Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: ciacb19.txt

Vulnerability in Unix System V on 386/486 Platforms






        _____________________________________________________

             The Computer Incident Advisory Capability

                         ___  __ __    _     ___

                        /       |     / \   /

                        \___  __|__  /___\  \___

        _____________________________________________________

                         Information Bulletin



         Vulnerability in UNIX System V on 386/486 Platforms

                                   

     Critical UNIX System V on 386/486  Vulnerability Information

--------------------------------------------------------------------------

PROBLEM:   UNIX System V security problem on 386/486 platforms (UAREA bug).

PLATFORM: UNIX System V for the Intel 80386/80486 based computers.

DAMAGE:   Allows privileged access to files by non-privileged users.

SOLUTIONS: Patch/update available from various vendors.

IMPACT OF PATCH:  Vulnerability eliminated.  No other side-effects reported.

--------------------------------------------------------------------------

March 21, 1991, 1200 PST                                Number B-19



CIAC has learned of a vulnerability that allows privileged access to

files on some versions of UNIX System V running on an Intel

80386/80486 based computer. This problem known as the UAREA bug, has

been corrected by AT&T.  Most vendors of UNIX System V based on the

AT&T software have recently released patches specifically designed for

their products.  This bulletin provides a partial list of vendors that

are providing patches for this problem, as well as vendors whose

product never had the vulnerability in a specified release.



The following vulnerability matrix table lists each of vendor/version

combination for which CIAC has received information.  For each vendor,

the listed versions were tested for this vulnerability, and a patch

was developed for those versions found to be vulnerable.  If the

vendor/version combination does not exhibit the vulnerability,

"No" appears in the third column.



 Vendor                    Version       Exhibits vulnerability

 ------------------------  ---------     ---------------------

 Dell                      SVR3.2/1.0.6  Yes - patch available

 Dell                      SVR3.2/1.1    No

 Dell                      SVR4.0/2.0    No

 Interactive               2.0.2         Yes - patch available

 Interactive               2.2           Yes - patch available

 Interactive               2.2.1         Yes - patch available

 Everex (ESIX)             Rev. D        Yes - patch available

 AT&T                      SVR3.2.0      Yes - patch available

 AT&T                      SVR3.2.1      No

 SCO                       all versions  No

 Microport                 2.2           No



Most vendors are aware of this bug, and have taken steps to correct

the problem.  If your vendor/version of UNIX is not listed, or is

listed as one of those that exhibits the vulnerability, you should

contact your UNIX System V vendor for the patch.





 For additional information or assistance, please contact CIAC:   

 

        Hal Brand

        (415) 422-6312 or (FTS) 532-6312



        During working hours call CIAC at (415) 422-8193 or (FTS)

532-8193 or send e-mail to ciac@cheetah.llnl.gov.

    

        Send FAX messages to:  (415) 423-0913 or (FTS) 543-0913



This document was prepared as an account of work sponsored by an

agency of the United States Government. Neither the United States

Government nor the University of California nor any of their

employees, makes any warranty, express or implied, or assumes any

legal liability or responsibility for the accuracy, completeness, or

usefulness of any information, apparatus, product, or process

disclosed, or represents that its use would not infringe privately

owned rights. Reference herein to any specific commercial products,

process, or service by trade name, trademark, manufacturer, or

otherwise, does not necessarily constitute or imply its endorsement,

recommendation or favoring by the United States Government or the

University of California. The views and opinions of authors expressed

herein do not necessarily state or reflect those of the United States

Government or the University of California, and shall not be used for

advertising or product endorsement purposes.







TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH