Security Portal Weekly Newsletter |
By Seán Boran. Your feedback is welcome.
Contents:
The Rundown
Advisories & Security
Bulletins
News
Mailing lists / Bugtraq
Tip of the Week
This article is the first in a weekly series on Sun Security. We welcome your feedback and suggestions.
We start off with a roundup of security issues over the last year and a list of relevant security resources. It has been pretty quiet for Solaris security in the last few months, until three weaknesses were discovered and discussed on Bugtraq in the last week of April; no patches are yet available from Sun. These weaknesses concern:
Xsun Buffer Overflow
lp -d option Buffer Overflow
lpstat -r option Buffer Overflow
See the Bugtraq section below for more details.
The following lists security bulletins for Sun products and for products likely to be run on Sun machines. Below is a list of relevant material for 1999 and 2000.
Advisories in 2000:
Apr. 26: CA-2000-03 Continuing Compromises of DNS servers
There are continuing compromises of machines running the DNS software that is part of BIND (named). A significant number of delegated DNS servers in the in-addr.arpa tree are running outdated versions of DNS software.
Sun Security Bulletin 194.
Mar. 31: CIAC DDOS Mediation Action List (K-032)
Distributed Denial of Service attacks have drawn attention to fundamental flaws in the present implementation of the TCP/IP stack.
Jan. 3: CA-2000-01 Denial-of-Service Developments
In addition to continued reports of denial-of-service problems, a denial-of-service tool called "stacheldraht" has been discovered.
Sun Security Bulletin 193.
Advisories in 1999:
Dec 28: CA-99-17 Denial-of-Service Tools
A new denial-of-service tool known as Tribe FloodNet 2K was released; a weakness in certain versions of MacOS allows intruders to use MacOS 9 as a "traffic amplifier."
Sun Security Bulletin 193.
Dec. 14: CA-99-16 Buffer Overflow in Solstice AdminSuite Daemon sadmind
All versions of sadmind, part of Sun Microsystems' Solstice AdminSuite package, are vulnerable to a buffer overflow that can allow a remote user to execute arbitrary code with root privileges.
Sun Security Bulletin 191.
Dec. 14: CA-99-15 Buffer Overflows in SSH daemon and RSAREF2 Library
Some [U.S.] versions of sshd are vulnerable to a buffer overflow that can allow an intruder to influence certain variables internal to the program. This vulnerability alone does not allow an intruder to execute code. However, a vulnerability in RSAREF2 can be used in conjunction with it to allow a remote intruder to execute arbitrary code.
Dec. 9: ISS Bulletin: Snoop Buffer Overflow
A buffer overflow vulnerability has been discovered which may be exploited by a remote attacker to execute arbitrary instructions and gain root access.
Sun Security Bulletin 190.
Nov. 10: CA-99-14 Multiple Vulnerabilities in BIND
Six vulnerabilities have been found in BIND, the popular domain name server from the Internet Software Consortium (ISC). One of these vulnerabilities may allow remote intruders to gain privileged access to name servers.
Sun Security Bulletin 194.
Sep. 28: CIAC J-069: SunOS LC_MESSAGES Environment Variable Vulnerability
A buffer overflow vulnerability has been identified in the LC_MESSAGES Environment variable. PLATFORM: SunOS 5.7, 5.7_x86, 5.6, 5.6_x86. DAMAGE: A buffer overflow may be exploited to gain root access.
Sun Security Bulletin 189.
Sep. 13: CA-99-11 Four Vulnerabilities in the Common Desktop Environment
Multiple vulnerabilities have been identified in some distributions of the Common Desktop Environment (CDE).
Sun Security Bulletin 192.
Jul. 16: CA-99-08 Buffer overflow vulnerability in rpc.cmsd
There is a buffer overflow vulnerability in the Calendar Manager Service Daemon, rpc.cmsd. This vulnerability allows remote and local users to execute arbitrary code with the privileges of cmsd, typically root. A tool to exploit this vulnerability has been publicly released.
Sun Security Bulletin 188.
Jun. 9 (updated Nov. 9): CA-99-05 Vulnerability in statd exposes vulnerability in automountd
This advisory describes two vulnerabilities, one in statd and one in automountd, that are being used together by intruders to gain access to vulnerable systems. By combining attacks exploiting these two vulnerabilities, a remote intruder is able to execute arbitrary commands with the privileges of the automountd service.
See also CIAC Bulletin: J-045: Vulnerability in statd exposes vulnerability in automountd
Note that the rpc.statd vulnerability described in this advisory is distinct from the vulnerabilities described in CERT Advisories CA-96.09 and CA-97.26.
Sun Security Bulletin 186.
Feb. 12: CIAC J-028: Sun Solaris Vulnerabilities (sdtcm_convert, man/catman, CDE)
Sun has identified three vulnerabilities: 1) sdtcm_convert, a setuid-root calendar data conversion utility; 2) the man command, which displays reference manuals, and the catman utility, which creates preformatted versions of on-line manuals; 3) the Common Desktop Environment (CDE). DAMAGE: If exploited, all these vulnerabilities could lead to root access or allow arbitrary files to be overwritten.
Sun Security Bulletin 183, 184, 185.
Jan. 21: CA-99-01 Trojan TCP Wrappers
The CERT Coordination Center has received confirmation that some copies of the source code for the TCP Wrappers tool (tcpd) were modified by an intruder and contain a Trojan horse. An intruder can gain unauthorized root access to any host running this Trojan horse version of TCP Wrappers.
The major news recently was the release of Solaris 8, which contains some interesting new security features.
My favourite new feature is the bundling of "Sunscreen EFS 3.01 lite", a reduced version of the Sunscreen Firewall. Although it won't replace a firewall, it can be very useful in restricting network dataflow to and from a host, something which until now has only been possible with tools like IPfilter. An example of using Sunscreen lite when hardening bastion hosts can be found in SecurityPortal's updated research paper "Hardening Solaris (UPDATE??)": www.securityportal.com/coverstory19991025.html
Bugtraq vulnerabilities so far this year - Solaris:
2000-04-24 Solaris lp -d Option Buffer Overflow Vulnerability
2000-04-24 Solaris lpset -r Buffer Overflow Vulnerability
2000-04-24 Solaris Xsun Buffer Overrun Vulnerability
Bugtraq vulnerabilities so far this year - Applications that run on Solaris:
2000-05-05 Netwin DNews News Server Buffer Overflow Vulnerability
2000-05-04 Netwin Dmailweb Server utoken Buffer Overflow Vulnerability
2000-05-03 L-Soft Listserv 1.8 Web Archives Buffer Overflow Vulnerability
2000-05-02 Sniffit '-L mail' Remote Buffer Overflow Vulnerability
2000-04-16 Star Office 5.1 Buffer Overflow Vulnerabilities
2000-04-06 IBM ikeyman Java Class Creation Vulnerability
2000-03-29 ICA Weak Encryption Vulnerability
2000-03-17 Netscape Enterprise Server Directory Indexing Vulnerability
2000-03-09 StarOffice StarScheduler Remote Buffer Overflow Vulnerability
2000-03-09 StarOffice StarScheduler Arbitrary File Read Vulnerability
2000-02-21 Sun Licensing Manager Symlink Vulnerability
2000-02-19 Sun Internet Mail Server Cleartext Passwords During Installation Vulnerability
2000-02-15 Multiple Vendor SNMP World Writeable Community Vulnerability
Summary of FOCUS-Sun Discussions:
Buffer Overflows in lp/lpset/Xsun (Thread)
www.securityfocus.com/templates/archive.pike?list=92&date=2000-05-04&thread=20000428114448.2F01A1EE8F@lists.securityfocus.com
NIS+ CIAC doc (Thread)
www.securityfocus.com/templates/archive.pike?list=92&date=2000-05-04&thread=3909D05C.702EB676@edlearning.com
Latest Sun Vulns... (Thread)
www.securityfocus.com/templates/archive.pike?list=92&date=2000-05-04&thread=200004271050.LAA06697@otis.UK.Sun.COM
Solaris password strength enforcement
www.securityfocus.com/templates/archive.pike?list=92&date=2000-05-04&msg=000508064507GF.26738@weba7.iname.net
Can't find one of your Sun manuals because you lent it to someone? Disappointed that the new software you ordered only comes with a simple install and user's guide?
Sun now publishes all user manuals, administration manuals, reference guides etc. on docs.sun.com in several languages. Likewise, iPlanet documents are available on docs.iPlanet.com.
Sun Security Resources:
Sun Security Coordination Team sunsolve.sun.com/pub-cgi/show.pl?target=security/sec
Sun security bulletins are available at: sunsolve.sun.com/security
General Sun Security www.sun.com/security
Solaris Security Datasheets www.sun.com/software/solaris/ds/ds-security
Java Security java.sun.com/security
CERT: www.cert.org
Patches
If you have a maintenance contract, log in to sunsolve and get both the PatchDiag tool and its reference database: sunsolve.sun.com
SecurityFocus Solaris Patch Calculator: www.securityfocus.com/sun/vulncalc
Sun security patches: sunsolve.sun.com/securitypatch
Public sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access
Patch download tool WGET sunsite.auc.dk/ftp/pub/infosystems/wget
Web Publications & resources
SecurityFocus, Sun section: www.securityfocus.com/sun
Vulnerability database: www.securityfocus.com/vdb
Hardening Solaris: www.securityportal.com/coverstory19991025.html
Review of the Sunscreen EFS3 firewall: securityportal.com/direct.cgi?/research/sunscreenefs.html
All about SSH - Part I: securityportal.com/direct.cgi?/research/ssh-part1.html
All about SSH - Part II: securityportal.com/direct.cgi?/research/ssh-part2.html
Solaris Guide: www.solarisguide.com
Sunworld:
- sunwhere index of resources www.sunworld.com/sunworldonline/sunwhere.html
- Sunworld security columns
www.sunworld.com/sunworldonline/common/swol-backissues-columns.html
- Solaris Security FAQ www.sunworld.com/common/security-faq.html
General discussion resources
News /personal interface to Sun resources: www.sun.com/MySun
BigAdmin discussion forum & FAQs: www.sun.com/bigadmin/home/index.html
Newsgroups:
comp.unix.solaris
comp.sys.sun.admin
comp.sys.sun.hardware
alt.solaris.x86
Sun-managers Mailing list: This list has been around for many years and is an invaluable resource to Sun system administrators.
To have your mailing address added to or removed from the mailing list, send a request to "majordomo@sunmanagers.ececs.uc.edu". The request should contain simply one line which says either "subscribe sun-managers" or "unsubscribe sun-managers". You can specify the particular e-mail address to be added after the word "subscribe".
SecurityFocus "FOCUS-Sun" list: see www.securityfocus.com/focus/sun/subscribe.html
Focus-Sun is meant to be a resource for Sun users and administrators looking for that extra little bit of help in securing Sun products, using Sun products in security roles, and getting additional information about the latest in Sun vulnerabilities. Unsure how secure NIS is? Curious as to how to properly use ACLs? Does the latest and greatest Sun RPC bug affect you? Questions like these are all expected and encouraged. The Focus-Sun list is meant to address those questions which are inappropriate or off topic for Bugtraq. In addition, important announcements related to breaking vulnerabilities will be posted, with the details needed to ensure that you have the up-to-the-minute information you need to keep your Suns secure.