By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html
To receive this digest via Email, visit http://securityportal.com/subscribe.html
CERT/CC Current Activity
http://www.cert.org/current/current_activity.html
The CERT/CC Current Activity web page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities currently being reported to the CERT/CC.
This edition: Compromises via rpc.statd, 'SITE EXEC' and SGI IRIX telnetd. Virus Activity. Scans and Probes.
none
2000-10-02: WebTeacher WebData File Import Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1732
2000-10-02: XFCE 3.5.1 Local Xauthority Bypass Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1736
2000-10-02: Acme thttpd Arbitrary World-Readable File Disclosure Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1737
2000-10-01: Multiple Vendor Cfengine Format String Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1757
2000-09-30: scp File Create/Overwrite Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1742
A malicious scp server can overwrite files belonging to the local user, i.e. if a user copies a file from workstation A to server B with scp and server B contains a hacked/malicious SSH, then server B can overwrite any file it likes on workstation A during the file transfer. Exploit code has been published. SSH2 uses a different protocol that is not vulnerable.
Not vulnerable: OpenSSH 2.1 or later, SSH2.
Fix: No patches so far, avoid using scp as root to untrusted servers.
2000-09-29: Apache Rewrite Arbitrary File Disclosure Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1728
mod_rewrite is a module to map special URLs to absolute files on the web server's filesystem. Fix: don't use it, or patch Apache.
2000-09-29: Slashcode Default Admin Password Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1731
Traceroute: a cross platform flaw was reported this week, but the version included in Solaris 7 and 8 is not vulnerable.
The latest Solaris Recommended / Security Patch clusters are:
Solaris 8 Sep/07/00
Solaris 7 Oct/03/00
Solaris 2.6 Oct/05/00
Solaris 2.5.1 Sep/08/00
CERT Incident Note IN-2000-10
http://www.cert.org/incident_notes/IN-2000-10.html
Widespread Exploitation of rpc.statd and wu-ftpd Vulnerabilities. This article also explains how the 't0rnkit' rootkit can be detected.
Penetration Testing Exposed
http://www.infosecuritymag.com/sep2000/securestrategies.htm
Part three of the series on "Audits, Assessments & Tests (Oh, My)" explores penetration testing, the controversial practice of simulating real-world attacks by discovering and exploiting system vulnerabilities.
Sun Enterprise Volume Manager/Veritas Volume Manager: Unencapsulating A Root Disk Manually While Booted From CDROM
http://sunsolve.sun.com/pub-cgi/retrieve.pl?type=0&doc=infodoc/21725
JASS v0.11
http://www.sun.com/blueprints/tools
Sun Microsystems has released a security tool implementing the recommendations made in published BluePrints online security articles available at:
http://www.sun.com/blueprints/browsesubject.html#security
The JumpStart(TM) Architecture and Security Scripts (Toolkit) has been developed by Sun's Enterprise Engineering and Professional Services organizations to harden, minimize, and secure Solaris systems. The primary goal behind the development of this Toolkit was to simplify and automate the process of securing Solaris systems. The "JASS" Toolkit attains that goal by being usable through JumpStart or in a standalone mode.
NOTE: see also Tip of the Week, where we take a closer look at this beast.
Sun Releases Updated Solaris 8
http://www.esj.com/breaknewsdisp.asp?ID=3400
Enhancements in this new release, which should be available at the end of October, include performance optimizations for Sun's new systems using the UltraSPARC III microprocessor. New features designed to increase system availability and improve system management include:
- IP Network Multipathing - Network load can be spread over multiple NICs which provides a failover capability.
- Mobile IP - Enables a mobile device to be accessible at a fixed IP address, regardless of where that device is connecting to the Internet.
- Solaris WBEM Services - Makes Solaris manageable by tools from enterprise vendors other than Sun.
It was reported last week that RH7 will not be available on SPARC. Apparently this does not mean that RH7.1 or 7.2 will not be available. No decision to drop SPARC has been made by RH as yet, and if it is dropped it would probably be turned into a community project.
Clear Text Communication: Slaying the Beast, Part I, by Hal Flynn
http://www.securityfocus.com/frames/?focus=linux&content=/focus/linux/articles/clear1.html
An article on using OpenSSH.
Vulnerability Assessment Survey
http://www.securityfocus.com/focus/ih/articles/vulnassess.html
This Vulnerability Assessment Survey has been designed to allow organizations to build up their crisis management capability. Its purpose is to help answer the question: "How secure is your organization's information?" This crucial question emerges over and over as one of the highest priorities in an organization.
All tools are now summarised in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html
Here we look only at new announcements since the last tools digest.
Secure Programming
SecurityFocus has opened a new mailing list. It's called SECPROG and is dedicated to the discussion of secure programming methods and techniques. To subscribe to this list, send a message to listserv@securityfocus.com with the following in the body of the message: "subscribe secprog"
AES crypto
http://www.heise.de/newsticker/data/vza-05.10.00-003/
German company Utimaco Safeware announced an encryption product that implements the newly selected Advanced Encryption Standard (AES). From October 16th, it will be possible to download freeware "SafeGuard PrivateCrypt" from Utimaco's web site. On Monday, the US National Institute of Standards and Technology (NIST) announced the choice of "Rijndael" as the new cryptographic standard, known as AES (article in German).
10/06/00 enabling sudo logging
http://www.securityfocus.com/templates/archive.pike?start=2000-10-01&tid=137944&fromthread=0&threads=1&list=92&end=2000-10-07&
10/05/00 Announcement: JumpStart(TM) Architecture and Security Scripts (Toolkit)
http://www.securityfocus.com/templates/archive.pike?start=2000-10-01&tid=137819&fromthread=0&threads=1&list=92&end=2000-10-07&
10/05/00 port number 9611/tcp and 5874/tcp question?
http://www.securityfocus.com/templates/archive.pike?start=2000-10-01&tid=137801&fromthread=0&threads=1&list=92&end=2000-10-07&
Yassp discussions this week.
An invitation for a comparison of three Solaris hardening tools
http://www.theorygroup.com/Archive/YASSP/2000/msg00628.html
rpc.meta
http://www.theorygroup.com/Archive/YASSP/2000/msg00626.html
Update
http://www.theorygroup.com/Archive/YASSP/2000/msg00613.html
dmesg broken by our new syslog.conf
http://www.theorygroup.com/Archive/YASSP/2000/msg00610.html
SNMP and DMI on Solaris
http://www.theorygroup.com/Archive/YASSP/2000/msg00609.html
See also: Main site, DL archive, Interview With Jean Chouanard, Draft dev. doc.
Sun has released JASS v0.11, a hardening tool for Solaris, and we're taking it for a test drive.
http://www.sun.com/blueprints/tools
JASS stands for JumpStart Architecture and Security Scripts (Toolkit). The primary goal behind the development of this Toolkit was to simplify and automate the process of securing Solaris systems through JumpStart or in a standalone mode. It implements the recommendations of Sun's BluePrints online security articles:
http://www.sun.com/blueprints/browsesubject.html#security
First off, checking out the license, we find it is pretty restrictive:
Distribution: Only Sun or an authorized Sun VAR may distribute the Toolkit......
License grant: Sun hereby grants a non-exclusive, non-transferable and royalty free license to use, reproduce, and modify the Toolkit for the following internal purposes only (no license is granted for any other purpose):
1. Your internal research use;
2. Your internal evaluation of the Toolkit;
3. Your internal use only, for the purposes of running your business or otherwise.
So it's not as free as Yassp or Titan.
Jass comes in a small 50k tar.Z file that extracts to the current directory (note that it does *not* create a subdirectory and put all files there). This test involved a simple installation on a fresh Solaris 8 box.
- Since it was not done from a Jumpstart server, uncomment the STANDALONE and ROOT lines at the bottom of ./Drivers/user.init
- Now we're ready to run the Jass install, except the README/INSTALL files are scarce on how to do this. Looking around the sources suggested: changing to the directory containing the extracted files/directories and (C-Shell):
setenv SI_CONFIG_DIR `pwd`
sh Drivers/secure.driver
- We're not home and dry yet though, numerous errors popped up (see below), apparently because files are not where they are expected, or are not executable when they should be.
secure.driver: Driver started.
secure.driver: Copying personalized files.
Copying /.cshrc from /opt/install/jass/Files//.cshrc.
......
secure.driver: Starting finish script: install-recommended-patches.fin
Drivers/secure.driver: ERROR: Could not find the 8_Recommended patch cluster
.....
secure.driver: Starting finish script: set-root-password.fin
Drivers/secure.driver: ERROR: The system is not booted from mini-root.
......
secure.driver: Starting finish script: set-term-type.fin
.......
Copying //etc/profile to //etc/profile.JASS.20001006144458
Adding default terminal type (vt100) to login scripts.
Copying //etc/.login to //etc/.login.JASS.20001006144458
.....
secure.driver: Driver finished. Drivers/hardening.driver
Drivers/secure.driver: Drivers/hardening.driver: not found
Since we didn't get past the installation phase, it's difficult to imagine how good it would have been. It is structured a bit like Titan and does seem to include many of the standard hardening tweaks and seems flexible. An 'undo' or 'redo' feature does not seem to be available.
Hopefully next week the news will be better and we'll be able to do a real test of Jass.
If you have any security tips/scripts you'd like to share with others, contact sean at boran.com.
For brevity, the list of Solaris resources and references is kept in a separate document:
securityportal.com/topnews/weekly/solarisref.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 06 October, 2000