CIAC B-19
_____________________________________________________
The Computer Incident Advisory Capability
___ __ __ _ ___
/ | / \ /
\___ __|__ /___\ \___
_____________________________________________________
Information Bulletin
Vulnerability in UNIX System V on 386/486 Platforms
Critical UNIX System V on 386/486 Vulnerability Information
--------------------------------------------------------------------------
PROBLEM: UNIX System V security problem on 386/486 platforms (UAREA bug).
PLATFORM: UNIX System V for the Intel 80386/80486 based computers.
DAMAGE: Allows privileged access to files by non-privileged users.
SOLUTIONS: Patch/update available from various vendors.
IMPACT OF PATCH: Vulnerability eliminated. No other side-effects reported.
--------------------------------------------------------------------------
March 21, 1991, 1200 PST Number B-19
CIAC has learned of a vulnerability that allows privileged access to
files on some versions of UNIX System V running on an Intel
80386/80486 based computer. This problem, known as the UAREA bug, has
been corrected by AT&T. Most vendors of UNIX System V based on the
AT&T software have recently released patches specifically designed for
their products. This bulletin provides a partial list of vendors that
are providing patches for this problem, as well as vendors whose
product never had the vulnerability in a specified release.
The following vulnerability matrix lists each vendor/version
combination for which CIAC has received information. For each vendor,
the listed versions were tested for this vulnerability, and a patch
was developed for those versions found to be vulnerable. If the
vendor/version combination does not exhibit the vulnerability,
"No" appears in the third column.
Vendor                   Version    Exhibits vulnerability
------------------------ ---------- ----------------------
Dell                     SVR3.2/1.0.6   Yes - patch available
Dell                     SVR3.2/1.1     No
Dell                     SVR4.0/2.0     No
Interactive              2.0.2          Yes - patch available
Interactive              2.2            Yes - patch available
Interactive              2.2.1          Yes - patch available
Everex (ESIX)            Rev. D         Yes - patch available
AT&T                     SVR3.2.0       Yes - patch available
AT&T                     SVR3.2.1       No
SCO                      all versions   No
Microport                2.2            No
Most vendors are aware of this bug, and have taken steps to correct
the problem. If your vendor/version of UNIX is not listed, or is
listed as one of those that exhibits the vulnerability, you should
contact your UNIX System V vendor for the patch.
For additional information or assistance, please contact CIAC:
Hal Brand
(415) 422-6312 or (FTS) 532-6312
During working hours call CIAC at (415) 422-8193 or (FTS)
532-8193 or send e-mail to ciac@cheetah.llnl.gov.
Send FAX messages to: (415) 423-0913 or (FTS) 543-0913
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.