TUCoPS :: Unix :: General :: ciacb037.txt

Rutil Databases 

From longstaf Mon Aug 26 10:18:37 1991
Return-Path: <longstaf>
Received: by  (4.1/SMI-4.1)
	id AA03143; Mon, 26 Aug 91 10:17:13 PDT
Date: Mon, 26 Aug 91 10:17:13 PDT
From: longstaf (Tom Longstaff)
Message-Id: <9108261717.AA03143@>
To: external
Cc: cert@cert.sei.cmu.edu, first-reps@nist.gov, ciac
Subject: CIAC Bulletin B-37: Security Problem with UNIX Trusted System Files
Status: RO

         _____________________________________________________
	      The Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     / \   /
                         \___  __|__  /___\  \___
         _____________________________________________________
                          Information Bulletin

       Security Problems with /etc/hosts.equiv, /etc/hosts.lpd,
		  and .rhosts files on UNIX Systems
				   
August 26, 1991, 1000 PDT	 				Number B-37
				   
				   
Critical Facts about the Security Problem with UNIX Trusted System Files
-------------------------------------------------------------------------------
PROBLEM:  Some configurations of files providing trusted access to the host 
	including the /etc/hosts.equiv, /etc/hosts.lpd, and .rhosts files may 
	allow unauthorized access to the system.
PLATFORM:  Many UNIX-based operating systems and platforms including System V 
	and BSD based UNIX systems.
DAMAGE:    Potentially severe due to unauthorized access to the system.
SOLUTIONS:  Assure that a character other than '-' is the first character of 
	these files.
-------------------------------------------------------------------------------

CIAC has learned of a security problem with files supporting the
trusted access on many UNIX-based computers.  If your system uses the
/etc/hosts.equiv, /etc/hosts.lpd, or .rhosts files (in each user's
home directory) for trusted access from other systems, your system may
be vulnerable to unauthorized access.  This information has recently
been posted to a large mailing list and news group on the Internet, so
it is important that you check your systems for this vulnerability.

To assure that your system does not contain this vulnerability, check
for a '-' sign as the first character of any file providing trusted
access to the system.  These trusted access files include
/etc/hosts.equiv , /etc/hosts.lpd, and each user's .rhosts file.  Any
files containing a '-' as the first character should be rearranged
(using a file editor such as 'vi') so that some other entry (without a
'-' as the first character) is listed as the first entry of the file.
If all entries in one of these files contain a '-' as the first
character, the file should be removed.

The use of these trusted access files allows access to the system
without authentication, and for security reasons, these trusted access
files should be removed if not absolutely required.  In addition, as
mentioned in CIAC Bulletin A-1, the inclusion of a '+' sign alone on a
line in any of these files will allow trusted access from *any* system
that may connect to the machine.  Also note that users may modify
their local .rhosts file so as to re-introduce this vulnerability at a
later time.  CIAC recommends that any system that allows the use of
individual .rhosts files inform users of these problems and
periodically check to assure that these vulnerabilities have not been
re-introduced in an individual's .rhosts file.

CIAC has prepared a shell script that may assist system managers in
finding files containing this vulnerability on SunOS and some BSD
based platforms.  For details on obtaining this tool, please send
electronic mail to CIAC.

For additional information or assistance, please contact CIAC:

	Tom Longstaff
	(415) 423-4416 or send e-mail to longstaf@llnl.gov
 
During working hours call CIAC at (415) 422-8193 or (FTS) 532-8193 or
send e-mail to ciac@llnl.gov.
 
The assistance of the Computer Emergency Response Team/Coordination
Center (CERT/CC) and Sun Microsystems in drafting this bulletin is
gratefully acknowledged.  This document was prepared as an account of
work sponsored by an agency of the United States Government. Neither
the United States Government nor the University of California nor any
of their employees, makes any warranty, express or implied, or assumes
any legal liability or responsibility for the accuracy, completeness,
or usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH