Software Engineering Institute

Notified:  August 14, 2001 Updated: October 08, 2001

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

    NO RESTRICTION FOR DISTRIBUTION
PROVIDED THE ADVISORY REMAINS INTACT

  TITLE: SSRT0767U Potential rpc.ttdbserverd buffer overflow

  CASE ID: SSRT0767U
 (X-REF: CVE CAN-2001-0717, x-force 02-oct-2001,
         CERT CA-2001-27)

  SOURCE:  Compaq Computer Corporation
          Software Security Response Team
   DATE:  02-Oct-2001

(c) Copyright 2001 Compaq Computer Corporation. All rights reserved.


  "Compaq is broadly distributing this Security Advisory in order
 to bring to the attention of users of Compaq products the
 important security information contained in this Advisory.
 Compaq recommends that all users determine the applicability of
 this information to their individual situations and take
 appropriate action.

  Compaq does not warrant that this information is necessarily
 accurate or complete for all user situations and, consequently,
 Compaq will not be responsible for any damages resulting from
 user's use or disregard of the information provided in this
 Advisory."

  Severity: low

   This potential security vulnerability has not been
  reproduced for any release of Compaq Tru64 Unix.
  However with the information available, we are providing
  a patch that will further reduce any potential
  vulnerability.

   A patch has been made available for all supported
  versions of Tru64/ DIGITAL UNIX V4.0f, V4.0g, V5.0a,
  V5.1, and V5.1a. To obtain a patch for prior versions
  contact your normal Compaq Services support channel.

   *This solution will be included in a future distributed
  release of Compaq's Tru64 / DIGITAL UNIX.


  The patches identified are available from the Compaq FTP site
 http://ftp1.support.compaq.com/public/dunix/ then choose the
 version directory needed and search for the patch by name.

  The patch names are:

     DUV40F17-C0056200-11703-ER-20010928.tar
    T64V40G17-C0007000-11704-ER-20010928.tar
    T64V50A17-C0015500-11705-ER-20010928.tar
    T64V5117-C0065200-11706-ER-20010928.tar
    T64V51Assb-C0000800-11707-ER-20010928.tar


  To subscribe to automatically receive future NEW Security
 Advisories from the Software Security Response Team at
 Compaq via electronic mail,

  Use your browser to get to the
 http://www.support.compaq.com/patches/mailing-list.shtml
 and sign up.   Select "Security and Individual Notices" for
 immediate dispatch notifications.

  To report a potential security vulnerability for Compaq
 products, send email to security-ssrt@compaq.com

  If you need further information, please contact your normal
 Compaq Services support channel.

  Compaq appreciates your cooperation and patience. As always,
 Compaq urges you to periodically review your system management
 and security procedures.  Compaq will continue to review and
 enhance the security features of its products and work
 with customers to maintain and improve the security and
 integrity of their systems.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBO78nlDnTu2ckvbFuEQKetQCg4wWYlBghvodt3FcggpMWzoYYQNIAoOBu
59ftYye4zJnazHWnZHQqEPBY
=JKbN
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Notified:  August 14, 2001 Updated: December 06, 2001

Status

Affected

Vendor Statement

Document ID:  HPSBUX0110-168

Date Loaded:  20011205
      Title:  Sec. Vulnerability in rpc.ttdbserverd (rev.3)

---------------------------------------------------------------
    HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #0168,
    Originally issued: 01 October '01
    **Revision 01**: 03 October '01
    **Revision 02**: 19 November '01
    **Revision 03**: 05 December '01
 ---------------------------------------------------------------

The information in the following Security Bulletin should be acted
upon as soon as possible.  Hewlett-Packard Company will not be
liable for any consequences to any customer resulting from customer's
failure to fully implement instructions in this Security Bulletin as
soon as possible.

 ---------------------------------------------------------------
PROBLEM:  Buffer overflow in rpc.ttdbserver

PLATFORM: HP9000 Series 700/800 running HP-UX releases 10.10,
          10.20, 10.24, 11.00, 11.04, and 11.11.

DAMAGE:   Unauthorized access, increased privileges.

SOLUTION: Install the appropriate patch:
                    10.10       PHSS_25136,
                    10.20       PHSS_25137,
                    10.24       PHSS_25419,
                    11.00       PHSS_25138,
                    11.04       PHSS_25420,
                    11.11       PHSS_25139.

MANUAL ACTIONS: none

AVAILABILITY:  All listed patches are available now.

CHANGE SUMMARY:  Rev.01 Updated patch information, deleted old
                        instructions.
                 Rev.02 Updated patch information again.
                 Rev.03 Updated instructions for disabling
                        rpc.ttdbserver
 ---------------------------------------------------------------
 A. Background
     A remotely exploitable buffer overflow in rpc.ttdbserver has
     been reported to HP.

 B. Fixing the problem

     Install the appropriate patch.  An alternative is to disable
     rpc.ttdbserver.  The rpc.ttdbserver process is not needed for
     the programs provided in HP's CDE product.  It may be needed
     by third party applications using ToolTalk.  If you are not
     using ToolTalk applications rpc.ttdbserver may be disabled.

**Rev.03**

     Edit /etc/inetd.conf and comment out the rpc.ttdbserver
     line as follows:

#rpc stream tcp swait root /usr/dt/bin/rpc.ttdbserver ...

     Restart inetd:

         /usr/sbin/inetd -c

     Kill any instances of rpc.ttdbserver that might be
     running.


 C. Recommended solution
    Install the appropriate patch:
                   10.10   PHSS_25136,
                   10.20   PHSS_25137,
                   10.24   PHSS_25419,
                   11.00   PHSS_25138,
                   11.04   PHSS_25420,
                   11.11   PHSS_25139.

 D. To subscribe to automatically receive future NEW HP Security
    Bulletins from the HP IT Resource Center via electronic
    mail, do the following:

    Use your browser to get to the HP IT Resource Center page
    at:

       http://itrc.hp.com

    Use the 'Login' tab at the left side of the screen to login
    using your ID and password.  Use your existing login or the
    "Register" button at the left to create a login, in order to
    gain access to many areas of the ITRC.  Remember to save the
    User ID assigned to you, and your password.

    In the left most frame select "Maintenance and Support".

    Under the "Notifications" section (near the bottom of
    the page), select "Support Information Digests".

    To -subscribe- to future HP Security Bulletins or other
    Technical Digests, click the check box (in the left column)
    for the appropriate digest and then click the "Update
    Subscriptions" button at the bottom of the page.

    or

    To -review- bulletins already released, select the link
    (in the middle column) for the appropriate digest.

    To -gain access- to the Security Patch Matrix, select
    the link for "The Security Bulletins Archive".  (near the
    bottom of the page)  Once in the archive the third link is
    to the current Security Patch Matrix. Updated daily, this
    matrix categorizes security patches by platform/OS release,
    and by bulletin topic.  Security Patch Check completely
    automates the process of reviewing the patch matrix for
    11.XX systems.

    For information on the Security Patch Check tool, see:
    http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/
    displayProductInfo.pl?productNumber=B6834AA"

    The security patch matrix is also available via anonymous
    ftp:

    ftp.itrc.hp.com:~ftp/export/patches/hp-ux_patch_matrix

    On the "Support Information Digest Main" page:
    click on the "HP Security Bulletin Archive".


 E. To report new security vulnerabilities, send email to

    security-alert@hp.com

    Please encrypt any exploit information using the
    security-alert PGP key, available from your local key
    server, or by sending a message with a -subject- (not body)
    of 'get key' (no quotes) to security-alert@hp.com.

    Permission is granted for copying and circulating this
    Bulletin to Hewlett-Packard (HP) customers (or the Internet
    community) for the purpose of alerting them to problems,
    if and only if, the Bulletin is not edited or changed in
    any way, is attributed to HP, and provided such reproduction
    and/or distribution is performed for non-commercial purposes.

    Any other use of this information is prohibited. HP is not
    liable for any misuse of this information by any third party.
 ________________________________________________________________
-----End of Document ID:  HPSBUX0110-168--------------------------------------

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Notified:  August 14, 2001 Updated: October 31, 2001

Status

Affected

Vendor Statement

[from IBM Security Advisory contained in: ftp://aix.software.ibm.com/aix/efixes/security/tooltalk_efix.tar.Z]

A. Official fix

IBM is working on the following fixes which will be available soon:

AIX 4.3:

Pending assignment - the Advisory copy in the efix download package will be updated as soon as the assignment is made. Also, the CERT Vulnerability Note will be updated and we will post a note to SecurityFocus BUGTRAQ. IBM's Managed Security Service will also distribute notification of when this happens.

AIX 5.1:

APAR #IY23846

The APARs for AIX 4.3 and 5.1 will not be available until late October - November 2001.

NOTE: Fix will not be provided for versions prior to 4.3 as these are no longer supported by IBM. Affected customers are urged to upgrade to 4.3.3 at the latest maintenance level, or to 5.1.

B. How to minimize the vulnerability

WORKAROUND

None, other than disabling the CDE Tooltalk RPC database server.

EMERGENCY FIX (efix):

Temporary fixes for AIX 4.3.x and 5.1 systems are available.

The temporary fixes can be downloaded via ftp from:



The name of the efix you want to download to close this vulnerability is tooltalk_efix.tar.Z.

The efix compressed tarball contains a copy of this Advisory and another tarfile, efix_binaries.tar. This latter tarfile will untar into two subdirectories, tooltalk_rpc_aix43_efix and tooltalk_rpc_aix51_efix, for AIX 4.3 and 5.1, respectively. Each subdirectory contains a patched rpc.ttdbserver and libtt.a binary, plus an INSTALL textfile that is a synopsis of the installation instructions given below. In the same directory level with the Advisory is a detached PGP signature file for the tarfile containing the fixes, efix_binaries.tar.asc.

These temporary fixes have not been fully regression tested; thus, IBM does not warrant the fully correct functioning of the efix. Customers install the efix and operate the modified version of AIX at their own risk.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See also:

http://www-1.ibm.com/services/continuity/recover1.nsf/MSS/MSS-OAR-E01-2001.425.1

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Notified:  August 14, 2001 Updated: November 14, 2001

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

________________________________________________________________________________
Sun Microsystems, Inc. Security Bulletin

Bulletin Number: #00212
Date: November 13, 2001
Cross-Ref: CERT Advisory CA-2001-27
Title: rpc.ttdbserverd
________________________________________________________________________________

The information contained in this Security Bulletin is provided "AS IS."
Sun makes no warranties of any kind whatsoever with respect to the information
contained in this Security Bulletin. ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY WARRANTY OF NON-INFRINGEMENT OR
IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE
HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW.

IN NO EVENT WILL SUN MICROSYSTEMS, INC. BE LIABLE FOR ANY LOST REVENUE,
PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL
OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY THEORY OF LIABILITY
ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN
THIS SECURITY BULLETIN, EVEN IF SUN MICROSYSTEMS, INC. HAS BEEN ADVISED OF
THE POSSIBILITY OF SUCH DAMAGES.

If any of the above provisions are held to be in violation of applicable law,
void, or unenforceable in any jurisdiction, then such provisions are waived
to the extent necessary for this disclaimer to be otherwise enforceable in
such jurisdiction.
________________________________________________________________________________

1. Bulletins Topics

Sun announces the release of patches for Solaris(tm) 8, 7, 2.6,
2.5.1, and 2.5 (SunOS(tm) 5.8, 5.7, 5.6, 5.5.1, and 5.5) which
relate to a format string vulnerability in rpc.ttdbserverd.

Sun recommends that you install the patches listed in section 4
immediately on systems running the CDE ToolTalk database server,
rpc.ttdbserverd, on SunOS 5.8, 5.7, 5.6, 5.5.1 and 5.5.

2. Who is Affected

Vulnerable: SunOS 5.8, 5.8_x86, 5.7, 5.7_x86, 5.6,
5.6_x86, 5.5.1, 5.5.1_x86, 5.5 and
5.5_x86

3. Understanding the Vulnerability

The RPC-based ToolTalk database server, rpc.ttdbserverd, manages
communication between ToolTalk applications. A format string
vulnerability has been discovered in rpc.ttdbserverd which may be
exploited by a local or a remote attacker to gain root access on the
affected system. Any system that does not run the ToolTalk RPC
database service is not vulnerable to this problem. This issue was
discovered by ISS X-Force who published an advisory at:

http://xforce.iss.net/alerts/advise98.php

CERT Advisory CA-2001-27 is available from:

http://www.cert.org/advisories/CA-2001-27.html

4. List of Patches

The following patches are available in relation to the above issue.

OS Version Patch ID
__________ _________
SunOS 5.8 110286-04
SunOS 5.8_x86 110287-04
SunOS 5.7 107893-15
SunOS 5.7_x86 107894-14
SunOS 5.6 105802-16
SunOS 5.6_x86 105803-18
SunOS 5.5.1 104489-14
SunOS 5.5.1_x86 105496-12
SunOS 5.5 104428-12
SunOS 5.5_x86 105495-10
_______________________________________________________________________________

APPENDICES

A. Patches listed in this bulletin are available to all Sun customers at:

http://sunsolve.sun.com/securitypatch

B. Checksums for the patches listed in this bulletin are available at:

ftp://sunsolve.sun.com/pub/patches/CHECKSUMS

C. Sun security bulletins are available at:

http://sunsolve.sun.com/security

D. Sun Security Coordination Team's PGP key is available at:

http://sunsolve.sun.com/pgpkey.txt

E. To report or inquire about a security problem with Sun software, contact
one or more of the following:

- Your local Sun answer centers
- Your representative computer security response team, such as CERT
- Sun Security Coordination Team. Send email to:

security-alert@sun.com

F. To receive information or subscribe to our CWS (Customer Warning System)
mailing list, send email to:

security-alert@sun.com

with a subject line (not body) containing one of the following commands:

Command Information Returned/Action Taken
_______ _________________________________

help An explanation of how to get information

key Sun Security Coordination Team's PGP key

list A list of current security topics

query [topic] The email is treated as an inquiry and is forwarded to
the Security Coordination Team

report [topic] The email is treated as a security report and is
forwarded to the Security Coordination Team. Please
encrypt sensitive mail using Sun Security Coordination
Team's PGP key

send topic A short status summary or bulletin. For example, to
retrieve a Security Bulletin #00138, supply the
following in the subject line (not body):

send #138

subscribe Sender is added to our mailing list. To subscribe,
supply the following in the subject line (not body):

subscribe cws your-email-address

Note that your-email-address should be substituted
by your email address.

unsubscribe Sender is removed from the CWS mailing list.
________________________________________________________________________________

Copyright 2001 Sun Microsystems, Inc. All rights reserved. Sun,
Sun Microsystems, Solaris and SunOS are trademarks or registered trademarks
of Sun Microsystems, Inc. in the United States and other countries. This
Security Bulletin may be reproduced and distributed, provided that this
Security Bulletin is not modified in any way and is attributed to
Sun Microsystems, Inc. and provided that such reproduction and distribution
is performed for non-commercial purposes.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBO/GUHbdzzzOFBFjJAQFqSwP+MIdnt8E9JYPubpxT9qmOiLZ64LuLEnKp
IZD2coi7rpObSoxwdLh3lZ0+7+wn/EBDPRLusiFTW5s0ycxDjsusRI9sRr2eywfs
BRaqZhQXCIAVpE4u+Jem+AJr3jFiXBzQILjRbnchErVpxt1QvsOFdwdK9M6+RjIL
BheyLWWC58E=
=7l7y
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Notified:  August 15, 2001 Updated: October 31, 2001

Status

Affected

Vendor Statement

Source licensees of The Open Group's CDE product can contact desktop@opengroup.org for advice and a source patch that address this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Notified:  August 15, 2001 Updated: September 13, 2002

Status

Affected

Vendor Statement

Caldera Open Unix and UnixWare are vulnerable. Caldera has released Security Advisory CSSA-2001-SCO.28.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Notified:  October 03, 2001 Updated: October 09, 2001

Status

Affected

Vendor Statement

Xi Graphics DeXtop 2.1 is vulnerable. Further information and a patch are available at the following locations:

ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.010.txt

ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.010.tar.gz

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.