Weekly Solaris Security Roundup

First Article: Week ending 12th May 2000 


By Seán Boran. Your feedback is welcome.

Contents:
  The Rundown
  Advisories & Security Bulletins
  News
  Mailing lists /Bugtraq
  Tip of the Week


The Rundown

This article is the first in a weekly series on Sun Security. We welcome your feedback and suggestions.

We start off with a roundup of security issues over the last year and a list of relevant security resources. It has been pretty quiet for Solaris security in the last few months, until three weaknesses were discovered and discussed on Bugtraq in the last week of April. No patches are yet available from Sun. These weaknesses concern:

Xsun Buffer Overflow
lp -d option Buffer Overflow
lpset -r option Buffer Overflow

See the Bugtraq section below for more details.


CERT Advisories & Sun Security Bulletins

The following lists security bulletins for Sun products and for products likely to be run on Sun machines, covering 1999 and 2000.

Advisories in 2000:

Apr. 26: CA-2000-03 Continuing Compromises of DNS servers
There are continuing compromises of machines running the DNS software that is part of BIND (named). A significant number of delegated DNS servers in the in-addr.arpa tree are running outdated versions of DNS software.
Sun Security Bulletin 194.

Mar. 31: CIAC DDOS Mediation Action List (K-032)
Distributed Denial of Service attacks have drawn attention to fundamental flaws in the present implementation of the TCP/IP stack.

Jan. 3: CA-2000-01 Denial-of-Service Developments
In addition to continued reports of denial-of-service problems, a denial-of-service tool called "stacheldraht" has been discovered.
Sun Security Bulletin 193.

Advisories in 1999:

Dec 28: CA-99-17 Denial-of-Service Tools
A new denial-of-service tool known as Tribe FloodNet 2K was released; a weakness in certain versions of MacOS allows intruders to use MacOS 9 as a "traffic amplifier."
Sun Security Bulletin 193.

Dec. 14: CA-99-16 Buffer Overflow in Solstice AdminSuite Daemon sadmind
All versions of sadmind, part of Sun Microsystems' Solstice AdminSuite package, are vulnerable to a buffer overflow that can allow a remote user to execute arbitrary code with root privileges.
Sun Security Bulletin 191.

Dec. 14: CA-99-15 Buffer Overflows in SSH daemon and RSAREF2 Library
Some [U.S.] versions of sshd are vulnerable to a buffer overflow that can allow an intruder to influence certain variables internal to the program. This vulnerability alone does not allow an intruder to execute code. However, a vulnerability in RSAREF2 can be used in conjunction with it to allow a remote intruder to execute arbitrary code.

Dec. 9: ISS Bulletin: Snoop Buffer Overflow
A buffer overflow vulnerability has been discovered which may be exploited by a remote attacker to execute arbitrary instructions and gain root access.
Sun Security Bulletin 190.

Nov. 10: CA-99-14 Multiple Vulnerabilities in BIND
Six vulnerabilities have been found in BIND, the popular domain name server from the Internet Software Consortium (ISC). One of these vulnerabilities may allow remote intruders to gain privileged access to name servers.
Sun Security Bulletin 194.

Sep. 28: CIAC J-069: SunOS LC_MESSAGES Environment Variable Vulnerability
A buffer overflow vulnerability has been identified in the LC_MESSAGES Environment variable. PLATFORM: SunOS 5.7, 5.7_x86, 5.6, 5.6_x86. DAMAGE: A buffer overflow may be exploited to gain root access.
Sun Security Bulletin 189.

Sep. 13: CA-99-11 Four Vulnerabilities in the Common Desktop Environment
Multiple vulnerabilities have been identified in some distributions of the Common Desktop Environment (CDE).
Sun Security Bulletin 192.

Jul. 16: CA-99-08 Buffer overflow vulnerability in rpc.cmsd
There is a buffer overflow vulnerability in the Calendar Manager Service Daemon, rpc.cmsd. This vulnerability allows remote and local users to execute arbitrary code with the privileges of cmsd, typically root. A tool to exploit this vulnerability has been publicly released.
Sun Security Bulletin 188.

Jun. 9 (updated Nov. 9): CA-99-05 Vulnerability in statd exposes vulnerability in automountd
This advisory describes two vulnerabilities, one in statd and one in automountd, that are being used together by intruders to gain access to vulnerable systems. By combining attacks exploiting these two vulnerabilities, a remote intruder is able to execute arbitrary commands with the privileges of the automountd service.
See also CIAC Bulletin: J-045: Vulnerability in statd exposes vulnerability in automountd
Note that the rpc.statd vulnerability described in this advisory is distinct from the vulnerabilities described in CERT Advisories CA-96.09 and CA-97.26.
Sun Security Bulletin 186.

Feb. 12: CIAC J-028: Sun Solaris Vulnerabilities (sdtcm_convert, man/catman, CDE)
Sun has identified three vulnerabilities. 1) sdtcm_convert, a setuid-root calendar data conversion utility. 2) man command displays reference manuals. catman utility creates preformatted versions of on-line manuals. 3) Common Desktop Environment (CDE). DAMAGE: If exploited, all these vulnerabilities could lead to root access or allow arbitrary files to be overwritten.
Sun Security Bulletin 183, 184, 185.

Jan. 21: CA-99-01 Trojan TCP Wrappers
The CERT Coordination Center has received confirmation that some copies of the source code for the TCP Wrappers tool (tcpd) were modified by an intruder and contain a Trojan horse. An intruder can gain unauthorized root access to any host running this Trojan horse version of TCP Wrappers.


News

The major news recently was the release of Solaris 8, which contains some interesting new security features.

My favourite new feature is the bundling of "Sunscreen EFS 3.01 lite", a reduced version of the Sunscreen Firewall. Although it won't replace a firewall, it can be very useful in restricting network dataflow to and from a host, something which until now has only been possible with tools like IPfilter. An example of using Sunscreen lite when hardening bastion hosts can be found in SecurityPortal's updated research paper "Hardening Solaris (UPDATE??)": www.securityportal.com/coverstory19991025.html


Mailing lists, Bugtraq

Bugtraq vulnerabilities so far this year - Solaris:

2000-04-24 Solaris lp -d Option Buffer Overflow Vulnerability
2000-04-24 Solaris lpset -r Buffer Overflow Vulnerability
2000-04-24 Solaris Xsun Buffer Overrun Vulnerability

2000-01-06 Solaris chkperm Buffer Overflow Vulnerability

Bugtraq vulnerabilities so far this year - Applications that run on Solaris:

2000-05-05 Netwin DNews News Server Buffer Overflow Vulnerability
2000-05-04 Netwin Dmailweb Server utoken Buffer Overflow Vulnerability
2000-05-03 L-Soft Listserv 1.8 Web Archives Buffer Overflow Vulnerability
2000-05-02 Sniffit '-L mail' Remote Buffer Overflow Vulnerability

2000-04-16 Star Office 5.1 Buffer Overflow Vulnerabilities
2000-04-06 IBM ikeyman Java Class Creation Vulnerability

2000-03-29 ICA Weak Encryption Vulnerability
2000-03-17 Netscape Enterprise Server Directory Indexing Vulnerability
2000-03-09 StarOffice StarScheduler Remote Buffer Overflow Vulnerability
2000-03-09 StarOffice StarScheduler Arbitrary File Read Vulnerability

2000-02-21 Sun Licensing Manager Symlink Vulnerability
2000-02-19 Sun Internet Mail Server Cleartext Passwords During Installation Vulnerability
2000-02-15 Multiple Vendor SNMP World Writeable Community Vulnerability

Summary of FOCUS-Sun Discussions:

Buffer Overflows in lp/lpset/Xsun (Thread)
www.securityfocus.com/templates/archive.pike?list=92&date=2000-05-04&thread=20000428114448.2F01A1EE8F@lists.securityfocus.com

NIS+ CIAC doc (Thread)
www.securityfocus.com/templates/archive.pike?list=92&date=2000-05-04&thread=3909D05C.702EB676@edlearning.com

Latest Sun Vulns... (Thread)
www.securityfocus.com/templates/archive.pike?list=92&date=2000-05-04&thread=200004271050.LAA06697@otis.UK.Sun.COM

Solaris password strength enforcement
www.securityfocus.com/templates/archive.pike?list=92&date=2000-05-04&msg=000508064507GF.26738@weba7.iname.net


Tip of the Week

Can't find one of your Sun manuals because you lent it to someone? Disappointed that the new software you ordered only comes with a simple install and user's guide?

Sun now publish all user manuals, administration manuals, reference guides etc. on docs.sun.com in several languages. Likewise iPlanet documents are available on docs.iPlanet.com.

 


References and Resources

Sun Security Resources:

Sun Security Coordination Team sunsolve.sun.com/pub-cgi/show.pl?target=security/sec

Sun security bulletins are available at: sunsolve.sun.com/security

General Sun Security www.sun.com/security
Solaris Security Datasheets www.sun.com/software/solaris/ds/ds-security
Java Security java.sun.com/security

CERT: www.cert.org 

Patches

If you have a maintenance contract, log in to SunSolve and get both the PatchDiag tool and its reference database: sunsolve.sun.com

SecurityFocus Solaris Patch Calculator: www.securityfocus.com/sun/vulncalc

Sun security patches: sunsolve.sun.com/securitypatch

Public  sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access

Patch download tool WGET sunsite.auc.dk/ftp/pub/infosystems/wget

Web Publications & resources

SecurityFocus, Sun section: www.securityfocus.com/sun
Vulnerability database: www.securityfocus.com/vdb

Hardening Solaris: www.securityportal.com/coverstory19991025.html
Review of the Sunscreen EFS3 firewall:  securityportal.com/direct.cgi?/research/sunscreenefs.html

All about SSH - Part I: securityportal.com/direct.cgi?/research/ssh-part1.html
All about SSH - Part II: securityportal.com/direct.cgi?/research/ssh-part2.html

Solaris Guide: www.solarisguide.com

Sunworld:

General discussion resources

News /personal interface to Sun resources: www.sun.com/MySun

BigAdmin discussion forum & FAQs: www.sun.com/bigadmin/home/index.html

Newsgroups:
  comp.unix.solaris
  comp.sys.sun.admin
  comp.sys.sun.hardware
  alt.solaris.x86

Sun-managers Mailing list: This list has been around for many years and is an invaluable resource to Sun system administrators.
To have your mailing address added to or removed from the mailing list, send a request to "majordomo@sunmanagers.ececs.uc.edu". The request should contain simply one line which says either "subscribe sun-managers" or "unsubscribe sun-managers". You can specify the particular e-mail address to be added after the word "subscribe".

SecurityFocus "FOCUS-Sun" list: see www.securityfocus.com/focus/sun/subscribe.html
Focus-Sun is meant to be a resource for Sun users and administrators looking for that extra little bit of help in securing Sun products, using Sun products in security roles, and getting additional information about the latest in Sun vulnerabilities. Unsure how secure NIS is? Curious as to how to properly use ACLs? Does the latest and greatest Sun RPC bug affect you? Questions like these are all expected and encouraged. The Focus-Sun list is meant to address those questions which are inappropriate or off topic for Bugtraq. In addition, important announcements related to breaking vulnerabilities will be posted, with the details needed to ensure that you have the up-to-the-minute information you need to keep your Suns secure.

