All;
The only intent of this "summary" is to make folks aware that while "it"
(/sbin/it) may not be doing anything on your systems right now and it may
seem a perfect candidate to disable, "it" plays a role in such key system
activities as OS upgrades, patch installations and subset installation.
Leaving "it" permanently disabled, as a response to the vulnerability, will
likely break something on your system in the future. If you have disabled
"it", or intend to, I would suggest that you make yourselves aware of the
potential ramifications of doing so and plan on not making many (if any)
system changes until the vulnerability has been reviewed by Compaq support
and a fix has been released and you've re-enabled "it". For example, to the
best of my knowledge, when you do a Tru64 OS *upgrade* after installing the
subsets from the distribution media, the system reboots and comes back up
and immediately starts to configure all the newly installed subsets and
then it proceeds to gen a new kernel (doconfig). /sbin/it is the mechanism
used to initiate those processes once the system comes back up. As far as I
can tell by disabling "it" (and leaving it disabled) you will probably
break any subsequent OS upgrades and you'd likely leave your system in a
less than desirable state after the upgrade attempt failed. Patch and/or
subset installations and/or configurations may also fail as well.
So, I am not suggesting that folks ignore the vulnerability, I'm just
suggesting that permanently disabling "it" may not be the right approach in
regard to dealing with it.
The original message from Paul Szabo is included below.
----------------------------------------------------------------------------
12 Dec 2000 11:39:05 +1100 (EST)
Date: Tue, 12 Dec 2000 11:39:05 +1100
From: Paul Szabo <psz_at_maths.usyd.edu.au>
Subject: DEC/Compaq /sbin/it: security vulnerability
To: tru64-unix-managers_at_ornl.gov
Cc: rich.boren_at_compaq.com
Message-id: <3A3573A9.167E_at_maths.usyd.edu.au>
Organization: School of Mathematics and Statistics, University of Sydney
MIME-version: 1.0
X-Mailer: Mozilla 3.01Gold (X11; I; OSF1 V4.0 alpha)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
Newsgroups: comp.unix.tru64,comp.security.unix
Content-Transfer-Encoding: 7bit
X-UIDL: RR<!!gc3"!2fS!!I/b!!
There is a vulnerability in the /sbin/it utility of DEC/Compaq Tru64 UNIX,
at least in versions V4.0D to V5.1 (probably all V4 and V5 versions, maybe
even V3 and older). The vulnerability may be exploited to gain root access.
To protect your machine, change the /etc/inittab file and disable /sbin/it.
You may remove the line, or place a '#' character at the beginning to leave
it something like
# it:23:wait:/sbin/it < /dev/console > /dev/console 2>&1
More details (possibly including a working exploit) may be posted in a week
or so to the BugTraq mailing list (see
http://www.securityfocus.com/).
Some history:
Sun 26 Nov 00 Notified rich.boren_at_compaq.com (including full exploit)
Mon 27 Nov 00 Received acknowledgement, promises "to update you ... by mid
week (29th or 30th)"
Mon 4 Dec 00 After prompting on 30 Nov, says "engineering ... have not
had the chance to get through with their review/analysis"
Tue 12 Dec 00 Workaround posted to tru64-unix-managers, comp.unix.tru64
and comp.security.unix (cc rich.boren_at_compaq.com)
--
Paul Szabo - psz_at_maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
----------------------------------------------------------------------------
David
mailto:sxdjd_at_ts.sois.alaska.edu
Received on Thu Dec 14 2000 - 19:12:07 NZDT