Exp $
Linux Security FAQ Update
mount/umount Vulnerability v1.5
Thu Oct 24 17:15:10 EDT 1996
Copyright (C) 1995,1996 Alexander O. Yuriev (alex@bach.cis.temple.edu)
CIS Laboratories
TEMPLE UNIVERSITY
U.S.A.
=============================================================================
This is an official Update of the Linux Security FAQ, and it is supposed to
be signed by one of the following PGP keys:
pub 1024/9ED505C5 1995/12/06 Jeffrey A. Uphoff
Jeffrey A. Uphoff
1024/EFE347AD 1995/02/17 Olaf Kirch
1024/ADF3EE95 1995/06/08 Linux Security FAQ Primary Key
Unless you are able to verify at least one of signatures, please be very
careful when following instructions.
Linux Security WWW: http://bach.cis.temple.edu/linux/linux-security
linux-security & linux-alert mailing list archives:
http://linux.nrao.edu/pub/linux/security/list-archive
=============================================================================
LOG ( This section is maintained by Revision Control System )
$Log: mount-umount,v $
Revision 1.5 1996/10/24 21:17:29 alex
Tarsier's URL fixed
Revision 1.4 1996/10/24 00:32:42 alex
Red Hat URLs updated per CERT's request
ABSTRACT
This update fixes several URLs of the Linux Security FAQ Update#13
"mount/umount vulnerability" dated Tue Sep Wed Oct 23 20:09:59 EDT
1996. There are no major updates to the text of the document.
A vulnerability exists in the mount/umount programs of the
util-linux 2.5 package. If installed suid-to-root, these programs
allow local users to gain super-user privileges.
RISK ASSESSMENT
Local users can gain root privileges. The exploits that exercise
this vulnerability were made available.
VULNERABILITY ANALYSIS
mount/umount utilities from the util-linux 2.5 suffer from the
buffer overrun problem. Installing mount/umount as suid-to-root
programs is necessary to allow local users to mount and unmount
removable media without having super-user privileges. If this
feature is not required, it is recommended that suid bit is removed
from both mount and umount programs. If this feature is required,
one might want to consider the other ways of implementing it. Such
approaches include but are not limited to using auto-mounter or sudo
mechanism.
DISTRIBUTION FIXES
Red Hat Commercial Linux
RedHat 2.1, RedHat 3.0.3 (Picasso) and RedHat 3.0.4
(Rembrandt) contain vulnerable umount utilities.
Red Hat Software advises users of Red Hat 2.1 to
upgrade to Red Hat 3.0.3 (Picasso)
The replacement RPMs are available from the
following URLs:
Red Hat Linux 3.0.3 (Picasso) i386 architecture
http://ftp.redhat.com/pub/redhat/old-releases/redhat-3.0.3/i386/updates/RPMS/util-linux-2.5-11fix.i386.rpm
http://ftp.redhat.com/pub/redhat/old-releases/redhat-3.0.3/i386/updates/RPMS/mount-2.5k-1.i386.rpm
http://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/util-linux-2.5-11fix.i386.rpm
http://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-1.i386.rpm
http://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/RedHat/util-linux-2.5-11fix.i386.rpm
http://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-1.i386.rpm
RedHat Linux 3.0.3 (Picasso) Alpha architecture
http://ftp.redhat.com/pub/redhat/old-releases/redhat-3.0.3/axp/updates/RPMS/util-linux-2.5-11fix.axp.rpm
http://ftp.redhat.com/pub/redhat/old-releases/redhat-3.0.3/axp/updates/RPMS/mount-2.5k-1.axp.rpm
http://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/util-linux-2.5-11fix.axp.rpm
http://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-1.axp.rpm
http://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/RedHat/util-linux-2.5-11fix.axp.rpm
http://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-1.axp.rpm
RedHat Linux 3.0.4 Beta (Rembrandt) i386 architecture
http://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-2.i386.rpm
http://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-2.i386.rpm
RedHat Linux 3.0.4 Beta (Rembrandt) SPARC architecture
http://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-2.sparc.rpm
http://tarsier.cv.nrao.edu/pub/Linux/security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-2.sparc.rpm
Please verify the MD5 fingerprint of the RPMs
prior to installing them.
ad9b0628b6af9957d7b5eb720bbe632b mount-2.5k-1.axp.rpm
12cb19ec4b3060f8d1cedff77bda7c05 util-linux-2.5-11fix.axp.rpm
26506a3c0066b8954d80deff152e0229 mount-2.5k-1.i386.rpm
f48c6bf901dd5d2c476657d6b75b12a5 util-linux-2.5-11fix.i386.rpm
7337f8796318f3b13f2dccb4a8f10b1a mount-2.5k-2.i386.rpm
e68ff642a7536f3be4da83eedc14dd76 mount-2.5k-2.sparc.rpm
The Red Hat Software Inc notes that the only
difference between mount-2.5k-1 and mount-2.5k-2 is
in the packaging format.
Please note that due to the release of Red Hat 4.0,
the FTP site of Red Hat Software removed fixes for
a beta release of Rembrandt.
Caldera Network Desktop
Caldera Network Desktop version 1.0 contains
vulnerable mount and umount programs.
Caldera Inc issued Caldera Security Advisory 96.04
where it recommends removing setuid bit from
mount and umount commands using command
chmod 755 /bin/mount /bin/umount.
Users of Caldera Network Desktop 1.0 upgraded to
RedHat 3.0.3 (Picasso) are advised to follow the
instructions in the Red Hat Commercial Linux section
of this LSF Update.
Debian
Debian/GNU Linux 1.1 contains the vulnerable
mount/umount programs. The Debian Project provided
the information that an updated package fixes this
problem.
The fix-kit can be obtained from the following URLs:
http://ftp.debian.org/debian/stable/binary-i386/base/mount_2.5l-1.deb
http://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/Debian/mount_2.5l-1.deb
http://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/Debian/mount_2.5l-1.deb
Please verify the MD5 signature of the RPM prior
to installing the fix-kit
6672530030f9a6c42451ace74c7510ca mount_2.5l-1.deb
WARNING: The message that contained information
about MD5 hash of the mount_2.5l-1.deb package was
not signed. We were unable to verify the integrity
of the message.
Slackware
There is no official information available about
vulnerability of Slackware 3.0 or Slackware 3.1
distributions from distribution maintainer.
The testing indicates that both Slackware 3.0 and
Slackware 3.1 distributions contains the vulnerable
mount and umount programs.
Until the official fix-kit for Slackware 3.0 and 3.1
becomes available system administrators are advised
to follow the instructions in the Other Linux
Distributions section of this LSF Update
Yggdrasil
Yggdrasil Computing Inc neither confirmed not denied
vulnerability of Plug and Play Fall'95 Linux.
The testing indicates that Plug and Play Fall'95
Linux distribution contains the vulnerable mount
and umount program.
Until the official fix-kit for Yggdrasil Plug and
Play Linux becomes available system administrators
are advised to follow the instructions in the Other
Linux Distributions section of this LSF Update
Other Linux Distributions
It is believed at this moment that all Linux
distributions using util-linux version 2.5 or prior
to that contain the vulnerable mount and umount
programs.
Administrators of systems based on distributions
not listed in this LSF Update or distributions that
do not have fix-kits available at the moment are
urged to contact their support centers requesting
the fix-kits to be made available to them.
In order to prevent the vulnerability from being
exploited in the mean time, it is recommended that
the suid bit is removed from mount and umount
programs using command
chmod u-s /bin/mount /bin/umount
Until the official fix-kits are available for those
systems, it is advised that system administrators
obtain the source code of fixed mount program used
in Debian/GNU Linux 1.1, compile it and replace the
vulnerable binaries.
The URLs for the source code of the Debian/GNU Linux
1.1 package which fixes the security problem of
mount utility can be obtained from the following
URLs:
http://ftp.debian.org/debian/stable/source/base/mount_2.5l-1.tar.gz
http://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/OTHER/mount_2.5l-1.tar.gz
http://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/OTHER/mount_2.5l-1.tar.gz
Warning: We did not receive MD5 hash of the
mount_2.5l-1.tar.gz file.
CREDITS
This LSF Update is based on the information originally posted to
linux-alert. The information on the fix-kit for Red Hat commercial
Linux was provided by Elliot Lee (sopwith@redhat.com) of Red Hat
Software Inc,; for the Caldera Network Desktop by Ron Holt of
Caldera Inc.; for Debian/GNU Linux 1.1 by Guy Maor
(maor@ece.utexas.edu)
- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMm/dIIxFUz2t8+6VAQFAawP+PmYCYpOcX+bnG9Sh37Iq0mWHlPDaOzjB
dPAr6kcAuP60jHd9jIwYKiTiGsWrr5h7L8G8+CrD8BjHBF2RCwII9q/KlWukk96v
3Mb0eJUoxf4xqDYXPqcsl54/xe8s3q0+JcKvQf2UKvHhEYshp+Z6oY2Eg3I7w85m
oPLjd/SidQE=
=CrbU
- -----END PGP SIGNATURE-----
|
