PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER {ISSO}, SPECIAL SECURITY OFFICER {SSO}, INFORMATION RESOURCE MANAGER {IRM} AND AUTOMATED DATA PROCESSOR {ADP} COORDINATORS

SUBJECT: NOVELL ACCESS RIGHTS SECURITY WEAKNESS {AUTOMATED SYSTEM SECURITY INCIDENT SUPPORT TEAM {ASSIST} BULLETIN 92-64}.

1. ASSIST HAS LEARNED ABOUT A SECURITY PROBLEM IN NOVELL NETWARE {ALL VERSIONS} INVOLVING ACCESS RIGHTS. THE PROBLEM IS THAT ANY USER LOGGED ONTO A SERVER CAN GAIN THE RIGHTS OF ANY OTHER USER LOGGED ONTO THE SAME SERVER, INCLUDING A SUPERVISOR. A BREAK-IN PROGRAM WAS DEMONSTRATED AT A RECENT MEETING OF THE "NOVELL GEBRUIKERSGROEP NEDERLAND" {NGN, DUTCH NOVELL USERS GROUP}, WHICH HAS ISSUED A PRESS RELEASE ON THIS VULNERABILITY, MAKING THE PROBLEM WIDELY KNOWN TO THE WORLD COMPUTER-USER COMMUNITY. THE BREAK-IN SOFTWARE WAS ABLE TO GIVE THE ACCESS RIGHTS OF ANOTHER USER TO THE USER RUNNING IT. THE PROGRAM DEMONSTRATED WAS MOUSE DRIVEN AND VERY EASY TO USE. THE USER RUNNING THE HACK PROGRAM NEEDS ONLY A VALID {GUEST-TYPE} CONNECTION TO THE SERVER. THIS COULD BE ON ANY NETWORK TOPOLOGY {ETHERNET, TOKEN RING, ARCNET}, INCLUDING THROUGH WAN LINKS.

2. THE BREAK-IN PROGRAM SENDS A COMMAND TO THE NOVELL FILE SERVER WHICH LOOKS LIKE A COMMAND COMING FROM ANOTHER WORKSTATION THAT HAS A VALID USER LOGGED ON, AND THE SERVER CARRIES OUT THE COMMAND WITH THAT USER'S RIGHTS. BY EXPLOITING THIS WEAKNESS, A SYSTEM USER COULD ACQUIRE THE PRIVILEGES OF ANOTHER USER LOGGED ON AT A DIFFERENT WORKSTATION. NGN SUBMITTED THE PROGRAM AND ITS SOURCE CODE TO NOVELL AND REQUESTED THAT NOVELL DEVELOP AND DISTRIBUTE A SOLUTION TO THIS PROBLEM AS SOON AS POSSIBLE. ASSIST WILL ISSUE FOLLOW-UP MESSAGES ON THIS TOPIC AS SOON AS NEW INFORMATION IS MADE AVAILABLE.

3. ASSIST RECOMMENDS ALL NOVELL SYSTEM MANAGERS FOLLOW THE SECURITY GUIDELINES LISTED BELOW.

   A. DO NOT LOG ON AS SUPERVISOR OR AS A SUPERVISOR-EQUIVALENT USER WHEN THERE ARE OTHER USERS ON THE FILE SERVER. IF A SITUATION ARISES IN WHICH YOU MUST LOG ON AS SUPERVISOR EQUIVALENT WHILE OTHER USERS ARE ON THE SYSTEM, CHECK THE LOG FILE OF SHOWEVNT.NLM {INFORMATION ON SHOWEVNT.NLM IS LISTED BELOW} FOR ANY ACTIONS THAT WERE NOT YOUR OWN. THE HACK PROGRAM CAN ONLY PERFORM ACTIONS SUCH AS ACQUIRING RIGHTS IN A DIRECTORY OR MAKING ITSELF SUPERVISOR EQUIVALENT WHILE THE SUPERVISOR (OR A SUPERVISOR EQUIVALENT) IS LOGGED IN TO THE NETWORK AT ANOTHER WORKSTATION.

   B. REVOKE THE ACCESS CONTROL RIGHT FROM ALL USERS WHO DO NOT REALLY NEED IT {PREFERABLY ALL USERS}. THE ACCESS CONTROL RIGHT IS NECESSARY TO CHANGE TRUSTEES, AND IS OFTEN HANDED OUT TO "NORMAL USERS" WHO DO NOT NEED IT TO RUN APPLICATIONS. THE HACK PROGRAM CAN ONLY GIVE TRUSTEE RIGHTS IN A DIRECTORY TO ITSELF OR TO ANY OTHER USER WHILE SOME LOGGED-IN USER HOLDS THE ACCESS CONTROL RIGHT IN THAT DIRECTORY. REVOKING ACCESS CONTROL RIGHTS IS AN EFFECTIVE METHOD FOR IMPROVING NETWORK SECURITY.

   C. INSTALL "SHOWEVNT.NLM" IN ORDER TO MONITOR CHANGES IN NETWORK RIGHTS {BY MEANS OF "SHOWEVNT.NLM" THE SYSTEM MANAGER IS ABLE TO DETECT CHANGES IN TRUSTEES}. THE PROGRAM "SHOWEVNT.NLM" IS AVAILABLE FROM NOVELL, FROM THE ANONYMOUS FTP SERVER OF SURFNET {FTP.NIC.SURFNET.NL IN THE DIRECTORY "NETMAN/CERT-NL/NOVELL"}, AND FROM ASSIST. THE FOLLOWING FILES CAN BE OBTAINED FROM NOVELL OR DOWNLOADED FROM THE NETMAN/CERT-NL/NOVELL DIRECTORY:

      SHOWEVNT.NLM - THE NLM ITSELF (6538 BYTES)
      SHOWEVNT.DOC - MANUAL PAGE OF THE NLM (4125 BYTES)
      SHOWEVNT.TXT - README FILE (286 BYTES)
      SHOWEVNT.ZIP - ZIP FILE CONTAINING THE 3 FILES ABOVE (6050 BYTES)

   PLEASE READ THE "SHOWEVNT.DOC" FILE CAREFULLY BEFORE INSTALLING THE NLM.

4. SHOWEVNT.NLM IS AN NLM FOR A NETWARE 3.11 SERVER THAT CAN BE USED TO TRACK A NUMBER OF CHANGES IN NETWARE SECURITY. SHOWEVNT WILL DISPLAY THOSE CHANGES ON SCREEN OR OPTIONALLY LOG THEM TO A FILE. THE FOLLOWING CHANGES IN SECURITY INFORMATION ARE TRACKED:

   A. ADDING AN OBJECT TO THE NOVELL BINDERY. THIS COVERS:
      - CREATING A USER, GROUP OR QUEUE (THESE ARE STATIC CHANGES).
      - STARTING OR DOWNING A SERVER OR PRINT SERVER SOMEWHERE ON THE NETWORK (THESE ARE DYNAMIC CHANGES).
   B. DELETING OBJECTS FROM THE BINDERY.
   C. MAKING A BINDERY OBJECT SECURITY EQUIVALENT TO ANOTHER OBJECT. THIS COVERS:
      - ADDING A USER TO A GROUP.
      - MAKING A USER SUPERVISOR EQUIVALENT.
   D. CHANGING A TRUSTEE ON A DIRECTORY (OR FILE). THIS COVERS GRANTING OR REVOKING RIGHTS TO USERS OR GROUPS ON A CERTAIN DIRECTORY.

5. POINT OF CONTACT: ASSIST POINT OF CONTACT FOR THIS MATTER IS MIKE HIGGINS, COMM {703} 696-1904 OR DSN 226-1904. ASSIST CAN BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER {800} SKY-PAGE {800-759-7243}, PIN NUMBER 2133937. WHEN CALLING THE PAGER SERVICE, FOLLOW THE AUTOMATED VOICE INSTRUCTIONS AND ENTER THE CALL BACK NUMBER AFTER THE PROMPT. THE DUTY ASSIST OFFICER WILL CALL YOU BACK WITHIN 30 MINUTES. IF FASTER SERVICE IS REQUIRED, PREFIX YOUR TELEPHONE NUMBER WITH "999", AND THE ASSIST OFFICER WILL CALL BACK WITHIN 5 MINUTES. ASSIST CAN BE REACHED VIA E-MAIL AT "DOD-CERT{AT-SIGN}DDN-CONUS.DDN.MIL".

BT
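Added illustration of the weakness in paragraphs 2 and 3 of the bulletin. This is constructed example code, not NetWare code, not the NGN demonstration program and not the fix the bulletin awaits from Novell. The toy server below, like the file server described in paragraph 2, decides whose rights a command runs with from the claimed station address and connection number alone, so a GUEST station can forge a command that the server carries out as the SUPERVISOR logged on elsewhere. The same model shows the limits that guidelines 3.A and 3.B rely on (the forgery succeeds only while a user holding the needed right is logged in; impersonating a user without the Access Control right is refused) and records the kind of trustee and equivalence events a SHOWEVNT-style monitor would log. The hardened mode, which requires each request to carry an HMAC under a per-session key the forging station does not have, is an assumed mitigation included for contrast. Station addresses "0001"/"0002", connection numbers, the rights letters A/S/R/F and the directory SYS:DATA are all assumptions of the model.

```python
# Toy model of the ASSIST 92-64 weakness: constructed example, not NetWare's NCP
# protocol, not the NGN program, not Novell's fix. Addresses, connection numbers,
# rights letters and the per-request HMAC are all assumptions of this model.
import hashlib
import hmac
import os
from dataclasses import dataclass

ACCESS_CONTROL = "A"   # trustee right needed to change trustees in a directory
SUPERVISOR = "S"       # supervisory right held by supervisor-equivalent users


@dataclass
class Request:
    src_addr: str   # station address the packet claims to come from
    conn: int       # connection number of the logged-in user it claims to be
    op: str         # "grant_trustee" or "set_equivalence"
    args: tuple
    mac: bytes = b""

    def encode(self) -> bytes:
        return repr((self.src_addr, self.conn, self.op, self.args)).encode()

    def sign(self, key: bytes) -> "Request":
        """Authenticate with the session key only the real station holds."""
        self.mac = hmac.new(key, self.encode(), hashlib.sha256).digest()
        return self


class Server:
    """Weak mode trusts (src_addr, conn); hardened mode also demands the HMAC."""

    def __init__(self, require_mac: bool):
        self.require_mac = require_mac
        self.conns = {}                  # conn -> (user, src_addr, session key)
        self.trustees = {}               # (directory, user) -> set of rights
        self.sup_equiv = {"SUPERVISOR"}  # users that are supervisor equivalent
        self.events = []                 # what a SHOWEVNT-style monitor would log

    def login(self, user: str, src_addr: str):
        conn = len(self.conns) + 1
        key = os.urandom(16)
        self.conns[conn] = (user, src_addr, key)
        return conn, key

    def rights(self, user: str, directory: str) -> set:
        r = set(self.trustees.get((directory, user), ()))
        if user in self.sup_equiv:
            r |= {ACCESS_CONTROL, SUPERVISOR}
        return r

    def handle(self, req: Request) -> str:
        if req.conn not in self.conns:
            return "no such connection"
        user, addr, key = self.conns[req.conn]
        if addr != req.src_addr:
            return "address mismatch"
        if self.require_mac:
            expected = hmac.new(key, req.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, req.mac):
                return "bad signature"
        # Past this point the server acts with the rights of `user`, whoever
        # actually put the packet on the wire.
        if req.op == "grant_trustee":
            directory, target, new_rights = req.args
            if ACCESS_CONTROL not in self.rights(user, directory):
                return "denied"   # guideline 3.B: no Access Control, nothing to steal
            self.trustees.setdefault((directory, target), set()).update(new_rights)
            self.events.append(f"TRUSTEE {directory} {target} +{''.join(sorted(new_rights))} via conn {req.conn} ({user})")
            return "ok"
        if req.op == "set_equivalence":
            (target,) = req.args
            if user not in self.sup_equiv:
                return "denied"
            self.sup_equiv.add(target)
            self.events.append(f"EQUIV {target} = SUPERVISOR via conn {req.conn} ({user})")
            return "ok"
        return "unknown op"


def spoof_attack(require_mac: bool, victim: str = "SUPERVISOR"):
    """GUEST at station 0001 forges requests that appear to come from the victim's
    station and connection. Returns (replies, GUEST's rights in SYS:DATA, events)."""
    srv = Server(require_mac)
    srv.trustees[("SYS:DATA", "CLERK")] = {"R", "F"}    # CLERK holds no Access Control
    victim_conn, _ = srv.login(victim, "0002")          # victim logged in elsewhere
    srv.login("GUEST", "0001")
    # Addresses and connection numbers are visible to any station (assumed);
    # the victim's session key is not.
    forged = [
        Request("0002", victim_conn, "grant_trustee", ("SYS:DATA", "GUEST", {SUPERVISOR})),
        Request("0002", victim_conn, "set_equivalence", ("GUEST",)),
    ]
    replies = tuple(srv.handle(r) for r in forged)
    return replies, srv.rights("GUEST", "SYS:DATA"), srv.events


def legitimate_request() -> str:
    """The real SUPERVISOR station, holding its key, still passes the hardened server."""
    srv = Server(require_mac=True)
    conn, key = srv.login("SUPERVISOR", "0002")
    req = Request("0002", conn, "grant_trustee", ("SYS:DATA", "CLERK", {"R"})).sign(key)
    return srv.handle(req)


if __name__ == "__main__":
    for mode in (False, True):
        replies, guest_rights, events = spoof_attack(mode)
        print(f"require_mac={mode}: replies={replies} GUEST rights={sorted(guest_rights)}")
        for e in events:
            print("   ", e)
    print("spoofing CLERK (no Access Control):", spoof_attack(False, "CLERK")[0])
    print("legitimate signed request:", legitimate_request())
```

Run it directly to see both modes. In weak mode the two forged commands are carried out and GUEST ends up with Access Control and Supervisory rights in SYS:DATA; the two entries in the events list are the model's analogue of the SHOWEVNT.NLM log that guideline 3.A tells you to review after a supervisor session. Forging a CLERK who lacks Access Control achieves nothing, which is the point of guideline 3.B, and in hardened mode the forgeries fail on the signature check while the genuinely signed request still succeeds.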