Weekly Solaris Security Roundup -  2000/06/12 to 2000/06/19


By Seán Boran, sean AT boran.com, for Security Portal


The Rundown

Ufsrestore buffer overflow discovered that could give local root access. Tip of the week presents a script for mirroring the boot disk each night, as an alternative to using RAID.


CERT Advisories & Sun Security Bulletins

none this week.


News

SecurityFocus

Solaris Default Processes and init.d Part II
This article is the second in a series on Solaris init.d and default processes. It explains how the startup scripts work and gives some examples, but does not delve into the details of the many startup scripts themselves.

Solarisguide:

Sun Community Source License (SCSL): A discussion on the "free-ness" of Solaris 8.

OpenBSD

OpenBSD 2.7 has been released, with lots of updates to the security tools (SSH, IPsec/IKE, swap space encryption, SSL, ipf), the OS (much better hardware support) and the ports collection. Several minor security problems have also been fixed.
I believe only the SPARC and not the Ultra architecture is supported (unfortunately). Solaris 8 may be a little slow on your old Sparc 4/5/10/20, but OpenBSD is not. Buy the CD and try it out.  www.OpenBSD.org/plus27.html


Mailing lists, Bugtraq

Bugtraq vulnerabilities this week - Solaris:

2000-06-14: Solaris ufsrestore Buffer Overflow Vulnerability
Ufsrestore is setuid root by default and vulnerable to a buffer overflow attack, which could allow a local attacker to gain root access. No patch is yet available; a workaround would be to remove the setuid bit (but then only root can make restores).

Bugtraq vulnerabilities this week - Applications that run on Solaris:

2000-06-14: Network Associates PGP Certificate Server Unresolveable IP Address DoS Vulnerability
2000-06-09: 3R Soft MailStudio 2000 Multiple Vulnerabilities
2000-06-08: Multiple Vendor JSP Source Code Disclosure Vulnerability (concerns BEA Systems Weblogic and IBM WebSphere Application Server).

FOCUS-Sun discussions were numerous this week:

06/14/00 sun support / linux ?
06/14/00 SunOS 5.8 upgrades
06/14/00 Solaris 2.8, was Locking down a Sun box
06/14/00 Locking down a Sun box (lots of discussion on this one)
06/14/00 Sunscreen vs ipf
06/14/00 Secure shell not working
06/13/00 Secured FTP server
06/09/00 solaris packages

Progress report on Yassp (the Solaris hardening tool), from the Developers' list:

Several bugs reported: /etc/default/passwd, root cron replaced instead of edited, /etc/skel/local.profile, Yassp doesn't work well with a custom jumpstart, removing the yassp package did NOT restore all files correctly. Development cycle/Version naming should be improved. Existing settings in /etc/system are ignored.

Changes discussed: Move tcpd to /usr/local/sbin? Move tripwire from /secure to /opt/local? Only change security settings in /etc/system? Reword /etc/motd? Why are accounts blocked in passwd and shadow? Do we really have to change the geos for root?
Edit vfstab and improve mount options? No - not so easy to edit and the options depend on server usage, so we should document it as a post-install step.

Fixes implemented by Jean: The passwd file will be cleaned in future using commands like usermod/passwd/passmgmt, rather than sed (in the clean_passwd script). All files changed and moved should be backed up.

General discussions: coreadm(1) can be used to specify how cores are generated/managed, in Solaris7 11/99 and later. Are nettune settings OK for 32 and 64bit Solaris7/8? DNScache is a good alternative to BIND (but Jean notes that even if BIND or DNScache is installed, the patches for libresolv are still needed). It was suggested that the eeprom command "setenv security-password" should be documented as a subsequent step to Yassp installation - the list didn't sound convinced.

See also: Yassp site, Hardening Solaris (with Yassp)


Tip of the Week

Minimum downtime and prevention of data loss is important for most servers. The traditional solution is to use a RAID box to cover for disk failures. However, if the root, /usr and /var filesystems are on RAID and the RAID controller goes, you have a problem (unless you have a fully redundant RAID). I've been caught out twice over the last few years by failed fibre channels and controllers, and I now use RAID for data disks, put system files on a "normal" single disk and mirror to an identical disk each night. If the boot disk dies, boot from the second disk.

The script mirror_boot.sh has been developed to do just that. Sample output is in mirror_output.txt. Read the comments at the top of the script carefully before using it!

How it works: Each night the offline disk is mounted and synchronised with the primary disk. The script is called from the root cron nightly. It mounts the spare disk under /newroot, copies all filesystems, installs a boot block and copies over a new vfstab. This creates a fully updated bootable spare disk. The results of the script are sent to the administrator via email.
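The nightly procedure above, sketched as an added Bourne shell example (this is not Seán's mirror_boot.sh; the device names c0t0d0/c0t1d0, the /newroot path, the ufsdump|ufsrestore copy and the bootblk path are assumptions):

```shell
#!/bin/sh
# Nightly copy of the live boot disk to an identical spare, then make the
# spare bootable on its own.  Device names, /newroot and the use of
# ufsdump|ufsrestore are assumptions for this example.
PRIMARY=c0t0d0            # live boot disk (assumed)
SPARE=c0t1d0              # identical spare disk, same slice layout (assumed)
NEWROOT=/newroot
FILESYSTEMS="/ /usr /var"
ADMIN=root
LOG=/var/tmp/mirror_boot.log

# Print the block device of a mount point, read from a vfstab file.
slice_of() {   # $1 = mount point, $2 = vfstab
    awk -v mp="$1" '$1 !~ /^#/ && $3 == mp { print $1 }' "$2"
}

# Rewrite a vfstab so every reference to the primary disk names the spare.
# This is what makes the copy self-contained: without it the spare would
# boot, then mount /usr and /var from the (possibly dead) primary disk.
rewrite_vfstab() {   # $1 = source vfstab, $2 = destination
    sed "s,$PRIMARY,$SPARE,g" "$1" > "$2"
}

# Copy one filesystem: fresh newfs on the spare slice, mount it under
# /newroot, then ufsdump the live slice straight into ufsrestore.
copy_fs() {   # $1 = mount point
    dev=`slice_of "$1" /etc/vfstab`
    spare_dev=`echo "$dev" | sed "s,$PRIMARY,$SPARE,"`
    raw_src=`echo "$dev" | sed 's,/dsk/,/rdsk/,'`
    raw_dst=`echo "$spare_dev" | sed 's,/dsk/,/rdsk/,'`
    newfs "$raw_dst" < /dev/null
    mkdir -p "$NEWROOT$1" && mount "$spare_dev" "$NEWROOT$1"
    (cd "$NEWROOT$1" && ufsdump 0f - "$raw_src" | ufsrestore rf - && rm -f restoresymtable)
}

mirror_boot() {
    for fs in $FILESYSTEMS; do copy_fs "$fs"; done
    rewrite_vfstab /etc/vfstab "$NEWROOT/etc/vfstab"
    # Boot block on slice 0 of the spare (sun4u bootblk path assumed).
    installboot /usr/platform/`uname -i`/lib/fs/ufs/bootblk "/dev/rdsk/${SPARE}s0"
    for fs in /var /usr /; do umount "$NEWROOT$fs"; done
}

# From root's crontab, e.g.:  0 2 * * * /usr/local/sbin/mirror_boot.sh run
# The log is mailed to the administrator when the run finishes.
case "${1:-}" in
    run) mirror_boot > "$LOG" 2>&1; mailx -s "mirror_boot `hostname`" "$ADMIN" < "$LOG" ;;
esac
```

After a run, check the spare's vfstab by eye before trusting it: every line that still names the primary disk is a filesystem the spare will fail to mount when the primary is gone.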

Advantages: This solution is very simple (no complex hardware or software) and easy to understand in a crisis (when RAID complexity can be hell).

Disadvantages: Hot failover is not available, and a downtime of say 15 minutes has to be acceptable.

Comments/corrections/suggestions are welcome.


References and Resources

Sun Security Resources:

Sun Security Coordination Team sunsolve.sun.com/pub-cgi/show.pl?target=security/sec
Sun security bulletins are available at: sunsolve.sun.com/security
General Sun Security www.sun.com/security
Solaris Security Datasheets www.sun.com/software/solaris/ds/ds-security
Java Security java.sun.com/security

Patches

If you have a maintenance contract, log in to sunsolve and get both the PatchDiag tool and its reference database, sunsolve.sun.com. If you don't, use the SecurityFocus Solaris Patch Calculator: www.securityfocus.com/sun/vulncalc

Sun security patches: sunsolve.sun.com/securitypatch
Public patch access: sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access
Patch download tool WGET: sunsite.auc.dk/ftp/pub/infosystems/wget

Web Publications, resources

SecurityFocus, Sun section: www.securityfocus.com/sun
Vulnerability database: www.securityfocus.com/vdb

Security Portal papers:
  Hardening Solaris
  Review of the Sunscreen EFS3 firewall
  All about SSH - Part I 
  All about SSH - Part II

SANS Report: How To Eliminate The Ten Most Critical Internet Security Threats

BigAdmin
SunFreeware
Solaris Guide
Freeware4sun
Solaris Central
Intrusion Detection: snort
Solaris-System (x86) Forum
Network scanners: Nessus, Nmap
Sunwhere index of resources
Sunworld security columns
The IT Security Cookbook
Solaris Security FAQ
BSD Today

General discussion resources

News / personal interface to Sun resources: www.sun.com/MySun
BigAdmin discussion forum & FAQs: www.sun.com/bigadmin/home/index.html

Newsgroups:
  comp.unix.solaris
  comp.sys.sun.admin
  comp.sys.sun.hardware
  alt.solaris.x86

Sun-managers Mailing list: This list has been around for many years and is an invaluable resource to Sun system administrators.
To have your mailing address added to or removed from the mailing list, send a request to "majordomo@sunmanagers.ececs.uc.edu". The request should contain simply one line which says either "subscribe sun-managers" or "unsubscribe sun-managers". You can specify the particular e-mail address to be added after the word "subscribe".

SecurityFocus "FOCUS-Sun" list:  www.securityfocus.com/focus/sun/subscribe.html
Focus-Sun is meant to be a resource for Sun users and administrators, looking for that extra little bit of help ..., using Sun products in security roles, and getting additional information about the latest in Sun vulnerabilities. ... In addition, important announcements related to breaking vulnerabilities will be posted.