[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : ULTRIX LAT/Telnet Gateway Vulnerability

Title: ULTRIX LAT/Telnet Gateway Vulnerability
Released by: CERT
Date: 14th August 1991
Printable version: Click here

Hash: SHA1


Last Revision: September 18,1997

                Attached copyright statement

                              CERT Advisory

                               August 14, 1991

                  ULTRIX LAT/Telnet Gateway Vulnerability

- ---------------------------------------------------------------------------

The Computer Emergency Response Team/Coordination Center (CERT/CC) has

received information concerning a vulnerability in LAT/Telnet gateway

software in Digital Equipment Corporation's (DEC) ULTRIX versions 4.1 

and 4.2 on all architectures.  Information regarding the exploitation

of this vulnerability has been publicly disclosed so we recommend

taking immediate action.  Until you are able to apply the patch we

recommend that sites disable the LAT/telnet service.  

DEC has made a patch available which consists of new /usr/ucb/telnet


The patch is available through DEC's Customer Support Centers.  Sites

within the USA should call 1-800-525-7100.  Sites in Europe and elsewhere

should contact DEC through their normal channels.

- ---------------------------------------------------------------------------


     A vulnerability exists such that ULTRIX 4.1 and 4.2 systems 

     running the LAT/Telnet gateway software can allow unauthorized 

     privileged access.  Although you may not be running the LAT/Telnet

     service at this time, the CERT/CC urges all sites to install 

     the patch.  This will ease any future installation of the

     gateway software.

     The LAT/Telnet software requires special installation and is

     NOT part of the default ULTRIX configuration.


     Anyone who can access a terminal or modem connected to

     the LAT server running the LAT/Telnet service can gain 

     unauthorized root privileges.



     Obtain the appropriate version of the patch kit for your 

     system architecture from your DEC Customer Support Center,

     and install according to the accompanying instructions.

- ---------------------------------------------------------------------------

The CERT/CC would like to thank George Michaelson of The Prentice Centre,

University of Queensland, Australia and John Annen of Davidson College for 

bringing this to our attention.  We would also like to thank DEC for their 

response to this vulnerability and CIAC for their assistance.

- ---------------------------------------------------------------------------

If you believe that your system has been compromised, contact CERT/CC via

telephone or e-mail.

Computer Emergency Response Team/Coordination Center (CERT/CC)

Software Engineering Institute

Carnegie Mellon University

Pittsburgh, PA 15213-3890

Internet E-mail: cert@cert.org

Telephone: 412-268-7090 24-hour hotline:

           CERT/CC personnel answer 7:30a.m.-6:00p.m. EST,

           on call for emergencies during other hours.

Past advisories and other computer security related information are available

for anonymous ftp from the cert.org ( system.

- ----------------------------------------------------------------------------

Copyright 1991 Carnegie Mellon University. Conditions for use, disclaimers,

and sponsorship information can be found in

http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.


Revision History

September 18,1997  Attached Copyright Statment


Version: PGP for Personal Privacy 5.0

Charset: noconv





(C) 1999-2000 All rights reserved.