
Conference minotr::security_advisory

Title:SECURITY_ADVISORY
Notice:Security is Everyone's Responsibility
Moderator:MINOTR::NOBLE
Created:Wed Dec 22 1993
Last Modified:Thu May 29 1997
Last Successful Update:Fri Jun 06 1997
Number of topics:148
Total number of notes:459

133.0. "CISG Security Advisory 1997-02, D/UNIX V4.0 DoP" by MINOTR::NOBLE (Your Data, Your Job...Protect Both) Tue Mar 11 1997 17:23

         DIGITAL INTERNAL USE ONLY
************************************************
*        CORPORATE SECURITY
*        CORPORATE INFORMATION SECURITY GROUP
*        Mar 10, 1997
*        SECURITY ADVISORY #1997-02
*
************************************************
[DO NOT DELETE THIS BANNER]


This security advisory is for immediate distribution to all DIGITAL
UNIX V4.0 system managers, internal support personnel and any other
appropriate internal organizations within DIGITAL.  Cost Center
managers hosting contract personnel are responsible for ensuring
appropriate forwarding of this advisory.


SUBJECT:	Potential Security Vulnerability with DoP in
		DIGITAL UNIX V4.0


IMPACT:

Digital has discovered a potential vulnerability in the Division
of Privilege (DoP) command, "/usr/sbin/dop", for DIGITAL UNIX V4.0, V4.0A and
V4.0B, where, under certain circumstances, an unauthorized user may
gain privileges they are not entitled to.


REQUIRED ACTIONS:  THIS IS A MANDATORY SECURITY UPDATE

All DIGITAL internal system managers running or supporting DIGITAL
UNIX V4.0, V4.0A, or V4.0B must obtain and install this security patch
on their systems.  Further, the appropriate patch kit must be
reinstalled following any future upgrade to your system beginning
with V4.0 up to and including V4.0B.


SECURITY KIT NAMES:

    SSRT0435U
	FILE NAMES:
	    SSRT0435U.README
	    SSRT0435U.tar

SECURITY KIT LOCATIONS:

This patch kit is internally available from the following Security
Patch Server location:

TCP-IP - anonymous ftp - NOTE - esrsrf is an OpenVMS Node/Host
    esrsrf.das.dec.com
	unix/v40/
	unix/v40a/
	unix/v40b/

DECnet -
    ESRSRF::DISK$ESRSRF_DAT01:[SECURITY.UNIX.V40]  
    ESRSRF::DISK$ESRSRF_DAT01:[SECURITY.UNIX.V40A]  
    ESRSRF::DISK$ESRSRF_DAT01:[SECURITY.UNIX.V40B]  


INSTALLATION INSTRUCTIONS:

1.  Obtain the patch kit and read the README information file.

2.  Follow the instructions in the README file.

3.  REMEMBER - the appropriate patch kit must be reinstalled
    following any future upgrade to your system beginning with V4.0
    up to and including V4.0B.
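The following POSIX shell script is an added example, not part of the advisory or of the SSRT0435U kit. It gives a system manager two checks that the advisory asks for but does not script: whether a host's reported version falls in the affected range (V4.0, V4.0A, V4.0B, matched case-insensitively so the "4.0a"/"4.0b" spellings also match) and whether a downloaded kit directory contains both files the advisory lists. It also audits the ownership of the DoP binary. The use of `sizer -v` to obtain the version string, and the exact format of its output, are assumptions not stated on this page; the functions accept the string as an argument so they can be run anywhere.

```shell
#!/bin/sh
# Added example (not the advisory's own text): checks supporting the
# SSRT0435U installation procedure.
#
# Assumption: on a DIGITAL UNIX host `sizer -v` prints a line such as
# "Digital UNIX V4.0B (Rev. 564)"; the version token is extracted from
# whatever string is passed in, so any source of the string will do.

# affected_version STRING
#   exit 0 if STRING names V4.0, V4.0A or V4.0B (the versions the
#   advisory covers), exit 1 otherwise (for example V4.0D or V3.2C).
affected_version() {
    ver=$(printf '%s\n' "$1" \
        | tr '[:lower:]' '[:upper:]' \
        | sed -n 's/.*V\{0,1\}\(4\.0[A-Z]*\).*/\1/p')
    case "$ver" in
        4.0|4.0A|4.0B) return 0 ;;
        *)             return 1 ;;
    esac
}

# kit_complete DIR
#   exit 0 only if both files the advisory lists for SSRT0435U are
#   present in DIR; names the first missing file otherwise.
kit_complete() {
    for f in SSRT0435U.README SSRT0435U.tar; do
        [ -f "$1/$f" ] || { echo "missing $1/$f"; return 1; }
    done
    return 0
}

# audit_dop [PATH]
#   print the owner, group and mode of the DoP binary (default
#   /usr/sbin/dop) and exit 0 only if it exists and is owned by root.
audit_dop() {
    path=${1:-/usr/sbin/dop}
    [ -f "$path" ] || { echo "$path: not present"; return 1; }
    ls -l "$path"
    owner=$(ls -l "$path" | awk '{print $3}')
    [ "$owner" = "root" ]
}
```

On a host, `affected_version "$(sizer -v)" && echo "patch required"` tells you whether the system is in scope, `kit_complete /path/to/kit` confirms the download is whole before you start on the README, and `audit_dop` records the binary's state before and after the kit is applied. Because the version check runs purely on the string, it can also be fed an inventory list to triage many hosts at once.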


ADDITIONAL INFORMATION:

The DoP command is used to provide non-root users with the ability
to enter the root password to access the graphical system management
applications via the CDE application manager or the Host Manager. 
When a non-root user attempts to execute a system management
application through one of these applications, the user will be
prompted with a password dialog.  If the user enters the correct
root password, they will gain root privilege while running the given
application.


COMPLIANCE:

1.  Per Corporate Security Policy CP211-00, this mandatory
    security update must be installed, or put into functional
    qualification testing if required, within one (1) week of
    receiving notification of the security update.

2.  Issues relating to non-compliance with this mandatory
    security update MUST be addressed with your geography
    information security contact; please refer to the Contact
    Information section of this advisory.

CONTACT INFORMATION:

Up-to-date reference information on local Information
Security contacts can be found at the following locations:

    INTERNAL WWW SERVERS
      Corporate Security
        http://corpsec.mso.dec.com/
      Information Services Security
        http://www-is-security.mso.dec.com/
      
    VIDEOTEXT SERVERS
      $ VTX SECURITY


NOTE:

    The only authorized source of computer/network security
related advisories and bulletins for Digital is the
Corporate Information Security Group.  Please advise your
system managers and users of Digital's computers and
networks that any security warnings, alerts, advisories, and
bulletins, especially those requiring responsive action on
their part, are the explicit responsibility of the
Corporate Information Security Group.

    If an internal or external advisory or bulletin is received
from other sources and no information on the topic has been
received from CISG, please contact our group at DTN 223-8900.
This allows a single focus for all security advisory and
bulletin information for our Company.

All security advisories and bulletins can be found via the
Corporate Security WEB Page at URL http://CorpSec.mso.dec.com/ or
via the Security Advisory Notefile at MINOTR::SECURITY_ADVISORY or
via VTX SECURITY.

DIGITAL INTERNAL USE ONLY
