Security flaw found in Sun and IBM Unix login


Security flaw found in Sun and IBM Unix login

Attackers could get full access to servers running Unix versions supplied by Sun Microsystems and IBM because of a security hole in the operating system's login program.

Experts have warned that a buffer overflow flaw exists in the Unix login program, which authenticates access to the system by user names and passwords.

Because the login program is also used by two programs that are accessible remotely - telnet and rlogin (remote login) - the flaw can be exploited even by those who do not have direct access to the system, said experts at Internet Security Systems (ISS) and the Computer Emergency Response Team/Co-ordination Centre (CERT/CC).

Systems are only vulnerable if telnet, rlogin and other terminal connection services that use login for authentication are enabled, which they usually are by default, according to ISS.

Attackers can exploit the vulnerability to gain superuser privileges or root access to the server - the highest privilege level on Unix systems. This would allow the attacker to execute arbitrary commands.

A software tool, or exploit, to compromise systems running the affected operating systems has been made public, said ISS.

ISS and CERT/CC advise system administrators to install Secure Shell (SSH), a secure alternative to telnet and rlogin, and disable default terminal connection services until the software can be patched. Sun and IBM have released software fixes, said CERT/CC.

Sun's Solaris 8 and earlier versions, and IBM's AIX versions 4.3 and 5.1, are affected. Other systems derived from the same code base, Unix System V, could also be vulnerable, according to CERT/CC. Hewlett-Packard told CERT/CC that its HP-UX cannot be exploited.

Further information
The ISS security advisory:
The CERT/CC advisory:

Email Alerts

Register now to receive IT-related news, guides and more, delivered to your inbox.
By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

COMMENTS powered by Disqus  //  Commenting policy