Security Portal Weekly Newsletter
Weekly Solaris Security Roundup Archive
By Seán Boran, sean AT boran.com, for Security Portal
Ufsrestore buffer overflow discovered that could give local root access. Tip of the week presents a script for mirroring the boot disk each night, as an alternative to using RAID.
none this week.
Solaris Default Processes and init.d Part II
This is the second article in a series on Solaris init.d and default processes. It explains how the startup scripts work and gives some examples, but does not delve into the details of the many startup scripts themselves.
Sun Community Source License (SCSL): A discussion on the "free-ness" of Solaris 8.
OpenBSD 2.7 has been released, with lots of updates to the security tools (SSH, IPsec/IKE, swap space encryption, SSL, ipf), the OS (much better hardware support) and the ports collection. Several minor security problems have also been fixed.
I believe only the SPARC and not the Ultra architecture is supported (unfortunately). Solaris 8 may be a little slow on your old Sparc 4/5/10/20, but OpenBSD is not. Buy the CD and try it out. www.OpenBSD.org/plus27.html
Bugtraq vulnerabilities this week - Solaris:
2000-06-14: Solaris ufsrestore Buffer Overflow Vulnerability
Ufsrestore is setuid root by default and vulnerable to a buffer overflow, which could allow a local attacker to gain root access. No patch is yet available; a workaround is to remove the setuid bit (but then only root can perform restores).
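As an added example (not part of the newsletter), a small POSIX shell audit that applies the workaround described above and reports setuid binaries that appear or disappear between runs, so a removed bit or a newly installed setuid program is noticed. The path /usr/sbin/ufsrestore is where Solaris installs the binary; the directory and baseline file names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the newsletter: audit setuid programs and apply the
# advisory's workaround (drop the setuid bit) until a patch is available.

# Print every regular file under DIR that carries the setuid bit, sorted,
# so the output can be saved as a baseline and compared later.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Exit 0 if FILE has the setuid bit set.
has_setuid() {
    [ -u "$1" ]
}

# Remove the setuid bit from FILE and confirm it is really gone.
drop_setuid() {
    chmod u-s "$1" && ! has_setuid "$1"
}

# Compare the setuid files under DIR with a saved baseline (a sorted list
# produced earlier by list_setuid). Prints "+ path" for new setuid files and
# "- path" for ones that lost the bit. Exit 0 only if nothing changed.
diff_setuid_baseline() {
    dir=$1 baseline=$2
    tmp=$(mktemp) || return 2
    list_setuid "$dir" > "$tmp"
    comm -13 "$baseline" "$tmp" | sed 's/^/+ /'
    comm -23 "$baseline" "$tmp" | sed 's/^/- /'
    cmp -s "$baseline" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Typical use on the Solaris box (constructed paths): save a baseline once on
# a freshly patched system, then re-check from cron and drop the bit on
# ufsrestore while no patch exists.
if [ "${1:-}" = check ]; then
    diff_setuid_baseline / /var/adm/setuid.baseline
    if has_setuid /usr/sbin/ufsrestore; then
        echo "ufsrestore is still setuid; dropping the bit" >&2
        drop_setuid /usr/sbin/ufsrestore
    fi
fi
```

Run the script once with `list_setuid / > /var/adm/setuid.baseline` to record the known-good set, then schedule `setuid_audit.sh check` nightly and mail its output to the administrator.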
Bugtraq vulnerabilities this week - Applications that run on Solaris:
2000-06-14: Network Associates PGP Certificate Server Unresolveable IP Address DoS Vulnerability
2000-06-09: 3R Soft MailStudio 2000 Multiple Vulnerabilities
2000-06-08: Multiple Vendor JSP Source Code Disclosure Vulnerability (concerns BEA Systems Weblogic and IBM WebSphere Application Server).
FOCUS-Sun discussions were numerous this week:
06/14/00 sun support / linux ?
06/14/00 SunOS 5.8 upgrades
06/14/00 Solaris 2.8, was Locking down a Sun box
06/14/00 Locking down a Sun box (lots of discussion on this one)
06/14/00 Sunscreen vs ipf
06/14/00 Secure shell not working
06/13/00 Secured FTP server
06/09/00 solaris packages
Progress report on Yassp (the Solaris hardening tool), from the Developers' list:
Several bugs reported: /etc/default/passwd, root cron replaced instead of edited, /etc/skel/local.profile, Yassp doesn't work well with a custom jumpstart, removing the yassp package did NOT restore all files correctly. Development cycle/Version naming should be improved. Existing settings in /etc/system are ignored.
Changes discussed: Move tcpd to /usr/local/sbin? Move tripwire from /secure to /opt/local? Only change security settings in /etc/system? Reword /etc/motd? Why are accounts blocked in passwd and shadow? Do we really have to change the geos for root?
Edit vfstab and improve mount options? No - not so easy to edit and the options depend on server usage, so we should document it as a post-install step.
Fixes implemented by Jean: The passwd file will be cleaned in future using commands like usermod/passwd/passmgmt, rather than sed (in the clean_passwd script). All files changed and moved should be backed up.
General discussions: coreadm(1) can be used to specify how cores are generated/managed, in Solaris 7 11/99 and later. Are nettune settings OK for 32 and 64bit Solaris 7/8? DNScache is a good alternative to BIND (but Jean notes that even if BIND or DNScache is installed, the patches for libresolv are still needed). It was suggested that the eeprom command "setenv security-password" should be documented as a subsequent step to Yassp installation - the list didn't sound convinced.
See also: Yassp site, Hardening Solaris (with Yassp)
Minimum downtime and prevention of data loss is important for most servers. The traditional solution is to use a RAID box to cover for disk failures. However, if the root, /usr and /var filesystems are on RAID and the RAID controller goes, you have a problem (unless you have a fully redundant RAID). I've been caught out twice over the last few years by failed fibre channels and controllers, and I now use RAID for data disks, put the system files on a "normal" single disk and mirror that to an identical disk each night. If the boot disk dies, boot from the second disk.
The script mirror_boot.sh has been developed to do just that. Sample output is in mirror_output.txt. Read the comments at the top of the script carefully before using it!
How it works: Each night the offline disk is mounted and synchronised with the primary disk. The script is called from the root cron nightly. It mounts the spare disk under /newroot, copies all filesystems, installs a boot block and copies over a new vfstab. This creates a fully updated bootable spare disk. The results of the script are sent to the administrator via email.
Advantages: This solution is very simple (no complex hardware or software) and easy to understand in a crisis (when RAID complexity can be hell).
Disadvantages: Hot failover is not available, and a downtime of say 15 minutes has to be acceptable.
Comments/corrections/suggestions are welcome.
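The nightly procedure described above (mount the spare under /newroot, copy the filesystems, write a vfstab that points at the spare, install a boot block), written out as an added shell example. This is not Seán Boran's mirror_boot.sh; it assumes a primary boot disk c0t0d0, a spare c0t1d0 whose slices are already mounted under /newroot, and the filesystems / /usr /var, all constructed names. The vfstab rewrite and its consistency check are plain text processing; only run_mirror calls the Solaris ufsdump, ufsrestore and installboot commands.

```shell
#!/bin/sh
# Added example of a nightly boot-disk mirror; not the newsletter's script.
# Constructed assumptions: primary c0t0d0, spare c0t1d0, spare mounted on
# /newroot (root slice) with /newroot/usr and /newroot/var for the other slices.
PRIMARY=${PRIMARY:-c0t0d0}
SPARE=${SPARE:-c0t1d0}
NEWROOT=${NEWROOT:-/newroot}
FILESYSTEMS=${FILESYSTEMS:-"/ /usr /var"}

# Rewrite a vfstab (stdin -> stdout) so every slice of the primary disk refers
# to the same slice number on the spare. Both the block (/dsk) and raw (/rdsk)
# device names are rewritten; comments and other disks are left untouched.
rewrite_vfstab() {
    sed "s|/dsk/${PRIMARY}|/dsk/${SPARE}|g; s|/rdsk/${PRIMARY}|/rdsk/${SPARE}|g"
}

# Sanity-check a rewritten vfstab (stdin): it must still mount / and must not
# reference the primary disk, otherwise the spare would boot from the dead disk.
vfstab_is_consistent() {
    content=$(cat)
    printf '%s\n' "$content" | grep -v '^#' \
        | awk '$3 == "/" {found=1} END {exit found ? 0 : 1}' || return 1
    printf '%s\n' "$content" | grep -q "$PRIMARY" && return 1
    return 0
}

# Map a live mount point to its location under the spare root.
spare_path() {
    case $1 in
        /) printf '%s\n' "$NEWROOT" ;;
        *) printf '%s%s\n' "$NEWROOT" "$1" ;;
    esac
}

# The nightly job itself (Solaris only). Every step aborts on error so a
# half-written spare is reported rather than silently left bootable.
run_mirror() {
    for fs in $FILESYSTEMS; do
        dst=$(spare_path "$fs")
        # Refuse to write unless the target really is a slice of the spare disk:
        # an unmounted /newroot would otherwise receive a copy of the live root.
        df -k "$dst" | tail -1 | grep -q "/dsk/${SPARE}" \
            || { echo "$dst is not on $SPARE, aborting" >&2; return 1; }
        # Level-0 dump of the live filesystem restored into the spare's slice.
        (cd "$dst" && ufsdump 0f - "$fs" | ufsrestore rf - && rm -f restoresymtable) \
            || return 1
    done
    # Install the rewritten vfstab only if it passes the consistency check.
    rewrite_vfstab < /etc/vfstab > "$NEWROOT/etc/vfstab.new" || return 1
    vfstab_is_consistent < "$NEWROOT/etc/vfstab.new" \
        || { echo "rewritten vfstab rejected, leaving spare's old vfstab" >&2; return 1; }
    mv "$NEWROOT/etc/vfstab.new" "$NEWROOT/etc/vfstab" || return 1
    # Make the spare bootable: boot block onto its root slice (s0 assumed).
    installboot "/usr/platform/$(uname -i)/lib/fs/ufs/bootblk" "/dev/rdsk/${SPARE}s0"
}

# Run only when invoked as "mirror_boot.sh run"; sourcing the file just defines functions.
if [ "${1:-}" = run ]; then
    run_mirror && echo "spare disk $SPARE updated $(date)"
fi
```

A root crontab line such as `0 2 * * * /usr/local/sbin/mirror_boot.sh run 2>&1 | mailx -s mirror_boot root` gives the nightly run and the e-mailed result the text describes; the df check is what keeps a night when the spare failed to mount from overwriting the live root.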
Sun Security Resources:
Sun Security Coordination Team sunsolve.sun.com/pub-cgi/show.pl?target=security/sec
Sun security bulletins are available at: sunsolve.sun.com/security
General Sun Security www.sun.com/security
Solaris Security Datasheets www.sun.com/software/solaris/ds/ds-security
Java Security java.sun.com/security
Patches
If you have a maintenance contract, log in to sunsolve and get both the PatchDiag tool and its reference database, sunsolve.sun.com. If you don't, use the SecurityFocus Solaris Patch Calculator: www.securityfocus.com/sun/vulncalc
Sun security patches: sunsolve.sun.com/securitypatch
Public patch access: sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access
Patch download tool WGET: sunsite.auc.dk/ftp/pub/infosystems/wget
Web Publications, resources
SecurityFocus, Sun section: www.securityfocus.com/sun
Vulnerability database: www.securityfocus.com/vdb
Security Portal papers:
Hardening Solaris
Review of the Sunscreen EFS3 firewall
All about SSH - Part I
All about SSH - Part II
SANS Report: How To Eliminate The Ten Most Critical Internet Security Threats
BigAdmin
SunFreeware Solaris Guide
Freeware4sun
Solaris Central
Intrusion Detection: snort
Solaris-System (x86) Forum
Network scanners: Nessus, Nmap
Sunwhere index of resources
Sunworld security columns
The IT Security Cookbook
Solaris Security FAQ
BSD Today
General discussion resources
News /personal interface to Sun resources: www.sun.com/MySun
BigAdmin discussion forum & FAQs: www.sun.com/bigadmin/home/index.html
Newsgroups:
comp.unix.solaris
comp.sys.sun.admin
comp.sys.sun.hardware
alt.solaris.x86
Sun-managers Mailing list: This list has been around for many years and is an invaluable resource to Sun system administrators.
To have your mailing address added to or removed from the mailing list, send a request to "majordomo@sunmanagers.ececs.uc.edu". The request should contain simply one line which says either "subscribe sun-managers" or "unsubscribe sun-managers". You can specify the particular e-mail address to be added after the word "subscribe".
SecurityFocus "FOCUS-Sun" list: www.securityfocus.com/focus/sun/subscribe.html
Focus-Sun is meant to be a resource for Sun users and administrators, looking for that extra little bit of help ..., using Sun products in security roles, and getting additional information about the latest in Sun vulnerabilities. ... In addition, important announcements related to breaking vulnerabilities will be posted.