Weekly Solaris Security Roundup - 2000/05/29 to 2000/06/04


Security Portal
Weekly Newsletter

Weekly Solaris Security Roundup Archive

By Seán Boran, sean AT boran.com, for Security Portal


The Rundown

A quiet week for Sun: no new advisories or weaknesses.
The Yassp tool is making progress; a new release will be ready soon.


CERT Advisories & Sun Security Bulletins


05/31/00 CS-2000-02 CERT Summary
Topics in this regularly scheduled CERT Summary include buffer overflows in Kerberos authenticated services, improper validation of SSL sessions in Netscape Navigator, the Love Letter Worm, denial-of-service attacks using nameservers, the exploitation of unprotected Windows shares, and continued reports of machines compromised by exploiting vulnerabilities in BIND.


News


Web Security: A discussion kicked off at Sunworld contains some interesting comments on the UNIX vs. Linux vs. Microsoft security debate. Moderated by Carole Fennelly and Brian Martin.

Progress report on Yassp (the Solaris hardening tool):
Work on beta#6 is underway, with lots of activity on the developer list. A new release is very close.

Updates: some path problems have been corrected in /etc/profile and /etc/default/su; support for Solaris 8 is under test; /opt/local and /usr/local will be supported for tools; /etc/rc.conf and /etc/yassp.conf have been merged; /etc/syslog.conf is improved.
Programs to be included: ssh (enhanced with SecurID support), tripwire, tcpd (wrapper), rpcbind (with access control), gzip, rcs. The installation script can let the user choose packages or have them installed "hands-off" by defining the PKGLIST variable.
The Intel platform is not yet supported.

There was also some (inconclusive) discussion on adding 'ifstatus' to yassp.

See also:
Yassp site
Hardening Solaris (with Yassp)


Mailing lists, Bugtraq

Bugtraq vulnerabilities this week - Solaris:

none

Bugtraq vulnerabilities this week - Applications that run on Solaris:

none

Summary of FOCUS-Sun discussions this week:

06/02/00 No secure copy on Solaris 8?
06/02/00 solaris packages
A discussion of alternative methods of installing Solaris applications, such as RPM and NFS hacks.
05/30/00 sun's libkrb and the recent kerb vulns.
No answers so far.
05/29/00 LDAP authentication through nsswitch.conf
No answers so far.
05/25/00 Colliding Password Hashes
Solaris ignores password characters after the maximum 8 characters.
05/26/00 Solaris Backup Verification


Tip of the Week

Solaris Default Processes and init.d Part I (SecurityFocus)
The first part of this article explains what each of the running processes is in a typical new Solaris 8 installation.


References and Resources

Sun Security Resources:

Sun Security Coordination Team: sunsolve.sun.com/pub-cgi/show.pl?target=security/sec
Sun security bulletins: sunsolve.sun.com/security
General Sun Security: www.sun.com/security
Solaris Security Datasheets: www.sun.com/software/solaris/ds/ds-security
Java Security: java.sun.com/security

Patches

If you have a maintenance contract, log in to SunSolve (sunsolve.sun.com) and get both the PatchDiag tool and its reference database. If you don't, use the SecurityFocus Solaris Patch Calculator: www.securityfocus.com/sun/vulncalc

Sun security patches: sunsolve.sun.com/securitypatch
Public: sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access
Patch download tool WGET: sunsite.auc.dk/ftp/pub/infosystems/wget

Web Publications & resources

SecurityFocus, Sun section: www.securityfocus.com/sun
Vulnerability database: www.securityfocus.com/vdb

Security Portal papers:

Hardening Solaris
Review of the Sunscreen EFS3 firewall
All about SSH - Part I 
All about SSH - Part II

Sunworld:

Sunwhere index of resources 
Sunworld security columns
Solaris Security FAQ

Solaris Guide, Solaris Central

General discussion resources

News/personal interface to Sun resources: www.sun.com/MySun

BigAdmin discussion forum & FAQs: www.sun.com/bigadmin/home/index.html

Newsgroups:
  comp.unix.solaris
  comp.sys.sun.admin
  comp.sys.sun.hardware
  alt.solaris.x86

Sun-managers Mailing list: This list has been around for many years and is an invaluable resource to Sun system administrators.
To have your mailing address added to or removed from the mailing list, send a request to "majordomo@sunmanagers.ececs.uc.edu". The request should contain simply one line which says either "subscribe sun-managers" or "unsubscribe sun-managers". You can specify the particular e-mail address to be added after the word "subscribe".

SecurityFocus "FOCUS-Sun" list: see www.securityfocus.com/focus/sun/subscribe.html
Focus-Sun is meant to be a resource for Sun users and administrators looking for that extra little bit of help in securing Sun products, using Sun products in security roles, and getting additional information about the latest in Sun vulnerabilities. Unsure how secure NIS is? Curious as to how to properly use ACLs? Does the latest and greatest Sun RPC bug affect you? Questions like these are all expected and encouraged. The Focus-Sun list is meant to address those questions which are inappropriate or off topic for Bugtraq. In addition, important announcements related to breaking vulnerabilities will be posted, with the details needed to ensure that you have the up-to-the-minute information you need to keep your Suns secure.