Privacy and Legal Notice
INFORMATION BULLETIN
E-23b: Vulnerability in HP-UX systems with HP Vue 3.0
May 18, 1994 1615 PDT
PROBLEM: A Vulnerability exists in HP-UX systems with HP Vue 3.0.
PLATFORM: HP 9000 series 300/400/700/800 at HP-UX revision 9.x, with
HP Vue 3.0.
DAMAGE: Local users can raise their privileges to superuser (root)
level.
SOLUTION: Apply appropriate patch for your system.
VULNERABILITY CIAC recommends that all systems which have
ASSESSMENT: HP Vue 3.0 on their systems, whether in use
or not, should install this patch.
Critical Information about vulnerability in HP-UX systems with HP Vue 3.0
CIAC has received information regarding a vulnerability in HP9000 computers at
revision 9.x which contain HP Vue 3.0. This vulnerability can allow a local
user to obtain root access.
CIAC recommends that if you have Vue 3.0 on your system you apply the following
patch appropriate to your system. For an HP 9000 series 300/400 computer,
apply patch PHSS_4055; for an HP 9000 series 700/800 computer, apply patch
PHSS_4066.
Patches can be obtained in one of three methods:
- Obtain the patch via E-mail from the HP SupportLine Mail Service. Send the
words, without quotes, "send PHSS_4055" (or "send PHSS_4066") in the TEXT
PORTION of a message addressed to support@support.mayfield.hp.com (no subject
line is required). The patch will be E-mailed back to you.
- Download the patch from support.mayfield.hp.com. To do this, follow the
instructions in the document located on irbis.llnl.gov:
~/pub/ciac/ciacdoc/e-fy94/HPACCESS.TXT-how-to-download-HP-patches.
- Contact your local HP Response Center. They will provide you with the patch.
The complete instructions for applying the patch are in the file
PHSS_40xx.text, supplied with the patch release. Checksums for the patch are
included with the release. After installing the patch, examine /tmp/update.log
for any relevant WARNING's or ERROR's. To accomplish this, from the shell
prompt type "tail -60 /tmp/update.log | more" and page through the screens via
the space bar, looking for WARNING or ERROR messages.
ATTENTION: This bulletin contains updated information received from
Hewlett-Packard after the electronic version was distributed. Patch PHSS_4066
supersedes PHSS_4038, and directions to download the patch have been included.
CIAC would like to thank the CERT-NL for first alerting us to the existance of
this vulnerability and for technical information about this vulnerability, and
John Morris of Hewlett-Packard for patch information and availability.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
UCRL-MI-119788
[Privacy and Legal Notice]