Compaq Computer Corporation Affected

Notified:  August 14, 2001 Updated: October 08, 2001

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NO RESTRICTION FOR DISTRIBUTION PROVIDED THE ADVISORY REMAINS INTACT TITLE: SSRT0767U Potential rpc.ttdbserverd buffer overflow CASE ID: SSRT0767U (X-REF: CVE CAN-2001-0717, x-force 02-oct-2001, CERT CA-2001-27) SOURCE: Compaq Computer Corporation Software Security Response Team DATE: 02-Oct-2001 (c) Copyright 2001 Compaq Computer Corporation. All rights reserved. "Compaq is broadly distributing this Security Advisory in order to bring to the attention of users of Compaq products the important security information contained in this Advisory. Compaq recommends that all users determine the applicability of this information to their individual situations and take appropriate action. Compaq does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, Compaq will not be responsible for any damages resulting from user's use or disregard of the information provided in this Advisory." Severity: low This potential security vulnerability has not been reproduced for any release of Compaq Tru64 Unix. However with the information available, we are providing a patch that will further reduce any potential vulnerability. A patch has been made available for all supported versions of Tru64/ DIGITAL UNIX V4.0f, V4.0g, V5.0a, V5.1, and V5.1a. To obtain a patch for prior versions contact your normal Compaq Services support channel. *This solution will be included in a future distributed release of Compaq's Tru64 / DIGITAL UNIX. The patches identified are available from the Compaq FTP site http://ftp1.support.compaq.com/public/dunix/ then choose the version directory needed and search for the patch by name. The patch names are: DUV40F17-C0056200-11703-ER-20010928.tar T64V40G17-C0007000-11704-ER-20010928.tar T64V50A17-C0015500-11705-ER-20010928.tar T64V5117-C0065200-11706-ER-20010928.tar T64V51Assb-C0000800-11707-ER-20010928.tar To subscribe to automatically receive future NEW Security Advisories from the Software Security Response Team at Compaq via electronic mail, Use your browser to get to the http://www.support.compaq.com/patches/mailing-list.shtml and sign up. Select "Security and Individual Notices" for immediate dispatch notifications. To report a potential security vulnerability for Compaq products, send email to security-ssrt@compaq.com If you need further information, please contact your normal Compaq Services support channel. Compaq appreciates your cooperation and patience. As always, Compaq urges you to periodically review your system management and security procedures. Compaq will continue to review and enhance the security features of its products and work with customers to maintain and improve the security and integrity of their systems. -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.1 iQA/AwUBO78nlDnTu2ckvbFuEQKetQCg4wWYlBghvodt3FcggpMWzoYYQNIAoOBu 59ftYye4zJnazHWnZHQqEPBY =JKbN -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Cray Inc. Not Affected

Notified:  August 20, 2001 Updated: October 09, 2001

Status

Not Affected

Vendor Statement

UNICOS and UNICOS/mk are not vulnerable to either of these two advisories. For further information see Cray SPR 721061. Cray, Inc. does include ToolTalk within the CrayTools product. However, this implementation does not use rpc.ttdbserverd. Therefore, Cray, Inc. is not vulnerable to this advisory.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Cray SPRs are available to licensed Cray customers.

Data General Unknown

Notified:  August 15, 2001 Updated: August 27, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Fujitsu Unknown

Notified:  August 15, 2001 Updated: August 27, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

Hewlett-Packard Company Affected

Notified:  August 14, 2001 Updated: December 06, 2001

Status

Affected

Vendor Statement

Document ID: HPSBUX0110-168 Date Loaded: 20011205 Title: Sec. Vulnerability in rpc.ttdbserverd (rev.3) HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #0168, Originally issued: 01 October '01 **Revision 01**: 03 October '01 **Revision 02**: 19 November '01 **Revision 03**: 05 December '01 The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible. PROBLEM: Buffer overflow in rpc.ttdbserver PLATFORM: HP9000 Series 700/800 running HP-UX releases 10.10, 10.20, 10.24, 11.00, 11.04, and 11.11. DAMAGE: Unauthorized access, increased privileges. SOLUTION: Install the appropriate patch: 10.10 PHSS_25136, 10.20 PHSS_25137, 10.24 PHSS_25419, 11.00 PHSS_25138, 11.04 PHSS_25420, 11.11 PHSS_25139. MANUAL ACTIONS: none AVAILABILITY: All listed patches are available now. CHANGE SUMMARY: Rev.01 Updated patch information, deleted old instructions. Rev.02 Updated patch information again. Rev.03 Updated instructions for disabling rpc.ttdbserver A. Background A remotely exploitable buffer overflow in rpc.ttdbserver has been reported to HP. B. Fixing the problem Install the appropriate patch. An alternative is to disable rpc.ttdbserver. The rpc.ttdbserver process is not needed for the programs provided in HP's CDE product. It may be needed by third party applications using ToolTalk. If you are not using ToolTalk applications rpc.ttdbserver may be disabled. **Rev.03** Edit /etc/inetd.conf and comment out the rpc.ttdbserver line as follows: #rpc stream tcp swait root /usr/dt/bin/rpc.ttdbserver ... Restart inetd: /usr/sbin/inetd -c Kill any instances of rpc.ttdbserver that might be running. C. Recommended solution Install the appropriate patch: 10.10 PHSS_25136, 10.20 PHSS_25137, 10.24 PHSS_25419, 11.00 PHSS_25138, 11.04 PHSS_25420, 11.11 PHSS_25139. D. To subscribe to automatically receive future NEW HP Security Bulletins from the HP IT Resource Center via electronic mail, do the following: Use your browser to get to the HP IT Resource Center page at: http://itrc.hp.com Use the 'Login' tab at the left side of the screen to login using your ID and password. Use your existing login or the "Register" button at the left to create a login, in order to gain access to many areas of the ITRC. Remember to save the User ID assigned to you, and your password. In the left most frame select "Maintenance and Support". Under the "Notifications" section (near the bottom of the page), select "Support Information Digests". To -subscribe- to future HP Security Bulletins or other Technical Digests, click the check box (in the left column) for the appropriate digest and then click the "Update Subscriptions" button at the bottom of the page. or To -review- bulletins already released, select the link (in the middle column) for the appropriate digest. To -gain access- to the Security Patch Matrix, select the link for "The Security Bulletins Archive". (near the bottom of the page) Once in the archive the third link is to the current Security Patch Matrix. Updated daily, this matrix categorizes security patches by platform/OS release, and by bulletin topic. Security Patch Check completely automates the process of reviewing the patch matrix for 11.XX systems. For information on the Security Patch Check tool, see: http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/ displayProductInfo.pl?productNumber=B6834AA" The security patch matrix is also available via anonymous ftp: ftp.itrc.hp.com:~ftp/export/patches/hp-ux_patch_matrix On the "Support Information Digest Main" page: click on the "HP Security Bulletin Archive". E. To report new security vulnerabilities, send email to security-alert@hp.com Please encrypt any exploit information using the security-alert PGP key, available from your local key server, or by sending a message with a -subject- (not body) of 'get key' (no quotes) to security-alert@hp.com. Permission is granted for copying and circulating this Bulletin to Hewlett-Packard (HP) customers (or the Internet community) for the purpose of alerting them to problems, if and only if, the Bulletin is not edited or changed in any way, is attributed to HP, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. HP is not liable for any misuse of this information by any third party. -----End of Document ID: HPSBUX0110-168--------------------------------------

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

IBM Affected

Notified:  August 14, 2001 Updated: October 31, 2001

Status

Affected

Vendor Statement

[from IBM Security Advisory contained in: ftp://aix.software.ibm.com/aix/efixes/security/tooltalk_efix.tar.Z] A. Official fix IBM is working on the following fixes which will be available soon: AIX 4.3: Pending assignment - the Advisory copy in the efix download package will be updated as soon as the assignment is made. Also, the CERT Vulnerability Note will be updated and we will post a note to SecurityFocus BUGTRAQ. IBM's Managed Security Service will also distribute notification of when this happens. AIX 5.1: APAR #IY23846 The APARs for AIX 4.3 and 5.1 will not be available until late October - November 2001. NOTE: Fix will not be provided for versions prior to 4.3 as these are no longer supported by IBM. Affected customers are urged to upgrade to 4.3.3 at the latest maintenance level, or to 5.1. B. How to minimize the vulnerability WORKAROUND None, other than disabling the CDE Tooltalk RPC database server. EMERGENCY FIX (efix): Temporary fixes for AIX 4.3.x and 5.1 systems are available. The temporary fixes can be downloaded via ftp from: ftp://aix.software.ibm.com/aix/efixes/security The name of the efix you want to download to close this vulnerability is tooltalk_efix.tar.Z. The efix compressed tarball contains a copy of this Advisory and another tarfile, efix_binaries.tar. This latter tarfile will untar into two subdirectories, tooltalk_rpc_aix43_efix and tooltalk_rpc_aix51_efix, for AIX 4.3 and 5.1, respectively. Each subdirectory contains a patched rpc.ttdbserver and libtt.a binary, plus an INSTALL textfile that is a synopsis of the installation instructions given below. In the same directory level with the Advisory is a detached PGP signature file for the tarfile containing the fixes, efix_binaries.tar.asc. These temporary fixes have not been fully regression tested; thus, IBM does not warrant the fully correct functioning of the efix. Customers install the efix and operate the modified version of AIX at their own risk.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

See also: http://www-1.ibm.com/services/continuity/recover1.nsf/MSS/MSS-OAR-E01-2001.425.1

SGI Unknown

Notified:  August 14, 2001 Updated: April 03, 2002

Status

Unknown

Vendor Statement

SGI acknowledges the CDE vulnerabilities reported by CERT and is currently investigating. No further information is available at this time. For the protection of all our customers, SGI does not disclose, discuss or confirm vulnerabilities until a full investigation has occurred and any necessary patch(es) or release streams are available for all vulnerable and supported IRIX operating systems. Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps according to local site security policies and requirements. As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SGI has released SGI Security Advisory 20020302-01-A which addresses a number of vulnerabilities in CDE and ToolTalk.

Sun Microsystems Inc. Affected

Notified:  August 14, 2001 Updated: November 14, 2001

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE----- Sun Microsystems, Inc. Security Bulletin Bulletin Number: #00212 Date: November 13, 2001 Cross-Ref: CERT Advisory CA-2001-27 Title: rpc.ttdbserverd The information contained in this Security Bulletin is provided "AS IS." Sun makes no warranties of any kind whatsoever with respect to the information contained in this Security Bulletin. ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY WARRANTY OF NON-INFRINGEMENT OR IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE HEREBY DISCLAIMED AND EXCLUDED TO THE EXTENT ALLOWED BY APPLICABLE LAW. IN NO EVENT WILL SUN MICROSYSTEMS, INC. BE LIABLE FOR ANY LOST REVENUE, PROFIT OR DATA, OR FOR DIRECT, SPECIAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL OR PUNITIVE DAMAGES HOWEVER CAUSED AND REGARDLESS OF ANY THEORY OF LIABILITY ARISING OUT OF THE USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS SECURITY BULLETIN, EVEN IF SUN MICROSYSTEMS, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. If any of the above provisions are held to be in violation of applicable law, void, or unenforceable in any jurisdiction, then such provisions are waived to the extent necessary for this disclaimer to be otherwise enforceable in such jurisdiction. 1. Bulletins Topics Sun announces the release of patches for Solaris(tm) 8, 7, 2.6, 2.5.1, and 2.5 (SunOS(tm) 5.8, 5.7, 5.6, 5.5.1, and 5.5) which relate to a format string vulnerability in rpc.ttdbserverd. Sun recommends that you install the patches listed in section 4 immediately on systems running the CDE ToolTalk database server, rpc.ttdbserverd, on SunOS 5.8, 5.7, 5.6, 5.5.1 and 5.5. 2. Who is Affected Vulnerable: SunOS 5.8, 5.8_x86, 5.7, 5.7_x86, 5.6, 5.6_x86, 5.5.1, 5.5.1_x86, 5.5 and 5.5_x86 3. Understanding the Vulnerability The RPC-based ToolTalk database server, rpc.ttdbserverd, manages communication between ToolTalk applications. A format string vulnerability has been discovered in rpc.ttdbserverd which may be exploited by a local or a remote attacker to gain root access on the affected system. Any system that does not run the ToolTalk RPC database service is not vulnerable to this problem. This issue was discovered by ISS X-Force who published an advisory at: http://xforce.iss.net/alerts/advise98.php CERT Advisory CA-2001-27 is available from: http://www.cert.org/advisories/CA-2001-27.html 4. List of Patches The following patches are available in relation to the above issue. OS Version Patch ID SunOS 5.8 110286-04 SunOS 5.8_x86 110287-04 SunOS 5.7 107893-15 SunOS 5.7_x86 107894-14 SunOS 5.6 105802-16 SunOS 5.6_x86 105803-18 SunOS 5.5.1 104489-14 SunOS 5.5.1_x86 105496-12 SunOS 5.5 104428-12 SunOS 5.5_x86 105495-10 APPENDICES A. Patches listed in this bulletin are available to all Sun customers at: http://sunsolve.sun.com/securitypatch B. Checksums for the patches listed in this bulletin are available at: ftp://sunsolve.sun.com/pub/patches/CHECKSUMS C. Sun security bulletins are available at: http://sunsolve.sun.com/security D. Sun Security Coordination Team's PGP key is available at: http://sunsolve.sun.com/pgpkey.txt E. To report or inquire about a security problem with Sun software, contact one or more of the following: - Your local Sun answer centers - Your representative computer security response team, such as CERT - Sun Security Coordination Team. Send email to: security-alert@sun.com F. To receive information or subscribe to our CWS (Customer Warning System) mailing list, send email to: security-alert@sun.com with a subject line (not body) containing one of the following commands: Command Information Returned/Action Taken help An explanation of how to get information key Sun Security Coordination Team's PGP key list A list of current security topics query [topic] The email is treated as an inquiry and is forwarded to the Security Coordination Team report [topic] The email is treated as a security report and is forwarded to the Security Coordination Team. Please encrypt sensitive mail using Sun Security Coordination Team's PGP key send topic A short status summary or bulletin. For example, to retrieve a Security Bulletin #00138, supply the following in the subject line (not body): send #138 subscribe Sender is added to our mailing list. To subscribe, supply the following in the subject line (not body): subscribe cws your-email-address Note that your-email-address should be substituted by your email address. unsubscribe Sender is removed from the CWS mailing list. Copyright 2001 Sun Microsystems, Inc. All rights reserved. Sun, Sun Microsystems, Solaris and SunOS are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. This Security Bulletin may be reproduced and distributed, provided that this Security Bulletin is not modified in any way and is attributed to Sun Microsystems, Inc. and provided that such reproduction and distribution is performed for non-commercial purposes. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBO/GUHbdzzzOFBFjJAQFqSwP+MIdnt8E9JYPubpxT9qmOiLZ64LuLEnKp IZD2coi7rpObSoxwdLh3lZ0+7+wn/EBDPRLusiFTW5s0ycxDjsusRI9sRr2eywfs BRaqZhQXCIAVpE4u+Jem+AJr3jFiXBzQILjRbnchErVpxt1QvsOFdwdK9M6+RjIL BheyLWWC58E= =7l7y -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

The Open Group Affected

Notified:  August 15, 2001 Updated: October 31, 2001

Status

Affected

Vendor Statement

Source licensees of The Open Group's CDE product can contact desktop@opengroup.org for advice and a source patch that address this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

The SCO Group (SCO UnixWare) Affected

Notified:  August 15, 2001 Updated: September 13, 2002

Status

Affected

Vendor Statement

Caldera Open Unix and UnixWare are vulnerable. Caldera has released Security Advisory CSSA-2001-SCO.28.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

TriTeal Unknown

Updated:  November 12, 2001

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

TriTeal went bankrupt in December 1999. It is possible that TriTeal Enterprise Desktop (TED) and CDE distributions based on TriTeal code are vulnerable.

Xi Graphics Affected

Notified:  October 03, 2001 Updated: October 09, 2001

Status

Affected

Vendor Statement

Xi Graphics DeXtop 2.1 is vulnerable. Further information and a patch are available at the following locations:

ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.010.txt

ftp://ftp.xig.com/pub/updates/dextop/2.1/DEX2100.010.tar.gz

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

View all 12 vendors View less vendors