Weekly Solaris Security Roundup - 2000/07/23 to 2000/07/31


Security Portal
Weekly Newsletter

Weekly Solaris Security Roundup Archive

By Seán Boran, sean AT boran.com, for Security Portal


The Rundown

Vulnerabilities: Roxen, Websphere and Navigator require attention.
Tools updated: Snort.
Articles: Forensics, IPFilter, Sendmail.
Tip of the Week presents The Coroner's Toolkit (TCT).


Advisories & Security Bulletins

No relevant Sun or CERT advisories this week.

Bugtraq vulnerabilities this week - Solaris: none.

Bugtraq vulnerabilities this week - Applications that run on Solaris:

2000-07-25: Netscape Communicator JPEG-Comment Heap Overwrite Vulnerability

2000-07-24: IBM WebSphere Showcode Vulnerability
Code/scripts can be viewed remotely.

2000-07-21: Roxen WebServer %00 Request File/Directory Disclosure Vulnerability
Directory contents and script contents can be listed remotely by sending a request like http://www.server.com/%00. A patch is available.


News

Sunworld

Forensics, How do you trace a security breach? By Carole Fennelly
A useful summary of how to track down what happened on a compromised system. It makes no mention of The Coroner's Toolkit, though, which is very useful in such situations.

Securing Sendmail

SecurityFocus:

Introduction to IP Filter

by Jeremy Rauch
The first of a two-part series; it discusses installing and configuring IPF for localhost use. Network firewall usage will be discussed next week.

Moment's Notice: The Immediate Steps of Incident Handling, by Ben Malisow

Security Tools News:

PortSentry monitors ports and can kick off alarms, which makes it useful for intrusion detection. A new article by Clifford Smith on 'BSD Today' explains how to set it up: Deploying Portsentry.

Snort Intrusion detection tool:
- V1.6.3 released. This is a stable release and no changes are expected soon. This new version comes bundled with DB plugs and all the available helper scripts (such as snort snarf).
- A new Win32 version is available too.
- 07122k.rules released; another update to the rules is expected in the coming days.
- The author has compiled and tested this new release on Solaris 2.6, 2.8 and OpenBSD 2.6. Note: the default logging directory has changed from /var/log to /var/log/snort (the '-l' option can also be used).

Nmap: The email lists are now archived on-line.


Mailing lists

FOCUS-Sun discussions:

07/21/00 filesystem integrity
07/21/00 secure shell advice
07/21/00 SUNWski

Yassp (the Solaris hardening tool) Developers' list:

- Yassp beta#11 is still under test.
- SANS announced that Yassp is nearing release status and has provided a permanent link from their home page.

Discussions:
lsof and traceroute
Re: Beta#11 feedback
Mods to tarball.html
RTFM...

See also: Main site, DL archive.


Tip of the Week

Once your system has been penetrated by an attacker, what do you do (apart from panic!)?

The Coroner's Toolkit (TCT) by Dan Farmer and Wietse Venema can help with the analysis of the system in an effort to find out what happened, how and when.

Tips

Preparation


If you have any security tips/scripts you'd like to share with others, contact sean AT boran.com.


References and Resources

For brevity, the list of resources and references is now kept in a separate document: solarisref.html.


© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved     Last Update: 31 July, 2000