Date: Tue, 29 Oct 1996 17:18:46 -0500
From: CERT Bulletin
To: cert-advisory@cert.org
Subject: CERT Vendor-Initiated Bulletin VB-96.17 - Linux Security FAQ Update

============================================================================
CERT(sm) Vendor-Initiated Bulletin VB-96.17
October 29, 1996

Topic: Linux Security FAQ Update
Source: Alexander O. Yuriev

To aid in the wide distribution of essential security information, the CERT
Coordination Center is forwarding the following information from Alexander
Yuriev. He urges you to act on this information as soon as possible. His
contact information is included in the forwarded text below; please contact
him if you have any questions or need further information.

==============FORWARDED TEXT STARTS HERE===============

- -----BEGIN PGP SIGNED MESSAGE-----

$Id: mount-umount,v 1.5 1996/10/24 21:17:29 alex Exp $

Linux Security FAQ Update
mount/umount Vulnerability
v1.5 Thu Oct 24 17:15:10 EDT 1996

Copyright (C) 1995,1996 Alexander O. Yuriev (alex@bach.cis.temple.edu)
CIS Laboratories
TEMPLE UNIVERSITY
U.S.A.

=============================================================================

This is an official Update of the Linux Security FAQ, and it is supposed to
be signed by one of the following PGP keys:

pub  1024/9ED505C5 1995/12/06 Jeffrey A. Uphoff
                              Jeffrey A. Uphoff
     1024/EFE347AD 1995/02/17 Olaf Kirch
     1024/ADF3EE95 1995/06/08 Linux Security FAQ Primary Key

Unless you are able to verify at least one of the signatures, please be very
careful when following instructions.

Linux Security WWW: http://bach.cis.temple.edu/linux/linux-security
linux-security & linux-alert mailing list archives:
ftp://linux.nrao.edu/pub/linux/security/list-archive

=============================================================================

LOG
( This section is maintained by Revision Control System )

$Log: mount-umount,v $
Revision 1.5 1996/10/24 21:17:29 alex
Tarsier's URL fixed

Revision 1.4 1996/10/24 00:32:42 alex
Red Hat URLs updated per CERT's request

ABSTRACT

This update fixes several URLs of the Linux Security FAQ Update#13
"mount/umount vulnerability" dated Tue Sep Wed Oct 23 20:09:59 EDT 1996.
There are no major updates to the text of the document.

A vulnerability exists in the mount/umount programs of the util-linux 2.5
package. If installed suid-to-root, these programs allow local users to
gain super-user privileges.

RISK ASSESSMENT

Local users can gain root privileges. Exploits that exercise this
vulnerability have been made available.

VULNERABILITY ANALYSIS

The mount/umount utilities from util-linux 2.5 suffer from a buffer
overrun problem. Installing mount/umount as suid-to-root programs is
necessary to allow local users to mount and unmount removable media
without having super-user privileges. If this feature is not required, it
is recommended that the suid bit be removed from both the mount and umount
programs. If this feature is required, one might want to consider other
ways of implementing it. Such approaches include but are not limited to
using an auto-mounter or the sudo mechanism.

DISTRIBUTION FIXES

Red Hat Commercial Linux

RedHat 2.1, RedHat 3.0.3 (Picasso) and RedHat 3.0.4 (Rembrandt) contain
vulnerable umount utilities.
Red Hat Software advises users of Red Hat 2.1 to upgrade to Red Hat 3.0.3
(Picasso).

The replacement RPMs are available from the following URLs:

Red Hat Linux 3.0.3 (Picasso) i386 architecture

ftp://ftp.redhat.com/pub/redhat/old-releases/redhat-3.0.3/i386/updates/RPMS/util-linux-2.5-11fix.i386.rpm
ftp://ftp.redhat.com/pub/redhat/old-releases/redhat-3.0.3/i386/updates/RPMS/mount-2.5k-1.i386.rpm
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/util-linux-2.5-11fix.i386.rpm
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-1.i386.rpm
ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/RedHat/util-linux-2.5-11fix.i386.rpm
ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-1.i386.rpm

RedHat Linux 3.0.3 (Picasso) Alpha architecture

ftp://ftp.redhat.com/pub/redhat/old-releases/redhat-3.0.3/axp/updates/RPMS/util-linux-2.5-11fix.axp.rpm
ftp://ftp.redhat.com/pub/redhat/old-releases/redhat-3.0.3/axp/updates/RPMS/mount-2.5k-1.axp.rpm
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/util-linux-2.5-11fix.axp.rpm
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-1.axp.rpm
ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/RedHat/util-linux-2.5-11fix.axp.rpm
ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-1.axp.rpm

RedHat Linux 3.0.4 Beta (Rembrandt) i386 architecture

ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-2.i386.rpm
ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-2.i386.rpm

RedHat Linux 3.0.4 Beta (Rembrandt) SPARC architecture

ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-2.sparc.rpm
ftp://tarsier.cv.nrao.edu/pub/Linux/security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-2.sparc.rpm

Please verify the MD5 fingerprint of the RPMs prior to installing them.

ad9b0628b6af9957d7b5eb720bbe632b  mount-2.5k-1.axp.rpm
12cb19ec4b3060f8d1cedff77bda7c05  util-linux-2.5-11fix.axp.rpm
26506a3c0066b8954d80deff152e0229  mount-2.5k-1.i386.rpm
f48c6bf901dd5d2c476657d6b75b12a5  util-linux-2.5-11fix.i386.rpm
7337f8796318f3b13f2dccb4a8f10b1a  mount-2.5k-2.i386.rpm
e68ff642a7536f3be4da83eedc14dd76  mount-2.5k-2.sparc.rpm

Red Hat Software Inc notes that the only difference between mount-2.5k-1
and mount-2.5k-2 is in the packaging format.

Please note that due to the release of Red Hat 4.0, the FTP site of Red Hat
Software removed fixes for a beta release of Rembrandt.

Caldera Network Desktop

Caldera Network Desktop version 1.0 contains vulnerable mount and umount
programs. Caldera Inc issued Caldera Security Advisory 96.04, in which it
recommends removing the setuid bit from the mount and umount commands using
the command:

    chmod 755 /bin/mount /bin/umount

Users of Caldera Network Desktop 1.0 upgraded to RedHat 3.0.3 (Picasso) are
advised to follow the instructions in the Red Hat Commercial Linux section
of this LSF Update.

Debian

Debian/GNU Linux 1.1 contains the vulnerable mount/umount programs. The
Debian Project provided the information that an updated package fixes this
problem. The fix-kit can be obtained from the following URLs:

ftp://ftp.debian.org/debian/stable/binary-i386/base/mount_2.5l-1.deb
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/Debian/mount_2.5l-1.deb
ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/Debian/mount_2.5l-1.deb

Please verify the MD5 signature of the RPM prior to installing the fix-kit.

6672530030f9a6c42451ace74c7510ca  mount_2.5l-1.deb

WARNING: The message that contained information about the MD5 hash of the
mount_2.5l-1.deb package was not signed. We were unable to verify the
integrity of the message.

Slackware

There is no official information available about the vulnerability of the
Slackware 3.0 or Slackware 3.1 distributions from the distribution
maintainer.
The testing indicates that both the Slackware 3.0 and Slackware 3.1
distributions contain the vulnerable mount and umount programs.

Until the official fix-kit for Slackware 3.0 and 3.1 becomes available,
system administrators are advised to follow the instructions in the Other
Linux Distributions section of this LSF Update.

Yggdrasil

Yggdrasil Computing Inc neither confirmed nor denied the vulnerability of
Plug and Play Fall'95 Linux.

The testing indicates that the Plug and Play Fall'95 Linux distribution
contains the vulnerable mount and umount programs.

Until the official fix-kit for Yggdrasil Plug and Play Linux becomes
available, system administrators are advised to follow the instructions in
the Other Linux Distributions section of this LSF Update.

Other Linux Distributions

It is believed at this moment that all Linux distributions using util-linux
version 2.5 or prior to that contain the vulnerable mount and umount
programs.

Administrators of systems based on distributions not listed in this LSF
Update, or distributions that do not have fix-kits available at the moment,
are urged to contact their support centers requesting the fix-kits to be
made available to them.

In order to prevent the vulnerability from being exploited in the
meantime, it is recommended that the suid bit be removed from the mount and
umount programs using the command:

    chmod u-s /bin/mount /bin/umount

Until the official fix-kits are available for those systems, it is advised
that system administrators obtain the source code of the fixed mount
program used in Debian/GNU Linux 1.1, compile it and replace the vulnerable
binaries.
The source code of the Debian/GNU Linux 1.1 package which fixes the
security problem of the mount utility can be obtained from the following
URLs:

ftp://ftp.debian.org/debian/stable/source/base/mount_2.5l-1.tar.gz
ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/OTHER/mount_2.5l-1.tar.gz
ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/OTHER/mount_2.5l-1.tar.gz

Warning: We did not receive the MD5 hash of the mount_2.5l-1.tar.gz file.

CREDITS

This LSF Update is based on the information originally posted to
linux-alert. The information on the fix-kit for Red Hat commercial Linux
was provided by Elliot Lee (sopwith@redhat.com) of Red Hat Software Inc.;
for the Caldera Network Desktop by Ron Holt of Caldera Inc.; for
Debian/GNU Linux 1.1 by Guy Maor (maor@ece.utexas.edu).

- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMm/dIIxFUz2t8+6VAQFAawP+PmYCYpOcX+bnG9Sh37Iq0mWHlPDaOzjB
dPAr6kcAuP60jHd9jIwYKiTiGsWrr5h7L8G8+CrD8BjHBF2RCwII9q/KlWukk96v
3Mb0eJUoxf4xqDYXPqcsl54/xe8s3q0+JcKvQf2UKvHhEYshp+Z6oY2Eg3I7w85m
oPLjd/SidQE=
=CrbU
- -----END PGP SIGNATURE-----

========================FORWARDED TEXT ENDS HERE=============================

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).

We strongly urge you to encrypt any sensitive information you send by
email. The CERT Coordination Center can support a shared DES key and PGP.
Contact the CERT staff for more information.

Location of CERT PGP key
    ftp://info.cert.org/pub/CERT_PGP.key

CERT Contact Information
- ------------------------
Email   cert@cert.org

Phone   +1 412-268-7090 (24-hour hotline)
        CERT personnel answer 8:30-5:00 p.m. EST
        (GMT-5)/EDT(GMT-4), and are on call for
        emergencies during other hours.

Fax     +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

CERT publications, information about FIRST representatives, and other
security-related information are available from
    http://www.cert.org/
    ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
    comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send
your email address to
    cert-advisory-request@cert.org

CERT is a service mark of Carnegie Mellon University.

This file: ftp://info.cert.org/pub/cert_bulletins/VB-96.17.linux

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMnZrHHVP+x0t4w7BAQGnFAP+OoWtOA9jBGQEeM8uVqrsBvckhUzIiZpb
hrz361KqeRdSNgqUg3UJLqIqJ+km3bdFPoB6zcelM8IU0xwc4tkUW9mCq+PVFcVR
tchJa5OR5Uvy9ZEQO00thFBO+2/OP220ld+iaDoT37Jl5qUnqncD0dxWqKoq/CC4
tZHLvfSefo4=
=d/UU
-----END PGP SIGNATURE-----
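
Added example, not part of the bulletin or of any vendor's fix-kit: a small
shell audit for the two checks the forwarded text asks administrators to
make, namely whether mount/umount still carry the suid bit and whether a
downloaded RPM matches the MD5 fingerprint listed for its file name. The
function names are hypothetical, and md5sum from GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example, not part of the bulletin. Function names are hypothetical.
# Hash/file pairs below are copied from the bulletin's Red Hat MD5 list.
ADVISORY_MD5='ad9b0628b6af9957d7b5eb720bbe632b mount-2.5k-1.axp.rpm
12cb19ec4b3060f8d1cedff77bda7c05 util-linux-2.5-11fix.axp.rpm
26506a3c0066b8954d80deff152e0229 mount-2.5k-1.i386.rpm
f48c6bf901dd5d2c476657d6b75b12a5 util-linux-2.5-11fix.i386.rpm
7337f8796318f3b13f2dccb4a8f10b1a mount-2.5k-2.i386.rpm
e68ff642a7536f3be4da83eedc14dd76 mount-2.5k-2.sparc.rpm'

# Print every argument that is a regular file with the setuid bit set.
suid_files() {
    for f in "$@"; do
        if [ -f "$f" ] && [ -u "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Apply the bulletin's workaround (chmod u-s) to files that are still setuid.
# Returns non-zero if any chmod fails.
drop_suid() {
    rc=0
    for f in "$@"; do
        [ -f "$f" ] && [ -u "$f" ] || continue
        chmod u-s "$f" || rc=1
    done
    return "$rc"
}

# Compare a downloaded package with the hash listed for its file name.
# Returns 0 on match, 1 on mismatch, 2 if the name is not in the list.
verify_package() {
    name=$(basename "$1")
    expected=$(printf '%s\n' "$ADVISORY_MD5" |
        awk -v n="$name" '$2 == n { print $1 }')
    [ -n "$expected" ] || return 2
    actual=$(md5sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Read-only report for the two binaries named in the bulletin.
suid_files /bin/mount /bin/umount
```

The Debian hash is left out of the list because the bulletin states that the
message carrying it was not signed.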