From support@us.external.hp.com Wed Mar 13 01:01:06 1996
Date: Wed, 13 Mar 1996 01:08:58 -0800
From: HPSL Mail Service
Reply to: support-feedback@us.external.hp.com
To: Damien Sorder
Subject: RE: send doc HPSBUX9404-007

--------

Regarding your request: Send Doc HPSBUX9404-007

The following are the results of your request from the HP SupportLine mail service.

===============================================================================
Document Id:  [HPSBUX9404-007]
Date Loaded:  [04-23-94]
Description:  HP-UX does not have ftpd SITE EXEC vulnerability
===============================================================================

-----------------------------------------------------------------------
HEWLETT-PACKARD SECURITY BULLETIN: #00007, 22 April 94
******** ADVISORY ONLY ********
-----------------------------------------------------------------------
_______________________________________________________________________
ISSUE:    Ftpd SITE EXEC security problem announced by CIAC, CERT
PLATFORM: All HP-UX systems
STATUS:   NOT present on HP-UX.
ADVICE:   Continue to use ftpd distributed with HP-UX.
_______________________________________________________________________

I. ftpd

A. Nature of the Problem

Recent announcements by CIAC (E-17) and CERT (CA-94:08) warned of a potential danger caused by the SITE EXEC command used on ftpd programs. If the ftpd had improper permissions, this command could allow an intruder to execute commands on the system with unauthorized privileges. Such an intrusion could lead to super-user privileges.

B. Status of HP-UX

HP-UX ftpd does NOT currently allow a SITE EXEC command, so this security threat does NOT exist. Some HP-UX users may have chosen to run the non-HP version of ftpd available from source archives such as the wuarchive. These ftpds may be vulnerable, and these users should heed the CIAC/CERT warnings.

C. Recommended Actions

HP-UX users should continue to use the ftpd distributed with the release tapes or provided in official HP-UX patches.

Appendix A. Contacting CERT

1. For complete details on CERT, use anonymous ftp to retrieve ~pub/cert_faq from cert.org. The advisory mentioned above can be retrieved using anonymous ftp to cert.org: it is kept in ~pub/cert_advisories/CA-94:08.ftpd.vulnerabilities.
2. Write to cert@cert.org.
3. Call 1 412-268-7090 (24-hour hotline).

Appendix B. Contacting CIAC (US Dept of Energy)

1. Call 510-422-8193.
2. Write to ciac@llnl.gov.
3. Subscribe to mailing lists by sending body text containing:
       subscribe CIAC-BULLETIN Full_Name Phone_number
   to ciac-listproc@llnl.gov.

-----------------------------------------------------------------------
To subscribe to automatically receive NEW future HP Security Bulletins from the HP SupportLine mail service via electronic mail, send the following in the TEXT PORTION OF THE MESSAGE to support@support.mayfield.hp.com (no Subject is required):

    subscribe security_info

To retrieve the index of all HP Security Bulletins, send the following:

    send security_info_list

To obtain a copy of the HP SupportLine mail service user's guide, send the following to support@support.mayfield.hp.com:

    send guide.txt

For security concerns, write to: security-alert@hp.com
-----------------------------------------------------------------------
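An administrator who wants to confirm that a given ftpd behaves as section I.B of the bulletin describes (no SITE EXEC) can ask the daemon itself: HELP SITE returns the list of SITE subcommands it recognizes. The following is an added example, not part of the HP bulletin; it uses Python's standard ftplib, and the host name, anonymous credentials and sample HELP SITE replies are constructed for illustration.

```python
"""Audit an FTP daemon for an advertised SITE EXEC subcommand (added example,
not from the HP bulletin): HELP SITE lists the SITE subcommands a daemon
recognizes, so a reply naming EXEC means the command the bulletin describes exists."""
from ftplib import FTP, error_perm, error_temp

# Constructed sample replies in the shape an FTP daemon returns for HELP SITE.
REPLY_LISTS_EXEC = (
    "214-The following SITE commands are recognized (* =>'s unimplemented).\n"
    "   UMASK   IDLE    CHMOD   HELP    GROUP   GPASS   NEWER   MINFO\n"
    "   INDEX   EXEC    ALIAS   CDPATH  GROUPS\n"
    "214 Direct comments to ftp-bugs@example.org."
)
REPLY_EXEC_UNIMPLEMENTED = (
    "214-The following SITE commands are recognized (* =>'s unimplemented).\n"
    "   UMASK   IDLE    CHMOD   HELP    EXEC*\n"
    "214 Direct comments to ftp-bugs@example.org."
)
REPLY_NO_SITE = "502 SITE command not implemented."   # daemon has no SITE at all

def parse_help_site(reply: str) -> set[str]:
    """Implemented SITE subcommands named in a HELP SITE reply.
    Anything but a multi-line 214 reply (e.g. a 5xx) yields an empty set;
    subcommands flagged with a trailing '*' are unimplemented and skipped."""
    lines = reply.splitlines()
    if not lines or not lines[0].startswith("214-"):
        return set()
    subcommands: set[str] = set()
    for line in lines[1:]:
        if line.startswith("214 "):          # final line terminates the reply
            break
        for token in line.split():
            if token.isalpha() and token.isupper():   # '*'-flagged tokens fail isalpha()
                subcommands.add(token)
    return subcommands

def site_exec_advertised(reply: str) -> bool:
    """True if the reply lists EXEC as an implemented SITE subcommand."""
    return "EXEC" in parse_help_site(reply)

def check_server(host: str, user: str = "anonymous",
                 passwd: str = "audit@example.org") -> bool:
    """Log in to a live server and report whether it advertises SITE EXEC."""
    with FTP(host, timeout=10) as ftp:
        ftp.login(user, passwd)
        try:
            reply = ftp.sendcmd("HELP SITE")
        except (error_perm, error_temp) as exc:   # 4xx/5xx: SITE not supported
            reply = str(exc)
    return site_exec_advertised(reply)
```

A daemon that lists EXEC should be treated as in scope for the CIAC/CERT advisories the bulletin cites, regardless of which vendor shipped it.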