Weekly Solaris Security Digest
2000/10/09 to 2000/10/22

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html
To receive this digest via Email, visit http://securityportal.com/subscribe.html


The Rundown


Advisories and Security Bulletins

Sun / CERT bulletins

none

Bugtraq vulnerabilities this week - Solaris:

none

Bugtraq vulnerabilities this week - 3rd party applications:

2000-10-16: Valve Software Half-Life Dedicated Server Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1799

2000-10-16: cmd5checkpw Qmail Remote Password Retrieval Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1809

2000-10-13: cURL Remote Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1804

2000-10-12: CGI Script Center Auction Weaver Arbitrary File Deletion Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1782

2000-10-12: CGI Script Center Auction Weaver Username / Bidfile Directory Traversal Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1783

2000-10-12: PHP Error Logging Format String Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1786

2000-10-12: CommuniGate Pro Email Address Verification Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html?vid=1792%3Fvid%3D1792

2000-10-12: GnuPG Multiple Signed Message Modification Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html?vid=1797%3Fvid%3D1797

2000-10-12: xlib Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1805

2000-10-11: Netscape Messaging Server Email Address Verification Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1787

2000-10-11: MailFile Arbitrary File Disclosure Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1807

Two weeks ago a serious weakness in SSH/scp was reported; no patches are yet available.
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1742
• Not vulnerable: SSH2, OpenSSH 2.2 or later (apparently: I've seen no detailed tests that confirm this).
• SSH1: no patches so far; avoid using scp, especially as root, to untrusted servers.
• OpenSSH: upgrade to OpenSSH 2.2 or later.


Patches

The latest Solaris Recommended / Security Patch clusters are as follows, changes are marked with a '*':

Solaris 8      Sep/07/00
Solaris 7      Oct/03/00
Solaris 2.6    Oct/09/00
Solaris 2.5.1  Oct/09/00


News & Articles

SecurityFocus

Chasing the Wind - Episode Two: Raising the Stakes, by Robert G. Ferrell
http://www.securityfocus.com/frames/?focus=ih&content=/focus/ih/articles/chasing2.html

Light reading on a hacking incident.

Security Tools News

All tools are now summarised in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html

There are new versions of Apache and also PHP that incorporate security updates. The PHP update seems particularly urgent.
http://www.apache.org
http://www.php.net



Mailing Lists

FOCUS-Sun discussions

10/19/00 Sun security alerts
http://www.securityfocus.com/templates/archive.pike?end=2000-10-21&tid=140442&fromthread=0&start=2000-10-15&list=92&threads=1&

10/13/00 Secure password propagation and authentication for Oracle
http://www.securityfocus.com/templates/archive.pike?fromthread=0&threads=1&tid=139748&list=92&end=2000-10-14&start=2000-10-08&

10/13/00 tftp sources for Solaris
http://www.securityfocus.com/templates/archive.pike?fromthread=0&threads=1&tid=139422&list=92&end=2000-10-14&start=2000-10-08&

10/13/00 System Security Conference?
http://www.securityfocus.com/templates/archive.pike?fromthread=0&threads=1&tid=139908&list=92&end=2000-10-21&start=2000-10-15&

10/13/00 auditing users actions
http://www.securityfocus.com/templates/archive.pike?fromthread=0&threads=1&tid=139412&list=92&end=2000-10-14&start=2000-10-08&


YASSP (the Solaris hardening tool) Developers' list discussions

New syslog.conf for beta#12
http://www.theorygroup.com/Archive/YASSP/2000/msg00657.html

package removing
http://www.theorygroup.com/Archive/YASSP/2000/msg00658.html

See also :
http://www.yassp.org


Tip of the Week: Limiting SUID Files

Files which have the SUID bit set (an "s" in place of the owner's execute bit in 'ls' listings; for SGID, an "s" in place of the group's execute bit) run with the effective user ID (or group ID) of the file's owner rather than that of the user who executed them. This is typically used to let normal users perform a function normally reserved for root, for example binding to a low port or mounting a floppy disk. The problem is that, historically, many security weaknesses have been found in such programs, allowing attackers with local accounts to become root by exploiting buffer overflows, race conditions, etc.

Solaris has many "SUID root" binaries and each one presents a risk, so when hardening systems it is advisable to disable as many SUID programs as possible.

This section gives a brief overview of the subject and points to documents and scripts for disabling SUID files.

What SUID files are on the system?

The find command can be used to list all SUID files:
find / -perm -u+s -ls

or all SGID files:
find / -perm -g+s -ls

Example listing of SUID/SGID files on a Solaris 7 system:
http://www.boran.com/security/sp/solaris/suid_sol7.txt

Example listing of SUID/SGID files on a Solaris 8 system:
http://www.boran.com/security/sp/solaris/suid_sol8.txt
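The find commands above give a one-off listing; for ongoing hardening you also want to know when the set of setid files changes, since a new SUID-root file appearing on a host is a classic sign of a local compromise. The script below is an added example written for this digest, not code from YASSP, Titan or the Waterloo pages: it builds a sorted inventory of SUID/SGID files (using the octal -perm -4000 / -perm -2000 forms, which Solaris and GNU find both accept, and -xdev so NFS mounts are not walked), saves it as a baseline, reports additions and removals on later runs, and strips the bits from a reviewed list of paths. The function names, the baseline file location and the sample files in the comments are my own.

```shell
#!/bin/sh
# Added example for this digest; not code from YASSP, Titan or the Waterloo
# pages. Inventory SUID/SGID files, keep a baseline, report drift, strip bits.

# Print one line per SUID or SGID regular file under $1 (default /):
#   "<mode string> <owner> <group> <path>", sorted so two inventories can be
# compared with comm(1). -xdev keeps find on one filesystem (no NFS walks);
# -perm -4000 / -2000 are the setuid / setgid bits in octal, accepted by
# Solaris and GNU find alike (the -u+s / -g+s forms above are Solaris only).
setid_inventory() {
    root=${1:-/}
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        # ls -ld field 1 is the mode string, 3 the owner, 4 the group
        ls -ld "$f" | awk -v p="$f" '{ print $1, $3, $4, p }'
    done | sort
}

# Record the current inventory of the tree under $1 in the baseline file $2.
setid_baseline() {
    setid_inventory "$1" > "$2"
}

# Compare the tree under $1 with the baseline file $2. Lines prefixed "+ "
# are setid now but absent from the baseline (new file, or changed mode or
# owner); "- " lines were in the baseline but are not setid any more.
# Exit status is 1 when there is any drift, 0 when the tree matches, so a
# cron job can alert on it. The current inventory is kept in a variable
# rather than a /tmp file: a predictable temp file written by a root cron
# job is exactly the kind of race a local attacker looks for.
setid_drift() {
    root=$1 base=$2
    now=$(setid_inventory "$root")
    added=$(printf '%s\n' "$now" | comm -13 "$base" -)
    gone=$(printf '%s\n' "$now" | comm -23 "$base" -)
    [ -n "$added" ] && printf '%s\n' "$added" | sed 's/^/+ /'
    [ -n "$gone" ]  && printf '%s\n' "$gone"  | sed 's/^/- /'
    [ -z "$added$gone" ]
}

# Remove the setuid and setgid bits from each path read on stdin, one per
# line. Feed it only a list you have reviewed against the Waterloo and Titan
# material: programs such as passwd need the bit, and stripping it there
# breaks the program rather than securing it.
setid_strip() {
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        chmod u-s,g-s "$f" && printf 'stripped setid bits: %s\n' "$f"
    done
}

# Stand-alone use (the /var/adm path is an assumption, pick your own):
#   sh setid.sh baseline /var/adm/setid.base   once, after hardening
#   sh setid.sh drift    /var/adm/setid.base   from cron; exit 1 means change
#   sh setid.sh list [dir]                     just print the inventory
case "${1:-}" in
    list)     setid_inventory "${2:-/}" ;;
    baseline) setid_baseline / "${2:?baseline file}" ;;
    drift)    setid_drift / "${2:?baseline file}" ;;
esac
```

Take the baseline only after you have finished removing bits and reviewed the remaining list, otherwise the baseline blesses whatever was on the box; and keep the baseline file somewhere an unprivileged user cannot write, since an attacker who can edit it can hide a new setuid shell from the drift check.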

How should we handle SUID files? Possible courses of action, in order of preference, are:

What SUID files need to be limited?

SUID references and further reading:

  1. Solaris 7 Setuid/Setgid Files, Information Systems and Technology, University of Waterloo
    [Reg Quinton's documentation on Solaris 7 SUID files and associated scripts].
    http://ist.uwaterloo.ca/security/howto/1999-04-21.html
    Solaris 2.6:
    http://ist.uwaterloo.ca/security/howto/2000-08-22.html
    Solaris 8:
    http://ist.uwaterloo.ca/security/howto/2000-08-17.html
  2. Titan's ziplock module
    http://www.titan.org
  3. Example listing of SUID/SGID files on a Solaris 7 system:
    http://www.boran.com/security/sp/solaris/suid_sol7.txt
    Example listing of SUID/SGID files on a Solaris 8 system:
    http://www.boran.com/security/sp/solaris/suid_sol8.txt


If you have any security tips/scripts you'd like to share with others, contact sean at boran.com.


References and Resources

For brevity, the list of Solaris resources and references is kept in a separate document:
securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 20 October, 2000