Weekly Solaris Security Roundup - 2000/07/02 to 2000/07/09

Weekly Solaris Security Roundup Archive

By Seán Boran, sean AT boran.com, for Security Portal


The Rundown

SSH and wu-ftp have been updated to fix security issues.

Security tools snort and nessus have new versions. Yassp is at beta#9.

The tip of the week presents "saveit", a script for simple version control of files/directories.


CERT Advisories & Sun Security Bulletins

No new advisories this week.

Patches have not yet been produced for the Solaris 2.6/7/8 ufsrestore vulnerability noted three weeks ago.

CERT activity:


News

SecurityFocus: Installing djbdns (DNScache) for Name Service, by Jeremy Rauch
This article discusses installing Dan Bernstein's alternative to BIND.

Solarisguide: Sun re-thinking source code giveaway

Security Tools News:

Nessus 1.0.2 released.

Snort Intrusion detection tool:
- New rules file released 07062k
- 'SnortNet' released by Fyodor
- Craig Smith has finished the Passive OS detection for snort and a Perl module for manipulating snort log files.

SSH 1.2.30 released. Changes: disallow access via unsupported ciphers, not hogging syslog file handles, making sure scp's don't miss data at the ends of files, Kerberos "none" ticket handling fix, applied patch for BSD tty chown() bug. Previous: RSAREF buffer overflow bug fix.

OpenSSH Portable 1.1.1p2 released, see Changelog.


Mailing lists, Bugtraq

Bugtraq vulnerabilities this week - Solaris:

none

Bugtraq vulnerabilities this week - Applications that run on Solaris:

2000-07-05: Checkpoint Firewall-1 Spoofed Source Denial of Service Vulnerability
2000-07-05: proftpd Remote User Supplied Data Passed as Format String Vulnerability
2000-07-05: SSH 1.2.27 Kerberos Ticket Cache Exposure Vulnerability
This affects SSH users who use Kerberos in a multi-user environment. An upgrade to V1.2.30 is recommended (see above).
2000-07-05: cyrus With postfix and Procmail Remote Shell Expansion Vulnerabilities
2000-07-04: CGI-World Poll It Internal Variable Override Vulnerability
2000-06-30: Checkpoint Firewall-1 Remote Resource Overload Vulnerability
2000-06-30: Sendmail on Solaris - mail.local Content-Length Vulnerability

FOCUS-Sun discussions this week:

07/05/00 Disabling direct access
07/05/00 Max. No of processes
07/05/00 Solstice Disk Suite
07/05/00 FW-1 on Sun.
07/03/00 Book on SunScreen
06/30/00 Firewall in Sun

Yassp (the Solaris hardening tool) Developers' list:

Yassp beta#9 has been released as a new (9MB) tarball. It looks very good, but a few minor problems have been found. Discussions:
feedback
browser problem
tcpd in /usr/bin

See also: Main site, DL archive, Hardening Solaris Article.


Tip of the Week

It's a good idea to keep previous versions of configuration files, to allow rollback, have an audit trail and coordinate between several administrators. Some sysadmins use rcs, some copy the configuration file to file.DATE beforehand, some do nothing :).

Francisco Mancardi from U&R Consultores [fman@uyr.com.ar] has written a simple script that can be used to save a copy of a file or directory before doing modifications.

Saveit is a little tool to make a backup of config files before you change them. It saves a copy under /Backup.d/DATE/ and logs "who saved what file" in /Backup.d/log-DATE. The existing directory structure is preserved under the backup directory.
It's a simple but useful version control tool for text files, e.g.:

etc/[9]% saveit vfstab
copying file vfstab ===> /Backup.d/20000707/etc/vfstab

etc/[61]% saveit vfstab
copying file vfstab ===> /Backup.d/20000707/etc/vfstab.13:37

etc/[10]% ls -l /Backup.d/20000707/etc/vfs*
-rw-r--r-- 1 root sys 386 Mar 14 08:31 /Backup.d/20000707/etc/vfstab
-rw-r--r-- 1 root sys 386 Mar 14 08:31 /Backup.d/20000707/etc/vfstab.13:37


etc/[11]% tail /Backup.d/log-20000707
Backup base directory /Backup.d
Backup requested by root
Date (dd/mm/aaaa) 07-07-2000
Time 11:36
/etc/vfstab
--------------------------------------------------------------
Backup base directory /Backup.d
Backup requested by root
Date (dd/mm/aaaa) 07-07-2000
Time 13:37
/etc/vfstab

The advantages of this tool are: simplicity, and no clogging up the current directory with old versions of files, rcs directories etc. It has been tested on Linux, Solaris 2.6/7 and OpenBSD 2.6.

Three versions of the script can be downloaded:
- Francisco's original Spanish version: saveit-sp.sh
- Francisco's version with English messages: saveit-en.sh
- My tweaked version: saveit (less verbose messages, a fix for OpenBSD, English translations and, if the target exists, saving with a time postfix).
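
The behaviour described in this tip (a copy under /Backup.d/DATE/ with the directory structure preserved, a time postfix when the target already exists, and a who-saved-what log) can be sketched in POSIX shell as below. This is an added example, not Francisco's script or the tweaked version; the BACKUP_BASE override, the counter suffix for repeated saves within one minute and the log line format are assumptions of this sketch.

```shell
#!/bin/sh
# Added sketch of the behaviour described above; not Francisco Mancardi's script.
# BACKUP_BASE is an assumed override so the sketch can be tried without root.
BACKUP_BASE="${BACKUP_BASE:-/Backup.d}"

saveit() {
    src=$1
    [ -e "$src" ] || { echo "saveit: $src: not found" >&2; return 1; }

    # Absolute path of the source, so /etc/vfstab lands in DATE/etc/vfstab.
    dir=$(cd "$(dirname "$src")" && pwd -P) || return 1
    [ "$dir" = / ] && dir=""
    abs="$dir/$(basename "$src")"

    day=$(date +%Y%m%d)
    now=$(date +%H:%M)
    dest="$BACKUP_BASE/$day$abs"

    # Never overwrite an earlier copy: add a time postfix, then a counter
    # (assumption of this sketch) if the file is saved again within the minute.
    if [ -e "$dest" ]; then
        dest="$dest.$now"
        n=1
        while [ -e "$dest" ]; do
            dest="$BACKUP_BASE/$day$abs.$now-$n"
            n=$((n + 1))
        done
    fi

    mkdir -p "$(dirname "$dest")" || return 1
    # -p keeps mode and timestamps (and owner when run as root), so a
    # restrictive mode on the original also applies to the backup copy.
    cp -pR "$src" "$dest" || return 1

    # Audit trail: who saved what, appended to log-DATE (format is this sketch's own).
    who=${LOGNAME:-$(id -un)}
    printf '%s %s %s saved %s as %s\n' "$day" "$now" "$who" "$abs" "$dest" \
        >> "$BACKUP_BASE/log-$day" || return 1
    echo "copying file $src ===> $dest"
}

# Stand-alone use: saveit FILE...
if [ $# -gt 0 ]; then
    for f in "$@"; do saveit "$f" || exit 1; done
fi
```

Because the backup tree can hold copies of sensitive configuration files, check that the directories under the backup base are not more widely readable than the originals' parent directories.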


References and Resources

Sun Resources: Security Coordination Team, Security bulletins, General Sun Security, Solaris Security Datasheets, Java Security.

Patches

Sun security patches: sunsolve.sun.com/securitypatch
Public patches: sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access

If you have a maintenance contract, log in to sunsolve and get both the PatchDiag tool and its reference database.
If you don't, use the SecurityFocus Solaris Patch Calculator.

Web Publications, resources

Security Portal papers: Hardening Solaris, Review of the Sunscreen EFS3 firewall, All about SSH - Part I, All about SSH - Part II.

SecurityFocus: Sun section, Vulnerability database.
SANS

BigAdmin, SunFreeware, Solaris Guide, Freeware4sun, Solaris Central, BSD Today, Daemonnews, Solaris-System (x86) Forum, IT Security Cookbook, Sunwhere index of resources, Sunworld security columns, Solaris Security FAQ.
Tools: tcpd, rdist, fwtk/smap, Nessus, Nmap, snort, Yassp.

General discussion resources

Personal interface to Sun resources: www.sun.com/MySun
BigAdmin discussion forum & FAQs: www.sun.com/bigadmin/home/index.html
Newsgroups: comp.unix.solaris, comp.sys.sun.admin, comp.sys.sun.hardware, alt.solaris.x86

Sun-managers Mailing list: This high quality list has been around for many years and is an invaluable resource to Sun system administrators.
Send a request to "majordomo@sunmanagers.ececs.uc.edu". The request should contain simply one line which says either "subscribe sun-managers" or "unsubscribe sun-managers". You can specify the particular e-mail address to be added after the word "subscribe".

SecurityFocus "FOCUS-Sun" list: see www.securityfocus.com/focus/sun/subscribe.html
Focus-Sun is meant to be a resource for Sun users and administrators, looking for that extra little bit of help ..., using Sun products in security roles, and getting additional information about the latest in Sun vulnerabilities. ... In addition, important announcements related to breaking vulnerabilities will be posted.