[11907] in bugtraq

Re: Multiple vulnerabilities in CDE

daemon@ATHENA.MIT.EDU (Dan Astoorian)
Wed Sep 15 02:00:59 1999

Message-Id:  <m11R1Rz-0002a4C@utopia.csas.com>
Date:         Tue, 14 Sep 1999 18:53:23 -0400
Reply-To: Dan Astoorian <djast@PPP12.UTOPIA.CSAS.COM>
From: Dan Astoorian <djast@PPP12.UTOPIA.CSAS.COM>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Your message of "Mon, 13 Sep 1999 23:46:53 EDT." 
              <19990913224652.A28280@austin.ibm.com>

On Mon, 13 Sep 1999 23:46:53 EDT, "Troy A. Bollinger" writes:
>
> Here's the CERT advisory that was released today.  Of course, it's also
> available at www.cert.org.
>
[...]
>    Sun Microsystems, Inc.
>
>    Vulnerability #1:
>
>           Systems running Solaris 7, 2.6, 2.5.1, 2.5, 2.4, and 2.3, and
>           SunOS 4.1.4 and 4.1.3_U1 are vulnerable if the UNIX
>           authentication mechanism (default) is used with ttsession.
>
>           The use of DES authentication is recommended to resolve this
>           issue. To set the authentication mechanism to DES, use the
[...]

The way they've worded this very much makes it sound as though patches
are not forthcoming.

Is this a design flaw, or an oversight in the implementation?

If the former, why is it that other vendors (e.g. IBM) are releasing
patches claiming to fix the problem?  And, if the latter, is Sun
*really* saying "instead of fixing the problem, we're going to tell all
of our customers to use DES authentication, and if they can't or won't,
then to hell with them"?

(Anyone know any decent references for setting up Secure RPC under
Solaris, particularly if NIS or NIS+ is not in use?)

--                          People shouldn't think that it's better to have
Dan Astoorian               loved and lost than never loved at all.  It's
http://www.utopia.csas.com  not, it's better to have loved and won.  All
djast@utopia.csas.com       the other options really suck.    --Dan Redican