=========================================================================== SCO Security Bulletin 99.26b 24 February 2000 Multiple Vulnerabilities Found In SCO OpenServer --------------------------------------------------------------------------- I. Description This is an update to SB 99.26a ( 24th December 1999) describing a replacement SSE for sse050 (sse050b) SSE050b corrects an error with sse050 where the userOsa binary was wired to an SSO path not available on OpenServer 5.0.5. (many thanks to Glen for the error report). This and the original SSE address the following. Several security holes have been found in SCO OpenServer: 1. Buffer overflows in: /usr/mmdf/chans/smtpsrvr /etc/killall /etc/popper /usr/bin/mscreen /usr/bin/rlogin /bin/su /usr/lib/sysadm/termsh /usr/lib/libX11.so.5.0 /usr/lib/libXt.so.5.0 /usr/lib/libXmu.so.5.0 /usr/lib/libXaw.so.5.0 /usr/lib/libX11.a /usr/lib/libXt.a /usr/lib/libXmu.a /usr/lib/libXaw.a /usr/bin/X11/xterm /usr/bin/X11/xload /usr/bin/X11/scoterm /usr/bin/X11/scolock /usr/bin/X11/scosession /usr/bin/X11/scologin /usr/lpd/remote/rlpstat /usr/lpd/remote/cancel /usr/lpd/remote/lpmove 2. Algorithmic vulnerabilities in: /etc/sysadm.d/bin/userOsa: Can improperly write to privileged files /usr/bin/X11/Xsco: Can improperly read privileged files (also buffer overflows) /bin/hello: Can improperly acess privileged devices Allows transmission of dangerous characters /bin/write: Allows transmission of dangerous characters /bin/login: Corrupt /etc/dialups causes login failure Insufficient error checking II. Impact Unprivileged users can gain administrative privileges on unpatched servers. III. Releases SCO products that require patching include OpenServer version 5.0.5. IV. Solution SCO is providing an interim patch to address this issue in the form of a System Security Enhancement (SSE) package. SSE050b contains replacement binaries for each system type, and is available for Internet download via anonymous ftp You can download the SSE package as follows: Anonymous ftp (World Wide Web URL): ftp://ftp.sco.COM/SSE/sse050b.ltr (cover letter, ASCII text) ftp://ftp.sco.COM/SSE/sse050b.tar.Z (new binaries, compressed tar file) Checksums (sum -r): 35167 7 sse050b.ltr 14132 5352 sse050b.tar.Z V. Updates This bulletin is available for anonymous ftp download from ftp://ftp.sco.COM/SSE/security_bulletins/SB-99.26b and updates ftp://ftp.sco.COM/SSE/security_bulletins/SB-99.26a This will be updated as new information becomes available. The latest information on security vulnerabilities and fixes from SCO is available on the world-wide web at http://www.sco.com/security/ VI. Further Information: If you have further questions, contact your support provider. If you need to contact SCO, please send electronic mail to support@sco.COM, or contact SCO as follows. USA/Canada: 6am-5pm Pacific Time (PST/PDT) ----------- 1-800-347-4381 (voice) 1-408-427-5443 (fax) Pacific Rim, Asia, and Latin American customers: 6am-5pm Pacific ------------------------------------------------ Time (PST/PDT) 1-408-425-4726 (voice) 1-408-427-5443 (fax) Europe, Middle East, Africa: 9am-5:30pm UK Time (GMT/BST) ---------------------------- +44 (0)1923 816344 (voice) +44 (0)1923 817781 (fax)