
CIAC Advisory Notice


EDITOR'S NOTE: THIS REPORT HAS NOTHING TO DO WITH THE NATIONAL COMPUTER
SECURITY ASSOCIATION (NCSA).
________________________________________________________________
THE COMPUTER INCIDENT ADVISORY CAPABILITY

CIAC

ADVISORY NOTICE
________________________________________________________________


NOTICE OF VULNERABILITY AFFECTING MACINTOSH
AND IBM PC'S RUNNING NCSA TELNET

The DOE Computer Incident Advisory Capability (CIAC) has learned of a serious
vulnerability in Telnet software made by NCSA that runs on both Macintosh and
IBM PCs. This vulnerability enables anyone on a system that has network access
to a Macintosh or IBM PC running NCSA Telnet to access that computer without a
password, and to copy, change, or delete files on it. Please note that any node
on the network (i.e., the world) potentially has this access. Access to the
Macintosh or IBM PC is via FTP on the host. The Macintosh or IBM PC will then
execute FTP commands if NCSA Telnet is running on it, even if NCSA Telnet is
running in the background (e.g., under MultiFinder on the Macintosh). Once
access is gained, files can be copied to or from the Macintosh or IBM PC.

Whether Macintosh or IBM PCs at your site have this vulnerability depends on
how NCSA Telnet was installed. Your systems are vulnerable if you are missing
the line:

passfile="filename"

in your config.tel file. The line "ftp=no" can be used to disable FTP.
Even if the "ftp=no" line is included, however, your system could still be
vulnerable, since this setting is easily overridden while NCSA Telnet is
running by selecting "FTP Enable" in the File menu.

NCSA Telnet is delivered with the 'passfile="filename"' line commented out of
the config.tel file using the # sign, as:

#passfile="filename"

When the passfile line is omitted or commented out, FTP transfers are enabled
without requiring the use of passwords. If the Macintosh or IBM PCs at your
site are subject to this vulnerability, CIAC recommends that you ensure the
passfile="filename" line is included in the configuration file, where
"filename" (quotes required) can either specify a dummy file name or a valid
password file. You should use a dummy file name when NCSA Telnet is not being
used, to ensure that users do not enable NCSA Telnet without first making a
password file. Using a dummy file name will turn on password checking, which
effectively disables FTP. However, if you plan to use NCSA Telnet, you should:

1) make an encrypted password file using Telpass, and

2) use a complete pathname specification for the file name
(e.g., \etc\passwd).

By including the passfile line in config.tel, someone who wants to use FTP must
either delete the passfile line in the config.tel file or create a password
file.
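
The check described above can be run across a set of collected config.tel
files. The following is an added example, not part of the CIAC advisory or of
NCSA Telnet; it assumes one keyword=value entry per line with # starting a
comment line, and the function names and sample inputs are constructed for
illustration.

```python
import re

# Assumption: config.tel is read as keyword=value entries, one per line,
# and a line starting with '#' is a comment (as in the advisory's example).
ENTRY = re.compile(r'^\s*(\w+)\s*=\s*("([^"]*)"|\S+)')

def parse_config_tel(text):
    """Return {keyword: value} for active (uncommented) entries."""
    entries = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # a commented-out passfile line does not count
        m = ENTRY.match(line)
        if m:
            value = m.group(3) if m.group(3) is not None else m.group(2)
            entries[m.group(1).lower()] = value
    return entries

def is_full_path(value):
    # Heuristic (assumption): leading separator as in \etc\passwd,
    # or a drive/volume prefix such as C:\... or Disk:folder:file.
    return value.startswith(("\\", "/")) or ":" in value[1:]

def audit(text):
    """Return findings for one config.tel, worst first."""
    cfg = parse_config_tel(text)
    passfile = cfg.get("passfile")
    findings = []
    if not passfile:
        findings.append("VULNERABLE: no active passfile line, FTP needs no password")
        if cfg.get("ftp", "").lower() == "no":
            findings.append("NOTE: ftp=no can be overridden with 'FTP Enable' in the File menu")
    elif not is_full_path(passfile):
        findings.append("WARN: passfile is not a complete pathname "
                        "(acceptable only as a dummy name)")
    return findings

# Constructed sample inputs, not taken from a real installation.
AS_DELIVERED = '#passfile="filename"\nftp=no\n'
HARDENED = 'passfile="\\etc\\passwd"\n'

if __name__ == "__main__":
    for name, text in (("as delivered", AS_DELIVERED), ("hardened", HARDENED)):
        print(name, "->", audit(text) or "OK")
```
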

For further information, please contact Gene Schultz, CIAC Manager, at
(415) 422-8193 or (FTS) 532-8193, or send e-mail to:

gschultz%[email protected]

To the best of our knowledge, the text on this page may be freely reproduced and distributed.