Weekly Solaris Security Digest
2000/10/01 to 2000/10/08

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html
To receive this digest via Email, visit http://securityportal.com/subscribe.html


The Rundown


Advisories and Security Bulletins

Sun / CERT bulletins

CERT/CC Current Activity
http://www.cert.org/current/current_activity.html

The CERT/CC Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities currently being reported to the CERT/CC.
This edition: Compromises via rpc.statd, 'SITE EXEC' and SGI IRIX telnetd. Virus Activity. Scans and Probes.

Bugtraq vulnerabilities this week - Solaris:

none

Bugtraq vulnerabilities this week - 3rd party applications:

2000-10-02: WebTeacher WebData File Import Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1732

2000-10-02: XFCE 3.5.1 Local Xauthority Bypass Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1736

2000-10-02: Acme thttpd Arbitrary World-Readable File Disclosure Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1737

2000-10-01: Multiple Vendor Cfengine Format String Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1757

2000-09-30: scp File Create/Overwrite Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1742
• A malicious scp server can overwrite files belonging to the local user, i.e. if a user copies a file from workstation A to server B with scp and server B contains a hacked/malicious SSH, then server B can overwrite any file it likes on workstation A during the file transfer. Exploit code has been published. SSH2 uses a different protocol that is not vulnerable.
• Not vulnerable: OpenSSH 2.1 or later, SSH2.
• Fix: No patches so far, avoid using scp as root to untrusted servers.
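The weakness above comes from the scp client trusting the file name the remote side announces. In the scp wire protocol each file is preceded by a header of the form `C<mode> <size> <name>`; a client that writes to whatever `<name>` it receives lets a hostile server pick the destination. The following is an added example (not code from the digest, from the SSH vendors, or from OpenSSH) of the client-side check a hardened implementation applies: parse the header, then refuse any name that is empty, contains a path separator or `..`, or carries control characters. The header lines at the bottom are constructed for the example.

```python
"""Client-side screening of server-supplied scp file names (added example)."""
import os
import re

# scp announces each regular file with: C<octal mode> <size in bytes> <name>
_HEADER = re.compile(r"^C([0-7]{4}) (\d+) (.+)$")


def parse_header(line):
    """Parse a 'C' header into (mode, size, name); ValueError if malformed."""
    m = _HEADER.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("malformed scp header: %r" % line)
    return int(m.group(1), 8), int(m.group(2)), m.group(3)


def accept_filename(name):
    """Return True only for a bare file name the client is willing to create.

    Rejected: empty names, '.' and '..', anything containing a path
    separator (the server could otherwise steer the write elsewhere) and
    NUL or other control characters that could confuse later handling.
    """
    if not name or name in (".", ".."):
        return False
    if "/" in name or "\\" in name or "\0" in name:
        return False
    if any(ord(c) < 0x20 for c in name):
        return False
    return True


def destination_for(header, target_dir):
    """Return the local path an announced file may be written to.

    Raises PermissionError instead of silently honouring an unsafe name,
    which is the behaviour the vulnerable clients lacked.
    """
    _mode, _size, name = parse_header(header)
    if not accept_filename(name):
        raise PermissionError("server sent unsafe filename %r" % name)
    return os.path.join(target_dir, name)


# Constructed sample headers: one honest, two from a hostile server.
SAMPLE_HEADERS = [
    "C0644 12 notes.txt",
    "C0600 3 ../.rhosts",
    "C0644 7 /etc/passwd",
]


def screen_headers(lines):
    """Map each announced name to whether the client would accept it."""
    result = {}
    for line in lines:
        _mode, _size, name = parse_header(line)
        result[name] = accept_filename(name)
    return result


if __name__ == "__main__":
    for name, ok in screen_headers(SAMPLE_HEADERS).items():
        print("%-20s %s" % (name, "accept" if ok else "REJECT"))
```

The check is deliberately stricter than a plain `..` test: a name containing any `/` is refused, because a single-file copy never needs the server to supply a directory component.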

2000-09-29: Apache Rewrite Arbitrary File Disclosure Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1728
mod_rewrite is a module that maps special URLs to absolute files on the web server's filesystem. Fix: don't use it, or patch Apache.

2000-09-29: Slashcode Default Admin Password Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1731

Traceroute: a cross platform flaw was reported this week, but the version included in Solaris 7 and 8 is not vulnerable.


Patches

The latest Solaris Recommended / Security Patch clusters are:

Solaris 8       Sep/07/00
Solaris 7       Oct/03/00
Solaris 2.6     Oct/05/00
Solaris 2.5.1   Sep/08/00


News & Articles

CERT

CERT Incident Note IN-2000-10
http://www.cert.org/incident_notes/IN-2000-10.html

Widespread Exploitation of rpc.statd and wu-ftpd Vulnerabilities. This article also explains how the 't0rnkit' rootkit can be detected.

 

Information Security Magazine

Penetration Testing Exposed
http://www.infosecuritymag.com/sep2000/securestrategies.htm

Part three of the series on "Audits, Assessments & Tests (Oh, My)" explores penetration testing, the controversial practice of simulating real-world attacks by discovering and exploiting system vulnerabilities.

 

Sun

Sun Enterprise Volume Manager/Veritas Volume Manager: Unencapsulating A Root Disk Manually While Booted From CDROM
http://sunsolve.sun.com/pub-cgi/retrieve.pl?type=0&doc=infodoc/21725

 

JASS v0.11
http://www.sun.com/blueprints/tools

Sun Microsystems has released a security tool implementing the recommendations made in published BluePrints online security articles available at:
http://www.sun.com/blueprints/browsesubject.html#security
The JumpStart(TM) Architecture and Security Scripts (Toolkit) has been developed by Sun's Enterprise Engineering and Professional Services organizations to harden, minimize, and secure Solaris systems. The primary goal behind the development of this Toolkit was to simplify and automate the process of securing Solaris systems. The "JASS" Toolkit attains that goal by being usable through JumpStart or in a standalone mode.

NOTE: see also Tip of the Week, where we take a closer look at this beast.

 

SolarisGuide

Sun Releases Updated Solaris 8
http://www.esj.com/breaknewsdisp.asp?ID=3400

Enhancements in this new release that should be available at the end of October: performance optimizations for Sun's new systems using the UltraSPARC III microprocessor. New features designed to increase system availability and system management include:

 

UltraLinux

http://www.ultralinux.org/

It was reported last week that RH7 will not be available on sparc. Apparently this does not mean that RH7.1 or 7.2 will not be available. No decision to drop SPARC has been made by RH as yet, and if it is dropped it would probably be turned into a community project.

 

SecurityFocus

Clear Text Communication: Slaying the Beast Part I, By Hal Flynn
http://www.securityfocus.com/frames/?focus=linux&content=/focus/linux/articles/clear1.html

An article on using OpenSSH.

 

Vulnerability Assessment Survey
http://www.securityfocus.com/focus/ih/articles/vulnassess.html

This Vulnerability Assessment Survey has been designed to allow organizations to build up their crisis management capability. Its purpose is to help answer the question: "How secure is your organization's information?" This crucial question emerges over and over as one of the highest priorities in an organization.

 

Security Tools News

All tools are now summarised in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html
Here we look only at new announcements since the last tools digest.

 

Secure Programming
SecurityFocus has opened a new mailing list. It's called SECPROG and is dedicated to the discussion of secure programming methods and techniques. To subscribe to this list, send a message to listserv@securityfocus.com with the following in the body of the message: "subscribe secprog"

 

AES crypto
http://www.heise.de/newsticker/data/vza-05.10.00-003/

German company Utimaco Safeware announced an encryption product that implements the newly selected Advanced Encryption Standard (AES). From October 16th, it will be possible to download freeware "SafeGuard PrivateCrypt" from Utimaco's web site. On Monday, the US National Institute of Standards and Technology (NIST) announced the choice of "Rijndael" as new cryptographic standard, known under AES (in German).


Mailing Lists

FOCUS-Sun discussions

10/06/00 enabling sudo logging
http://www.securityfocus.com/templates/archive.pike?start=2000-10-01&tid=137944&fromthread=0&threads=1&list=92&end=2000-10-07&

10/05/00 Announcement: JumpStart(TM) Architecture and Security Scripts (Toolkit)
http://www.securityfocus.com/templates/archive.pike?start=2000-10-01&tid=137819&fromthread=0&threads=1&list=92&end=2000-10-07&

10/05/00 port number 9611/tcp and 5874/tcp question?
http://www.securityfocus.com/templates/archive.pike?start=2000-10-01&tid=137801&fromthread=0&threads=1&list=92&end=2000-10-07&

 

YASSP (the Solaris hardening tool) Developers' list discussions

Yassp discussions this week.

An invitation for a comparison of three Solaris hardening tools
http://www.theorygroup.com/Archive/YASSP/2000/msg00628.html

rpc.meta
http://www.theorygroup.com/Archive/YASSP/2000/msg00626.html

Update
http://www.theorygroup.com/Archive/YASSP/2000/msg00613.html

dmesg broken by our new syslog.conf
http://www.theorygroup.com/Archive/YASSP/2000/msg00610.html

SNMP and DMI on Solaris
http://www.theorygroup.com/Archive/YASSP/2000/msg00609.html

See also: Main site, DL archive, Interview With Jean Chouanard, Draft dev. doc.


Tip of the Week

Sun has released JASS v0.11, a hardening tool for Solaris, and we're taking it for a test drive.
http://www.sun.com/blueprints/tools

Overview

JASS stands for JumpStart Architecture and Security Scripts (Toolkit). The primary goal behind the development of this Toolkit was to simplify and automate the process of securing Solaris systems, through JumpStart or in a standalone mode. It implements the recommendations of Sun's BluePrints online security articles:
http://www.sun.com/blueprints/browsesubject.html#security

First off, checking out the license, we find it is pretty restrictive:

Distribution: Only Sun or an authorized Sun VAR may distribute the Toolkit...
License grant: Sun hereby grants a non-exclusive, non-transferable and royalty free license to use, reproduce, and modify the Toolkit for the following internal purposes only (no license is granted for any other purpose):
1. Your internal research use;
2. Your internal evaluation of the Toolkit;
3. Your internal use only, for the purposes of running your business or otherwise.

So it's not as free as Yassp or Titan.

Installation

Jass comes in a small 50k tar.Z file that extracts to the current directory (note that it does *not* create a subdirectory and put all files there). This test involved a simple installation on a fresh Solaris 8 box.
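Because the archive unpacks into the current directory, it pays to look inside a tarball before extracting it, and to unpack it into a directory of your own choosing. The following added example (not JASS's code, and not part of the digest) does both: it reports the archive's top-level entries and flags members with absolute paths or `..` components, then extracts into a fresh subdirectory only when the archive is clean. The sample archive is constructed in memory as a .tar.gz, because Python's tarfile module does not read compress(1) .Z files; a real .tar.Z would be run through `uncompress` first. The file names in it are placeholders, not the toolkit's real layout.

```python
"""Inspect a tarball before unpacking it (added example)."""
import io
import os
import tarfile
import tempfile


def build_sample_archive(names):
    """Construct an in-memory .tar.gz whose regular-file members have the given names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name in names:
            data = b"# placeholder content\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def inspect_archive(blob):
    """Return (top_level_names, unsafe_members).

    top_level_names: distinct first path components. An archive that
    creates its own subdirectory has exactly one; one that dumps files
    into the current directory (as the digest describes) has several.
    unsafe_members: names with an absolute path or a '..' component,
    which could write outside the extraction directory.
    """
    tops = set()
    unsafe = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
        for m in tf.getmembers():
            parts = m.name.split("/")
            if m.name.startswith("/") or ".." in parts:
                unsafe.append(m.name)
            tops.add(parts[0])
    return sorted(tops), unsafe


def extract_into_subdir(blob, parent, subdir):
    """Unpack into parent/subdir (which must not exist yet); returns paths written.

    Refuses the whole archive if any member is unsafe, rather than
    extracting the good members and hoping for the best.
    """
    _tops, unsafe = inspect_archive(blob)
    if unsafe:
        raise ValueError("refusing archive with unsafe members: %r" % unsafe)
    dest = os.path.join(parent, subdir)
    os.makedirs(dest, exist_ok=False)
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tf:
        if hasattr(tarfile, "data_filter"):   # Python 3.12+: enforce the safe extraction filter
            tf.extractall(dest, filter="data")
        else:
            tf.extractall(dest)
        return sorted(os.path.join(dest, m.name) for m in tf.getmembers())


def demo():
    """Build a placeholder toolkit archive and unpack it into a temp directory."""
    blob = build_sample_archive(["install.sh", "scripts/run", "docs/README"])
    parent = tempfile.mkdtemp(prefix="toolkit-")
    return extract_into_subdir(blob, parent, "toolkit")


if __name__ == "__main__":
    for path in demo():
        print(path)
```

Running `inspect_archive` first and looking at the number of top-level names is the quick way to find out whether a download will litter your working directory; the traversal check is a habit worth keeping for any archive fetched from the network.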

Summary of Results

Since we didn't get past the installation phase, it's difficult to judge how good it would have been. It is structured a bit like Titan, does seem to include many of the standard hardening tweaks, and seems flexible. An 'undo' or 'redo' feature does not seem to be available.

Hopefully next week the news will be better and we'll be able to do a real test of Jass.

If you have any security tips/scripts you'd like to share with others, contact sean at boran.com.


References and Resources

For brevity, the list of Solaris resources and references is kept in a separate document:
securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 06 October, 2000