**********************************************************************
DDN MGT Bulletin 46              DCA DDN Defense Communications System
1 Dec 88
Published by: DDN Network Info Center (NIC@SRI-NIC.ARPA) (800) 235-3155

                         DEFENSE DATA NETWORK
                         MANAGEMENT BULLETIN

The DDN MANAGEMENT BULLETIN is distributed online by the DDN Network
Information Center under DCA contract as a means of communicating
official policy, procedures and other information of concern to
management personnel at DDN facilities.

Back issues may be read through the TACNEWS server ("@n" command at
the TAC) or may be obtained by FTP (or Kermit) from the SRI-NIC host
[26.0.0.73 or 10.0.0.51] using login="anonymous" and password="guest".
The pathname for bulletins is DDN-NEWS:DDN-MGT-BULLETIN-nn.TXT (where
"nn" is the bulletin number).
**********************************************************************

               CORRECTION FOR FTP RELATED SECURITY FLAW

Vulnerabilities exist for sites using Berkeley UNIX software or
software derived from Berkeley UNIX. If you don't know if your system
uses Berkeley derived UNIX, contact your vendor.

The following direction has been prepared with assistance from
Berkeley and the Computer Emergency Reaction Team (CERT). The fix was
independently validated.

If you are running FTP service (with ftpd) then you will need to take
the following steps:

Steps (1), (2), and (3) below should be taken NOW. Follow up shortly
afterward with the remaining steps.

  (1) Become root.

  (2) Remove the FTP server program (ftpd). One of the following will
      work. It is OK to do all four.

          rm /etc/ftpd
          rm /usr/etc/ftpd
          rm /etc/in.ftpd
          rm /usr/etc/in.ftpd

  (3) EITHER reboot your system OR kill the running ftpd process.

  (4) You are safe at this point, but your system is no longer
      providing an FTP server. (You have removed the FTP server
      program from your disk.)
      NOTE: You will still be able to use FTP to obtain the fix from
      the Network Information Center (NIC), but you will not be able
      to accept externally initiated file transfers.

  (5) Obtain the ftpd fix from the NIC, from Berkeley, from the CERT,
      or from your vendor. Install according to the instructions.

      NOTE: A version of the patch was disseminated about a month ago
      from Berkeley, and many sites will already have installed the
      fix. The fix that is now being released is a slight improvement
      to this earlier fix, and we suggest making this additional
      upgrade.

      The fix is available from the NIC through anonymous FTP. To get
      a copy:

          Open an FTP connection to SRI-NIC.ARPA
          Retrieve the contents of NETINFO:UNIX-FTPD.SHAR

      (NOTE! If you obtained a copy of the fix prior to receiving this
      bulletin you will need to retrieve a fresh copy of the fix.)

      For further information about the retrieval of the patch, call
      the NIC at (800) 235-3155.

      The fix is also available from the CERT; send computer mail to:

          CERT [at] SEI.CMU.EDU

      to get the fix via computer mail.

  (6) Once the fix is installed, you can resume providing an FTP
      server. For further information about the patch itself call the
      Computer Emergency Response Team Coordination Center at
      (412) 268-7090, Keith Bostic (Berkeley) at (415) 642-8524, or
      Phil Lapsley or Peter Yee (Berkeley) at (415) 642-7447.

  (7) Be sure you have installed the SENDMAIL and FINGERD fixes that
      were previously provided (see DDN Management Bulletin #43). It
      is important that these fixes be installed. The FINGERD hole is
      sufficiently dangerous that you should remove fingerd pending
      installation of the fix. Follow steps (1), (2), and (3) above
      substituting "fingerd" for "ftpd". The fixes for these problems
      are also available from the NIC.

  (8) If you are running an (obsolete) BSD 4.2 derived system, then it
      is strongly advised that you obtain an upgrade to 4.3 (or its
      descendants).
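The script below is an added example and is not part of the bulletin,
Berkeley's fix, or the CERT material. It packages steps (1), (2) and
(3) as shell functions generalized over the daemon name, so the same
code serves the ftpd procedure and the "substitute fingerd" note in
step (7). Everything beyond the four rm paths is an assumption of this
example: the optional "root" prefix argument lets an administrator
rehearse the removal against a scratch directory before running it on
the live system, and the ps/awk form used to find the running daemon
is the modern POSIX syntax rather than the 1988 BSD ps options.

```sh
#!/bin/sh
# Added example, not from DDN Management Bulletin 46 or the ftpd fix.
# Steps (1)-(3) of the bulletin, generalized over the daemon name so the
# same functions cover "ftpd" and, per step (7), "fingerd".
#
# The optional second argument ("root") is an assumed convenience: a
# path prefix such as a scratch directory, so the removal can be
# rehearsed without touching the real /etc and /usr/etc.

# The four locations the bulletin lists for the daemon binary, one per
# line, prefixed with the optional root.
daemon_paths() {
    name=$1
    root=${2:-}
    printf '%s\n' "$root/etc/$name" "$root/usr/etc/$name" \
                  "$root/etc/in.$name" "$root/usr/etc/in.$name"
}

# Report how many of the candidate binaries are present; changes nothing.
# (A here-document is used instead of a pipe so the counter survives in
# shells that run pipeline stages in a subshell.)
count_daemon_binaries() {
    n=0
    while IFS= read -r p; do
        if [ -f "$p" ]; then n=$((n + 1)); fi
    done <<EOF
$(daemon_paths "$1" "${2:-}")
EOF
    echo "$n"
}

# Bulletin step (2): remove whichever of the four binaries exist and
# print each path removed. Safe to run more than once.
remove_daemon_binaries() {
    while IFS= read -r p; do
        if [ -f "$p" ]; then
            rm -f "$p"
            echo "removed $p"
        fi
    done <<EOF
$(daemon_paths "$1" "${2:-}")
EOF
}

# Bulletin step (3), the alternative to rebooting: find processes whose
# command name is the daemon (or its "in." variant) and terminate them.
# "ps -e -o pid= -o comm=" is the POSIX column form, an assumption of
# this example; adjust for a ps that lacks -o.
running_daemon_pids() {
    ps -e -o pid= -o comm= | awk -v n="$1" '$2 == n || $2 == "in." n { print $1 }'
}

kill_running_daemon() {
    for pid in $(running_daemon_pids "$1"); do
        kill "$pid" && echo "terminated $1 (pid $pid)"
    done
}

# Usage on the live system (bulletin step 1 requires root):
#     sh disable_daemon.sh --apply ftpd
#     sh disable_daemon.sh --apply fingerd
# With no arguments only the functions are defined, so the file can be
# exercised against a scratch prefix with no side effects.
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    if [ "$(id -u)" -ne 0 ]; then
        echo "must be run as root (bulletin step 1)" >&2
        exit 1
    fi
    remove_daemon_binaries "$2"
    kill_running_daemon "$2"
    echo "$2 disabled; obtain and install the fix before re-enabling (steps 5 and 6)"
fi
```

To rehearse, create a scratch tree containing empty "etc/ftpd" and
"usr/etc/in.ftpd" files, source the script, and call
`remove_daemon_binaries ftpd /path/to/scratch`; it should print the two
paths it removed and leave any fingerd binary in the same tree alone
until `remove_daemon_binaries fingerd /path/to/scratch` is run.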