Haven't seen anything on the list about this, so I thought I'd better post
it. Please forgive the length, but I thought it important to share.
** Please reply off-list due to the security implications in this post. **
I promise to keep everyone in the loop as to what I learn.
We received an HP Security Bulletin, Document ID HPSBMP0006-007 titled
"Sec. Vulnerability in TurboIMAGE DBUTIL." It states in part:
--------------------------------------------------------------------------
Document ID: HPSBMP0006-007
Date Loaded: 20000626
Title: Sec. Vulnerability in TurboIMAGE DBUTIL
-------------------------------------------------------------------------
HEWLETT-PACKARD COMPANY SECURITY ADVISORY: #0007, 26 June 2000
-------------------------------------------------------------------------
The information in the following Security Advisory should be acted upon
as soon as possible. Hewlett-Packard Company will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Advisory as soon as possible.
-----------------------------------------------------------------
PROBLEM: Given a specific setup, users with ordinary database
privileges can gain additional privileges.
PLATFORM: HP3000 running MPE/iX release 4.5 and newer.
DAMAGE: Unauthorized access.
TEMPORARY SOLUTION: Secure DBUTIL.PUB.SYS and your database schemas
with a lockword.
AVAILABILITY: This advisory will be updated when patches are available.
-----------------------------------------------------------------------
A. Background
Hewlett-Packard Company has learned of a procedure by which a user
can gain additional privileges using DBUTIL.PUB.SYS.
B. Recommended solution
Until the patch is available, the recommended solution is to
secure DBUTIL program and your database schemas with a lockword.
For example, in CI prompt
:RENAME DBUTIL.PUB.SYS, DBUTIL/LOCK.PUB.SYS
/<lockword>
A temporary fix in the DBUTIL program is also available for download
on the JAZZ web server at:
http://jazz.external.hp.com/src/
It is under the DBUTIL.PUB.SYS program.
NOTE: For more information on versions and downloads, please read the
security notice at the link
http://jazz.external.hp.com/src/misc/dbutilsec.txt
Download DBUTIL06 for TurboIMAGE version C.06.xx,
DBUTIL07 for TurboIMAGE version C.07.xx, and
DBUTIL08 for TurboIMAGE version C.08.xx.
Also available for download is the corresponding program to replace
the DBUTIL.PUB.SYS on your system.
You will need to save your system's old DBUTIL program and
later on swap it back when you install the TurboIMAGE patch, to
avoid PATCH/iX complaining about the checksum mismatch.
-----------------------------------------------------------------------
<snip HP bulletin>
The info on the Jazz link above states in part:
> Recently, a security hole has been found in DBUTIL program. By a special
> setup, certain user who only has 'READ' capability to a database will be
> able to perform tasks which only the database creator should be able to do.
> The problem has existed since 4.5 of MPE release.
>
> We are in the process of creating a fix for this problem. TurboIMAGE
> patch TIXLX74 will include the fix. This patch updates the TurboIMAGE
> version to C.08.01 and is for MPE 5.5, 6.0 and 6.5. Since the problem
> only occurs in the DBUTIL program, if you don't want to change other
> parts of the product, you can download only the DBUTIL program from
> JAZZ (http://jazz.external.hp.com/src/misc/dbutil.tar.Z) and replace
> DBUTIL.PUB.SYS on your system with the correct version of DBUTIL contained
> in this tar archive.
Before we can put an updated (or patched) program on the system, our
company policy dictates that we have to go through system acceptance
testing. This means it will take about two weeks to get the okay to put
the *temporary* DBUTIL program onto our production systems.
In the meantime, we want to be as secure as we can. However, some of our
applications use DBUTIL in batch jobs, so we can't just put a lockword on
it (as the Security Bulletin suggests) without causing production jobs to
abend. About the only thing we can do is remove interactive (IA)
capability from the program, which would disallow its use by anyone except
in batch jobs. This would at least provide us with an audit trail.
However, before we start making these kinds of changes we need to know how
serious this problem really is. I sent a message to the ITRC but haven't
heard anything back yet.
So does anyone know what capabilities this actually gives someone? How
easy is it to take advantage of? Is it something you could do accidentally
without realizing you were violating security (e.g. using an ERASE command
without being the DB creator), or is it some kind of hack?
Once again,
** Please reply off-list due to the security implications in this post. **
Thanks,
Patrick
--
Patrick Santucci
Technical Services Analyst
Seabury & Smith, Inc.