News

Security flaw found in Sun and IBM Unix login

Attackers could get full access to servers running Unix versions supplied by Sun Microsystems and IBM because of a security hole in the operating system's login program.

Experts have warned that a buffer overflow flaw exists in the Unix login program, which authenticates access to the system by user names and passwords.

Because the login program is also used by two programs that are accessible remotely - telnet and rlogin (remote login) - the flaw can be exploited even by those who do not have direct access to the system, said experts at Internet Security Systems (ISS) and the Computer Emergency Response Team/Co-ordination Centre (CERT/CC).

Systems are only vulnerable if telnet, rlogin and other terminal connection services that use login for authentication are enabled, which they usually are by default, according to ISS.

Attackers can exploit the vulnerability to gain superuser privileges or root access to the server - the highest privilege level on Unix systems. This would allow the attacker to execute arbitrary commands.

A software tool, or exploit, to compromise systems running the affected operating systems has been made public, said ISS.

ISS and CERT/CC advise system administrators to install Secure Shell (SSH), a secure alternative to telnet and rlogin, and disable default terminal connection services until the software can be patched. Sun and IBM have released software fixes, said CERT/CC.

Sun's Solaris 8 and earlier versions, and IBM's AIX versions 4.3 and 5.1, are affected. Other systems derived from the same code base, Unix System V, could also be vulnerable, according to CERT/CC. Hewlett-Packard told CERT/CC that its HP-UX cannot be exploited.

Further information
The ISS security advisory: xforce.iss.net/alerts/advise105.php
The CERT/CC advisory: www.cert.org/advisories/CA-2001-34.html

Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy