HP3000-L Archives

June 2000, Week 5

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Patrick Santucci <[log in to unmask]>
Date: Thu, 29 Jun 2000 14:33:19 -0500
Haven't seen anything on the list about this, so I thought I'd better post
it. Please forgive the length, but I thought it important to share.

** Please reply off-list due to the security implications in this post. **
I promise to keep everyone in the loop as to what I learn.

We received an HP Security Bulletin, Document ID HPSBMP0006-007 titled
"Sec. Vulnerability in TurboIMAGE DBUTIL." It states in part:

--------------------------------------------------------------------------

Document ID:  HPSBMP0006-007
Date Loaded:  20000626
      Title:  Sec. Vulnerability in TurboIMAGE DBUTIL

-------------------------------------------------------------------------
    HEWLETT-PACKARD COMPANY SECURITY ADVISORY: #0007, 26 June 2000
-------------------------------------------------------------------------

The information in the following Security Advisory should be acted upon
as soon as possible.  Hewlett-Packard Company will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Advisory as soon as possible.

-----------------------------------------------------------------
PROBLEM:  Given a specific setup, users with ordinary database
          privileges can gain additional privileges.

PLATFORM: HP3000 running MPE/iX release 4.5 and newer.

DAMAGE:   Unauthorized access.

TEMPORARY SOLUTION: Secure DBUTIL.PUB.SYS and your database schemas
          with a lockword.

AVAILABILITY: This advisory will be updated when patches are available.
-----------------------------------------------------------------------
   A. Background

      Hewlett-Packard Company has learned of a procedure by which a user
      can gain additional privileges using DBUTIL.PUB.SYS.

   B. Recommended solution

      Until the patch is available, the recommended solution is to
      secure DBUTIL program and your database schemas with a lockword.

      For example, in CI prompt

        :RENAME DBUTIL.PUB.SYS, DBUTIL/LOCK.PUB.SYS
                 (where LOCK stands for the <lockword> you choose)

      A temporary fix in the DBUTIL program is also available for download
      on the JAZZ web server at:

             http://jazz.external.hp.com/src/

      It is under the DBUTIL.PUB.SYS program.

      NOTE: For more information on versions and downloads, please read
            the security notice at the link

             http://jazz.external.hp.com/src/misc/dbutilsec.txt

     Download DBUTIL06 for TurboIMAGE version C.06.xx,
              DBUTIL07 for TurboIMAGE version C.07.xx, and
              DBUTIL08 for TurboIMAGE version C.08.xx.

     Also available for download is the corresponding program to replace
     the DBUTIL.PUB.SYS on your system.

     You will need to save your system's old DBUTIL program and
     later swap it back when you install the TurboIMAGE patch, to
     keep PATCH/iX from complaining about the checksum mismatch.

-----------------------------------------------------------------------
<snip HP bulletin>

The info on the Jazz link above states in part:

> Recently, a security hole has been found in the DBUTIL program.  By a
> special setup, a certain user who only has 'READ' capability to a
> database will be able to perform tasks which only the database creator
> should be able to do.  The problem has existed since MPE release 4.5.
>
> We are in the process of creating a fix for this problem.  TurboIMAGE
> patch TIXLX74 will include the fix.  This patch updates the TurboIMAGE
> version to C.08.01 and is for MPE 5.5, 6.0 and 6.5.  Since the problem
> only occurs in the DBUTIL program, if you don't want to change other
> parts of the product, you can download only the DBUTIL program from
> JAZZ (http://jazz.external.hp.com/src/misc/dbutil.tar.Z) and replace
> DBUTIL.PUB.SYS on your system with the correct version of DBUTIL contained
> in this tar archive.

Before we can put an updated (or patched) program on the system, our
company policy dictates that we have to go through system acceptance
testing. This means it will take about two weeks to get the okay to put
the *temporary* DBUTIL program onto our production systems.

In the meantime, we want to be as secure as we can. However, some of our
applications use DBUTIL in batch jobs, so we can't just put a lockword on
it (as the Security Bulletin suggests) without causing production jobs to
abend. About the only thing we can do is remove interactive (IA)
capability from the program, which would disallow its use by anyone except
in batch jobs. This would at least provide us with an audit trail.

However, before we start making these kinds of changes we need to know how
serious this problem really is. I sent a message to the ITRC but haven't
heard anything back yet.

So does anyone know what capabilities this actually gives someone? How
easy is it to take advantage of? Is it something you could do accidentally
without realizing you were violating security (e.g. using an ERASE command
without being the DB creator), or is it some kind of hack?

Once again,

** Please reply off-list due to the security implications in this post. **

Thanks,
Patrick
--
Patrick Santucci
Technical Services Analyst
Seabury & Smith, Inc.
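As an added example (not part of Patrick's post or the HP bulletin), here is how the bulletin's lockword mitigation can be applied on an MPE/iX system while the batch jobs that call DBUTIL keep running: the lockword is supplied in the job's RUN line as part of the file reference, and the job file is then locked down because it carries that lockword in clear text. The lockword DBUSEC, the job name DBMAINT, the user MGR.PROD, the job file DBMAINT.JOB.PROD and the database ORDERS are all assumptions for illustration.

```mpe
:COMMENT --- Session commands, typed by a user with SM (not streamed as a job,
:COMMENT --- so the lockword is not echoed into a spooled $STDLIST).
:COMMENT Assumed lockword: DBUSEC.  Interactive users are now prompted for
:COMMENT it and cannot run DBUTIL without it; a batch job whose RUN line
:COMMENT lacks it aborts with a lockword violation.
:RENAME DBUTIL.PUB.SYS, DBUTIL/DBUSEC.PUB.SYS

:COMMENT --- Production job stream DBMAINT.JOB.PROD (assumed name), edited so
:COMMENT --- it still works: the lockword rides in the file reference.
!JOB DBMAINT,MGR.PROD;OUTCLASS=LP,1
!COMMENT Lockword supplied in the file reference of the RUN command.
!RUN DBUTIL/DBUSEC.PUB.SYS
SHOW ORDERS CAPACITY
EXIT
!EOJ

:COMMENT --- The job file now contains the lockword in clear text, so restrict
:COMMENT --- read access to its creator (assumed: the job is streamed by its owner).
:ALTSEC DBMAINT.JOB.PROD;(R,W:CR)

:COMMENT --- After the patched DBUTIL from the bulletin is installed, drop the
:COMMENT --- lockword again so PATCH/iX finds DBUTIL.PUB.SYS under its plain name.
:RENAME DBUTIL/DBUSEC.PUB.SYS, DBUTIL.PUB.SYS
```

Two practical caveats on this: every job stream that runs DBUTIL has to be found and edited (a missed one aborts at the RUN line the first time it is streamed), and the lockword is only as secret as the job files that contain it, which is why the ALTSEC step matters. The alternative Patrick mentions, taking IA capability away from the program, is done with LINKEDIT's ALTPROG command (read the current capability list with LISTPROG first and rewrite it without IA); it is not shown above because the exact capability list to keep depends on the DBUTIL version installed.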
