CERT Vendor-Initiated Bulletin VB-97.11 - NEC Corp.

Aleph One (aleph1@DFW.NET)
Tue, 14 Oct 1997 14:37:28 -0500

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT* Vendor-Initiated Bulletin VB-97.11
October 14, 1997

Topic: Vulnerability in "nosuid" mount option.
Source: NEC Corporation

To aid in the wide distribution of essential security information, the CERT
Coordination Center is forwarding the following information from NEC
Corporation. NEC urges you to act on this information as soon as possible. NEC
contact information is included in the forwarded text below; please contact
them if you have any questions or need further information.

=======================FORWARDED TEXT STARTS HERE============================
______________________________________________________________________________
NEC Corporation Security Bulletin

Title: Vulnerability in "nosuid" mount option
Affects: EWS-UX/V(Rel4.2) R7.x - R10.x
EWS-UX/V(Rel4.2MP) R10.x
UP-UX/V(Rel4.2MP) R5.x - R7.x
UX/4800 R11.x - 12.1
Document ID: SB-19971010-01
Date Issued: October 10, 1997
______________________________________________________________________________

1. Description

NEC Corporation has identified and corrected a problem with the
"nosuid" mount(1) option. The "nosuid" mount(1) option nullifies
the effect of setuid and setgid bits for files on a particular file
system. This problem manifests itself by allowing setuid and setgid
program execution on file systems mounted with "nosuid".

The following NEC/UNIX platforms are affected:

EWS-UX/V(Rel4.2) R7.x - R10.x
EWS-UX/V(Rel4.2MP) R10.x
UP-UX/V(Rel4.2MP) R5.x - R7.x
UX/4800 R11.x - 12.1

NEC strongly recommends that administrators of affected systems
follow the instructions in section 3 of this bulletin.

2. Impact

By exploiting this vulnerability, local users can invoke commands
as other users and possibly achieve root privileges to execute
arbitrary commands.

3. Workarounds/Solution

The patches listed below change the way execution privileges are
calculated so that setuid and setgid bits are correctly ignored on
file systems mounted with the "nosuid" option.

Patches for platforms not listed in Section 3.2 are still in progress.
For these systems, we recommend either unmounting file systems mounted
"nosuid" or applying the workaround as described in Section 3.1 until
patches are made available.

3.1. Remove setuid/setgid permission (workaround)

To prevent possible exploitation of this vulnerability, until a patch
is made available for your platform, we recommend the following steps:

1) Make a local copy of each remote file system mounted with the
"nosuid" option.

# find <mountpoint> -depth -print | cpio -pdm <localcopy>

2) Unmount the remote file system and replace it with the local copy.

# umount <mountpoint>
# mount <localdev> <mountpoint>

3) Run the find(1) command below to remove all setuid and setgid bits
on files in the local copy of the remote hierarchy.

# find <mountpoint> -print -exec chmod ug-s {} \;

3.2. Install a patch

This vulnerability is corrected by the following patches:

OS version Patch ID
---------- --------
EWS-UX/V(Rel4.2) R7.x NECe70093
EWS-UX/V(Rel4.2) R8.x NECe80121
EWS-UX/V(Rel4.2) R9.x NECe90281, NECe90282(for 110N)
EWS-UX/V(Rel4.2) R10.x NECea0168
EWS-UX/V(Rel4.2MP) R10.x NECma0378
UP-UX/V(Rel4.2MP) R5.x NECu50078
UP-UX/V(Rel4.2MP) R6.x NECu60217
UP-UX/V(Rel4.2MP) R7.x NECu70541
UX/4800 R11.x NECmb0668
UX/4800 R12.x NECmc0054

See section 4 of this bulletin for checksum information.

These patches are available from:
ftp://ftp.meshnet.or.jp/pub/48pub/security

For a directory tree map, consult the README file.

For further information, please contact by e-mail:
UX48-security-support@nec.co.jp

4. Checksum and additional information for patches.

Patch ID: NECe70093

Patch : NECe70093.210.pkg.Z
Target Hardware: 210,120LT,215,130LT,210II
sum : 17018 22
md5 : 56CE37185FD7D5BCB6D28F6BD8DEFFBB

Patch : NECe70093.220.pkg.Z
Target Hardware: 220,260,230
sum : 16078 22
md5 : 251A0B2239B415A6F9324F68C99F8B14

Patch : NECe70093.330.pkg.Z
Target Hardware: 330,110LT,310,320,360
sum : 18075 22
md5 : 54A7DA54894E470CC8F4C879E6283AD0

Patch : NECe70093.350.pkg.Z
Target Hardware: 350,350F,380
sum : 892 21
md5 : BCBB5A319A0AB471ECB8EE5F154ECDCE

Patch ID: NECe80121

Patch : NECe80121.210.pkg.Z
Target Hardware: 210,120LT,215,130LT,210II
sum : 35542 21
md5 : 6D33DCE306B41996CB671EB9DB3DADD3

Patch : NECe80121.220.pkg.Z
Target Hardware: 220,260,230
sum : 19176 21
md5 : 32F955A3DEA4B76D552ACE5C3125AA9B

Patch : NECe80121.330.pkg.Z
Target Hardware: 330,110LT,310,320,360
140LT,150LT,360AD,360A,OM
sum : 6993 21
md5 : 9425197116B75C919B10DF0F2A948A78

Patch : NECe80121.350.pkg.Z
Target Hardware: 350,350F,380
sum : 4723 21
md5 : 5A86DA101711317C1DA87541155229CC

Patch ID: NECe90281

Patch : NECe90281.210.pkg.Z
Target Hardware: 210,120LT,215,130LT,210II
sum : 1426 20
md5 : 1BE96184A9C6645899DD6CFFC1C5E00D

Patch : NECe90281.220.pkg.Z
Target Hardware: 220,260,230
sum : 4671 20
md5 : CA002CF9C4B86880D044F320B80D9800

Patch : NECe90281.330.pkg.Z
Target Hardware: 330,110LT,310,320,360
140LT,150LT,360AD,360A,OM
310LC,320EX,320SX,330EX,330AD
360EX,360ADII
sum : 49879 20
md5 : 2045FF5FC608600DBE87D8C2AF08F7AA

Patch : NECe90281.350.pkg.Z
Target Hardware: 350,350F,380
sum : 53666 20
md5 : D0722E3257CEADFA8E3B60D68EAA9C8C

Patch ID: NECe90282

Patch : NECe90282.110N.pkg.Z
Target Hardware: 110N
sum : 49054 20
md5 : A244594291D8A8E398105EF1786B5A2A

Patch ID: NECma0378

Patch : NECma0378.330.pkg.Z
Target Hardware: 330,110LT,310,320,360
140LT,150LT,360AD,360A,OM
310LC,320EX,320SX,330EX,330AD
360EX,360ADII,320VX,360SX
sum : 62412 25
md5 : 0ABDB0D337474622A178B5A90010DF1F

Patch : NECma0378.360MP.pkg.Z
Target Hardware: 360MP
sum : 23244 25
md5 : 682AA6A8BC97E91DBC14253F8E9C6FFC

Patch ID: NECea0168
Patch : NECea0168.110N.pkg.Z
Target Hardware: 110N,310EC
sum : 13328 21
md5 : 21D6648E69158622AECAD8A1F1538511

Patch ID: NECmb0668

Patch : NECmb0668.110N.pkg.Z
Target Hardware: 110N,310EC,310LX,310ECII,110NII
sum : 61039 24
md5 : 066DBA2EBAAB87B10D3C55C4161232F1

Patch : NECmb0668.210.pkg.Z
Target Hardware: 210,120LT,215,130LT,210II
sum : 43893 24
md5 : D6A0A08C2008F11BF1D11D670910893F

Patch : NECmb0668.220.pkg.Z
Target Hardware: 220,260,230
sum : 47818 24
md5 : A93FA1EE90055120892BF96FED4071C9

Patch : NECmb0668.330.pkg.Z
Target Hardware: 330,110LT,310,320,360
140LT,150LT,360AD,360A,OM
310LC,320EX,320SX,330EX,330AD
360EX,360ADII,320VX,360SX
sum : 63097 24
md5 : FBEEC273976D44E8593791CBC3006E94

Patch : NECmb0668.350.pkg.Z
Target Hardware: 350,350F,380
sum : 46118 24
md5 : 14AFB2F7CBE0FECE66C43E15D53A6959

Patch : NECmb0668.360MP.pkg.Z
Target Hardware: 360MP
sum : 34423 24
md5 : 04FFC169C0056C2E0E991C5593EC13EB

Patch : NECmb0668.FM.pkg.Z
Target Hardware: 760,660R
sum : 34722 24
md5 : 0E875E8E6677223C19EF92FFD8AAA17B

Patch : NECmb0668.ML.pkg.Z
Target Hardware: 610
sum : 31695 24
md5 : 43F48AE10F46DD5675F54C4171979B93

Patch : NECmb0668.RH.pkg.Z
Target Hardware: 660,680,690,670,675
675AD
sum : 42993 24
md5 : 84FCEF5034A0E5A430367A6F4F813839

Patch : NECmb0668.RH0.pkg.Z
Target Hardware: 640,650
sum : 26945 24
md5 : 5CC49D44154183D39DD18C51BA6D8BD9

Patch : NECmb0668.RL.pkg.Z
Target Hardware: 605,615,615AD,615A
sum : 2916 24
md5 : 0C88DA08FF160A1B132538E8A46E9E4B

Patch : NECmb0668.RM.pkg.Z
Target Hardware: 625,635,635AD
sum : 63205 24
md5 : 47D10396FC39C0FB7FE617D0B180DF08

Patch : NECmb0668.TH2.pkg.Z
Target Hardware: 310PX,320PX,330PX
sum : 56681 24
md5 : 12BC633B68667D8EC08E56B95CD1EC5B

Patch : NECmb0668.UD2.pkg.Z
Target Hardware: 360PX,360PXII
sum : 26095 24
md5 : 53251D6148665B16ADF3DF224485BA96

Patch ID: NECmc0054

Patch : NECmc0054.110N.pkg.Z
Target Hardware: 110N,310EC,310LX,310ECII,110NII
sum : 38080 23
md5 : B27726AA05A082079E951F00222D6E7D

Patch : NECmc0054.210.pkg.Z
Target Hardware: 210,120LT,215,130LT,210II
sum : 39082 23
md5 : 590586BE5E847BD34780D2A68A908495

Patch : NECmc0054.220.pkg.Z
Target Hardware: 220,260,230
sum : 37616 23
md5 : CA9AD4DB7476E6753C7E06F5835AC61B

Patch : NECmc0054.330.pkg.Z
Target Hardware: 330,110LT,310,320,360
140LT,150LT,360AD,360A,OM
310LC,320EX,320SX,330EX,330AD
360EX,360ADII,320VX,360SX
sum : 42500 23
md5 : 31F228CA399A16DCEC4C7641D63D2E54

Patch : NECmc0054.350.pkg.Z
Target Hardware: 350,350F,380
sum : 47172 23
md5 : 711FBF6BD131FFA6FB1AC2E82BDB863D

Patch : NECmc0054.360MP.pkg.Z
Target Hardware: 360MP
sum : 32933 23
md5 : 20C52796D74B8FE1CD7FEC7CEA116708

Patch : NECmc0054.EH3.pkg.Z
Target Hardware: 410,420
sum : 33478 23
md5 : 5DE177B5E0BA6517192A6CB6DB53E4E8

Patch : NECmc0054.EL.pkg.Z
Target Hardware: 710
sum : 2088 23
md5 : 35908F4C918DA2D164D8C9B27A71061A

Patch : NECmc0054.FL.pkg.Z
Target Hardware: 740
sum : 31787 23
md5 : A4DD978D309F37DA72151247770ECC0D

Patch : NECmc0054.FM.pkg.Z
Target Hardware: 760,660R,760R
sum : 31135 23
md5 : F5FC7DBA2CFAD595FE72B520268BA02B

Patch : NECmc0054.ML.pkg.Z
Target Hardware: 610
sum : 18801 23
md5 : AD5954BF0E57B1593B12BAEB5A0C7151

Patch : NECmc0054.RH.pkg.Z
Target Hardware: 660,680,690,670,675
675AD,770
sum : 18516 23
md5 : A84E91CE094441E55BC967F0A33129E5

Patch : NECmc0054.RH0.pkg.Z
Target Hardware: 640,650
sum : 27899 23
md5 : 5B47CABA685D0C428869CC300BB1E8DE

Patch : NECmc0054.RL.pkg.Z
Target Hardware: 605,615,615AD,615A
sum : 48090 23
md5 : 5AD2B54F85BF83EE934D10BA8ABA3637

Patch : NECmc0054.RM.pkg.Z
Target Hardware: 625,635,635AD
sum : 49278 23
md5 : 3EEEAB2D6B42B8EF58291F07F7986E0E

Patch : NECmc0054.TH2.pkg.Z
Target Hardware: 310PX,320PX,330PX
sum : 36503 23
md5 : 7F937DFCAC8A09E39CDFA3DB757C7529

Patch : NECmc0054.UD2.pkg.Z
Target Hardware: 360PX,360PXII
sum : 34087 23
md5 : 7BD3E3E1C0C44AC0FF96071F0D7E3B04

Patch : NECmc0054.UD3.pkg.Z
Target Hardware: 460
sum : 21713 23
md5 : 02850DACF247867594A999A9CF32E5C3

Patch ID: NECu50078

Patch : NECu50078.RH.pkg.Z
Target Hardware: 660,680
sum : 24590 23
md5 : A0CB7CE51889544BA00BA8600CA64068

Patch ID: NECu60217

Patch : NECu60217.RH.pkg.Z
Target Hardware: 660,680,690
sum : 12320 23
md5 : B2853692FDB387C7A132BF5AE5047B33

Patch : NECu60217.RH0.pkg.Z
Target Hardware: 640,650
sum : 18714 23
md5 : EB2AD3AD7F0AC59E0750491D19446115

Patch : NECu60217.RL.pkg.Z
Target Hardware: 605,615,615AD,615A
sum : 40312 24
md5 : 3EFBE0C6873017ABFA7D2632BB7F686D

Patch : NECu60217.RM.pkg.Z
Target Hardware: 625,635,635AD
sum : 21912 24
md5 : 6B5B2936D081D849DEBC649595F917DD

Patch ID: NECu70541

Patch : NECu70541.ML.pkg.Z
Target Hardware: 610
sum : 43559 25
md5 : E009D5CC456DDB3E5347038A584C724C

Patch : NECu70541.RH.pkg.Z
Target Hardware: 660,680,690
sum : 47473 25
md5 : 26A98C96AF71341961CC57CC5E55EB27

Patch : NECu70541.RH0.pkg.Z
Target Hardware: 640,650
sum : 36458 25
md5 : EAD7B3F4A48E97E4BCBAE83B298EE265

Patch : NECu70541.RL.pkg.Z
Target Hardware: 605,615,615AD,615A
sum : 56520 25
md5 : 593BD721536ABC1BC0694D757DD4387B

Patch : NECu70541.RM.pkg.Z
Target Hardware: 625,635,635AD
sum : 5840 25
md5 : 5D9AA821BE9D01AF39512E448E3F520E

============================================================================

========================FORWARDED TEXT ENDS HERE=============================

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (FIRST). See http://www.first.org/team-info/.

We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact
the CERT staff for more information.

Location of CERT PGP key
ftp://ftp.cert.org/pub/CERT_PGP.key

CERT Contact Information
- ------------------------
Email cert@cert.org

Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST
(GMT-5)/EDT(GMT-4), and are on call for
emergencies during other hours.

Fax +1 412-268-6989

Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA

CERT publications, information about FIRST representatives, and other
security-related information are available from
http://www.cert.org/
ftp://ftp.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
cert-advisory-request@cert.org
In the subject line, type
SUBSCRIBE your-email-address

* Registered U.S. Patent and Trademark Office.

The CERT Coordination Center is part of the Software Engineering
Institute (SEI). The SEI is sponsored by the U. S. Department of Defense.

This file: ftp://ftp.cert.org/pub/cert_bulletins/VB-97.11.nec

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNEKGrnVP+x0t4w7BAQEP4QQA2if0MNau8AvBwPPvy3lXnktztA2SNPSe
cDfu+Gb+xa1Wu79H4oX46G5UejW89nhoVVHPymMnulxQWpfCYmC/3f0PCCv5F5NY
RSStHuubAtvNEED19JsNKlw2vx5nbKHnVHdRF2/w9FsvML7dtCPwNDfLZ8CI/D5M
hViGxfndygw=
=Hv66
-----END PGP SIGNATURE-----