
CERT Vendor-Initiated Bulletin VB-96.17 - Linux Security FAQ Update



For those of you concerned by such things....

Steve Casmar


=============================================================================
CERT(sm) Vendor-Initiated Bulletin VB-96.17
October 29, 1996

Topic: Linux Security FAQ Update  
Source: Alexander O. Yuriev

To aid in the wide distribution of essential security information, the CERT
Coordination Center is forwarding the following information from Alexander
Yuriev. He urges you to act on this information as soon as possible. His
contact information is included in the forwarded text below; please contact
him if you have any questions or need further information.


=======================FORWARDED TEXT STARTS HERE============================


$Id: mount-umount,v 1.5 1996/10/24 21:17:29 alex Exp $

                          Linux Security FAQ Update
                       mount/umount Vulnerability v1.5
                        Thu Oct 24 17:15:10 EDT 1996
   Copyright (C) 1995,1996 Alexander O. Yuriev (alex@example.com)
                              CIS Laboratories
                             TEMPLE  UNIVERSITY
                                   U.S.A.

=============================================================================
 This is an official Update of the Linux Security FAQ, and it is supposed to
                be signed by one of the following PGP keys:

        
     pub  1024/9ED505C5 1995/12/06 Jeffrey A. Uphoff <juphoff@example.com>
                                   Jeffrey A. Uphoff <jeff.uphoff@example.com>
     pub  1024/EFE347AD 1995/02/17 Olaf Kirch <okir@example.com>
     pub  1024/ADF3EE95 1995/06/08 Linux Security FAQ Primary Key <Alexander O. Yuriev>

    Unless you are able to verify at least one of the signatures, please be
                    very careful when following instructions.

   Linux Security WWW: http://bach.cis.temple.edu/linux/linux-security

             linux-security & linux-alert mailing list archives:
        
            ftp://linux.nrao.edu/pub/linux/security/list-archive

 =============================================================================

LOG (this section is maintained by the Revision Control System)

$Log: mount-umount,v $
Revision 1.5  1996/10/24 21:17:29  alex
Tarsier's URL fixed

Revision 1.4  1996/10/24 00:32:42  alex
Red Hat URLs updated per CERT's request


ABSTRACT

        
        This update fixes several URLs of the Linux Security FAQ Update #13
        "mount/umount vulnerability" dated Wed Oct 23 20:09:59 EDT 1996.
        There are no major updates to the text of the document.
        
        A vulnerability exists in the mount/umount programs of the
        util-linux 2.5 package. If installed suid-to-root, these programs
        allow local users to gain super-user privileges.

RISK ASSESSMENT

        Local users can gain root privileges. Exploits that exercise this
        vulnerability have been made available.

VULNERABILITY ANALYSIS

        The mount/umount utilities from util-linux 2.5 suffer from a
        buffer overrun. Installing mount/umount as suid-to-root programs
        is necessary to allow local users to mount and unmount removable
        media without having super-user privileges. If this feature is
        not required, it is recommended that the suid bit be removed from
        both the mount and umount programs. If this feature is required,
        consider other ways of implementing it; such approaches include,
        but are not limited to, using an automounter or the sudo
        mechanism.

DISTRIBUTION FIXES

                Red Hat Commercial Linux

                        RedHat 2.1, RedHat 3.0.3 (Picasso) and RedHat 3.0.4
                        (Rembrandt) contain vulnerable umount utilities.

                        Red Hat Software advises users of Red Hat 2.1 to
                        upgrade to Red Hat 3.0.3 (Picasso).

                        The replacement RPMs are available from the
                        following URLs:

                        Red Hat Linux 3.0.3 (Picasso) i386 architecture

ftp://ftp.redhat.com/pub/redhat/old-releases/redhat-3.0.3/i386/updates/RPMS/util-linux-2.5-11fix.i386.rpm
ftp://ftp.redhat.com/pub/redhat/old-releases/redhat-3.0.3/i386/updates/RPMS/mount-2.5k-1.i386.rpm

ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/util-linux-2.5-11fix.i386.rpm
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-1.i386.rpm

ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/RedHat/util-linux-2.5-11fix.i386.rpm
ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-1.i386.rpm

                        RedHat Linux 3.0.3 (Picasso) Alpha architecture

ftp://ftp.redhat.com/pub/redhat/old-releases/redhat-3.0.3/axp/updates/RPMS/util-linux-2.5-11fix.axp.rpm
ftp://ftp.redhat.com/pub/redhat/old-releases/redhat-3.0.3/axp/updates/RPMS/mount-2.5k-1.axp.rpm

ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/util-linux-2.5-11fix.axp.rpm
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-1.axp.rpm

ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/RedHat/util-linux-2.5-11fix.axp.rpm
ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-1.axp.rpm

                        RedHat Linux 3.0.4 Beta (Rembrandt) i386 architecture 

ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-2.i386.rpm
ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-2.i386.rpm

                        RedHat Linux 3.0.4 Beta (Rembrandt) SPARC architecture 

ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-2.sparc.rpm
ftp://tarsier.cv.nrao.edu/pub/Linux/security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-2.sparc.rpm

                        Please verify the MD5 fingerprint of the RPMs
                        prior to installing them.

ad9b0628b6af9957d7b5eb720bbe632b  mount-2.5k-1.axp.rpm
12cb19ec4b3060f8d1cedff77bda7c05  util-linux-2.5-11fix.axp.rpm

26506a3c0066b8954d80deff152e0229  mount-2.5k-1.i386.rpm
f48c6bf901dd5d2c476657d6b75b12a5  util-linux-2.5-11fix.i386.rpm

7337f8796318f3b13f2dccb4a8f10b1a  mount-2.5k-2.i386.rpm
e68ff642a7536f3be4da83eedc14dd76  mount-2.5k-2.sparc.rpm

                        Red Hat Software Inc. notes that the only
                        difference between mount-2.5k-1 and mount-2.5k-2 is
                        in the packaging format.

                        Please note that, due to the release of Red Hat 4.0,
                        the Red Hat Software FTP site has removed the fixes
                        for the Rembrandt beta release.

                Caldera Network Desktop 

                        Caldera Network Desktop version 1.0 contains
                        vulnerable mount and umount programs.

                        Caldera Inc. issued Caldera Security Advisory 96.04,
                        which recommends removing the setuid bit from the
                        mount and umount commands using the command

                                chmod 755 /bin/mount /bin/umount

                        Users of Caldera Network Desktop 1.0 who have
                        upgraded to RedHat 3.0.3 (Picasso) are advised to
                        follow the instructions in the Red Hat Commercial
                        Linux section of this LSF Update.

                Debian

                        Debian/GNU Linux 1.1 contains the vulnerable
                        mount/umount programs. The Debian Project provided
                        the information that an updated package fixes this
                        problem.

                        The fix-kit can be obtained from the following URLs:

ftp://ftp.debian.org/debian/stable/binary-i386/base/mount_2.5l-1.deb
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/Debian/mount_2.5l-1.deb
ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/Debian/mount_2.5l-1.deb

                        Please verify the MD5 hash of the package prior to
                        installing the fix-kit:

                        6672530030f9a6c42451ace74c7510ca  mount_2.5l-1.deb

                        WARNING: The message that contained the MD5 hash
                        of the mount_2.5l-1.deb package was not signed. We
                        were unable to verify the integrity of the message.

                Slackware
        
                        No official information about the vulnerability
                        of the Slackware 3.0 or Slackware 3.1
                        distributions is available from the distribution
                        maintainer.

                        Testing indicates that both the Slackware 3.0 and
                        Slackware 3.1 distributions contain the vulnerable
                        mount and umount programs.

                        Until an official fix-kit for Slackware 3.0 and 3.1
                        becomes available, system administrators are
                        advised to follow the instructions in the Other
                        Linux Distributions section of this LSF Update.

                Yggdrasil

                        Yggdrasil Computing Inc. has neither confirmed nor
                        denied the vulnerability of Plug and Play Fall'95
                        Linux.

                        Testing indicates that the Plug and Play Fall'95
                        Linux distribution contains the vulnerable mount
                        and umount programs.

                        Until an official fix-kit for Yggdrasil Plug and
                        Play Linux becomes available, system administrators
                        are advised to follow the instructions in the Other
                        Linux Distributions section of this LSF Update.

                Other Linux Distributions

                        It is believed at this moment that all Linux
                        distributions using util-linux version 2.5 or
                        earlier contain the vulnerable mount and umount
                        programs.

                        Administrators of systems based on distributions
                        not listed in this LSF Update, or on distributions
                        that do not have fix-kits available at the moment,
                        are urged to contact their support centers and
                        request that fix-kits be made available to them.

                        In order to prevent the vulnerability from being
                        exploited in the meantime, it is recommended that
                        the suid bit be removed from the mount and umount
                        programs using the command

                                chmod u-s /bin/mount /bin/umount

                        Until official fix-kits are available for those
                        systems, system administrators are advised to
                        obtain the source code of the fixed mount program
                        used in Debian/GNU Linux 1.1, compile it, and
                        replace the vulnerable binaries.

                        The source code of the Debian/GNU Linux 1.1
                        package which fixes the security problem of the
                        mount utility can be obtained from the following
                        URLs:

ftp://ftp.debian.org/debian/stable/source/base/mount_2.5l-1.tar.gz
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/OTHER/mount_2.5l-1.tar.gz
ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/OTHER/mount_2.5l-1.tar.gz

                        Warning: We did not receive an MD5 hash of the
                        mount_2.5l-1.tar.gz file.
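The checks that the distribution sections above ask an administrator to carry out by hand can be scripted. The following POSIX shell functions are an added helper, not part of the LSF Update or of any distribution's fix-kit: they report whether mount/umount are still installed setuid, apply the chmod u-s interim mitigation, and compare a downloaded fix-kit against the MD5 fingerprint published with it before it is installed. They assume GNU stat and md5sum; the paths and expected hashes are supplied by the caller.

```shell
#!/bin/sh
# Added audit helper (not part of the LSF Update or any distribution's
# fix-kit). Assumes GNU stat and md5sum. Paths and hashes are passed in by
# the caller; the advisory's stock locations are /bin/mount and /bin/umount.

# is_setuid FILE: succeed if FILE carries the setuid bit (octal mode 4xxx).
is_setuid() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    # stat prints the mode in octal (e.g. 4755); mask out the setuid bit.
    [ $(( 0$mode & 04000 )) -ne 0 ]
}

# audit_suid_mount FILE...: list every existing FILE still installed setuid.
# Returns 0 when none is setuid (mitigation already in place), 1 otherwise.
audit_suid_mount() {
    found=0
    for f in "$@"; do
        [ -e "$f" ] || continue
        if is_setuid "$f"; then
            echo "setuid bit set: $f (owner $(stat -c '%U' "$f"))"
            found=1
        fi
    done
    return $found
}

# drop_suid FILE...: the advisory's interim mitigation, chmod u-s.
drop_suid() {
    chmod u-s "$@"
}

# verify_md5 FILE EXPECTED: succeed only if FILE's MD5 equals EXPECTED, the
# fingerprint published with the fix-kit (e.g. the one listed above for
# mount_2.5l-1.deb). A missing file yields an empty digest and fails.
verify_md5() {
    actual=$(md5sum "$1" 2>/dev/null | cut -d ' ' -f 1) || return 1
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Example invocation, commented out so that sourcing this file has no side
# effects on the running system:
#   audit_suid_mount /bin/mount /bin/umount || drop_suid /bin/mount /bin/umount
#   verify_md5 mount_2.5l-1.deb 6672530030f9a6c42451ace74c7510ca || exit 1
```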

CREDITS

        This LSF Update is based on information originally posted to
        linux-alert. The information on the fix-kit for Red Hat Commercial
        Linux was provided by Elliot Lee (sopwith@example.com) of Red Hat
        Software Inc.; for the Caldera Network Desktop by Ron Holt of
        Caldera Inc.; and for Debian/GNU Linux 1.1 by Guy Maor
        (maor@example.com).




========================FORWARDED TEXT ENDS HERE=============================

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (FIRST).  

We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact 
the CERT staff for more information.

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key


CERT Contact Information
------------------------
Email    cert@example.com

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

CERT publications, information about FIRST representatives, and other
security-related information are available from
        http://www.cert.org/
        ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request@example.com


CERT is a service mark of Carnegie Mellon University.

This file: ftp://info.cert.org/pub/cert_bulletins/VB-96.17.linux
