July 2000

HP issued a rare security alert for the HP 3000

Every month heralds several new security holes to close for HP’s Unix servers, but near the end of June the company issued an uncommon alert about an HP 3000 security breach — one that administrators will need to plug with lockwords. HP’s alert reported that, under a specific setup, users with ordinary read-only IMAGE/SQL database privileges can gain additional privileges. HP’s security experts, as well as the user community online, were deliberately vague about what that setup is, so as not to aid attackers, but reported that the temporary solution is to secure DBUTIL.PUB.SYS and database schemas with a lockword. The exposure will turn up in most of the HP 3000 installed base, since HP identified the range of MPE/iX releases affected as versions 4.5 and higher. If a site doesn’t secure its database resources with lockwords, users authorized for lower-level database access can gain much wider access — equal to that of the database’s creator. The problem is isolated to the DBUTIL program.

Tien-You Chen of the HP 3000 database lab reported on an HP Web site that “We are in the process of creating a fix for this problem. TurboIMAGE patch TIXLX74 will include the fix. This patch updates the TurboIMAGE version to C.08.01 and is for MPE 5.5, 6.0 and 6.5.” Chen said that since the problem only occurs in the DBUTIL program, sites that don’t want to change other parts of TurboIMAGE can download only the DBUTIL program from the division’s Jazz Web server at jazz.external.hp.com/src/misc/dbutil.std or jazz.external.hp.com/src/misc/dbutil.tar.Z and replace DBUTIL.PUB.SYS on their system with the correct version of DBUTIL contained in one of these archives. Chen noted that customers need to be sure to save the old DBUTIL program and swap it back when they install the TurboIMAGE patch later on, because PATCH/iX may otherwise complain about a checksum mismatch. Depending on the TurboIMAGE version on the system (which you can discover by running QUERY and using the VERSION command), three matching DBUTIL programs are provided in the archives on the Jazz Web site: DBUTIL06 for TurboIMAGE version C.06.xx, DBUTIL07 for TurboIMAGE version C.07.xx and DBUTIL08 for TurboIMAGE version C.08.xx.

Ken Sletten, chairman of the SIGIMAGE special interest group, noted that implementing lockwords will mean some extra work for sites that rely on jobstreams. “If you implement HP's recommended ‘temporary solution’ of lockwords pending availability of a patch that will fix the problem, and if any of your in-house or vendor job streams run DBUTIL,” he said, “remember that you will have to handle the lockword.” Sletten also commented on whether the security breach could be triggered accidentally. “In the real world I cannot imagine how one person would ever unintentionally stumble all the way through this. That does not mean it is hard to do; but I can say that it requires a series of actions separate from and in addition to running DBUTIL.” System managers who want more details can call the HP Response Center to learn how DBUTIL could be a security culprit.
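As an added illustration, not from the NewsWire article or from HP’s advisory: the MPE/iX CI commands a system manager would use to check which TurboIMAGE version is installed (so the matching DBUTILnn archive can be picked), to put a lockword on DBUTIL.PUB.SYS as HP’s interim workaround, and then to supply that lockword from a job stream, which is the extra work Sletten refers to. The database name SALESDB, the lockword DBUKEY, the job name and the user and account passwords are placeholders and should be replaced with a site’s own values.

```mpe
:COMMENT --- Interactive session: find out which TurboIMAGE version is installed ---
:RUN QUERY.PUB.SYS
>VERSION
>EXIT
:COMMENT --- Interim workaround: put a lockword on the DBUTIL program file ---
:COMMENT     (DBUKEY is a placeholder lockword; a RENAME to the same name adds it)
:RENAME DBUTIL.PUB.SYS,DBUTIL/DBUKEY.PUB.SYS
:COMMENT Interactive users are now prompted for the lockword before DBUTIL runs.
:COMMENT Batch jobs cannot answer that prompt, so each job stream that runs
:COMMENT DBUTIL must carry the lockword in the file designator, as below.
!JOB DBCHECK,MGR/USERPASS.PROD/ACCTPASS;OUTCLASS=LP,1
!COMMENT Lockword supplied inline; without it the job would abort at this RUN.
!RUN DBUTIL/DBUKEY.PUB.SYS
>>SHOW SALESDB ALL
>>EXIT
!EOJ
```

Because the lockword now sits in clear text inside every job stream that runs DBUTIL, those job files themselves need to be protected (restrictive account and group capabilities and, where used, ACDs), and the lockword should be removed again once the TurboIMAGE patch is installed and the original DBUTIL is swapped back.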


Copyright The 3000 NewsWire. All rights reserved