Weekly Solaris Security Digest
2000/09/24 to 2000/10/01

Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html

By Seán Boran (sean at boran.com) for SecurityPortal


The Rundown


Advisories and Security Bulletins

Sun / CERT bulletins

none

Bugtraq vulnerabilities this week - Solaris:

none

Bugtraq vulnerabilities this week - 3rd party applications:

2000-09-28: Netscape Communicator type=password Buffer Overflow Vulnerability
Netscape Communicator is susceptible to a buffer overflow when viewing an HTML document with an INPUT tag whose 'type=password' argument is over 16 KB long. Fix: no patches yet.
2000-09-26: HP Openview Node Manager SNMP DoS Vulnerability
2000-09-26: Openview Network Node Manager ovalarmsrv Vulnerability
2000-09-26: Netscape Messaging Server DoS Vulnerability
2000-09-24: Alabanza Control Panel Domain Modification Vulnerability
2000-09-23: Pine Buffer Overflow Vulnerability


Patches

The dates on the latest Recommended and Security Patch clusters are:

Solaris 8        Sep/07/00
Solaris 7        Sep/19/00
Solaris 2.6      Sep/18/00
Solaris 2.5.1    Sep/08/00


News & Articles

CERT:
• The current CERT/CC PGP key will expire on Saturday, September 30, 2000. We use this key to sign all outgoing email, including advisories sent to this list. A new key is available and will be valid until October 1, 2001. To obtain further information or to download the new CERT/CC public PGP key, please visit www.cert.org/contact_cert/encryptmail.html
• The CERT/CC FTP server will be retired as a distribution source for CERT/CC publications on Friday, September 29, 2000. All documents that were previously distributed via ftp.cert.org are now available from the CERT/CC web site. For further information, please visit www.cert.org/ftp/README.html

SolarisGuide
• pkg-get is a tool for getting and installing the latest version of a package from sunfreeware.com. Old packages that need upgrading are also detected. In fact, the author of this tool has quite a few useful nuggets on his Solaris page; have a look at http://www.bolthole.com/solaris/.
• SuSE Linux (v7) is now also available for the SPARC architecture.
Downloads: ftp://ftp.suse.com/pub/suse/sparc,   Announcement: http://www.suse.de/uk/news/newsflash/SuSE_Linux_AG_Announce_Linux_Version_for_SPARC_Processors.html

UltraLinux.org
• Red Hat has said that it won't be releasing Red Hat Linux 7.0 for the SPARC platform due to low demand.
• For a list of current Linux distributions for SPARC, see http://www.ultralinux.org/dists.html . Note that some only run on SPARC, but not UltraSPARC.

O'Reilly Network
A tutorial on cron

SunWorld
Why aren't you logging?, by Peter Baer Galvin
This article discusses the filesystem mount options 'logging' and 'noatime' and rightly points out that they are very useful and should be used. The question is why they are not enabled by default in Solaris 7 and 8. Note: in the second week of August we presented a 'tip of the week' on which mount options to use, and when. See the digest archive http://www.securityportal.com/research/research.wss.html

Sun:
Hardware Diagnostics for Sun Systems. This article discusses the boot prom.

SecurityFocus:
NFS Security, by Samuel Sheinin

Security Tools News

Snort www.snort.org
• 09262k.rules file released. This updated ruleset has too many changes to list. From rule corrections using '/' characters to adding IDS# matching the arachNIDS database. (Many were not listed properly)
• Snort-1.6.3-patch2 is now available in the file section.
• Snort 1.7 beta (dev.) is available via CVS (this works well and is needed if you want to try out the ACID tool mentioned two weeks ago).
• snortstart updated to v0.17
• Snorticus v1.0 is a collection of shell scripts designed to allow easy management of Snort sensors. It allows you to routinely collect Snort sensor data, analyze the data via snortsnarf, and easily maintain rule files. http://snorticus.baysoft.net/

TCT: The Coroner's Toolkit 1.03
Dan Farmer and Wietse Venema, http://www.porcupine.org/forensics/tct.html
TCT is a collection of programs that can be used for a post-mortem analysis of a UNIX system after break-in. Changes: Fixed a bug that caused icat etc. to remember the wrong file seek position, updated help-recovering-file document.

NMAP
• NDiff 0.03
NDiff compares two nmap scans and outputs the differences. Changes: Performance improvements to the ndiff program. Tweaks/workarounds to silence pod2man complaints when installing. These changes have not been heavily tested. www.vinecorp.com/ndiff

SSL
•  Using OpenSSL's S/MIME facilities
•  Introducing SSL and Certificates using SSLeay, by Frederick J. Hirsch. Although it does not refer to the newer OpenSSL/mod_ssl, it is thorough and useful.
•  OpenSSL v0.9.6 www.OpenSSL.org
Changes: This stable release includes bugfixes and extra documentation in addition to new sign and verify options to 'dgst' application, support for DER and PEM encoded messages in 'S/MIME' application, and new 'rsautl' application (low level RSA utility.)

OpenLDAP development v2.0.4 released, stable release is still v1.2.11. www.OpenLDAP.org
Changes: Fixed clients printf/usage bugs, lldap SASL interoperability, lldap PF_LOCAL declaration/call bugs, slapd SASL log error, slapd spasswd support, slapd/tools fixed sasl_props, slurpd SASL support, documentation, --enable-spasswd, ldif(5) file:/// . Added slapd accept(2).
Updated ldap_schema(3).

PGP
GnuPG v1.0.3 released. http://www.gnupg.org Changes: RSA support, supports the new MDC encryption packet, default options changed for better compatibility with PGP 7. The usual fixes and other enhancements.

AMaViS - A Mail Virus Scanner  0.2.1-pre3
Christian Bricart, http://www.amavis.org/
Apart from the usual typo and cosmetic changes: broken links updated in documentation; improved detection for uuencoded mails (if sent inline); improved handling of self-extracting files a bit; fixed possible mail loss in sendmail and postfix when used as relay.

Big Brother v1.5c1
motu robert, http://freshmeat.net/projects/bigbrother/
Highly efficient network monitor.

NetSaint stable: v0.0.5 - devel: v0.0.6 beta 6
Ethan Galstad, http://www.netsaint.org
A relatively simple active network monitor.
Changes: Patched drop_privileges() to set supplementary group privileges properly. Patched subst and daemon-init scripts. Fixed bug where trends CGI would go into an infinite loop if log rotation was not used. Commands that have a return code of 126 or 127 are now logged with a warning about potentially missing scripts or binaries. Added a check for NULL host name and service description in IPC message queue to avoid erroneous warnings about results being found for non-existent services. Services that are in an OK state are no longer escalated to a critical state (HOST_DOWN or UNREACHABLE) when there are host problems.

pam_smb v1.1.6
http://www.csn.ul.ie/~airlied/pam_smb/
pam_smb is a PAM module/server which allows authentication of UNIX users using an NT server. This release fixes security holes.

httpf v1.03
http://httpf.sourceforge.net/
A WWW security proxy that forwards only allowed, harmless content, filtering of HTTP and HTML, using POSIX threads, written in plain C, generic configuration, extensive audit possible.

toby 0.77
http://www.buttsoft.com/~thumper/software/sysadmin/Toby/
Toby is another reimplementation of the ever-useful tripwire program. The original tripwire-1.3 is available for free, but ran a bit slow in my test comparisons. Also, newer versions of tripwire are not free for commercial users, but include much cooler cryptographic signatures and such. My feeling was that it would be nice to have a GPL version of tripwire to use with some of my clients. The first major difference from tripwire is that toby is written in perl. Cryptographic modules from CPAN are used, hopefully ensuring that as better algorithms are found for some routines (e.g., MD5) then toby will inherit those improvements.

Nabou 1.5
Thomas Linden, http://www.0x49.org/nabou
nabou is a perl script which you can use to check file integrity and something more. One of its main intentions is to be easy to use and easy to understand. It is written in perl, which ensures that it can run on many different platforms. Besides file integrity (MD5) it can also take a look at crontabs, suid files and user account changes. It stores all data in standard dbm databases. It can also check various file attributes, such as file mode or size. Besides filesystem integrity you can use nabou as a process monitor as well; in this special mode it can run as a daemon in the background and inform you if it finds a weird process.

Dante 1.1.3
Inferno Nettverk A/S, http://www.inet.no/dante
Dante is a free implementation of the proxy protocols socks version 4, socks version 5 (rfc1928) and msproxy. Dante is also a circuit-level firewall/proxy that can be used to provide convenient and secure network connectivity to a wide range of hosts while requiring only the server Dante runs on to have external network connectivity.
Major change: HTTP proxy support in client (meaning "socksify" can work when going through web proxies too).

Email Security through Procmail 1.119
John Hardin, ftp://ftp.rubyriver.com/pub/jhardin/antispam/html-trap.procmail
Email Security through Procmail attempts to address the trend towards "enhancing" email clients with support for active content, which exposes end-users to many and varied threats, by "sanitizing" email: removing obvious exploit attempts and disabling the channels through which exploits are delivered. Facilities for detecting and blocking Trojan Horse exploits and worms are also provided.


Mailing Lists

FOCUS-Sun discussions

09/28/00 centralized syslog solutions request
09/27/00 CORE-SDI ssyslog [Was: Re: centralized syslog solutions request]
09/27/00 CORE-SDI ssyslog [Was: Re: centralized syslog solutions request]
09/27/00 Sun Syslog Server
09/22/00 JRE on systems
09/22/00 The DHCP Caveat (trivial, yet annoying)
09/22/00 Custom PAM for Solaris

YASSP (the Solaris hardening tool) Developers' list discussions

No Yassp discussions this week.

See also: Main site, DL archive, Interview With Jean Chouanard, Draft dev. doc.


Tip of the Week: "IPFilter"

I had always wanted to try out Darren Reed's IPfilter firewall, and came across a great book on the topic, which I read cover to cover. It also covers ipchains. Although the book's focus is on using IPfilter on OpenBSD, it's equally valid for Solaris.

The book was detailed enough to show what IPfilter configurations look like in the real world; that's where I came across two problems that seem like show stoppers to me, since I wanted to use IPfilter in a large, complex firewall:

So my summary of IPF is:

Features: IP filter offers filtering on protocol (udp or tcp), IP fragments, ports (and port ranges), IP options, TCP flags and ICMP type/code, and provides NAT, logging, transparent routing and VLSM (Variable Length Subnet Masks). In addition, it offers redirection of services ("transparent proxy") and stateful inspection ("keep state"), which tracks connections and checks that TCP ack/sequence numbers of subsequent packets are consistent with the connection.

Advantages: free, powerful, source code, works on many UNIX variants, probably easier to use than ipchains.

Disadvantages: no GUI, requires expert configuration. No definition of address groups is possible, which could make the rules for a firewall protecting a large number of networks very complicated. Likewise, no definition of groups of protocols is available. The filter engine is not intelligent: it does not understand application protocols like RPC or FTP, which makes the "keep state" feature a spoofing risk for those protocols.
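To make the feature list above concrete, here is a small ipf.conf and ipnat.conf pair written as an added example for this digest (it is not from the book or from the IPfilter distribution). The interface names hme0 (outside) and hme1 (inside) and the 192.168.1.0/24 network are assumed.

```ipf
# ---- /etc/opt/ipf/ipf.conf (constructed example) ----
# Rules are evaluated last-match unless "quick"; start with a logged default deny.
block in log all
block out log all

# IP fragments and packets carrying IP options are dropped at the outside.
block in quick on hme0 from any to any with frag
block in quick on hme0 from any to any with ipopts

# Anti-spoofing: the inside network must never appear as a source on hme0.
block in log quick on hme0 from 192.168.1.0/24 to any

# Outbound from the inside, stateful: only a SYN may open a TCP flow,
# and replies are matched against the tracked sequence/ack numbers.
pass out quick on hme0 proto tcp from 192.168.1.0/24 to any flags S keep state
pass out quick on hme0 proto udp from 192.168.1.0/24 to any keep state

# Inbound to a DMZ mail host: one port, a port range, and ICMP type/code.
pass in quick on hme0 proto tcp from any to 192.168.1.10 port = 25 flags S keep state
pass in quick on hme0 proto tcp from any to 192.168.1.10 port 6000 >< 6010 flags S keep state
pass in quick on hme0 proto icmp from any to 192.168.1.10 icmp-type 3 code 4

# Administrative SSH to the firewall itself, from the inside only.
pass in quick on hme1 proto tcp from 192.168.1.0/24 to 192.168.1.1 port = 22 flags S keep state

# Caveat from the tip: "keep state" tracks a single flow, so active FTP data
# channels and dynamically assigned RPC ports need their own explicit rules.

# ---- /etc/opt/ipf/ipnat.conf (constructed example) ----
# NAT: hide the inside network behind the hme0 address; TCP/UDP get portmapped.
map hme0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:40000
map hme0 192.168.1.0/24 -> 0/32

# Service redirection ("transparent proxy"): inside web traffic is sent to
# a local proxy on port 3128 without any client configuration.
rdr hme1 0.0.0.0/0 port 80 -> 192.168.1.1 port 3128 tcp
```

Load with `ipf -Fa -f /etc/opt/ipf/ipf.conf` and `ipnat -CF -f /etc/opt/ipf/ipnat.conf`, and watch the logged blocks with `ipmon -o I` while testing.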

If you're interested in IPF, some references:
•  A great book to buy is Building Linux and OpenBSD Firewalls, by Sonnenreich and Yates, 1999, ISBN 0-471-35366-3; check out the companion website www.openlysecure.org.
•  cheops.anu.edu.au/~avalon/ip-filter.html
•  ftp://coombs.anu.edu.au/pub/net/ip-filter
•  mailing list at majordomo@coombs.anu.edu.au with a subject "subscribe ipfilter".
•  IP Filter Based Firewalls HOWTO
•  SecurityPortal - Firewalling with IPF
•  SecurityFocus Introduction to IP Filter, Introduction to IP Filter Part 2.

If you have any security tips/scripts you'd like to share with others, contact sean at boran.com.


References and Resources

For brevity, the list of resources and references is kept in a separate document:
securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 29 September, 2000