Weekly Solaris Security Digest
2000/10/23 to 2000/10/30

By Seán Boran (sean at boran.com) for SecurityPortal

Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html

To receive this digest via Email:
http://securityportal.com/subscribe.html


The Rundown


Advisories and Security Bulletins

Sun / CERT bulletins

Sun Bulletin Number #00198, "Browser Certificates"
http://sunsolve.sun.com/security

Sun advises of a potential compromise of two specific security certificates that had limited distribution. Sun recommends that you follow the directions found at http://sunsolve5.sun.com/secbull/certificate_howto.html
to determine whether your web browser has accepted any of the potentially compromised certificates.
Comment: These two certificates could be used by a browser to unwittingly trust malicious Java applets. It is unclear how widely these certificates were distributed by Sun.

 

CERT/CC Current Activity (October 19: updated one topic)
http://www.cert.org/current/current_activity.html

The CERT/CC Current Activity page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities currently being reported to the CERT/CC.



CERT Statistics (October 19)
http://www.cert.org/stats/cert_stats.html

The CERT/CC statistics on incident and vulnerability reports, security alerts and notes, hotline calls, and email messages have been updated with information from the third quarter of 2000.
The number of reported vulnerabilities and incidents appears set to double compared with last year.

Bugtraq vulnerabilities this week - Solaris:

2000-10-25: Sun HotJava Browser Arbitrary DOM Access Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1837

A malicious website operator may be able to obtain cookies from a target system browsing with the Sun HotJava Browser. The Document Object Model (DOM) of arbitrary URLs can be accessed if specially crafted JavaScript is launched from a named window. Cookies that may contain sensitive information can be acquired through this method.
Fix: none yet; disable JavaScript as a temporary workaround.

Bugtraq vulnerabilities this week - 3rd party applications:

2000-10-26: iPlanet Webserver .shtml Buffer Overflow Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1848

2000-10-26: pam_mysql Authentication Input Validation Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1850

2000-10-23: MySQL Authentication Algorithm Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1826

2000-10-23: Allaire JRun 3.0 Directory Disclosure Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1830

2000-10-23: Allaire JRun 2.3 Arbitrary Code Execution Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1831

2000-10-23: Allaire JRun 2.3 File Source Code Disclosure Vulnerability
http://www.securityfocus.com/vdb/bottom.html?vid=1833

2000-10-18: Oracle Internet Directory 2.0.6 oidldap Vulnerability
http://www.securityfocus.com/frames/?content=/vdb/bottom.html?vid=1828%3Fvid%3D1828


Patches

The latest Solaris Recommended / Security Patch clusters are as follows:

Solaris 8        Sep/07/00
Solaris 7        Oct/03/00
Solaris 2.6      Oct/09/00
Solaris 2.5.1    Oct/09/00


News & Articles

Sunworld

Security basics, Part 1: Understanding file attribute bits and modes
http://www.sunworld.com/sunworldonline/swol-10-2000/swol-1020-unix101.html

 

SecurityFocus

Hardening Solaris - Compass Security Draft 0.82, by Ivan Butler
http://www.csnc.ch/download/sources/Hardening-Solaris V0.82.pdf

This PDF document provides a step by step tutorial to creating a Solaris system resistant to various methods of attack, based on the Titan scripts.

 

Advanced Networking Security, by Raul Gonzalez Barron, Eric Daniel, Ralph Akram Gholmieh, Ajay Kumar Gummmadi, Faisal Karim and Rehan Ayyub Sheikh
http://www.securityfocus.com/external/http://security.tsu.ru/info/unix/report.html#C

This interesting 1996 report contains the details of a hacking test exercise.
The report includes the hacking techniques that were learned, the attacks, and some suggestions for future versions of this class. All in all, this course has been a very good learning ground for future system administrators, who have been able to get a view of what the bad guys can do to penetrate a system. The practical aspect of the course brings in enthusiasm and helps them learn and practice more.

 

An Unofficial Xinetd Tutorial, by Curator
http://www.macsecurity.org/resources/xinetd/tutorial.shtml

xinetd is a secure replacement for inetd, and a more efficient replacement for inetd and tcp_wrappers. It sports a number of features that make it a good choice for securing a server. These include access control (based on source address, destination address, and time), extensive logging, and the ability to bind services to specific interfaces. This tutorial will attempt to give an administrator the necessary tools to install, configure, and maintain xinetd.
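The controls listed above (access control by source address, destination address and time, logging, and binding a service to one interface) are expressed as attributes in xinetd.conf. The fragment below is an added example, not taken from the tutorial or from xinetd's own distribution; the addresses, time window, log path and server paths are assumed values chosen for illustration.

```xinetd
# Added example xinetd.conf fragment; addresses, times and paths are assumed.

defaults
{
    # Log to a dedicated file and record the peer host for every connection
    # and every refused attempt; logging is the main detection signal xinetd offers.
    log_type        = FILE /var/log/xinetd.log
    log_on_success  = HOST PID DURATION
    log_on_failure  = HOST
    # Limit concurrent servers overall and per source address.
    instances       = 30
    per_source      = 5
}

service telnet
{
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd
    # Source-address control: management subnet and loopback only,
    # with one host on that subnet explicitly excluded.
    only_from       = 192.168.10.0/24 127.0.0.1
    no_access       = 192.168.10.250
    # Time-based control: office hours only.
    access_times    = 08:00-18:00
    # Destination control: listen on the internal interface only,
    # so the service is never offered on the DMZ-facing address.
    bind            = 192.168.10.5
    disable         = no
}

service ftp
{
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    server          = /usr/sbin/in.ftpd
    # Offered only on the DMZ address; failed connections also log the remote user id.
    bind            = 10.0.0.5
    only_from       = 10.0.0.0/24
    log_on_failure  += USERID
    disable         = no
}
```

After changing the file, xinetd re-reads its configuration on SIGHUP; a connection attempt from outside `only_from` should then appear in the log file as a FAIL entry with the source host, which is the line to watch for when verifying the access control actually took effect.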

 

Unix Password Management, by Elmo Recio
http://www.securityfocus.com/external/http://linux.com/sysadmin/newsitem.phtml?sid=113&aid=10935

Part of the neatness of UNIX is that you can do just about everything programmatically in the same way that you do it by hand. For example, have you ever wondered why chmod() is called that? Well, in writing my admintool program, I found out that if I wanted to change the mode of a directory or its ownership programmatically I would just call a function named chmod(). So I started to explore other aspects of the system calls and came across some really useful ones.

 

Security Tools News

All tools are now summarised in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html


Mailing Lists

FOCUS-Sun discussions

10/21/00 Expiration of your subscription to the FOCUS-SUN list
http://www.securityfocus.com/templates/archive.pike?tid=140734&list=92&fromthread=0&threads=1&end=2000-10-21&start=2000-10-15&

10/20/00 locale exploit
http://www.securityfocus.com/templates/archive.pike?tid=140730&list=92&fromthread=0&threads=1&end=2000-10-21&start=2000-10-15&

10/20/00 unique character match for a password...
http://www.securityfocus.com/templates/archive.pike?tid=140731&list=92&fromthread=0&threads=1&end=2000-10-21&start=2000-10-15&

 

YASSP (the Solaris hardening tool) Developers' list discussions

FYI: New keyboard-interactive draft available
http://www.theorygroup.com/Archive/YASSP/2000/msg00663.html

Openssh and SecurID
http://www.theorygroup.com/Archive/YASSP/2000/msg00661.html

Re: package removing
http://www.theorygroup.com/Archive/YASSP/2000/msg00660.html

 

See also :
http://www.yassp.org


Tip of the Week: Improving Disksuite Security

Disksuite is a tool bundled with Solaris that allows disks to be mirrored or gathered into RAID sets. This is useful and a nice feature to have in the system. The problem is that Disksuite uses RPC (specifically, two programs, rpc.metamhd and rpc.metad, which run from inetd). RPC is a protocol that one tries to avoid having on sensitive servers, such as those on the Internet or in a DMZ: RPC uses dynamic ports and provides no standard access control methods.

How can disksuite security be improved?

  1. Don't run Disksuite. This is often my choice, mainly because of bad experiences with early versions of Disksuite 4-5 years ago. I don't forgive easily :-)
  2. Run Disksuite and RPC, but use Wietse Venema's RPCBIND with access control restricted to localhost. This option is discussed in the Yassp post-install documentation:
    http://www.yassp.org/after.html#RPC
  3. Run Disksuite, but stop RPC altogether. I didn't know this was possible until a recent discussion on the Yassp discussion list. The 'metad' services in inetd.conf can be disabled, with the following consequences:

Doug Hughes has documented tips & links on Disksuite, VxVM and the SPARC Storagearray:
http://www.eng.auburn.edu/pub/mail-lists/ssastuff
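Option 3 above comes down to commenting out the two Disksuite entries in inetd.conf. The script below is an added example, not part of this digest or of the Yassp tool: it disables the rpc.metad and rpc.metamhd entries in an inetd.conf-style file given as a parameter, reports how many it changed, and leaves every other line alone. The inetd.conf fragment it runs on is constructed sample data; the RPC program numbers and daemon paths in it are assumed and should be checked against the real /etc/inet/inetd.conf on the system.

```shell
#!/bin/sh
# Added example, not from the digest or from Yassp: disable the Disksuite RPC
# daemons (rpc.metad, rpc.metamhd) in an inetd.conf-style file.
# The file path is a parameter so the edit can be tried on a copy first.

# Basic regular expression matching an *uncommented* entry for either daemon.
METAD_RE='^[^#].*rpc\.meta\(mh\)\{0,1\}d'

# count_active_metad FILE
# Prints how many uncommented rpc.metad / rpc.metamhd entries FILE contains.
count_active_metad() {
    grep -c "$METAD_RE" "$1" 2>/dev/null || true
}

# disable_metad_entries FILE
# Prefixes '#' to each matching entry, leaves every other line untouched,
# and prints the number of entries it commented out.
disable_metad_entries() {
    file="$1"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    before=$(count_active_metad "$file")
    sed -e "/$METAD_RE/s/^/#/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    after=$(count_active_metad "$file")
    echo $((before - after))
}

# Constructed inetd.conf fragment (sample data, not a real system file);
# the format follows Solaris inetd.conf, the program numbers and paths are assumed.
sample="${TMPDIR:-/tmp}/inetd.conf.sample.$$"
cat > "$sample" <<'EOF'
# constructed sample
ftp      stream  tcp      nowait  root  /usr/sbin/in.ftpd      in.ftpd
100229/1 tli     rpc/tcp  wait    root  /usr/sbin/rpc.metad    rpc.metad
100230/1 tli     rpc/tcp  wait    root  /usr/sbin/rpc.metamhd  rpc.metamhd
EOF

echo "active Disksuite RPC entries before: $(count_active_metad "$sample")"
echo "entries disabled: $(disable_metad_entries "$sample")"
echo "active Disksuite RPC entries after:  $(count_active_metad "$sample")"
rm -f "$sample"
```

On a real system the edited file must be re-read by inetd (send it SIGHUP); `rpcinfo -p` afterwards is the check that neither program is still registered with the portmapper, and a second run of the function on the same file returns 0, which makes it safe to repeat from a hardening script.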

 

If you have any security tips/scripts you'd like to share with others, contact sean at boran.com.


References and Resources

For brevity, the list of Solaris resources and references is kept in a separate document:
securityportal.com/topnews/weekly/solarisref.html


About the Author

Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 27 October, 2000