DIA WASHINGTON, DC//DSM-4//
AIG 7894
AIG 7005
USAISC FT SHERIDAN, IL//ASQNA-SHD-0//
NAVWPNCEN CHINA LAKE, CA//CODE 2408//
SECDEF WASHINGTON DC//C3I-T/C3I-IS/
JOINT STAFF WASHINGTON DC//J6T/DIRM:SCD/
HQ AFOSI BOLLING AFB DC//IVSC/SCX//
AFCSC KELLY AFB TX//SR/SRE/SRM/SRMA//
HQ ESC KELLY AFB TX//INAR//
DA WASHINGTON DC//DAMI-AM/DAMI-CIC/SAIS-SS//
DA WASHINGTON DC//OSA/DTSW//
CDRINSCOM FORT BELVOIR VA//IAOPS-CI-TO/IAM-AUT-L/
CDRUSAOPSGP FT GEORGE G MEADE MD //IAGPC-TSE//
CDR730THMIBN MUNICH GE//IAGPE-SCM//
COMNAVINTCOM WASHINGTON DC//OOQ/OOJ//
NAVINVSERV ERREG LONDON UK//60HQ//
NAVINVSERVRA LONDON UK//60LN//
AFOSI DET 7008 MUNICH GE//CC//
CMC WASHINGTON DC//INTX//
USCENTCOM MACDILL AFB FL//J2/J6//
USCINCEUR VAHINGEN GE//ECJ2/ECJ2-P/ECJ6/EUCOM AIDES//
USCINCLANT NORFOLK VA//J2/J6/J63//
USCINCPAC HONOLULU HI//J2I/J6//
CINCSAC OFFUTT AFB NE//INYSCC//
USCINCSO QUARRY HEIGHTS PM//J2/J6//
USCINCTRANS SCOTT AFB IL//J2/J6//
USCINCFOR FT MCPHERSON GA//J2/J6//
USSPACECOM PETERSON AFB CO//J2/J6//
USNMR SHAPE BE//DACOS INTEL//
NSACSS FT MEADE MD//C912/X43/
CDRINSCOM FORT BELVOIR VA//IAIM-AUT-L//
NAVELEXSECCEN WASHINGTON DC//CODE 04/CODE 043//
DCAA CAMERON STATION VA//OWN//
CMC WASHINGTON DC//CODE CCIS//
DIS WASHINGTON DC//V0060//
DMATSC RESTON VA//IS//
SECDEF WASHINGTON DC//USDP/DSAA//
DLA CAMERON STATION VA//IA//
SECDEF WASHINGTON DC//PHYSICAL SECURITY DIV//
USUHS BETHESDA MD//UCC//
SECDEF WASHINGTON DC//DARPA-ITSO/SQUIRES//
SDIO WASHINGTON DC//POI//
NCRLANT NORFOLK VA//
DOE LIVERMORE CA//LLNL//

SUBJECT: COMPUTER SECURITY ALERT FOR AIX TFTP DAEMON VULNERABILITY (ASSIST 91-15)

1. (U) SUMMARY: ASSIST HAS RECEIVED INFORMATION CONCERNING A VULNERABILITY IN THE TFTP DAEMON IN ALL VERSIONS OF AIX FOR IBM RS/6000 MACHINES.

2. (U) HARDWARE/SOFTWARE AFFECTED: ALL VERSIONS OF AIX FOR THE IBM RS/6000 FAMILY OF MACHINES.

3. (U) VULNERABILITY DESCRIPTION: IF TFTP IS ENABLED, ANYONE USING THE TFTP DAEMON CAN GET ANY OF YOUR WORLD-READABLE FILES.

4. (U) ESTIMATE OF THE IMPACT: THIS HOLE COULD BE USED BY USERS ON THE NETWORK TO COPY FILES FROM YOUR HOST SYSTEM. THE MOST OFTEN EXPLOITED FILE IS THE /ETC/PASSWD FILE. THE PASSWD FILE CAN THEN BE RUN AGAINST A CRACKING PROGRAM TO REVEAL WEAK PASSWORDS.

5. (U) STATUS: IBM IS AWARE OF THIS PROBLEM AND A FIX IS AVAILABLE AS APAR NUMBER "IX22628". THE PATCH IS AVAILABLE FOR ALL AIX RELEASES FROM 'GOLD' TO THE CURRENT RELEASE.

6. (U) RECOMMENDATIONS:

A. ASSIST STRONGLY RECOMMENDS THAT THE TFTP DAEMON BE DISABLED WHENEVER POSSIBLE. ANALYSIS OF THE TFTP FUNCTION INDICATES THAT, OTHER THAN FOR SLAVE BOOTING OFF A DUMB TERMINAL, TFTP IS NOT NECESSARY AND PRESENTS A GREATER SECURITY RISK THAN ITS FUNCTIONS PROVIDE. TO DISABLE TFTP ACCESS, THE SYS ADMIN MUST EDIT THE /ETC/INETD.CONF FILE AND DELETE OR COMMENT OUT THE TFTPD LINE:

#TFTP DGRAM UDP WAIT NOBODY /ETC/TFTPD TFTPD -N

AND THEN RESTART INETD USING THE 'REFRESH' COMMAND.

B. USERS THAT MUST RUN TFTPD SHOULD OBTAIN AND INSTALL THE ABOVE PATCH AND CREATE A /ETC/TFTPACCESS.CTL FILE TO RESTRICT THE FILES THAT ARE ACCESSIBLE. THE /ETC/TFTPACCESS.CTL FILE SHOULD BE WRITABLE ONLY BY ROOT. ALTHOUGH THE /ETC/TFTPACCESS.CTL MECHANISM PROVIDES A VERY GENERAL CAPABILITY, ASSIST STRONGLY RECOMMENDS THAT SITES KEEP THIS CONTROL FILE SIMPLE.

7. (U) POINT OF CONTACT: ASSIST POINT OF CONTACT FOR THIS MATTER IS MIKE HIGGINS, COMM (703) 284-0182 / DSN 251-0182. ASSIST CAN BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER (202) 896-6863 (FROM A TOUCH TONE PHONE ENTER THE CALL BACK NUMBER AFTER THE TONE PROMPT) OR AUTOVON DIAL 243-8000 AND ASK TO HAVE THE ASSIST DUTY OFFICER PAGED.
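Added example, not from the advisory or from IBM: POSIX shell helpers for checking and applying the two recommendations in paragraph 6 (comment out the tftp line of inetd.conf, and verify that the tftpaccess.ctl control file is not group- or world-writable). The sample inetd.conf content is constructed, and the allow:/deny: line format written for tftpaccess.ctl is assumed from the AIX tftpd documentation rather than taken from this page; check it against your release.

```shell
#!/bin/sh
# Added example, not part of ASSIST 91-15. Every helper takes the file path it
# should work on, so the checks can be rehearsed on a copy before touching the
# real /etc/inetd.conf or /etc/tftpaccess.ctl.

# Write a constructed inetd.conf fragment (sample data, not from a real host).
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
ftp     stream  tcp     nowait  root    /etc/ftpd       ftpd
telnet  stream  tcp     nowait  root    /etc/telnetd    telnetd
tftp    dgram   udp     wait    nobody  /etc/tftpd      tftpd -n
EOF
}

# Return 0 if FILE still carries an active (uncommented) tftp service line.
tftp_enabled() {
    grep -E '^[[:space:]]*tftp[[:space:]]+dgram' "$1" >/dev/null 2>&1
}

# Comment out the tftp line of FILE (recommendation A). On AIX, follow this
# with `refresh -s inetd` so the running inetd rereads its configuration.
disable_tftp() {
    tmp="$1.$$"
    sed 's/^\([[:space:]]*tftp[[:space:]][[:space:]]*dgram\)/#\1/' "$1" > "$tmp" \
        && mv "$tmp" "$1"
}

# Return 0 if FILE is group- or world-writable (mode string from ls -l, chars
# 6 and 9). The control file must fail this check and be owned by root
# (recommendation B); ownership is left to a separate ls -l inspection.
unsafe_writable() {
    perm=$(ls -ld "$1" | cut -c1-10)
    case "$perm" in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a minimal control file exposing only BOOTDIR and refusing /etc.
# The allow:/deny: syntax is an assumption taken from the AIX tftpd manual.
write_tftpaccess_ctl() {
    printf 'allow:%s\ndeny:/etc\n' "$2" > "$1"
    chmod 644 "$1"
}
```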