[12265] in bugtraq


Re: Multiple vulnerabilities in CDE

daemon@ATHENA.MIT.EDU (Nick_)
Mon Oct 18 14:11:52 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Message-Id:  <19991017165820.93BB11EE83@lists.securityfocus.com>
Date:         Sun, 17 Oct 1999 12:57:57 -0500
Reply-To: nick@null.net
From: Nick_ <nickc@STAFFNET.COM>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <m11R1Rz-0002a4C@utopia.csas.com>

Searching the archives, I've not seen any reply to this; have these
questions been answered yet?  In regards to Sun, is there a patch
in the works, and if not, how have other vendors fixed the problem?

-Nick

Date sent:      	Tue, 14 Sep 1999 18:53:23 -0400
Send reply to:  	Dan Astoorian <djast@PPP12.UTOPIA.CSAS.COM>
From:           	Dan Astoorian <djast@PPP12.UTOPIA.CSAS.COM>
Subject:        	Re: Multiple vulnerabilities in CDE
Originally to:  	BUGTRAQ@SECURITYFOCUS.COM
To:             	BUGTRAQ@SECURITYFOCUS.COM

> On Mon, 13 Sep 1999 23:46:53 EDT, "Troy A. Bollinger" writes:
> >
> > Here's the CERT advisory that was released today.  Of course, it's also
> > available at www.cert.org.
> >
> [...]
> >    Sun Microsystems, Inc.
> >
> >    Vulnerability #1:
> >
> >           Systems running Solaris 7, 2.6, 2.5.1, 2.5, 2.4, and 2.3, and
> >           SunOS 4.1.4 and 4.1.3_U1 are vulnerable if the UNIX
> >           authentication mechanism (default) is used with ttsession.
> >
> >           The use of DES authentication is recommended to resolve this
> >           issue. To set the authentication mechanism to DES, use the
> [...]
>
> The way they've worded this very much makes it sound as though patches
> are not forthcoming.
>
> Is this a design flaw, or an oversight in the implementation?
>
> If the former, why is it that other vendors (e.g. IBM) are releasing
> patches claiming to fix the problem?  And, if the latter, is Sun
> *really* saying "instead of fixing the problem, we're going to tell all
> of our customers to use DES authentication, and if they can't or won't,
> then to hell with them"?
>
> (Anyone know any decent references for setting up Secure RPC under
> Solaris, particularly if NIS or NIS+ is not in use?)
>
> --                          People shouldn't think that it's better to have
> Dan Astoorian               loved and lost than never loved at all.  It's
> http://www.utopia.csas.com  not, it's better to have loved and won.  All
> djast@utopia.csas.com       the other options really suck.    --Dan Redican
>


--
Nicholas Crawford <nick@null.net> / ICQ: 2555860 / Nick_ers@UnderNet IRC
4096/1024 Diffie-Hellman/DSS PGP key ID: 0x738C4DB4 fingerprint:
     54DF 09EC D2A0 0942 2A4C  3CDD 3438 FF7B 738C 4DB4
PGP keys via key server or http://paranoid.wolfspirit.org/~crawf/pgpkeys/
