Published:
07 May 1998
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-98.070 -- Digital Advisory SSRT0505U Vulnerability in ftp for Digital UNIX 8th May 1998 =========================================================================== Digital Equipment Corporation has released the following advisory concerning a vulnerability in ftp for Digital UNIX software. This vulnerability may allow users to gain unauthorized file access. The following security bulletin is provided as a service to AusCERT's members. As AusCERT did not write this document, AusCERT has had no control over its content. As such, the decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. NOTE: This is only the original release of the security bulletin. It will not be updated when the original bulletin is. If downloading at a later date, it is recommended that the bulletin is retrieved from the original authors to ensure that the information is still current. Contact information for Digital is included in the Security Bulletin below. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/Information/advisories.html If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. Facsimile: (07) 3365 7031 - -----------------------------BEGIN INCLUDED TEXT-------------------- ______________________________________________________________ UPDATE: APR 30, 1998 TITLE: DIGITAL UNIX ftpd V3.2g, V4.0, V4.0a, V4.0b, V4.0c Potential Security Vulnerability Ref #: SSRT0505U SOURCE: Digital Equipment Corporation Software Security Response Team USA "Digital is broadly distributing this Security Advisory in order to bring to the attention of users of Digital's products the important security information contained in this Advisory. Digital recommends that all users determine the applicability of this information to their individual situations and take appropriate action. Digital does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, Digital will not be responsible for any damages resulting from user's use or disregard of the information provided in this Advisory." - ---------------------------------------------------------------------- IMPACT: Digital has discovered a potential vulnerability with ftp for DIGITAL UNIX software, where under certain circumstances, a user may gain unauthorized file access. Digital strongly recommends upgrading to a minimum of Digital UNIX V4.0b accordingly, and that the appropriate patch kit be installed immediately. - ---------------------------------------------------------------------- RESOLUTION: This potential security problem has been resolved in V4.0d and an official patch for this problem has been made available as an early release kit for DIGITAL UNIX V4.0a (duv40ass0000600039300-19980317.*) and included in the latest DIGITAL UNIX V4.0b aggregate DUPATCH Kit. The V3.2g aggregate BL 10 patch kit #5 is scheduled for release in late June 1998. The V4.0 aggregate BL 9 patch kit #6 is scheduled for release mid May 1998. The V4.0c aggregate BL10 patch kit #6 is scheduled for release mid May 1998. *This potential problem was included in the distributed release of DIGITAL UNIX V4.0d o the World Wide Web at the following FTP address: http://www.service.digital.com/html/patch_service.html Use the FTP access option, select DIGITAL_UNIX directory then choose the appropriate version directory and download the patch accordingly. Note: [1]The appropriate patch kit must be installed following any upgrade to V4.0a, V4.0b, or V4.0c [2] Please review the appropriate release notes prior to installation. If you need further information, please contact your normal DIGITAL support channel. DIGITAL appreciates your cooperation and patience. We regret any inconvenience applying this information may cause. As always, Digital urges you to periodically review your system management and security procedures. Digital will continue to review and enhance the security features of its products and work with customers to maintain and improve the security and integrity of their systems. ______________________________________________________________ Copyright (c) Digital Equipment Corporation, 1998 All Rights Reserved. Unpublished Rights Reserved Under The Copyright Laws Of The United States. ______________________________________________________________ - -----------------------------END INCLUDED TEXT---------------------- -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBNVLzhCh9+71yA2DNAQHvYwP/X+8CQMYHdDkkT9X+qjqFhuBvrrPAosXe UmuVgicCLvm5B7pnZ1qFatKJyqp4z3lGFZf8hgsHGZop6mIx6XE+7vA8EPOq3844 cwsDaq7D9I0/MFY+JmfqzmpHE/E0awWDHq3ob0O5TFzvyU8eiYr7syjwugVga15g tCxDViIcxrY= =KRgW -----END PGP SIGNATURE-----