Weekly Solaris Security Roundup -  2000/07/16 to 2000/07/23


By Seán Boran, sean AT boran.com, for Security Portal


The Rundown

Tools updated: Yassp, OpenSSH, LSH, nmap-web.

Interesting articles on routing, C2 auditing in Solaris, DNS hijacking, the cracker's revenge, security processes, the ICAT database, and installing snort.

Vulnerabilities: Java webserver, wu-pop2d, listserv.

Tip of the Week presents a script for easy Solaris audits.


CERT Advisories & Sun Security Bulletins

No Sun advisories this week.

CERT

Advisory updated: CA-2000-13 Two Input Validation Problems in FTPD

Activity:
Compromises via Multiple FTP Vulnerabilities
Compromises via BIND Vulnerability
Scans and Probes


News

ICAT The ICAT Metabase is a searchable index of computer vulnerabilities. ICAT links users into a variety of publicly available vulnerability databases and patch sites, thus enabling one to search the combined knowledge of the best vulnerability resources on the web. ICAT is not itself a vulnerability database, but instead a searchable index leading one to vulnerability resources and patch information. ICAT allows one to search at a fine granularity, a feature unavailable with most vulnerability databases, by characterizing each vulnerability by over 40 attributes (including software name and version number). ICAT indexes the information available in CERT advisories, ISS X-Force, Security Focus, NT Bugtraq, Bugtraq, and a variety of vendor security and patch bulletins. ICAT does not compete with publicly available vulnerability databases but instead is a search engine that drives traffic to them. ICAT uses the CVE vulnerability naming standard.

The Need for Security, by David Molnar, is a useful article tying together encryption algorithms, protocols, implementation, "reality", threat assessment and understanding the overall security picture.

RootPrompt: Cracked! Part 7: The Cracker's Revenge.
The final part in a very educational series of articles on being hacked and observing hacker behavior.

Sunworld

Domain name hijacking, By Carole Fennelly
Network Solutions needs to improve its processes and customer interfaces...

Performance versus security: Rik Farrow presents a short discussion on the effectiveness of using stateful packet filters rather than application proxies for difficult protocols like FTP. Firewall-1 and PIX were hit by problems of this kind recently.

Sun

Routing Support Document/FAQ is an old, but comprehensive and useful overview of routing, how it works in Solaris and how to configure/debug routing.

SecurityFocus:

Intrusion Detection using Solaris Basic Security Module, by David Endler.
Kernel auditing is available in many flavors of UNIX, although some administrators shy away from enabling it. Three common reasons for hesitation are fears of cpu performance drain, not enough disk space, and not enough time available to comb through copious amounts of audit output. This article explains the value of kernel audit sources in host and hybrid-based intrusion detection systems. As an example, I demonstrate the built-in C2 kernel auditing features of the Solaris Basic Security Module, and present a few ideas for automating real-time misuse detection with it.

Security Tools News:

SSH:
- OpenSSH Portable 2.1.1p4 released, see also the Changelog.
- LSH v1.0 (a free distribution of the ssh2 protocol) has been released.

Libpcap is now at v0.5 (the first update since 1998). This packet filter library is used by tools such as tcpdump, snmpsniff, ntop, ethereal, Iplog, nmap, ngrep and snort. It is now maintained by the tcpdump group at www.tcpdump.org.
Note: it compiles fine on Solaris, but "make install" only installs the library; to install the include files and man pages as well, run "make install-incl" and "make install-man".

Snort Intrusion detection tool:
- Snort Installation and Basic Usage is a brief article describing how to install and to setup snort.
- V1.6.2.2 has a few problems, stay with v1.6 until a cleaner version arrives (v1.6.3 beta5 is currently under test).

Enhancing E-Mail Security With Procmail

Nessus 1.0.3 released.

Nmap: A http front-end to nmap has been developed, nmap-web. It also includes a CLI for running nmap "differences" to detect changes in open ports on a host/network. The author warns that it is "quick and dirty"...

PAD is at v1.02. It is a small command-line utility that separates data into two files, each mathematically indistinguishable from white noise, and puts two such files back together into the original. This version no longer forces output to be written to a file.


Mailing lists, Bugtraq

Bugtraq vulnerabilities this week - Solaris:

none.

Bugtraq vulnerabilities this week - Applications that run on Solaris:

2000-07-20: Default Sun Java Web Server Servlets Vulnerability
The information on this vulnerability has been updated with exploit code.

2000-07-17: L-Soft Listserv 1.8c and 1.8d Web Archives Long QUERY_STRING Buffer Overflow Vulnerability
A buffer overflow allows remote access, a patch is available.

2000-07-14: Univ. of Washington pop2d Remote File Read Vulnerability
Any user who has a pop account on the machine can view any world or group readable file on the file system.

FOCUS-Sun discussions this week:

07/19/00 CISSPStudy Mailing List
07/18/00 rootless NIS passwd maps
07/18/00 Secure NTP Recommendations
07/17/00 Commercial POP3 server Recommendations
07/16/00 filesystem integrity
07/16/00 Listserv hiccup

Yassp (the Solaris hardening tool) Developers' list:

Yassp beta#11 is out and looking very good. It is a release candidate.

Key changes from beta#9:
- Upgrade SSH to 1.2.30.
- Overhaul web site and doc.
- Changes: on Solaris 8 priority_paging should not be set in /etc/system; typo in ip6_ignore_redirects fixed; notes in /etc/sshd_config and /etc/hosts.allow on sshdfwd-X11; minor changes to PARCdaily; packaging fixes; new nettune (which includes IPv6); order of messages in post-install.

Discussions:
Beta#11, release candidate is out
Beta#11 feedback
Yassp:ToDo list

See also: Main site, DL archive.


Tip of the Week

Auditing the security of an existing Solaris system can be time consuming, and often requires on-site visits. There are several commercial tools (e.g. Raxco ESM) and a few free ones (Titan and The Coroner's Toolkit), but they can be complicated and require local installation.

For situations where a "quick audit" of the system is required, the author has developed a small Bourne shell script, audit.sh. It is simple to run: the auditor could even give it to the sysadmin, ask him to run it at night and send the results back (perhaps by encrypted email). Its simplicity makes it easy to verify. The script is not as thorough as other tools, but it is small and easy to understand, and useful when you are asked to have a "quick look" at a system.

This script automates only the gathering of information; the difficult part, of course, is interpreting the results and deciding what countermeasures to take.

Read the header in the script for examples on how to use it. Feedback and comments are welcome.
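To give a flavour of what such a quick audit gathers, here is an added example (written for this column, not the author's audit.sh, which you should fetch from the link above) of a few checks written as Bourne shell functions. Each takes a file or directory argument rather than assuming /etc/shadow or /, so the same functions can be run over a copy of the files the sysadmin sends back. The passwd file and directory tree it runs over are constructed samples, not data from any real system.

```shell
#!/bin/sh
# Added example, not Sean Boran's audit.sh: a handful of the checks a
# "quick audit" script gathers on a Solaris box, written as functions that
# take a file or directory so they can also be run over copies of /etc/shadow
# or a mounted image sent back by the sysadmin.

# Accounts whose password field is empty: no password is needed to log in.
# On Solaris run this against /etc/shadow (the hash lives there, not in passwd).
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Every UID-0 account besides root; a second root account is a classic back door.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# UIDs shared by more than one account (file ownership becomes ambiguous).
duplicate_uids() {
    awk -F: '{ print $3 }' "$1" | sort -n | uniq -d
}

# World-writable directories without the sticky bit: anyone can delete or
# replace other users' files in them.
world_writable_dirs_without_sticky() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print 2>/dev/null
}

# setuid/setgid files; compare the list with one taken from a fresh install.
setuid_setgid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Write a constructed passwd-style sample (not a real system's data) to $1.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
toor:x:0:0:second root:/:/bin/sh
guest::1001:10:Guest:/export/home/guest:/bin/sh
joe:x:1001:10:Joe:/export/home/joe:/bin/sh
EOF
}

# Build a small constructed directory tree under $1 with one bad directory and
# one setuid file, so the filesystem checks can be demonstrated offline.
write_sample_tree() {
    mkdir -p "$1/tmp" "$1/scratch" "$1/bin"
    chmod 1777 "$1/tmp"      # world-writable but sticky: acceptable
    chmod 777 "$1/scratch"   # world-writable, no sticky bit: flag it
    : > "$1/bin/su"
    chmod 4755 "$1/bin/su"   # setuid file: should appear in the report
}

# Run every check over the constructed samples, one report section per check.
run_demo() {
    tree=$(mktemp -d) || exit 1
    pw="$tree/passwd.sample"
    write_sample_passwd "$pw"
    write_sample_tree "$tree"
    for check in empty_password_accounts extra_uid0_accounts duplicate_uids; do
        echo "== $check =="; "$check" "$pw"
    done
    for check in world_writable_dirs_without_sticky setuid_setgid_files; do
        echo "== $check =="; "$check" "$tree"
    done
    rm -rf "$tree"
}

# On a live system, point the account checks at /etc/shadow and /etc/passwd and
# the filesystem checks at / (run as root, ideally at night, and mail the
# output back to the auditor).
run_demo
```

The output is deliberately raw lists, in the spirit of the tip: the script collects, the auditor interprets. The setuid list in particular is only useful against a baseline taken from a clean installation of the same Solaris release.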

Several of the tools recently presented in "Tip of the Week", have been updated:
- Simple version control script: saveit
- Script for cold mirroring of a boot disk: mirror_boot.sh
- Running BIND v8 chroot'ed on Solaris 5/6/7

If you have any security tips/scripts you'd like to share with others, contact sean AT boran.com.


References and Resources

Sun Resources: Security Co-ordination Team, Security bulletins, General Sun Security, Solaris Security Datasheets, Java Security.

Patches

Sun security patches, Public patches. If you have a maintenance contract, log in to Sunsolve and get both the PatchDiag tool and its reference database.
If you don't, use the SecurityFocus Solaris Patch Calculator.

Web Publications, resources

CERT: Recovering from an Incident
SANS
Security Portal papers: Hardening Solaris, Review of the Sunscreen EFS3 firewall, All about SSH - Part I, All about SSH - Part II.

SecurityFocus: Sun section, Vulnerability database.

Sites: BigAdmin, Solaris Guide, Solaris Central, Solaris-System (x86) Forum, Sunwhere index of resources, Sunworld security columns, Solaris Security FAQ.
Software and related sites: SunFreeware, Freeware4sun, BSD Today, Daemonnews, IT Security Cookbook.
Tools: tcpd, rdist, fwtk/smap, nessus, nmap, snort, yassp, tcpdump.

General discussion resources

Personal interface to Sun resources: www.sun.com/MySun
BigAdmin discussion forum & FAQs: www.sun.com/bigadmin/home/index.html
Newsgroups: comp.unix.solaris, comp.sys.sun.admin, comp.sys.sun.hardware, alt.solaris.x86

Sun-managers Mailing list: This high quality list has been around for many years and is an invaluable resource to Sun system administrators.
Send a request to "majordomo@sunmanagers.ececs.uc.edu". The request should contain simply one line which says either "subscribe sun-managers" or "unsubscribe sun-managers". You can specify the particular e-mail address to be added after the word "subscribe".
Archives: Calgary1, Calgary2

SecurityFocus "FOCUS-Sun" list: see www.securityfocus.com/focus/sun/subscribe.html
Focus-Sun is meant to be a resource for Sun users and administrators, looking for that extra little bit of help ..., using Sun products in security roles, and getting additional information about the latest in Sun vulnerabilities. ... In addition, important announcements related to breaking vulnerabilities will be posted.