PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER (ISSO), SPECIAL SECURITY OFFICER (SSO), INFORMATION RESOURCE MANAGER (IRM) AND AUTOMATED DATA PROCESSOR (ADP) COORDINATORS

SUBJECT: UMN UNIX GOPHER AND GOPHER+ VULNERABILITIES (AUTOMATED SYSTEM SECURITY INCIDENT SUPPORT TEAM (ASSIST) BULLETIN 93-21).

1. ASSIST HAS RECEIVED INFORMATION CONCERNING VULNERABILITIES IN VERSIONS OF THE UMN UNIX GOPHER AND GOPHER+ SERVER AND CLIENT AVAILABLE BEFORE AUGUST 6, 1993. VULNERABLE VERSIONS WERE AVAILABLE ON BOOMBOX.MICRO.UMN.EDU:/PUB/GOPHER/UNIX/GOPHER1.12S.TAR.Z, BOOMBOX.MICRO.UMN.EDU:/PUB/GOPHER/UNIX/GOPHER2.03.TAR.Z, AND MANY OTHER ANONYMOUS FTP SITES MIRRORING THESE SOFTWARE VERSIONS. ASSIST STRONGLY RECOMMENDS THAT ANY DOD SITE USING VERSIONS OF UMN UNIX GOPHER AND GOPHER+ DATED PRIOR TO AUGUST 6, 1993 (INCLUDING VERSION 1.12, 1.12S, 2.0+, 2.03, AND ALL EARLIER VERSIONS) IMMEDIATELY TAKE CORRECTIVE ACTION.

2. SEVERAL VULNERABILITIES HAVE BEEN IDENTIFIED IN UMN UNIX GOPHER AND GOPHER+ WHEN CONFIGURED AS A SERVER OR PUBLIC ACCESS CLIENT. INTRUDERS ARE KNOWN TO HAVE EXPLOITED THESE VULNERABILITIES TO OBTAIN PASSWORD FILES. OTHER ACTIONS AFFECTING THE INTEGRITY OF THE SYSTEM MAY ALSO HAVE BEEN TAKEN BY INTRUDERS EXPLOITING THESE VULNERABILITIES. SITES USING THE ABOVE VERSIONS OF GOPHER OR GOPHER+ MAY WANT TO CHECK THEIR SYSTEMS FOR WEAK PASSWORDS, OR CONSIDER CHANGING PASSWORDS, AFTER INSTALLING THE NEW GOPHER SOFTWARE.

3. THE GOPHER AND GOPHER+ VULNERABILITIES CAN ALLOW ANY USER (REMOTE OR LOCAL) TO POTENTIALLY GAIN UNRESTRICTED ACCESS TO THE ACCOUNT RUNNING THE PUBLIC ACCESS CLIENT. THIS ACCESS COULD ENABLE A USER TO READ ANY FILES ACCESSIBLE TO THIS ACCOUNT, INCLUDING /ETC/PASSWD OR OTHER SENSITIVE FILES. ALSO, IN CERTAIN CONFIGURATIONS, ANYONE (REMOTE OR LOCAL) CAN POTENTIALLY GAIN ACCESS TO ANY ACCOUNT, INCLUDING ROOT, ON A HOST CONFIGURED AS A SERVER RUNNING GOPHERD.

4. AFFECTED SITES SHOULD INSTALL THE NEW GOPHERD SERVICE AND PUBLIC GOPHER SOFTWARE AS SOON AS POSSIBLE, AND DISABLE THE VULNERABLE VERSION AND PUBLIC GOPHER LOGINS UNTIL THE UPDATE IS INSTALLED. NEW VERSIONS OF THE UMN UNIX GOPHER AND GOPHER+ SOFTWARE HAVE BEEN RELEASED THAT PROVIDE BUG FIXES AND CORRECT THESE SECURITY PROBLEMS. SITES CAN OBTAIN THESE NEW VERSIONS VIA ANONYMOUS FTP FROM BOOMBOX.MICRO.UMN.EDU (134.84.132.2). THE FILES ARE LOCATED IN:

            FILENAME                              SIZE     CHECKSUM
            --------                              ------   -----------
   GOPHER:  /PUB/GOPHER/UNIX/GOPHER1.12S.TAR.Z    306872   46311 300
   GOPHER+: /PUB/GOPHER/UNIX/GOPHER2.04.TAR.Z     294872   29411 288

5. POINT OF CONTACT: ASSIST POINT OF CONTACT FOR THIS MATTER IS PETE HAMMES, COMM (703) 756-7974 OR DSN 289-7974. ASSIST CAN BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER (800) SKY-PAGE (800-759-7243), PIN NUMBER 2133937. WHEN CALLING THE PAGER SERVICE, FOLLOW THE AUTOMATED VOICE INSTRUCTIONS AND ENTER THE CALL BACK NUMBER AFTER THE PROMPT. THE ASSIST DUTY OFFICER WILL CALL YOU BACK WITHIN 30 MINUTES. IF FASTER SERVICE IS REQUIRED, PREFIX YOUR TELEPHONE NUMBER WITH "999", AND THE ASSIST DUTY OFFICER WILL CALL BACK WITHIN 5 MINUTES. ASSIST CAN ALSO BE REACHED VIA E-MAIL AT "DOD-CERT(AT-SIGN)DDN-CONUS.DDN.MIL", BY DIALING INTO THE ASSIST ELECTRONIC BULLETIN BOARD AT (703) 756-7993, DSN 289, AND LEAVING A MESSAGE FOR THE SYSOP.

BT
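The checksums published in item 4 are in the format of the classic BSD `sum` command: a 16-bit checksum followed by the file length in 1024-byte blocks. The following Python script, added here as an illustration and not part of the ASSIST bulletin or the UMN Gopher distribution, reimplements that algorithm so a site can confirm that a fetched tarball matches the published size, checksum and block count before installing it. The expected values are taken from the bulletin's table; the file name keys and the helper names are assumptions. Note the caveat a practitioner would want: the BSD `sum` checksum is a 16-bit rotate-and-add, which reliably catches truncated or corrupted FTP transfers but is not a cryptographic hash and gives no assurance against deliberate tampering.

```python
"""Verify a downloaded UMN Gopher tarball against the size and BSD `sum`
checksum published in ASSIST bulletin 93-21 (added example, not bulletin code)."""

import sys

# Published values from the bulletin's table: (size in bytes, checksum, blocks).
# The dictionary keys are assumed local file names, not part of the bulletin.
PUBLISHED = {
    "gopher1.12S.tar.Z": (306872, 46311, 300),
    "gopher2.04.tar.Z": (294872, 29411, 288),
}


def bsd_sum(data: bytes) -> tuple[int, int]:
    """Return (checksum, blocks) exactly as the BSD `sum` command computes them.

    The checksum is a 16-bit value updated per byte by rotating the running
    value right by one bit and adding the byte; blocks is ceil(len / 1024).
    """
    checksum = 0
    for byte in data:
        checksum = (checksum >> 1) + ((checksum & 1) << 15)
        checksum = (checksum + byte) & 0xFFFF
    blocks = (len(data) + 1023) // 1024
    return checksum, blocks


def verify_bytes(data: bytes, expected: tuple[int, int, int]) -> list[str]:
    """Compare file contents against (size, checksum, blocks).

    Returns an empty list when everything matches, otherwise one message per
    mismatch so the operator can see whether the download was truncated
    (size/blocks differ) or corrupted in transit (checksum differs).
    """
    exp_size, exp_sum, exp_blocks = expected
    checksum, blocks = bsd_sum(data)
    problems = []
    if len(data) != exp_size:
        problems.append(f"size {len(data)} != published {exp_size}")
    if checksum != exp_sum:
        problems.append(f"checksum {checksum} != published {exp_sum}")
    if blocks != exp_blocks:
        problems.append(f"blocks {blocks} != published {exp_blocks}")
    return problems


def verify_file(path: str, name: str) -> list[str]:
    """Read a downloaded tarball and verify it against the published entry."""
    with open(path, "rb") as fh:
        data = fh.read()
    return verify_bytes(data, PUBLISHED[name])


if __name__ == "__main__":
    # Usage: python verify_gopher.py <downloaded-file> <published-name>
    path, name = sys.argv[1], sys.argv[2]
    problems = verify_file(path, name)
    if problems:
        print("MISMATCH:", "; ".join(problems))
        sys.exit(1)
    print("OK: matches published size and checksum")
```

A tarball that passes this check is the file the bulletin published, as far as a 16-bit checksum can tell; a failing check means the download should be discarded and fetched again from the named host rather than installed.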